Re: Cisco ACL vs. iptables semantics

Walter Roberson wrote:

I'm not familar with the iptables fields, but I suspect that the
answer is NO.

*Every* Cisco ACL, for IOS and PIX, has an implied "deny everything"
at the end of it. Therefore your ip access-list extended blockssh
is equivilent to "deny ssh, and deny everything else too". If
the iptables entries you show do not have those semantics, then
they are not equivilent to the ACL.

Note: That's -every- Cisco IOS or PIX ACL, for every purpose I've
been able to find. But deny does not -always- mean "drop the traffic":
for example, in the context of Policy Based Routing (PBR), a deny in
the matching ACL just means that the policy is not in effect for
that denied traffic, and that it should be processed through any
remaining policies, with a default of going through regular
routing-table routing of none of the PBRs matched the packet.

Of course you are right, I should have phrased my question using better
Let's try: I know that ACLs "deny" does not always mean "block" or
"drop" packets.
But here, I was referring to a context of firewalling/packet filtering,
so "deny" should
really mean "drop" here. Then, you are right about the implicit deny at
the end of cisco
ACLs, but again I did not make clear what I was trying to understand.
Let's use the
incoming - first group of rules from my previous example, and assume
default policies are already
configured the same. My understanding (which of course could be wrong)
is that, if a cisco router is
running the ACL from my first example and receives a packet that
matches (eg, tcp port 22 with
destination, it drops the packet no matter what.
If, instead, the router is a host running iptables, the packet could be
assigned either to the
INPUT chain (if is an IP assigned to the router) or to the
FORWARD chain (if
the router's IP address is different). So, if I wanted to write some
iptables rule(s) for a "generic"
router host whose IP address is not known, and I wanted to guarantee
the same behavior, would
it be correct (semantically equivalent to the ACL) and enough to write
the two rules I wrote, one for
the INPUT chain and the other for the FORWARD chain?
For the output case, the problem is related, since packets leaving the
router could be originating
from the router itself or be forwarded by the router. So, the critical
info here is the source address
of the packet (and yes, as another poster already noted, I should have
written my second group
of rules differently instead of copying/pasting). Thus, the question:
whereas a cisco router running
an ACL like

ip access-list extended blah
deny tcp any eq 22

interface <name>
ip access-group blah out

drops a leaving matching packet no matter where it originated, does an
iptables firewall (whose IP
address is not known) need two rules, one for the FORWARD chain and one
for the OUPUT chain?

I hope it's clearer now.
Thanks for any help.


Relevant Pages

  • RE: deny access
    ... If this is an edge router you'd like secure it a bit more, ... Subject: deny access ... ACL to block one host would effectively block all hosts. ... From interface config mode, ...
  • Re: Hiding NATs with PF
    ... Even with my transparent squid setup I still get OpenBSD ... +acl snmppublic snmp_community somecommunitystring ... +http_access deny contextclick ... routing disabled between them cannot be described as a 'router' per-ce. ...
  • RE: ACL design.
    ... Remember to switch the acl statements ... access-list 110 deny ip any ... This may clog up your router if there is a lot of traffic so be careful. ... Definitely build this out as a test network. ...
  • Re: [Full-disclosure] RE: Example firewall script
    ... > of every ACL. ... > DENY ANY ANY at the end of their ACL's ... > should have a deny statement at the end, ... situations where large numbers of disparate hosts ...
  • Transparent Proxy using Squid and PF
    ... I need a little help on setting up transparent proxy with Squid and PF in FreeBSD 5.4-RELEASE. ... rdr on $int_if inet proto tcp from any to any port www -> port 3128 ... acl QUERY urlpath_regex cgi-bin \? ... no_cache deny QUERY ...