Host ACLs
TNSR can also create host ACLs to control traffic on host interfaces, such as the management interface. These ACLs are implemented using Netfilter.
As mentioned in Default Allowed Traffic, TNSR includes a default set of host ACLs which protect host OS interfaces. Host ACLs created by administrators can override or augment the default blocking behavior.
ACLs are ordered by sequence number, and evaluated from the start to the end, stopping when a match is found. Each ACL contains one or more rules which define matching criteria and actions taken.
To create a new ACL, from config mode, use the command host acl <acl-name>, with the name to use for the new ACL. This command enters config-host-acl mode, where the following commands are available:
- description <text>: A text description of the host ACL.
- sequence <acl-seq>: The sequence number of this ACL. This sequence number controls the order of the ACLs when TNSR generates the host OS ruleset.
- rule <rule-seq>: Creates a new rule in this ACL with the given sequence number and enters config-host-acl-rule mode. The sequence number of the rule controls the order of the individual rules inside this ACL.
Inside config-host-acl-rule mode, the following commands are available:
- action (deny|permit): Controls whether packets matching this rule will be passed (permit) or dropped (deny).
- description <text>: A text description of this rule.
- match input-interface <host-interface>: When set, this rule will only match traffic on the given host interface name. This is an interface name as seen by the host operating system, and not a TNSR interface.
- match ip address (source|destination) <ip-prefix>: Matches based on a given source or destination network.
- match ip icmp type <type> [code <code>]: Matches a specific IPv4 ICMP type and optionally matches the ICMP code as well. To match ICMP, the IP protocol must be set to icmp. Allowed types include: address-mask-reply, address-mask-request, destination-unreachable, echo-reply, echo-request, info-reply, info-request, parameter-problem, redirect, router-advertisement, router-solicitation, source-quench, time-exceeded, timestamp-reply, timestamp-request.
- match ip icmpv6 type <type> [code <code>]: Matches a specific IPv6 ICMP type and optionally matches the ICMP code as well. To match ICMP, the IP protocol must be set to icmp. Allowed types include: destination-unreachable, echo-reply, echo-request, mld-listener-query, mld-listener-reduction, mld-listener-report, nd-neighbor-advert, nd-neighbor-solicit, nd-redirect, nd-router-advert, nd-router-solicit, packet-too-big, parameter-problem, router-renumbering, time-exceeded.
- match ip port (source|destination) <port-num>: Matches the given source or destination port number. To match a port, the protocol must be tcp or udp.
- match ip port (source|destination) range start <low-port-num> [end <high-port-num>]: Matches the given source or destination port range, given as a lower start port number and a higher ending port number. To match a port, the protocol must be tcp or udp.
- match ip protocol (icmp|tcp|udp|<proto-number>): Matches the specified IP protocol. When unset, any protocol will match the rule. However, this option must be set to enable protocol-specific matching such as ports (TCP or UDP) or ICMP types/codes. To match protocols other than TCP, UDP, and ICMP, specify the protocol number from 0-255.
- match ip tcp flag (ack|cwr|ece|fin|psh|rst|syn|urg): Matches a specific TCP flag. May only be used when protocol is set to tcp.
- match ip version (4|6): Matches based on whether a packet is IPv4 (4) or IPv6 (6). This is required when matching by source or destination address.
- match mac address (source|destination) <mac>: Matches based on the source or destination MAC address. This is only valid for neighboring hosts on interfaces which provide layer 2 information, such as Ethernet.
Host ACL Example
This example configures a rule to allow traffic from the remote system 203.0.113.54 to reach a local host OS daemon on port 12345, used by the TNSR IDS daemon:
tnsr(config)# host acl tnsrids
tnsr(config-host-acl)# sequence 10
tnsr(config-host-acl)# description TNSR IDS
tnsr(config-host-acl)# rule 100
tnsr(config-host-acl-rule)# description Pass to tnsrids
tnsr(config-host-acl-rule)# action permit
tnsr(config-host-acl-rule)# match ip address source 203.0.113.54/32
tnsr(config-host-acl-rule)# match ip version 4
tnsr(config-host-acl-rule)# match ip protocol tcp
tnsr(config-host-acl-rule)# match ip port destination 12345
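The following Python model is added here as an illustration and is not part of TNSR or its documentation. It walks a packet through the evaluation order described above and visible in the generated ruleset: administrator ACLs in ascending sequence number, rules inside each ACL in ascending rule sequence, first match wins; then the built-in management allow-list; then the final drop. It loads the tnsrids ACL from this example plus a second, constructed ACL (ssh-block) with a lower sequence number, to show that an administrator deny placed ahead of the default chain overrides a default accept. The packet dictionary layout, the class names, and the ssh-block ACL are assumptions of the example, not TNSR configuration; loopback and connection-tracking state are not modelled.

```python
"""Model of TNSR host ACL evaluation order (added example, not TNSR code).

Order reproduced from the page's ruleset: tnsr_input jumps to the
administrator chain (tnsr_input_mgmt_local) before the default
allow-list (tnsr_input_mgmt_default), and anything neither chain
accepts hits the final drop. The "lo" and conntrack accepts at the top
of tnsr_input are left out. Packet fields and class names are this
example's own.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    seq: int
    action: str                        # "permit" or "deny"
    ip_version: Optional[int] = None   # match ip version (4|6)
    protocol: Optional[str] = None     # match ip protocol (icmp|tcp|udp)
    src: Optional[str] = None          # match ip address source <prefix>
    dst_port: Optional[int] = None     # match ip port destination <port>

    def matches(self, pkt: dict) -> bool:
        """Every configured criterion must hold; unset criteria match anything."""
        if self.ip_version is not None and pkt["version"] != self.ip_version:
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        # ip_network.__contains__ is False for a mismatched IP version
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


@dataclass
class HostAcl:
    name: str
    seq: int
    rules: List[Rule] = field(default_factory=list)


# Ports accepted by the page's tnsr_input_mgmt_default chain; ICMP and
# ICMPv6 are accepted there by protocol. The traceroute rules are omitted.
DEFAULT_ACCEPT_PORTS = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 123),
                        ("udp", 123), ("udp", 161), ("tcp", 9482)}


def default_chain(pkt: dict) -> Optional[str]:
    """Verdict of the default allow-list, or None when nothing matched."""
    if pkt["proto"] == "icmp":
        return "accept"
    if (pkt["proto"], pkt.get("dport")) in DEFAULT_ACCEPT_PORTS:
        return "accept"
    return None


def evaluate(acls: List[HostAcl], pkt: dict) -> Tuple[str, str]:
    """Return (verdict, decided_by). ACLs are walked in ascending sequence,
    rules inside each ACL likewise, and the first matching rule decides."""
    for acl in sorted(acls, key=lambda a: a.seq):
        for rule in sorted(acl.rules, key=lambda r: r.seq):
            if rule.matches(pkt):
                verdict = "accept" if rule.action == "permit" else "drop"
                return verdict, f"{acl.name}/{rule.seq}"
    verdict = default_chain(pkt)
    if verdict is not None:
        return verdict, "tnsr_input_mgmt_default"
    return "drop", "tnsr_input final drop"


# The page's example: permit 203.0.113.54 to TCP/12345 for the IDS daemon.
tnsrids = HostAcl("tnsrids", 10, [
    Rule(100, "permit", ip_version=4, protocol="tcp",
         src="203.0.113.54/32", dst_port=12345)])

# Constructed ACL (assumption, not from the page) with a lower sequence:
# evaluated before tnsrids, and because administrator ACLs run before the
# default allow-list its deny overrides the default accept of SSH.
ssh_block = HostAcl("ssh-block", 5, [
    Rule(10, "deny", ip_version=4, protocol="tcp",
         src="198.51.100.0/24", dst_port=22)])

ACLS = [tnsrids, ssh_block]

if __name__ == "__main__":
    for pkt in [
        {"version": 4, "proto": "tcp", "src": "203.0.113.54", "dport": 12345},
        {"version": 4, "proto": "tcp", "src": "203.0.113.99", "dport": 12345},
        {"version": 4, "proto": "tcp", "src": "198.51.100.7", "dport": 22},
        {"version": 4, "proto": "tcp", "src": "203.0.113.54", "dport": 22},
    ]:
        print(pkt, "->", evaluate(ACLS, pkt))
```

Running the block shows the four outcomes that matter when reviewing a host ACL set: the IDS peer is accepted by the administrator rule, any other source to that port falls through to the final drop, SSH from the constructed blocked network is dropped before the default chain can accept it, and SSH from an unlisted source still reaches the default accept.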
Host ACL Status
To see the list of current host ACLs, use the following command:
tnsr# show host acl
Access Control List: tnsrids
IPv  Seq Action Src IP            Dst IP   Src MAC           Dst MAC           Proto SP/T    DP/C    Flag bytes pkts
---- --- ------ ----------------- -------- ----------------- ----------------- ----- ------- ------- ---- ----- -----
ipv4 100 accept 203.0.113.54/32                                                tcp           12345        0     0
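As an added example (not TNSR code), the parser below reads the fixed-width show host acl table by taking column boundaries from the dash separator line, so empty cells such as Dst IP or Src MAC do not shift the fields that follow them, and then flags accept rows that carry no source constraint, which is a useful audit of host-side permits. The sample output is constructed from the column widths of the dashed line in the output above; the second ACL (syslog-in) and its rows, the assumption that each ACL block repeats its own header, and the spelling drop for a deny rule are this example's assumptions.

```python
"""Parser and audit for `show host acl` output (added example, not TNSR code)."""
import re
from typing import Dict, List, Optional, Tuple

# Column widths read off the dash separator line shown on the page.
_WIDTHS = [4, 3, 6, 17, 8, 17, 17, 5, 7, 7, 4, 5, 5]
_HEADER = ["IPv", "Seq", "Action", "Src IP", "Dst IP", "Src MAC", "Dst MAC",
           "Proto", "SP/T", "DP/C", "Flag", "bytes", "pkts"]


def _fixed(cells: List[str]) -> str:
    """Lay cells out in the fixed-width columns, one space between columns
    (used only to construct the sample output below)."""
    return " ".join(c.ljust(w) for c, w in zip(cells, _WIDTHS)).rstrip()


# Constructed sample: the page's tnsrids ACL plus an assumed second ACL.
SAMPLE = "\n".join([
    "Access Control List: tnsrids",
    _fixed(_HEADER),
    _fixed(["-" * w for w in _WIDTHS]),
    _fixed(["ipv4", "100", "accept", "203.0.113.54/32", "", "", "", "tcp", "", "12345", "", "0", "0"]),
    "Access Control List: syslog-in",
    _fixed(_HEADER),
    _fixed(["-" * w for w in _WIDTHS]),
    _fixed(["ipv4", "100", "accept", "", "", "", "", "udp", "", "514", "", "640", "8"]),
    _fixed(["ipv6", "200", "drop", "2001:db8::/32", "", "", "", "tcp", "", "22", "", "0", "0"]),
])

INT_COLUMNS = {"Seq", "bytes", "pkts"}


def column_spans(sep_line: str) -> List[Tuple[int, int]]:
    """Start/end offsets of each column, taken from the runs of dashes."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", sep_line)]


def slice_columns(line: str, spans: List[Tuple[int, int]]) -> List[Optional[str]]:
    """Cut a line at the column offsets; blank cells become None.
    The last column runs to end of line so a trailing rstrip is harmless."""
    cells = []
    for i, (start, end) in enumerate(spans):
        cell = line[start:] if i == len(spans) - 1 else line[start:end]
        cells.append(cell.strip() or None)
    return cells


def parse_show_host_acl(text: str) -> Dict[str, List[dict]]:
    """Return {acl_name: [row_dict, ...]} keyed by the header names."""
    acls: Dict[str, List[dict]] = {}
    lines = text.splitlines()
    current = None
    spans = headers = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Access Control List:"):
            current = line.split(":", 1)[1].strip()
            acls[current] = []
            spans = headers = None          # each ACL block has its own header
            i += 1
            continue
        if current is None or not line.strip():
            i += 1
            continue
        if spans is None:                   # header line followed by dash line
            spans = column_spans(lines[i + 1])
            headers = slice_columns(line, spans)
            i += 2
            continue
        row = dict(zip(headers, slice_columns(line, spans)))
        for key in INT_COLUMNS:
            if row.get(key) is not None:
                row[key] = int(row[key])
        acls[current].append(row)
        i += 1
    return acls


def unconstrained_accepts(acls: Dict[str, List[dict]]) -> List[Tuple[str, int, Optional[str], Optional[str]]]:
    """Accept rows with neither a source address nor a source MAC: permits
    to host daemons are normally scoped to the peer that needs them."""
    findings = []
    for name, rows in acls.items():
        for row in rows:
            if row["Action"] == "accept" and row["Src IP"] is None and row["Src MAC"] is None:
                findings.append((name, row["Seq"], row["Proto"], row["DP/C"]))
    return findings


if __name__ == "__main__":
    parsed = parse_show_host_acl(SAMPLE)
    for name, rows in parsed.items():
        print(name, rows)
    print("accepts without a source constraint:", unconstrained_accepts(parsed))
```

Deriving the offsets from the dash line rather than splitting on whitespace is the point: in the page's own row the Dst IP, Src MAC, Dst MAC, SP/T and Flag cells are empty, and a whitespace split would silently move tcp into the Dst IP column.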
Alternately, to see the host ACL ruleset directly:
tnsr# show host ruleset
table inet tnsr_filter {
    chain tnsr_input_mgmt_local {
        jump tnsrids
    }
    chain tnsr_input_mgmt_default {
        tcp dport 22 accept
        tcp dport 80 accept
        tcp dport 443 accept
        ip protocol 1 accept
        ip6 nexthdr 58 accept
        tcp dport 123 accept
        udp dport 123 accept
        udp dport 161 accept
        ip ttl 1 udp dport 33434-33524 counter packets 0 bytes 0 accept
        ip6 hoplimit 1 udp dport 33434-33524 counter packets 0 bytes 0 accept
        tcp dport 9482 accept
    }
    chain tnsr_input {
        type filter hook input priority 0; policy accept;
        iifname "lo" accept
        ct state 0x2,0x4 accept
        jump tnsr_input_mgmt_local
        jump tnsr_input_mgmt_default
        drop
    }
    chain tnsr_forward {
        type filter hook forward priority 0; policy drop;
    }
    chain tnsrids {
        meta nfproto 2 meta nfproto 2 ip saddr 203.0.113.54 tcp dport 12345 counter packets 0 bytes 0 accept
    }
}