Cumulus Linux vs Cisco IOS Access-Lists




The user already knows Cisco IOS format, and wants translation of ACLs to iptables for use with Cumulus Linux and cl-acltool (iptables->hardware ASIC converter).

Please refer to the netfilter documentation for more information. Nixcraft is also a great resource for learning Linux and iptables, check out their article here. In addition to the man pages, Debian also has great documentation here.

You can find the Cisco Configuration Guide used to interpret their commands here.


ACL / iptables Syntax Rules

IOS Standard Syntax

access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]


 access-list 10 permit tcp eq www

IOS Extended Syntax (including NX-OS)

ip access-list extended  {<number> | <name>}
  [<sequence>] {permit | deny} <protocol> <source> [<ports>]<destination> [<ports>] [<options>]


ip access-list extended allow_http
  10 permit tcp eq www

iptables (Netfilter)

 iptables -A {FORWARD | INPUT | OUTPUT} -j {ACCEPT | DROP | POLICE | SPAN | ERSPAN} | -p <protocol> -s <source> --sport [<ports>] -d destination> --dport [<ports>] [<options>]


iptables -A FORWARD -j ACCEPT -p tcp -s -d --dport 80

*remember to put this in a flat file under /etc/cumulus/acl/policy.d/ and push into hardware via the cl-acltool command.

**the ordering does not matter in iptables, however the suggested format above matches closely to IOS syntax to make it easier to memorize 



ACL-iptables Translation Table

Cumulus Linux Cisco Systems IOS
iptables -A FORWARD -j DROP -i swp1 -p icmp --icmp-type echo-request

Description: Blocks icmp echo requests on the specified switchport (swp1 for Cumulus Linux and Gigabit Ethernet 0/0 on Cisco)

ip access-list extended block_icmp
deny icmp any any echo interface g0/0 ip access-group block_icmp in

iptables -A INPUT -j DROP -p tcp -s --dport 22 

Description: Blocks SSH traffic from the specified subnet ( to the switch itself (destination is the switch, i.e. an IP address that is assigned to the switch). For the Cisco device, the subnet(s) that you want to protect are specified, which is indicated by the subnet. Using this particular method, each interface would need to have the access-list tied to it. For Cumulus, the INPUT chain indicates all subnets that the switch has configured on it (control plane). 

ip access-list extended block_ssh
  deny tcp eq 22
interface g0/0
  ip access-group block_ssh in
iptables -A FORWARD -j ACCEPT -p udp -s --dport 123

Description: Allows NTP traffic to transit the switch (UDP port 123). The Cumulus Linux example applies this to all switchports, while the Cisco example is only applying this to the Gigabit 0/0 interface.

ip access-list extended allow_ntp
  permit udp any eq ntp
interface g0/0
  ip access-group allow_ntp in

Flat File Configuration

For persistent configuration of the iptables rules, create a .rules file, in /etc/cumulus/acl/policy.d/. An example file is shown below.

cumulus@switch$ cat /etc/cumulus/acl/policy.d/sean.rules
-A FORWARD -j ACCEPT -p udp -s --dport 123
-A INPUT -j DROP -p tcp -s --dport 22
-A FORWARD -j ACCEPT -p tcp -s -d --dport 80
-A FORWARD -j DROP -i swp1 -p icmp --icmp-type echo-request

See Also

Have more questions? Submit a request


Powered by Zendesk