D-Link DI-1750 Reference Manual page 203

6.8.3 Apply the Access List to an Interface
After you create an access list, you can apply it to one or more interfaces. An access list can be applied to an interface in the inbound direction or in the outbound direction.
Use the following command in interface configuration mode:
ip access-group name {in | out}
At the interface prompt, select the ip option; the system lists all of its arguments:
(00)access-group
(01)address
(02)beigrp
......
Please Input the code of command to be executed(0-18): 0
Enter 0 to select the access-group option; the next prompt is:
(00)WORD
Please Input the code of command to be executed(0-0): 0
Enter 0 to select the WORD option; the next prompt is:
Please input a string:
Enter the name of the access list; the next prompt is:
(00)in
(01)out
Please Input the code of command to be executed(0-1):
Select the direction (in or out) in which the access list is applied to the interface.
An access list can be applied on an inbound interface or an outbound interface. For an inbound access list, after receiving a packet on the interface the D-Link IOS software checks the packet against the access list (the source address for a standard list; source address, destination address, protocol and ports for an extended list). If the access list permits the packet, the software continues to process it. If the access list denies the packet, the software discards it and returns an ICMP Host Unreachable message to the sender.
For an outbound access list, after receiving a packet and routing it to a controlled interface, the software checks the packet against the access list in the same way. If the access list permits the packet, the software transmits it. If the access list denies the packet, the software discards it and returns an ICMP Host Unreachable message.
If the access list named in the ip access-group command does not exist, the software transmits all packets on that interface. A mistyped list name, or a name applied before the list is defined, therefore results in no filtering at all; check the applied name against the defined lists after configuring it.
6.8.4 Extended Access List Examples
In the following example, the first line permits incoming TCP segments to any host in 130.2.0.0/16 whose destination port is greater than 1023 (the return traffic of connections opened from the inside). The second line permits incoming TCP connections to the SMTP port (25) of host 130.2.1.2. Any other inbound packet is dropped by the implicit deny at the end of the list. Note that the value after each address is a subnet mask (255.255.255.255 selects the single host 130.2.1.2). The list is then applied inbound on interface ethernet 1/0:
ip access-list extended aaa
permit tcp any 130.2.0.0 255.255.0.0 gt 1023
permit tcp any 130.2.1.2 255.255.255.255 eq 25
interface ethernet 1/0
ip access-group aaa in
For another example of using an extended access list, suppose you have a network connected to the Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the Internet. However, you do not want hosts on the Internet to be able to form TCP connections to hosts on the Ethernet, except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same two port numbers are used throughout the life of the connection. Mail packets coming in from the Internet will have a destination port of 25; outbound packets will have the port numbers reversed. The fact that the secure system behind the router will always accept mail connections on port 25 is what makes it possible to control incoming and outgoing services separately. The access list can be configured on either the outbound or the inbound interface.
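The inbound-filtering behaviour described in 6.8.3 and the SMTP scenario of 6.8.4, as an added example that is not from the D-Link manual: a small Python evaluator for the extended-ACL lines shown above. The grammar it accepts (action, protocol, source, optional port test, destination, optional port test; addresses written as "any" or as address plus subnet mask) and the packets it is run against are assumptions constructed for this example. It shows first-match evaluation, the implicit deny at the end of a list, the return traffic that the "gt 1023" entry admits, and the fail-open result when an interface references a list name that does not exist.

```python
# Added example, not from the D-Link manual: evaluate the extended-ACL syntax
# used on this page against constructed packets.
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """A constructed packet summary (protocol, addresses, ports)."""
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_ace(line):
    """Parse one access-list entry. Assumed grammar (the subset on this page):
      {permit|deny} PROTO SRC [eq|gt|lt PORT] DST [eq|gt|lt PORT]
    where SRC/DST is 'any' or 'ADDR MASK' with MASK a subnet mask
    (255.255.255.255 selects a single host, as in the manual's example)."""
    tok = line.split()
    if len(tok) < 3 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"bad access-list entry: {line!r}")
    action, proto, i = tok[0], tok[1], 2

    def take_addr(i):
        if tok[i] == "any":
            return None, i + 1                      # None = match any address
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

    def take_port(i):
        if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
            return (tok[i], int(tok[i + 1])), i + 2
        return None, i                              # None = any port

    src, i = take_addr(i)
    sport, i = take_port(i)
    dst, i = take_addr(i)
    dport, i = take_port(i)
    if i != len(tok):
        raise ValueError(f"trailing tokens in entry: {line!r}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _addr_ok(net, ip):
    return net is None or ipaddress.ip_address(ip) in net


def _port_ok(test, port):
    if test is None:
        return True
    op, n = test
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and _addr_ok(ace["src"], pkt.src) and _port_ok(ace["sport"], pkt.sport)
            and _addr_ok(ace["dst"], pkt.dst) and _port_ok(ace["dport"], pkt.dport))


def evaluate(acl, pkt):
    """First matching entry decides; a packet matching no entry is denied
    (the implicit deny at the end of every access list)."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def filter_on_interface(acls, applied_name, pkt):
    """'ip access-group NAME in' as described in 6.8.3: if NAME does not
    exist, the interface filters nothing, so a mistyped name fails open."""
    if applied_name not in acls:
        return "permit"
    return evaluate(acls[applied_name], pkt)


# Access list 'aaa' exactly as defined in 6.8.4.
ACLS = {
    "aaa": [
        "permit tcp any 130.2.0.0 255.255.0.0 gt 1023",
        "permit tcp any 130.2.1.2 255.255.255.255 eq 25",
    ],
}

# Constructed inbound packets (Internet side -> 130.2.0.0/16).
MAIL_IN = Packet("tcp", "198.51.100.7", "130.2.1.2", 40000, 25)       # SMTP to the mail host
TELNET_IN = Packet("tcp", "198.51.100.7", "130.2.1.2", 40001, 23)     # telnet to the mail host
REPLY_IN = Packet("tcp", "198.51.100.7", "130.2.9.9", 80, 50000)      # web reply to an inside client
NEW_HIGH_IN = Packet("tcp", "198.51.100.7", "130.2.9.9", 40002, 8080) # new connection to a high port


def demo():
    """Return the decision for each constructed packet on 'aaa', plus the
    decision when the interface names a list that does not exist."""
    return {
        "mail_in": evaluate(ACLS["aaa"], MAIL_IN),          # permit (line 2)
        "telnet_in": evaluate(ACLS["aaa"], TELNET_IN),      # deny (implicit deny)
        "reply_in": evaluate(ACLS["aaa"], REPLY_IN),        # permit (line 1)
        "new_high_in": evaluate(ACLS["aaa"], NEW_HIGH_IN),  # permit (line 1): stateless
        "typo_name": filter_on_interface(ACLS, "aab", TELNET_IN),  # permit: list missing
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:12} -> {decision}")
```

Two results are worth noticing. The "gt 1023" entry is stateless: it admits the return traffic of inside-initiated connections, but it equally admits a brand-new inbound connection to any port above 1023 (NEW_HIGH_IN), which is the price of this technique on a router without connection tracking. And applying a list name that is not defined ("aab" above) permits everything, so the applied name on the interface must be checked against the defined lists.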
Command                              Function
ip access-group name {in | out}      Apply the access list to an interface.

Meaning of the options shown in the prompts:
access-group   Specify access control for packets
address        IP address
beigrp         Enhanced Interior Gateway Routing Protocol
WORD           Access-list name
in             Inbound packets
out            Outbound packets

This manual is also suitable for: DI-2621, DI-2630, DI-3660