Netfilter ACL


Userlevel 1
I'm trying to deny reachability from 10.1.2.4 over to 10.1.2.3 with the following rule (below) applied to SwitchA; however, it seems as though I can still ping from .4 to .3. I was expecting this rule to work since it seems it would drop all packets, but for some reason it isn't. Thanks in advance!
The topology of the lab is:
10.1.2.3/24---swp5(SwitchA)swp1---swp1(SwitchB)swp5---10.1.2.4/24
-A OUTPUT -o swp5 -s 10.1.2.4/32 -d 10.1.2.3/32 -j DROP

21 replies

Userlevel 4
What is 10.1.2.3? A server plugged into swp5 on SwitchA?
Userlevel 1
Hey Sean, it's an end PC. Both .3 and .4 are PCs.
Userlevel 4
So Linux terminology can be a bit 'odd' when you are coming from a networking background. In this case you are using the 'output' chain, which only affects traffic that originates from SwitchA (rather than traffic transiting SwitchA). You want to use the 'forward' chain instead. My next question is VX or real hw? There are slight nuances with VX vs hw in regard to ip rules.
Userlevel 1
Ok... so I changed it to the following, but still was able to ping .3 from .4
-A FORWARD -i swp5 -s 10.1.2.4 -d 10.1.2.3 -j DROP
I'm running VX version 3.0
Userlevel 4
Ok, so you are on Cumulus VX. How did you 'apply' the rule? cl-acltool won't work on the VM (it's hw dependent). Just try applying the iptables rule directly on the command line: 'iptables -A FORWARD -i swp5 -s 10.1.2.4 -d 10.1.2.3 -j DROP'
Userlevel 1
I was actually using cl-acltool to install the rules.
I flushed the tables, installed the rule directly from the command line, verified that it was installed via the cl-acltool -L command, but for some reason am still able to ping across from .4 to .3
Userlevel 4
Hey B,

Can you please post the output of the following command->
cumulus@leaf01:~$ sudo iptables -L --line-numbers
Userlevel 1
Sean Cavanaugh wrote:

Hey B,

Can you please post the output of the following command->

cumulus@leaf01:~$ sudo ipt...

Hey Sean, just checking to make sure I sent the screenshot to the right address.
Thanks.
Userlevel 1
Just sent the screenshot over to your email. Feel free to continue the thread here.
Userlevel 4
Hey B,

I got your email. Can you email me or post here the configuration of /etc/network/interfaces of the switch that has the iptables rule installed?
Userlevel 1
Here you go Sean...
auto lo
iface lo inet loopback
    address 10.2.1.1/32

auto eth0
iface eth0 inet dhcp

auto swp1
iface swp1
    alias to Cumulus VX SW2 SWP1
    bridge-access 100 1 2
    up ip route add 0.0.0.0/0 via 10.1.1.2

auto swp2
iface swp2
    mstpctl-portadminedge yes
    mstpctl-bpduguard yes
    bridge-access 100

auto swp3
iface swp3

auto swp4
iface swp4

auto swp5
iface swp5
    bridge-access 2

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge-ports swp1 swp2 swp5
    bridge-vids 100 200 300 1
    bridge-pvid 1000
    bridge-stp on
    bridge-ageing 28800
    bridge-mcsnoop 1

auto bridge.100
iface bridge.100
    address 10.3.3.1/24

auto bond0
iface bond0
    address 10.1.1.1/30
    bond-slaves regex swp[3-4]
    bond-mode 802.3ad
    bond-miimon 100
    bond-lacp-rate 1
    bond-min-links 1

Userlevel 4
We might be hitting something where VX has different behavior from real HW. At cursory glance this looks ok. Go ahead and test something for me. Add the stanza

auto bridge.2
iface bridge.2
    address 10.2.2.100/24

perform an ifreload -a, then try the ping again. Let me know the results.
Userlevel 1
Stanza has been added, however, I'm still able to ping .4 from .3
Userlevel 4
Sent you an email, we can jump on a gotomeeting and screen share or something. If you can't get online today try the following troubleshooting steps->

  • try tcpdump on the switch. Normally in HW this would be data-plane, but this is all SW so we can see the packet. It's possible the subnet you are pinging 'from' is different than what you think you are...
  • try removing the -o swp5.... maybe there is an issue with iptables and specifying a specific interface with our renaming script on VX (this is not a problem on real hw...); this is a wild guess and most likely not the issue
  • use the -I with ping to specify a specific IP address to force the IP out a certain way...
  • can you ping the SVI (bridge.2) that we made from the 10.1.2.3/24? I have another guess that traffic is bypassing the device with the iptables rule on it (possibly).
Userlevel 1
Hey Sean,
  • the tcpdump verified that the source and destination IPs are correct
  • removed the swp5 attribute, but like you said, it wasn't the issue
  • the -I displayed the same results
  • I cannot ping the bridge.2 from 10.1.2.3/24, which hangs off of that switch
Userlevel 4
Follow-Up: VX seems to have some different behavior for iptables / cl-acltool for 3.1. This configuration would work on Cumulus Linux. I am talking to engineering and will follow-up on this ASAP. B's configuration looked correct when we got on a GoToMeeting and did a screen share.
Userlevel 1
Sean Cavanaugh wrote:

Follow-Up: VX seems to have some different behavior for iptables / cl-acltool for 3.1. This conf...

Thanks for all your efforts and support on this, it's greatly appreciated!
Userlevel 4
Sean Cavanaugh wrote:

Follow-Up: VX seems to have some different behavior for iptables / cl-acltool for 3.1. This conf...

Sent you unicast-email:

Please try the following:

root@sw1:~# cat /etc/cumulus/acl/policy.d/10.rules
[ebtables]
-A FORWARD -p ip --ip-source 10.1.2.4/32 --ip-destination 10.1.2.3/32 -o swp10 -j DROP

Then install the rules->

cl-acltool -i


Userlevel 1
Sean Cavanaugh wrote:

Follow-Up: VX seems to have some different behavior for iptables / cl-acltool for 3.1. This conf...

Hey Sean, that worked! Is this a temp fix for the VM? I think you were saying that my original rule should work in actual hardware, right?
Thanks
Userlevel 4
Sean Cavanaugh wrote:

Follow-Up: VX seems to have some different behavior for iptables / cl-acltool for 3.1. This conf...

Still trying to get a better explanation. ebtables is the table you want to use for Layer 2, iptables for Layer 3. My initial thoughts are that when you have 3 devices the lookup is done in L3 and out L3, but when there is an L2 adj (2 switches in the middle) this comes in L3, is put into L2 and goes out L2, meaning we have to use ebtables.

I will see if I get confirmation today from eng. ebtables will work in hw too. What I found out from this discussion is that we have started supporting cl-acltool in VX! I was not aware we were actually getting it to work on 3.1 and later.

So use ebtables for now, even on real hardware.
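Added example (not code from the thread or from Cumulus): a small Python model of the decision Sean describes above and in his earlier 'output' vs 'forward' reply. It picks the netfilter hook a packet actually hits on a Linux switch (locally generated -> iptables OUTPUT, to the switch -> INPUT, bridged same-subnet -> ebtables FORWARD, routed -> iptables FORWARD) and renders the matching DROP rule in the policy.d syntax shown above. `Switch`, `netfilter_hook`, `policy_rule` and `drop_rule_for` are assumed helper names; it assumes bridged frames do not traverse iptables FORWARD (they only do when br_netfilter's bridge-nf-call-iptables sysctl is on), and it uses swp5 as the output port because the topology line shows .3 hanging off swp5 of SwitchA.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of SwitchA from the thread. Assumption: bridged frames do
# not traverse iptables FORWARD (that only happens when br_netfilter's
# bridge-nf-call-iptables sysctl is enabled), matching what was observed.
@dataclass
class Switch:
    bridge_ports: set = field(default_factory=set)    # L2 member ports
    own_addrs: set = field(default_factory=set)       # SVIs, loopback, bond0
    bridged_nets: list = field(default_factory=list)  # subnets switched at L2

def netfilter_hook(src, dst, in_port, sw, locally_generated=False):
    """Return the (table, chain) pair a packet traverses on a Linux switch."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if locally_generated:                 # packet made by the switch itself
        return ("iptables", "OUTPUT")
    if dst in {ipaddress.ip_address(a) for a in sw.own_addrs}:
        return ("iptables", "INPUT")      # destined to the switch
    for net in sw.bridged_nets:           # same subnet across bridge ports
        net = ipaddress.ip_network(net)
        if in_port in sw.bridge_ports and src in net and dst in net:
            return ("ebtables", "FORWARD")
    return ("iptables", "FORWARD")        # routed between subnets

def policy_rule(table, chain, src, dst, out_if):
    """Render a DROP rule in /etc/cumulus/acl/policy.d/*.rules syntax."""
    if table == "ebtables":
        return (f"[ebtables]\n-A {chain} -p ip --ip-source {src}/32 "
                f"--ip-destination {dst}/32 -o {out_if} -j DROP")
    return f"[iptables]\n-A {chain} -o {out_if} -s {src}/32 -d {dst}/32 -j DROP"

def drop_rule_for(src, dst, in_port, out_if, sw):
    """Pick the hook a transit flow actually hits and render its DROP rule."""
    table, chain = netfilter_hook(src, dst, in_port, sw)
    return policy_rule(table, chain, src, dst, out_if)

# SwitchA as described in the thread: .4 arrives on swp1 from SwitchB and
# leaves on swp5 toward .3; both hosts sit in 10.1.2.0/24, so it is bridged.
switch_a = Switch(bridge_ports={"swp1", "swp2", "swp5"},
                  own_addrs={"10.2.1.1", "10.3.3.1", "10.2.2.100", "10.1.1.1"},
                  bridged_nets=["10.1.2.0/24"])

if __name__ == "__main__":
    print(drop_rule_for("10.1.2.4", "10.1.2.3", "swp1", "swp5", switch_a))
```

Running it prints the [ebtables] stanza for the .4 -> .3 flow; changing the destination to a host in 10.3.3.0/24 (routed via bridge.100) flips it to an [iptables] FORWARD rule, which is why the original OUTPUT and iptables FORWARD rules never matched.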
Userlevel 1
Sean Cavanaugh wrote:

Follow-Up: VX seems to have some different behavior for iptables / cl-acltool for 3.1. This conf...

Excellent Sean, thanks for update!!
