Iptables to limit identified IP to outgoing

  • Question
  • Updated 2 years ago
Hello,

I have a problem now: my goal is to limit which host (with a specified IP) can access other places.

My iptables rules in below:
[iptables]
-A INPUT --in-interface swp3 -s 192.168.100.4/32 -d 0.0.0.0/0 -j ACCEPT
-A INPUT --in-interface swp3 -j DROP

The PC with IP 192.168.100.4 is connected directly to swp3. Any other IP that does not match should be DROPped.

However, it does not work. Does anyone have an idea?

Below is switch config for reference.

=============
auto swp1
iface swp1
        bridge-access 400

auto swp2
iface swp2
        bridge-access 400

auto swp3
iface swp3
        bridge-access 400

auto swp4
iface swp4

auto bridge
iface bridge
        bridge-ports swp1 swp2 swp3 swp4
        bridge-vlan-aware yes
        bridge-allow-untagged yes
        bridge-vids 1 400
        bridge-pvid 1
        bridge-stp on
====================

Thanks!
machiasiaweb

Posted 2 years ago
Eric Pulvino, Official Rep
You need to use "-A FORWARD" instead of "INPUT" here. See the "Understanding Chains" section of the docs: docs.cumulusnetworks.com/display/DOCS/Netfilter+-+ACLs#Netfilter-ACLs-UnderstandingChains
machiasiaweb
Thanks, updated as follows:

[iptables]
-A FORWARD --in-interface swp3 -s 192.168.100.14/32 -d 0.0.0.0/0 -j ACCEPT
-A FORWARD --in-interface swp3 -j DROP

but it still does not work.
David Marshall, Employee
Where is "192.168.100.14/32"?
machiasiaweb
192.168.100.14 is the host directly connected to swp3.
Eric Pulvino, Official Rep
What does the output of "cl-acltool -L all" show?
machiasiaweb
Hello, please check the following output.

$ sudo cl-acltool -L all
warning: Detected platform is Cumulus VX
warning: Running in no-hw-sync mode. No rules will be programmed in hw
-------------------------------
Listing rules of type iptables:
-------------------------------
TABLE filter :
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  swp+   any     240.0.0.0/5          anywhere
    0     0 DROP       all  --  swp+   any     loopback/8           anywhere
    0     0 DROP       all  --  swp+   any     224.0.0.0/4          anywhere
    0     0 DROP       all  --  swp+   any     255.255.255.255      anywhere
    0     0 SETCLASS   udp  --  swp+   any     anywhere             anywhere             udp dpt:3785 SETCLASS  class:7
    0     0 POLICE     udp  --  any    any     anywhere             anywhere             udp dpt:3785 POLICE  mode:pkt rate:2000 burst:2000
    0     0 SETCLASS   udp  --  swp+   any     anywhere             anywhere             udp dpt:3784 SETCLASS  class:7
    0     0 POLICE     udp  --  any    any     anywhere             anywhere             udp dpt:3784 POLICE  mode:pkt rate:2000 burst:2000
    0     0 SETCLASS   udp  --  swp+   any     anywhere             anywhere             udp dpt:4784 SETCLASS  class:7
    0     0 POLICE     udp  --  any    any     anywhere             anywhere             udp dpt:4784 POLICE  mode:pkt rate:2000 burst:2000
    0     0 SETCLASS   ospf --  swp+   any     anywhere             anywhere             SETCLASS  class:7
    0     0 POLICE     ospf --  any    any     anywhere             anywhere             POLICE  mode:pkt rate:2000 burst:2000
    0     0 SETCLASS   pim  --  swp+   any     anywhere             anywhere             SETCLASS  class:6
    0     0 POLICE     pim  --  any    any     anywhere             anywhere             POLICE  mode:pkt rate:2000 burst:2000
    0     0 SETCLASS   tcp  --  swp+   any     anywhere             anywhere             tcp dpt:bgp SETCLASS  class:7
    0     0 POLICE     tcp  --  any    any     anywhere             anywhere             tcp dpt:bgp POLICE  mode:pkt rate:2000 burst:2000
    0     0 SETCLASS   tcp  --  swp+   any     anywhere             anywhere             tcp spt:bgp SETCLASS  class:7
    0     0 POLICE     tcp  --  any    any     anywhere             anywhere             tcp spt:bgp POLICE  mode:pkt rate:2000 burst:2000
    0     0 SETCLASS   tcp  --  swp+   any     anywhere             anywhere             tcp dpt:5342 SETCLASS  class:7
    0     0 POLICE     tcp  --  any    any     anywhere             anywhere             tcp dpt:5342 POLICE  mode:pkt rate:2000 burst:2000
    0     0 SETCLASS   tcp  --  swp+   any     anywhere             anywhere             tcp spt:5342 SETCLASS  class:7
    0     0 POLICE     tcp  --  any    any     anywhere             anywhere             tcp spt:5342 POLICE  mode:pkt rate:2000 burst:2000
    0     0 SETCLASS   icmp --  swp+   any     anywhere             anywhere             SETCLASS  class:2
    0     0 POLICE     icmp --  any    any     anywhere             anywhere             POLICE  mode:pkt rate:100 burst:40
    0     0 SETCLASS   udp  --  swp+   any     anywhere             anywhere             udp dpts:bootps:bootpc SETCLASS  class:2
    0     0 POLICE     udp  --  any    any     anywhere             anywhere             udp dpt:bootps POLICE  mode:pkt rate:100 burst:100
    0     0 POLICE     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc POLICE  mode:pkt rate:100 burst:100
    0     0 SETCLASS   tcp  --  swp+   any     anywhere             anywhere             tcp dpts:bootps:bootpc SETCLASS  class:2
    0     0 POLICE     tcp  --  any    any     anywhere             anywhere             tcp dpt:bootps POLICE  mode:pkt rate:100 burst:100
    0     0 POLICE     tcp  --  any    any     anywhere             anywhere             tcp dpt:bootpc POLICE  mode:pkt rate:100 burst:100
    0     0 SETCLASS   udp  --  swp+   any     anywhere             anywhere             udp dpt:10001 SETCLASS  class:3
    0     0 POLICE     udp  --  any    any     anywhere             anywhere             udp dpt:10001 POLICE  mode:pkt rate:2000 burst:2000
    0     0 SETCLASS   igmp --  swp+   any     anywhere             anywhere             SETCLASS  class:6
    0     0 POLICE     igmp --  any    any     anywhere             anywhere             POLICE  mode:pkt rate:300 burst:100
    0     0 POLICE     all  --  swp+   any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL POLICE  mode:pkt rate:1000 burst:1000 class:0
    0     0 POLICE     all  --  swp+   any     anywhere             anywhere             ADDRTYPE match dst-type IPROUTER POLICE  mode:pkt rate:400 burst:100 class:0
    0     0 SETCLASS   all  --  swp+   any     anywhere             anywhere             SETCLASS  class:0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  swp+   any     240.0.0.0/5          anywhere
    0     0 DROP       all  --  swp+   any     loopback/8           anywhere
    0     0 DROP       all  --  swp+   any     224.0.0.0/4          anywhere
    0     0 DROP       all  --  swp+   any     255.255.255.255      anywhere
    0     0 ACCEPT     all  --  swp3   any     192.168.100.14       anywhere
    0     0 DROP       all  --  swp3   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination




TABLE mangle :
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination




TABLE raw :
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination




--------------------------------
Listing rules of type ip6tables:
--------------------------------
TABLE filter :
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      swp+   any     ::                   anywhere
    0     0 DROP       all      swp+   any     ff00::/8             anywhere
    0     0 DROP       all      swp+   any     ::                   anywhere
    0     0 DROP       all      swp+   any     ::ffff:0.0.0.0/96    anywhere
    0     0 DROP       all      swp+   any     localhost            anywhere
    0     0 POLICE     udp      swp+   any     anywhere             anywhere             udp dpt:3785 POLICE  mode:pkt rate:2000 burst:2000 class:7
    0     0 POLICE     udp      swp+   any     anywhere             anywhere             udp dpt:3784 POLICE  mode:pkt rate:2000 burst:2000 class:7
    0     0 POLICE     udp      swp+   any     anywhere             anywhere             udp dpt:4784 POLICE  mode:pkt rate:2000 burst:2000 class:7
    0     0 POLICE     ospf     swp+   any     anywhere             anywhere             POLICE  mode:pkt rate:2000 burst:2000 class:7
    0     0 POLICE     tcp      swp+   any     anywhere             anywhere             tcp dpt:bgp POLICE  mode:pkt rate:2000 burst:2000 class:7
    0     0 POLICE     tcp      swp+   any     anywhere             anywhere             tcp spt:bgp POLICE  mode:pkt rate:2000 burst:2000 class:7
    0     0 POLICE     ipv6-icmp    swp+   any     anywhere             anywhere             ipv6-icmp router-solicitation POLICE  mode:pkt rate:100 burst:100 class:2
    0     0 POLICE     ipv6-icmp    swp+   any     anywhere             anywhere             ipv6-icmp router-advertisement POLICE  mode:pkt rate:500 burst:500 class:2
    0     0 POLICE     ipv6-icmp    swp+   any     anywhere             anywhere             ipv6-icmp neighbour-solicitation POLICE  mode:pkt rate:400 burst:400 class:2
    0     0 POLICE     ipv6-icmp    swp+   any     anywhere             anywhere             ipv6-icmp neighbour-advertisement POLICE  mode:pkt rate:400 burst:400 class:2
    0     0 POLICE     ipv6-icmp    swp+   any     anywhere             anywhere             ipv6-icmptype 130 POLICE  mode:pkt rate:200 burst:100 class:6
    0     0 POLICE     ipv6-icmp    swp+   any     anywhere             anywhere             ipv6-icmptype 131 POLICE  mode:pkt rate:200 burst:100 class:6
    0     0 POLICE     ipv6-icmp    swp+   any     anywhere             anywhere             ipv6-icmptype 132 POLICE  mode:pkt rate:200 burst:100 class:6
    0     0 POLICE     ipv6-icmp    swp+   any     anywhere             anywhere             ipv6-icmptype 143 POLICE  mode:pkt rate:200 burst:100 class:6
    0     0 POLICE     ipv6-icmp    swp+   any     anywhere             anywhere             POLICE  mode:pkt rate:64 burst:40 class:2
    0     0 POLICE     udp      swp+   any     anywhere             anywhere             udp dpts:dhcpv6-client:dhcpv6-server POLICE  mode:pkt rate:100 burst:100 class:2
    0     0 POLICE     tcp      swp+   any     anywhere             anywhere             tcp dpts:dhcpv6-client:dhcpv6-server POLICE  mode:pkt rate:100 burst:100 class:2
    0     0 POLICE     all      swp+   any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL POLICE  mode:pkt rate:1000 burst:1000 class:0
    0     0 POLICE     all      swp+   any     anywhere             anywhere             ADDRTYPE match dst-type IPROUTER POLICE  mode:pkt rate:400 burst:100 class:0
    0     0 SETCLASS   all      swp+   any     anywhere             anywhere             SETCLASS  class:0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      swp+   any     ff00::/8             anywhere
    0     0 DROP       all      swp+   any     ::                   anywhere
    0     0 DROP       all      swp+   any     ::ffff:0.0.0.0/96    anywhere
    0     0 DROP       all      swp+   any     localhost            anywhere

Chain OUTPUT (policy ACCEPT 7 packets, 640 bytes)
 pkts bytes target     prot opt in     out     source               destination




TABLE mangle :
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination




TABLE raw :
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination




-------------------------------
Listing rules of type ebtables:
-------------------------------
TABLE filter :
Bridge table: filter

Bridge chain: INPUT, entries: 16, policy: ACCEPT
-d BGA -i swp+ -j setclass --class 7 , pcnt = 0 -- bcnt = 0
-d BGA -j police --set-mode pkt --set-rate 2000 --set-burst 2000 , pcnt = 0 -- bcnt = 0
-d 1:80:c2:0:0:2 -i swp+ -j setclass --class 7 , pcnt = 0 -- bcnt = 0
-d 1:80:c2:0:0:2 -j police --set-mode pkt --set-rate 2000 --set-burst 2000 , pcnt = 0 -- bcnt = 0
-d 1:80:c2:0:0:e -i swp+ -j setclass --class 6 , pcnt = 0 -- bcnt = 0
-d 1:80:c2:0:0:e -j police --set-mode pkt --set-rate 200 --set-burst 200 , pcnt = 0 -- bcnt = 0
-d 1:0:c:cc:cc:cc -i swp+ -j setclass --class 6 , pcnt = 0 -- bcnt = 0
-d 1:0:c:cc:cc:cc -j police --set-mode pkt --set-rate 200 --set-burst 200 , pcnt = 0 -- bcnt = 0
-p ARP -i swp+ -j setclass --class 2 , pcnt = 0 -- bcnt = 0
-p ARP -j police --set-mode pkt --set-rate 400 --set-burst 100 , pcnt = 0 -- bcnt = 0
-d 1:0:c:cc:cc:cd -i swp+ -j setclass --class 7 , pcnt = 0 -- bcnt = 0
-d 1:0:c:cc:cc:cd -j police --set-mode pkt --set-rate 2000 --set-burst 2000 , pcnt = 0 -- bcnt = 0
-p IPv4 -i swp+ -j ACCEPT , pcnt = 0 -- bcnt = 0
-p IPv6 -i swp+ -j ACCEPT , pcnt = 0 -- bcnt = 0
-i swp+ -j setclass --class 0 , pcnt = 0 -- bcnt = 0
-j police --set-mode pkt --set-rate 100 --set-burst 100 , pcnt = 0 -- bcnt = 0

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Eric Pulvino, Official Rep
The issue is in the first two lines of the output above:
warning: Detected platform is Cumulus VX
warning: Running in no-hw-sync mode. No rules will be programmed in hw

Unfortunately Cumulus VX does not simulate ACL rules in the same way as with normal hardware. Could you provide output from the "iptables-save" command?
machiasiaweb
Hello,

Thanks for your update. Does that mean it should not happen when deployed on a physical switch?

Please find the output of "iptables-save" below:
****************************
cumulus@cumulus:~$ sudo iptables-save
[sudo] password for cumulus:
# Generated by iptables-save v1.4.21 on Mon Oct  3 03:21:23 2016
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Oct  3 03:21:23 2016
# Generated by iptables-save v1.4.21 on Mon Oct  3 03:21:23 2016
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Oct  3 03:21:23 2016
# Generated by iptables-save v1.4.21 on Mon Oct  3 03:21:23 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 240.0.0.0/5 -i swp+ -j DROP
-A INPUT -s 127.0.0.0/8 -i swp+ -j DROP
-A INPUT -s 224.0.0.0/4 -i swp+ -j DROP
-A INPUT -s 255.255.255.255/32 -i swp+ -j DROP
-A INPUT -i swp+ -p udp -m udp --dport 3785 -j SETCLASS --class 7
-A INPUT -p udp -m udp --dport 3785 -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000
-A INPUT -i swp+ -p udp -m udp --dport 3784 -j SETCLASS --class 7
-A INPUT -p udp -m udp --dport 3784 -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000
-A INPUT -i swp+ -p udp -m udp --dport 4784 -j SETCLASS --class 7
-A INPUT -p udp -m udp --dport 4784 -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000
-A INPUT -i swp+ -p ospf -j SETCLASS --class 7
-A INPUT -p ospf -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000
-A INPUT -i swp+ -p pim -j SETCLASS --class 6
-A INPUT -p pim -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000
-A INPUT -i swp+ -p tcp -m tcp --dport 179 -j SETCLASS --class 7
-A INPUT -p tcp -m tcp --dport 179 -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000
-A INPUT -i swp+ -p tcp -m tcp --sport 179 -j SETCLASS --class 7
-A INPUT -p tcp -m tcp --sport 179 -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000
-A INPUT -i swp+ -p tcp -m tcp --dport 5342 -j SETCLASS --class 7
-A INPUT -p tcp -m tcp --dport 5342 -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000
-A INPUT -i swp+ -p tcp -m tcp --sport 5342 -j SETCLASS --class 7
-A INPUT -p tcp -m tcp --sport 5342 -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000
-A INPUT -i swp+ -p icmp -j SETCLASS --class 2
-A INPUT -p icmp -j POLICE --set-mode pkt --set-rate 100 --set-burst 40
-A INPUT -i swp+ -p udp -m udp --dport 67:68 -j SETCLASS --class 2
-A INPUT -p udp -m udp --dport 67 -j POLICE --set-mode pkt --set-rate 100 --set-burst 100
-A INPUT -p udp -m udp --dport 68 -j POLICE --set-mode pkt --set-rate 100 --set-burst 100
-A INPUT -i swp+ -p tcp -m tcp --dport 67:68 -j SETCLASS --class 2
-A INPUT -p tcp -m tcp --dport 67 -j POLICE --set-mode pkt --set-rate 100 --set-burst 100
-A INPUT -p tcp -m tcp --dport 68 -j POLICE --set-mode pkt --set-rate 100 --set-burst 100
-A INPUT -i swp+ -p udp -m udp --dport 10001 -j SETCLASS --class 3
-A INPUT -p udp -m udp --dport 10001 -j POLICE --set-mode pkt --set-rate 2000 --set-burst 2000
-A INPUT -i swp+ -p igmp -j SETCLASS --class 6
-A INPUT -p igmp -j POLICE --set-mode pkt --set-rate 300 --set-burst 100
-A INPUT -i swp+ -m addrtype --dst-type LOCAL -j POLICE --set-mode pkt --set-rate 1000 --set-burst 1000 --set-class 0
-A INPUT -i swp+ -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 --set-class 0
-A INPUT -i swp+ -j SETCLASS --class 0
-A FORWARD -s 240.0.0.0/5 -i swp+ -j DROP
-A FORWARD -s 127.0.0.0/8 -i swp+ -j DROP
-A FORWARD -s 224.0.0.0/4 -i swp+ -j DROP
-A FORWARD -s 255.255.255.255/32 -i swp+ -j DROP
COMMIT
# Completed on Mon Oct  3 03:21:23 2016

*************************
Eric Pulvino, Official Rep
Output from "iptables-save" is what the standard Linux implementation thinks is applied; your output from "cl-acltool -L all" shows the 192.168.100.14 rule installed, but the standard Linux iptables implementation shows it as absent, and that is why it is not having any effect. The summary here is that ACL rules cannot be applied in the same way in VX as they are in standard Cumulus Linux on hardware -- but they can still be applied via direct calls to iptables.
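To make the comparison Eric describes (what cl-acltool reports versus what the kernel actually holds) repeatable rather than a matter of eyeballing a long dump, here is an added example that is not code from the thread or from Cumulus Linux. It parses the text format of `iptables-save` and reports whether an ACCEPT rule for a given input interface and source prefix sits in INPUT or FORWARD; both samples are constructed, the first mirroring the thread's VX dump (rule missing from FORWARD), the second showing the table once the FORWARD rules are installed.

```python
"""Check whether an ACL rule actually reached the kernel's iptables tables.
Added example, not code from the thread or from Cumulus Linux: it parses the
text format of `iptables-save` and looks for a rule by chain and options."""
import shlex
from typing import Dict, List

# Constructed sample: trimmed *filter table mirroring the thread's VX dump,
# where the 192.168.100.14 ACCEPT rule never made it into FORWARD.
SAMPLE_VX = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 240.0.0.0/5 -i swp+ -j DROP
-A INPUT -i swp+ -j SETCLASS --class 0
-A FORWARD -s 240.0.0.0/5 -i swp+ -j DROP
-A FORWARD -s 255.255.255.255/32 -i swp+ -j DROP
COMMIT
"""
# Constructed sample of the same table once the thread's FORWARD rules exist.
SAMPLE_OK = SAMPLE_VX.replace("COMMIT",
    "-A FORWARD -s 192.168.100.14/32 -i swp3 -j ACCEPT\n"
    "-A FORWARD -i swp3 -j DROP\nCOMMIT")

def parse_filter_rules(text: str) -> Dict[str, List[dict]]:
    """Return {chain: [rule, ...]} for the *filter table; a rule is a dict of
    its own options ({"-s": ..., "-i": "swp3", "-j": "ACCEPT"}), order-free."""
    chains: Dict[str, List[dict]] = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                          # table header
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith(":"):  # chain + policy
            chains.setdefault(line[1:].split()[0], [])
        elif table == "filter" and line.startswith("-A "):
            toks = shlex.split(line)
            rule, i = {}, 2
            while i < len(toks):                          # option [value]
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                rule[toks[i]] = toks[i + 1] if has_val else True
                i += 2 if has_val else 1
            chains.setdefault(toks[1], []).append(rule)
    return chains

def rule_present(chains: Dict[str, List[dict]], chain: str, **want) -> bool:
    """True if some rule in `chain` carries every option/value in `want`
    (keywords are option names without the dash). Bare hosts get /32,
    because iptables-save always prints a prefix length."""
    if "s" in want and "/" not in want["s"]:
        want["s"] += "/32"
    return any(all(r.get("-" + k) == v for k, v in want.items())
               for r in chains.get(chain, []))

def acl_status(save_text: str, iface: str, src: str) -> Dict[str, bool]:
    """Report whether the ACCEPT rule for (iface, src) sits in INPUT / FORWARD."""
    chains = parse_filter_rules(save_text)
    return {c: rule_present(chains, c, i=iface, s=src, j="ACCEPT")
            for c in ("INPUT", "FORWARD")}
```

On a switch, feed `acl_status` the text of `sudo iptables-save`; a result of `{"INPUT": False, "FORWARD": False}` for a rule that cl-acltool lists is exactly the VX symptom in this thread.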
machiasiaweb
Finally got a demo physical unit. Tested this function again and it works.
----
[iptables]
-A INPUT --in-interface swp3 -s 192.168.100.4/32 -d 0.0.0.0/0 -j ACCEPT
-A INPUT --in-interface swp3 -j DROP
-----