<acl> section

This is basically the firewall section: you can add all your firewall rules
here, or leave it blank to keep using your current firewall.

The syntax for this section is a little more complex and is as follows...
<firewall>
  .
  .
  .
  <acl>
    <table name="filter">
      <chain name="INPUT" default="ACCEPT">
        <rule name="excess_connections" target="DROP">
          excess_connections_to_webserver
        </rule>
      </chain>
    </table>
  </acl>
  .
  .
  .
</firewall>
In the example above, one rule is added to the INPUT chain of the filter
table; it drops all new packets that arrive while the number of concurrent
connections to port 80 is higher than 10.

It is equivalent to...

iptables -t filter -A INPUT -d 192.168.0.10 -p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP
The following tags and parameters are available...

<table> ... </table>

The <table> tag encloses the directives you plan to use with a specific
table. Examples of tables are filter, nat and mangle.

The <table> tag takes the following parameters...

  name="..." - The name of the table we will be working with.

<chain> ... </chain>

The <chain> tag specifies which chain the rules defined between the opening
and closing tags apply to. Examples of already defined chains are INPUT,
OUTPUT and FORWARD.

The <chain> tag takes the following parameters...

  name="..." - The name of the chain we will be working with.
  default="..." - The default target (policy) for the chain.

<rule> ... </rule>

The <rule> tag specifies which classes apply to a rule; rules are inserted
into the actual iptables chains, in order, as iptables rules.

The <rule> tag takes the following parameters...

  name="..." - Optional name of the rule.
  cmd-line="..." - Optional extra command line parameters to pass to iptables.
  target="..." - The target for the rule, used as the -j <target> parameter
                 when generating iptables rules.

Between the opening and closing tags, classes defined in the <global>
section are listed; these classify which traffic applies to which rule.
Multiple classes can be listed, one per line.
A complete example combining a <global> section with an <acl> section...

<firewall>
  # Global configuration and access classes
  <global>
    <class name="http_traffic">
      <address dst="10.0.0.2" proto="tcp" dst-port="80"/>
    </class>
    <class name="ssh_traffic">
      <address dst="10.0.0.2" proto="tcp" dst-port="22"/>
    </class>
  </global>

  # Access control lists
  <acl>
    <table name="filter">
      <chain name="INPUT" default="DROP">
        <rule name="allowed_traffic" target="ACCEPT">
          http_traffic
          ssh_traffic
        </rule>
      </chain>
      <chain name="FORWARD" default="DROP">
      </chain>
      <chain name="OUTPUT" default="ACCEPT">
      </chain>
    </table>
  </acl>
</firewall>
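As an added illustration (not the tool's own code), the following Python sketch reads a configuration in the format above and produces the iptables commands it corresponds to, following the equivalence the page shows for the connlimit example: default="..." becomes the chain policy, each class listed in a rule expands to one -A line per <address>, and cmd-line="..." is appended before -j. The mapping of <address> attributes to iptables flags (dst to -d, proto to -p, dst-port to --dport, and so on) and the stripping of "#" comment lines are assumptions about the format; the sample configuration is constructed.

```python
import shlex
import xml.etree.ElementTree as ET

SAMPLE = """<firewall>
# Global configuration and access classes (constructed sample, not the tool's own)
<global>
  <class name="http_traffic">
    <address dst="10.0.0.2" proto="tcp" dst-port="80"/>
  </class>
  <class name="ssh_traffic">
    <address dst="10.0.0.2" proto="tcp" dst-port="22"/>
  </class>
</global>
<acl>
  <table name="filter">
    <chain name="INPUT" default="DROP">
      <rule name="allowed_traffic" target="ACCEPT">
        http_traffic
        ssh_traffic
      </rule>
    </chain>
  </table>
</acl>
</firewall>"""
# Assumed mapping of <address> attributes to iptables match flags.
ADDR_FLAGS = {"src": "-s", "dst": "-d", "proto": "-p", "src-port": "--sport", "dst-port": "--dport"}
def parse_config(text):
    # "#" comment lines are not well-formed XML, so drop them before parsing.
    return ET.fromstring("\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#")))
def class_matches(root):
    # Each <global> class maps to one match-argument list per <address> it contains.
    return {cls.get("name"): [[tok for a, f in ADDR_FLAGS.items() if a in addr.attrib for tok in (f, addr.attrib[a])]
                              for addr in cls.findall("address")] for cls in root.iter("class")}
def generate_rules(text):  # -> iptables commands equivalent to the <acl> section, in file order
    root, cmds = parse_config(text), []
    classes = class_matches(root)
    for table in root.iter("table"):
        t = table.get("name")
        for chain in table.findall("chain"):
            c = chain.get("name")
            if chain.get("default"):  # default="..." becomes the chain policy
                cmds.append(f"iptables -t {t} -P {c} {chain.get('default')}")
            for rule in chain.findall("rule"):
                extra = shlex.split(rule.get("cmd-line", ""))  # optional extra iptables arguments
                for cls in (rule.text or "").split():  # class names, one per line
                    if cls not in classes:
                        raise ValueError(f"rule {rule.get('name')}: undefined class {cls}")
                    for match in classes[cls]:
                        cmds.append(" ".join(["iptables", "-t", t, "-A", c, *match, *extra, "-j", rule.get("target")]))
    return cmds
```

A class name that is listed in a rule but never defined in <global> is reported as an error rather than silently producing a rule with no match, which would otherwise turn an ACCEPT rule into an allow-all.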