Issue
The user already knows the Cisco IOS ACL format and wants to translate ACLs to iptables for use with Cumulus Linux and cl-acltool (the iptables-to-hardware ASIC converter).
Please refer to the netfilter documentation for more information. Nixcraft is also a great resource for learning Linux and iptables; check out their article here. In addition to the man pages, Debian also has great documentation here.
You can find the Cisco Configuration Guide used to interpret their commands here.
Format

ACL / iptables Syntax Rules

IOS Standard Syntax

```
access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]
```

e.g. `access-list 10 permit tcp 10.10.10.0/24 3.3.3.3/24 eq www`

IOS Extended Syntax (including NX-OS)

```
ip access-list extended {<number> | <name>}
```

e.g.

```
ip access-list extended allow_http
  10 permit tcp 10.10.10.0/24 3.3.3.3/24 eq www
```

iptables (Netfilter)

```
iptables -A {FORWARD | INPUT | OUTPUT} -j {ACCEPT | DROP | POLICE | SPAN | ERSPAN} -p <protocol> -s <source> --sport [<ports>] -d <destination> --dport [<ports>] [<options>]
```

e.g. `iptables -A FORWARD -j ACCEPT -p tcp -s 10.10.10.0/24 -d 3.3.3.3/24 --dport 80`

Note: remember to put this in a flat file under /etc/cumulus/acl/policy.d/ and push it into hardware via the cl-acltool command.

Note: the ordering of the match options does not matter in iptables; the suggested format above matches IOS syntax closely to make it easier to memorize.
ACL-iptables Translation Table

Block ICMP echo requests on a switchport

Cumulus Linux:

```
iptables -A FORWARD -j DROP -i swp1 -p icmp --icmp-type echo-request
```

Cisco Systems IOS:

```
ip access-list extended block_icmp
```

Description: Blocks ICMP echo requests on the specified switchport (swp1 for Cumulus Linux and Gigabit Ethernet 0/0 on Cisco).

Block SSH to the switch itself

Cumulus Linux:

```
iptables -A INPUT -j DROP -p tcp -s 5.5.5.0/24 --dport 22
```

Cisco Systems IOS:

```
ip access-list extended block_ssh
  deny tcp 5.5.5.0 0.0.0.255 192.50.50.0 0.0.0.255 eq 22
interface g0/0
  ip access-group block_ssh in
```

Description: Blocks SSH traffic from the specified subnet (5.5.5.0/24) to the switch itself (the destination is an IP address assigned to the switch). For the Cisco device, the subnet(s) that you want to protect are specified explicitly, indicated here by the 192.50.50.0/24 subnet. Using this particular method, each interface would need to have the access-list tied to it. For Cumulus, the INPUT chain covers all subnets that the switch has configured on it (the control plane).

Allow NTP to transit the switch

Cumulus Linux:

```
iptables -A FORWARD -j ACCEPT -p udp -s 192.168.1.0/24 --dport 123
```

Cisco Systems IOS:

```
ip access-list extended allow_ntp
  permit udp 192.168.1.0 0.0.0.255 any eq ntp
interface g0/0
  ip access-group allow_ntp in
```

Description: Allows NTP traffic (UDP port 123) to transit the switch. The Cumulus Linux example applies this to all switchports, while the Cisco example only applies it to the Gigabit 0/0 interface.
Flat File Configuration

For persistent configuration of the iptables rules, create a .rules file in /etc/cumulus/acl/policy.d/. An example file is shown below.

```
cumulus@switch$ cat /etc/cumulus/acl/policy.d/sean.rules
[iptables]
-A FORWARD -j ACCEPT -p udp -s 192.168.1.0/24 --dport 123
-A INPUT -j DROP -p tcp -s 5.5.5.0/24 --dport 22
-A FORWARD -j ACCEPT -p tcp -s 10.10.10.0/24 -d 3.3.3.3/24 --dport 80
-A FORWARD -j DROP -i swp1 -p icmp --icmp-type echo-request
```
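As an added example (not code from the original article or from Cumulus Linux), a small Python translator that applies the syntax rules above to this page's own Cisco entries: it converts wildcard masks to CIDR, maps the port keywords used here (www, ssh, ntp; an assumed, constructed table), drops the destination on INPUT rules as the translation table explains, and emits the `[iptables]` file body that cl-acltool reads.

```python
import ipaddress

# Port keywords used in the Cisco examples on this page (assumed mapping,
# constructed for this example; extend for other IOS port names).
PORT_NAMES = {"www": 80, "ssh": 22, "ntp": 123}

def wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """Cisco wildcard mask (e.g. 0.0.0.255) -> CIDR prefix (e.g. x.x.x.0/24)."""
    netmask = ipaddress.IPv4Address((~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF)
    return str(ipaddress.IPv4Network((addr, str(netmask)), strict=False))

def parse_address(tokens, i):
    """Consume 'any', 'a.b.c.d/n' or '<addr> <wildcard>'; return (cidr or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1          # 'any' means no -s/-d match at all in iptables
    if "/" in tokens[i]:
        return tokens[i], i + 1     # CIDR form (as in the NX-OS example) passes through
    return wildcard_to_cidr(tokens[i], tokens[i + 1]), i + 2

def parse_port(tokens, i):
    """Consume an optional 'eq <port|name>'; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def ace_to_iptables(ace: str, chain: str = "FORWARD") -> str:
    """Translate one IOS extended access-list entry into a cl-acltool iptables line."""
    tokens = ace.split()
    if tokens[0].isdigit():         # drop an optional sequence number ('10 permit ...')
        tokens = tokens[1:]
    action = {"permit": "ACCEPT", "deny": "DROP"}[tokens[0]]
    src, i = parse_address(tokens, 2)
    sport, i = parse_port(tokens, i)
    dst, i = parse_address(tokens, i)
    dport, i = parse_port(tokens, i)
    # On INPUT the destination is the switch itself, so the IOS destination
    # subnet (the protected interface network) has no iptables counterpart.
    if chain == "INPUT":
        dst = None
    flags = [("-s", src), ("--sport", sport), ("-d", dst), ("--dport", dport)]
    return " ".join([f"-A {chain} -j {action} -p {tokens[1]}"]
                    + [f"{flag} {value}" for flag, value in flags if value])

def acl_to_rules_file(aces, chains) -> str:
    """Render (ace, chain) pairs as a policy.d/*.rules file body for cl-acltool."""
    rules = [ace_to_iptables(a, c) for a, c in zip(aces, chains)]
    return "\n".join(["[iptables]"] + rules) + "\n"
```

The caller chooses the chain per entry (INPUT for traffic to the switch, FORWARD for transit), since that distinction is not expressed in IOS syntax.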