Cumulus Linux ACL Example Rules


Cumulus Linux provides the cl-acltool command line tool to manage access control lists (ACLs). This article offers more examples to help illustrate its functionality.

Warning: iptables rules are often misread because iptables was designed with a single host in mind. The INPUT chain matches traffic destined TO THE SWITCH ITSELF, not traffic passing through it. Use the FORWARD chain to control traffic going THROUGH THE SWITCH, as the examples below show. See the documentation for further explanation and for hardware limitations.


Examples

Reference Diagram

Switch Configurations

Following are the configurations for the two switches used in these examples. The configuration for each switch appears in /etc/network/interfaces.

Switch 1

auto swp1
iface swp1 inet manual
   up ip link set $IFACE up
   down ip link set $IFACE down

auto swp2
iface swp2 inet manual
   up ip link set $IFACE up
   down ip link set $IFACE down

auto swp2.100
iface swp2.100 inet manual
   up ip link set $IFACE up
   down ip link set $IFACE down

auto swp3
iface swp3 inet manual
   up ip link set $IFACE up
   down ip link set $IFACE down

auto swp4
iface swp4 inet manual
   up ip link set $IFACE up
   down ip link set $IFACE down

auto bond2
iface bond2 inet manual
   up ip link set $IFACE up
   down ip link set $IFACE down
   pre-up ip link set up dev swp3
   pre-up ip link set up dev swp4
   bond-slaves swp3 swp4
   bond-mode 802.3ad
   bond-miimon 100
   bond-use-carrier 1
   bond-lacp-rate 1
   bond-min-links 1
   bond-xmit_hash_policy layer3+4
   up ip link set $IFACE up
   down ip link set $IFACE down

auto br-untagged
iface br-untagged inet static
   address 10.0.0.1
   netmask 255.255.255.0
   bridge_ports swp1 bond2
   bridge_stp on

auto bond2.100
iface bond2.100 inet manual
   up ip link set $IFACE up
   down ip link set $IFACE down

auto br-tag100
iface br-tag100 inet static
   address 10.0.100.1
   netmask 255.255.255.0
   bridge_ports swp2.100 bond2.100
   bridge_stp on


Switch 2

auto swp3
iface swp3 inet manual
   up ip link set $IFACE up
   down ip link set $IFACE down
   pre-up ethtool -s $IFACE speed 1000 duplex full autoneg on

auto swp4
iface swp4 inet manual
   up ip link set $IFACE up
   down ip link set $IFACE down
   pre-up ethtool -s $IFACE speed 1000 duplex full autoneg on

auto br-untagged
iface br-untagged inet static
   address 10.0.0.2
   netmask 255.255.255.0
   bridge_ports bond2
   bridge_stp on

auto br-tag100
iface br-tag100 inet static
   address 10.0.100.2
   netmask 255.255.255.0
   bridge_ports bond2.100
   bridge_stp on

auto bond2
iface bond2 inet manual
   up ip link set $IFACE up
   down ip link set $IFACE down
   pre-up ip link set up dev swp3
   pre-up ip link set up dev swp4
   bond-slaves swp3 swp4
   bond-mode 802.3ad
   bond-miimon 100
   bond-use-carrier 1
   bond-lacp-rate 1
   bond-min-links 1
   bond-xmit_hash_policy layer3+4
   up ip link set $IFACE up
   down ip link set $IFACE down

auto bond2.100
iface bond2.100 inet manual
   up ip link set $IFACE up
   down ip link set $IFACE down

Preface for Creating Rules

Cumulus Linux installs the rules placed in the /etc/cumulus/acl/policy.d directory. They are installed when the switch boots and whenever you run the cl-acltool -i command. The file names and the number of files in that directory do not matter; a single rule can live in a file named test.rules, for example. Each rule must be listed under the header for its rule type:

  • iptables corresponds to IPv4
  • ip6tables corresponds to IPv6
  • ebtables corresponds to either IPv4 or IPv6, depending on the rule, or to Layer 2 only if the rule specifies no IP match

If any rule in any file under /etc/cumulus/acl/policy.d/ fails to parse, none of the rules are installed and an error is reported. For example, with a file that uses the nonexistent header [ip5tables]:

cumulus@switch:/etc/cumulus/acl/policy.d$ sudo cl-acltool -i
Reading files under /etc/cumulus/acl/policy.d
Reading rule file /etc/cumulus/acl/policy.d/00control_plane.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/00control_plane.rules ...
Reading rule file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Reading rule file /etc/cumulus/acl/policy.d/a_bad_rule.rule ...
Processing rules in file /etc/cumulus/acl/policy.d/a_bad_rule.rule ...
error: unknown rule type [ip5tables]
No acl policies to install, ... aborting
cumulus@switch:/etc/cumulus/acl/policy.d$

The rules below cover the different rule types. Each example is the full contents of a file named test.rules in /etc/cumulus/acl/policy.d/.

Egress Rule

The following rule drops any TCP traffic with a destination port of 200 that is forwarded from host1 or host2 out of bond2 toward Switch 2 (rule-1 in the diagram). The match is on the egress interface, but the traffic passes through the switch, so the rule belongs in the FORWARD chain, not OUTPUT.

[iptables]
-A FORWARD -o bond2 -p tcp --dport 200 -j DROP

Ingress Rule

The following rule drops any UDP traffic with a source port of 200 that arrives on swp2 (host2's port in the configuration above) and is forwarded through the switch (rule-2 in the diagram).

[iptables]
-A FORWARD -i swp2 -p udp --sport 200 -j DROP

Input Rule

The following rule drops any UDP traffic with a source port of 200 and a destination port of 50 sent from host1 on swp1 to the switch itself (rule-3 in the diagram). Because the switch is the destination, this is the INPUT chain.

[iptables]
-A INPUT -i swp1 -p udp --sport 200 --dport 50 -j DROP

Output Rule

The following rule drops any TCP traffic with a source port of 123 and a destination port of 123 that Switch1 itself sends to host2 over br-tag100 (rule-4 in the diagram). Traffic originating on the switch uses the OUTPUT chain.

[iptables]
-A OUTPUT -o br-tag100 -p tcp --sport 123 --dport 123 -j DROP

Combined Rules

The following rule drops any TCP traffic with a source port of 123 and a destination port of 123 leaving on any switch port (swp+ matches every swpN interface), whether it is forwarded through Switch1 or generated by Switch1, toward host1 or host2 (rule-4 and rule-1 in the diagram). A comma-separated chain list applies one rule to each listed chain:

[iptables]
-A OUTPUT,FORWARD -o swp+ -p tcp --sport 123 --dport 123 -j DROP

cl-acltool installs this as two ACLs. It is equivalent to:

-A FORWARD -o swp+ -p tcp --sport 123 --dport 123 -j DROP
-A OUTPUT -o swp+ -p tcp --sport 123 --dport 123 -j DROP
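Because cl-acltool -i is all-or-nothing (the [ip5tables] failure in the preface above aborts the whole install), it is worth linting the rule files before installing them. The script below is an added example written for this page; it is not part of the article and not part of cl-acltool. It checks every file under policy.d in lexical order for a valid section header ([iptables], [ip6tables], [ebtables]), a valid chain name in each -A/-I line, and prints the per-chain rules that a combined "-A OUTPUT,FORWARD ..." line expands to, which is the two-ACL form shown above. Only if the lint passes does it call cl-acltool -i. The POLICY_DIR default, the --install argument, the restriction to -A/-I rule lines and the lint checks themselves are assumptions of this example, not cl-acltool behaviour.

```shell
#!/usr/bin/env bash
# Added example (not from the Cumulus article or cl-acltool): pre-install
# lint for /etc/cumulus/acl/policy.d. Assumptions: rules use the -A/-I forms
# shown on this page; POLICY_DIR may be overridden for testing.
set -u

POLICY_DIR="${POLICY_DIR:-/etc/cumulus/acl/policy.d}"

# Section headers and chains accepted on this page.
is_valid_type()  { case "$1" in iptables|ip6tables|ebtables) return 0;; esac; return 1; }
is_valid_chain() { case "$1" in INPUT|OUTPUT|FORWARD)        return 0;; esac; return 1; }

# expand_chains "OUTPUT,FORWARD" "-o swp+ -p tcp --sport 123 --dport 123 -j DROP"
# prints one "-A <chain> <match>" line per chain: the separate ACLs that a
# comma-separated chain list turns into.
expand_chains() {
  local chains=$1 match=$2 c
  for c in $(printf '%s' "$chains" | tr ',' ' '); do
    printf -- '-A %s %s\n' "$c" "$match"
  done
}

# lint_rules_file FILE: returns 0 if every non-blank, non-comment line is a
# valid header or a rule with known chains; otherwise reports each problem
# on stderr and returns 1 (mirroring the "unknown rule type" abort above).
lint_rules_file() {
  local f=$1 type="" line lineno=0 rc=0 chains rest c
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    line=${line%%#*}                       # drop trailing comments
    line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ -z "$line" ] && continue
    case "$line" in
      \[*\])
        type=${line#\[}; type=${type%\]}
        is_valid_type "$type" || { echo "$f:$lineno: unknown rule type [$type]" >&2; rc=1; } ;;
      "-A "*|"-I "*)
        [ -n "$type" ] || { echo "$f:$lineno: rule before any [iptables]/[ip6tables]/[ebtables] header" >&2; rc=1; }
        rest=${line#* }; chains=${rest%% *}
        for c in $(printf '%s' "$chains" | tr ',' ' '); do
          is_valid_chain "$c" || { echo "$f:$lineno: unknown chain $c" >&2; rc=1; }
        done ;;
      *) echo "$f:$lineno: unrecognized line: $line" >&2; rc=1 ;;
    esac
  done < "$f"
  return $rc
}

# lint_rules_dir DIR: lint every file in lexical order (00... before 99...,
# the order the cl-acltool output above shows). Returns 1 if any file fails.
lint_rules_dir() {
  local dir=$1 f rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    lint_rules_file "$f" || rc=1
  done
  return $rc
}

# show_effective FILE: print the rules as cl-acltool will install them, one
# line per chain, prefixed with the section they belong to.
show_effective() {
  local f=$1 type="" line rest
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    case "$line" in
      *"["*"]"*)        type=${line#*[}; type=${type%%]*} ;;
      *"-A "*|*"-I "*)  rest=${line#*-[AI] }
                        expand_chains "${rest%% *}" "${rest#* }" | sed "s/^/[$type] /" ;;
    esac
  done < "$f"
}

# install_rules: lint first; call cl-acltool -i only when every file is clean.
install_rules() {
  lint_rules_dir "$POLICY_DIR" || { echo "lint failed; not running cl-acltool -i" >&2; return 1; }
  command -v cl-acltool >/dev/null 2>&1 || { echo "cl-acltool not found (not a Cumulus switch?)" >&2; return 2; }
  sudo cl-acltool -i
}

if [ "${1:-}" = "--install" ]; then install_rules; fi
```

Run it as `sudo ./acl-lint.sh --install` on the switch (the file name is arbitrary), or source it and call `show_effective /etc/cumulus/acl/policy.d/test.rules` to see how a combined chain list expands before installing anything. The lint is deliberately stricter than cl-acltool in one respect: it only accepts the -A/-I rule forms used on this page, so any other line is reported rather than silently passed through.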

L2-only Rules/ebtables

The following rule drops any frame with a source MAC address of 00:00:00:00:00:12 and a destination MAC address of 08:9e:01:ce:e2:04 that is forwarded through the switch on any port, regardless of the Layer 3 protocol carried.

[ebtables]
-A FORWARD -s 00:00:00:00:00:12 -d 08:9e:01:ce:e2:04 -j DROP


Comments

  • Anastas Dancha

    There is a typo in the "Combined Rules" section. FORWARD is spelled as "FOWARD".

  • Sean Cavanaugh

    Hey Anastas, thanks, fixed it!
