Those who followed my CISH efforts a bit know that I started it off by
writing a wrapper for ipchains which accepted and displayed cisco-syntax
access-list rules. I've taken this concept one step further now and put
this functionality in a separate binary. This new command no longer needs
the ipchains command to function; it interfaces with the 2.2 kernel
interface directly.

Of course, this new command is what I'm using from cish now. It could be
that there's interest in it from other LEAF developers, though. Here's
a little overview of how to operate it:

[root@nexus /root]# access-list
access-list 200 permit tcp any any eq auth
access-list 200 jumpto 101 ip any any via eth2
access-list 200 jumpto 102 ip any any via dummy0
access-list 200 jumpto 103 ip any any via lo0
!
access-list 101 deny   tcp any host 62.250.1.1 eq 7000
access-list 101 deny   tcp any host 62.250.1.30 eq squid log
access-list 101 jumpto ssh tcp any any eq ssh
access-list 101 permit ip host 62.250.1.1 host 255.255.255.255
access-list 101 deny   ip any 127.0.0.0 0.255.255.255
access-list 101 deny   ip any 172.16.0.0 0.15.255.255
access-list 101 deny   ip any 192.168.0.0 0.0.255.255
access-list 101 deny   ip any 10.0.0.0 0.255.255.255
access-list 101 permit tcp any 62.250.1.0 0.0.0.31 range 21-23
access-list 101 permit tcp any 62.250.1.0 0.0.0.31 eq www
access-list 101 permit tcp any 62.250.1.0 0.0.0.31 estab
access-list 101 permit udp any 62.250.1.0 0.0.0.31 gt 1023
access-list 101 permit tcp any 62.250.1.0 0.0.0.31 gt 1023
access-list 101 deny   ip any any log
!
access-list 102 permit ip any any
!
access-list 103 permit tcp any lt 1024 any gt 1023 estab
access-list 103 deny   tcp any lt 1024 any lt 1024 syn
access-list 103 permit ip any any
!
access-list ssh permit ip 62.250.3.0 0.0.0.255 any
access-list ssh permit tcp any any estab
access-list ssh permit ip 213.136.0.0 0.0.255.255 any
access-list ssh permit ip host 62.250.7.5 any
access-list ssh permit ip host 195.64.94.172 any
access-list ssh permit ip any any log
[root@nexus /root]#

The output of the command without arguments prints out the access rules in
"conf format". Adding the "show" flag will show packet counts:

[root@nexus /root]# access-list show ssh
Extended IP access list ssh
    permit ip 62.250.3.0 0.0.0.255 any  (0 matches)
    permit tcp any any estab  (60354 matches)
    permit ip 213.136.0.0 0.0.255.255 any  (8 matches)
    permit ip host 62.250.7.5 any  (6 matches)
    permit ip host 195.64.94.172 any  (8 matches)
    permit ip any any  (84 matches)
[root@nexus /root]#

Some "beyond cisco" features are there as well, including inserting a
rule at the top, as in:

  access-list 100 insert permit tcp any any eq 80

and nuking a specific list entry, as in:

  access-list ssh no permit ip 62.250.3.0 0.0.0.255 any

If you're interested in testing this tool, drop me a note. It comes as a
single .c/.h file that can be compiled. If I get most of the bugs squashed
I will make it available as a generic download.

Cheers,
Pi

-- 
Head Development   --   Vuurwerk Internet   --   http://www.vuurwerk.nl/
Brainbench MVP Unix Programming, twisted artist and Free Software idiot.
Serversitter  and  Operator  for the Efnet  and Undernet  chat networks.
                                                * I need a mental stoma.


_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel

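The "conf format" lines in the post are plain cisco extended-ACL syntax, and the core job of a wrapper like the one described is translating them into ipchains rules for a 2.2 kernel. The following is an added example written for this page, not the author's access-list binary (whose source is not on the page). The mapping it assumes is: the list name is the ipchains chain name, permit/deny become ACCEPT/DENY, jumpto becomes a jump to a user-defined chain, `estab` becomes `! -y` (anything but a bare SYN), `syn` becomes `-y`, `log` becomes `-l`, `via IFACE` becomes `-i IFACE`, and the "beyond cisco" `insert` and `no` keywords become `-I` and `-D`. The service-name table and the sample configuration are constructed. One check worth having: a cisco wildcard mask need not be contiguous, but an ipchains `/prefix` mask must be, so the translator rejects non-contiguous wildcards instead of silently widening the match.

```python
"""Translate cisco-style extended access-list lines into ipchains(8)
commands (Linux 2.2). Added example; the keyword-to-flag mapping and the
service table below are assumptions, not the behaviour of any real tool."""
import ipaddress

# Constructed service table covering the names used in the post; a real
# wrapper would consult /etc/services instead.
SERVICE_PORTS = {"auth": 113, "ssh": 22, "www": 80, "squid": 3128,
                 "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
PORT_OPS = ("eq", "gt", "lt", "range", "neq")

# Constructed sample in the post's "conf format" ('!' separates lists).
SAMPLE_CONF = """access-list 200 jumpto 101 ip any any via eth2
!
access-list 101 deny   tcp any host 62.250.1.30 eq squid log
access-list 101 permit tcp any 62.250.1.0 0.0.0.31 range 21-23
"""


def wildcard_to_cidr(addr, wildcard):
    """Cisco wildcard (1 bits = don't care) -> CIDR. ipchains masks must be
    prefix masks, so a non-contiguous wildcard is an error, not a guess."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ~wc & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask %s" % wildcard)
    return str(ipaddress.IPv4Network((addr, prefix), strict=False))


def _port(tok):
    return int(tok) if tok.isdigit() else SERVICE_PORTS[tok]


def _parse_addr(tok, i):
    """'any' | 'host A' | 'A WILDCARD' at tok[i] -> (cidr, next index)."""
    if tok[i] == "any":
        return "0.0.0.0/0", i + 1
    if tok[i] == "host":
        return tok[i + 1] + "/32", i + 2
    return wildcard_to_cidr(tok[i], tok[i + 1]), i + 2


def _parse_port(tok, i):
    """Optional cisco port operator -> ipchains 'port[:port]' spec."""
    if i >= len(tok) or tok[i] not in PORT_OPS:
        return None, i
    op, arg = tok[i], tok[i + 1]
    if op == "eq":
        spec = str(_port(arg))
    elif op == "gt":
        spec = "%d:65535" % (_port(arg) + 1)
    elif op == "lt":
        spec = "0:%d" % (_port(arg) - 1)
    elif op == "range":
        lo, hi = arg.split("-")
        spec = "%d:%d" % (_port(lo), _port(hi))
    else:  # 'neq' needs two rules in ipchains; refuse rather than mistranslate
        raise ValueError("'neq' has no single-rule ipchains equivalent")
    return spec, i + 2


def translate(line):
    """One 'access-list ...' line -> one 'ipchains ...' command string."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    chain, i, op = tok[1], 2, "-A"   # append, first-match order as in cisco
    if tok[i] == "insert":            # beyond cisco: insert at the top
        op, i = "-I", i + 1
    elif tok[i] == "no":              # beyond cisco: delete this entry
        op, i = "-D", i + 1
    action, i = tok[i], i + 1
    if action == "jumpto":
        target, i = tok[i], i + 1     # jump to another (user-defined) chain
    elif action in ("permit", "deny"):
        target = "ACCEPT" if action == "permit" else "DENY"
    else:
        raise ValueError("unknown action %r" % action)
    proto, i = tok[i], i + 1
    if proto not in ("ip", "tcp", "udp"):
        raise ValueError("unsupported protocol %r" % proto)
    ports = proto in ("tcp", "udp")   # only tcp/udp rules carry ports
    src, i = _parse_addr(tok, i)
    sport, i = _parse_port(tok, i) if ports else (None, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i) if ports else (None, i)
    cmd = ["ipchains", op, chain] + ([] if proto == "ip" else ["-p", proto])
    cmd += ["-s", src] + ([sport] if sport else [])
    cmd += ["-d", dst] + ([dport] if dport else [])
    while i < len(tok):               # trailing flags, any order
        flag, i = tok[i], i + 1
        if flag in ("estab", "established"):
            cmd += ["!", "-y"]        # everything except a bare SYN
        elif flag == "syn":
            cmd += ["-y"]
        elif flag == "log":
            cmd += ["-l"]
        elif flag == "via":
            cmd, i = cmd + ["-i", tok[i]], i + 1
        else:
            raise ValueError("unknown flag %r" % flag)
    return " ".join(cmd + ["-j", target])


def translate_config(text):
    """Whole conf-format dump -> list of ipchains commands; '!' lines skipped."""
    return [translate(ln) for ln in text.splitlines()
            if ln.strip() and ln.strip() != "!"]


if __name__ == "__main__":
    for c in translate_config(SAMPLE_CONF):
        print(c)
```

Rule order is preserved because each line becomes an append to the same chain, which matches first-match semantics on both sides; the one thing the translation cannot reproduce is cisco's implicit deny at the end of a list, which on the ipchains side has to come from the chain policy or an explicit final `deny ip any any`.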