Access Control Lists in Linux

Many router operating systems run on top of Linux. This means that in some instances the router OS is an overlay for functionality that is actually implemented by Linux. FRR (Free Range Routing), for instance, only carries control-plane functionality, while the data plane of the router is handled by the underlying Linux system. Access Control Lists (ACLs) are implemented in the data plane, as there is no automatic generation or logic operating the access control lists. Because FRR has no functionality for generating or handling ACLs, we must configure the ACLs in the Linux terminal of the router. In GNS3, the Linux terminal can be accessed by right-clicking the router and selecting "Auxiliary Console". This should open a terminal/telnet window with a fairly default-looking Linux shell.

One caveat of using ACLs in the Linux terminal in the TTM4240 lab (Docker based) is that the configuration is not persistent by default. For the lab, persistence isn't necessary, as the tasks that require ACLs can be done and documented without the rules having to persist for the rest of the lab.

To configure ACLs, we use the Linux tool "iptables". iptables has a rich set of options, but for brevity's sake we provide the following example commands:

Example Commands

Setting default policies:

iptables -P INPUT ACCEPT/DROP
iptables -P FORWARD ACCEPT/DROP
iptables -P OUTPUT ACCEPT/DROP

Blocking or accepting a source or destination (respectively) for packets arriving on a given interface (ethX):

iptables -A FORWARD -i ethX -s 10.0.0.0/8 -j DROP/ACCEPT # Matches any source in 10.0.0.0/8 entering ethX
iptables -A FORWARD -i ethX -d 192.168.0.0 -j DROP/ACCEPT # A bare address without a prefix length matches only that single host (/32); write 192.168.0.0/16 to match the whole range

ACLs can also be matched on the outgoing interface, or on a combination of incoming and outgoing interfaces:

iptables -A FORWARD -o ethX -s 123.213.13.0/24 -d 111.222.121.0/24 -j DROP
iptables -A FORWARD -i eth0 -o eth1 -d 8.8.8.8 -j DROP

ACLs in iptables can also be used to block specific layer-4 ports:

iptables -A FORWARD -i eth0 -p tcp --dport 22 -j DROP # Blocks tcp/22 (SSH) traffic arriving on interface eth0

Setting Defaults

If there are pre-existing iptables rules that may interfere with the rules you are setting, you may have to flush the pre-existing configuration and define new defaults:

iptables -F # Flushes (deletes) all rules in all built-in chains
iptables -X # Deletes any empty user-defined chains

iptables -P INPUT DROP # Sets a default behaviour to drop packets addressed to the router itself
iptables -P FORWARD ACCEPT # Sets a default allow on forwarding of packets (packets going through the router)
iptables -P OUTPUT ACCEPT # Sets a default allow for packets originating from the router
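The following script ties the commands above together: it resets the tables, sets the default policies, adds a few forwarding ACL rules and then lists the FORWARD chain with packet counters so each rule can be checked against the traffic it was meant to match. It is an added example for this page, not part of the lab material or of FRR; the interface names (eth0, eth1), prefixes, host address and port are constructed for illustration. Since iptables needs root and is not present on every machine, the script defaults to DRY_RUN=1 and prints each command instead of running it; set DRY_RUN=0 on the router to apply the rules.

```shell
#!/bin/sh
# Added example for the TTM4240 lab page; not the lab's or FRR's own code.
# Interfaces, prefixes and ports are constructed for illustration.
# DRY_RUN=1 (the default) prints the iptables commands instead of executing
# them; DRY_RUN=0 executes them (requires root on the router).

: "${DRY_RUN:=1}"

# run CMD...: execute the command, or print it unchanged in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# with_prefix ADDR: make the prefix length explicit. iptables treats a bare
# address as a single-host (/32) match, which is rarely what an ACL intends,
# so stating it makes the rule's scope visible when the chain is listed.
with_prefix() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# reset_acl: flush all rules and user chains, then set default policies.
reset_acl() {
    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP      # packets addressed to the router itself
    run iptables -P FORWARD ACCEPT  # packets passing through the router
    run iptables -P OUTPUT ACCEPT   # packets originating from the router
}

# deny_from IFACE SRC: drop packets entering IFACE from source prefix SRC.
deny_from() {
    run iptables -A FORWARD -i "$1" -s "$(with_prefix "$2")" -j DROP
}

# deny_to IFACE DST: drop packets entering IFACE bound for destination DST.
deny_to() {
    run iptables -A FORWARD -i "$1" -d "$(with_prefix "$2")" -j DROP
}

# deny_port IN_IF OUT_IF PROTO PORT: drop PROTO traffic to PORT that enters
# IN_IF and would leave through OUT_IF.
deny_port() {
    run iptables -A FORWARD -i "$1" -o "$2" -p "$3" --dport "$4" -j DROP
}

# show_acl: list the FORWARD chain with rule numbers and packet/byte
# counters, the quickest way to confirm a rule is actually matching.
show_acl() {
    run iptables -L FORWARD -n -v --line-numbers
}

# apply_example_acl: a constructed policy that exercises every helper.
apply_example_acl() {
    reset_acl
    deny_from eth0 10.0.0.0/8      # drop the whole 10/8 range entering eth0
    deny_to   eth0 192.168.0.1     # drop traffic to one host entering eth0
    deny_port eth0 eth1 tcp 22     # no SSH from eth0 towards eth1
    show_acl
}

apply_example_acl
```

Two things to keep in mind when adapting this: rules are appended in order and the first match wins, so put the more specific rules before the broader ones; and the INPUT DROP default also discards routing-protocol packets addressed to the router itself (OSPF hellos, BGP sessions), so FRR adjacencies will drop unless you add explicit ACCEPT rules to INPUT for them.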