ACL Planning
A newly created ACL table is in blacklist mode by default, and its default outbound and inbound rules are "allow all" rules with the lowest priority. In practice, because ACLs are stateless, ACL configuration can be quite complex. This section introduces the key points of ACL rule setting and how to set appropriate ACL rules for a given scenario.
ACL Rule Suggestions
When setting up ACL rules, the following is suggested:
- ACL rules are stateless, so both outbound and inbound directions need to be considered when setting rules.
- The SurferCloud ACL takes effect per cloud resource by default. For example, if a reject rule with a target address of 0.0.0.0/0 is added, traffic between the host and the other hosts in the same subnet is also affected. An additional accept rule for the subnet's own segment is therefore necessary.
- Within one ACL table, no two inbound rules may have the same priority, and no two outbound rules may have the same priority.
- ACL rules should be placed as close as possible to the source of the traffic. For example, to forbid an IP address from accessing subnet resources, the block could be expressed as either an outbound or an inbound rule; it should be set up as an inbound rule that rejects the traffic.
- The public service segment of SurferCloud is accepted by default.
ACL Case Study
Let's use an example to discuss how to configure ACL rules.
The network architecture is shown below:
In this example, we need to configure ACL rules for subnet A in the SurferCloud Guangzhou Region. Subnet A needs to meet the following rules:
- The segment of subnet A is 10.10.1.0/24, and all hosts within the subnet can communicate with each other.
- Port 22 of subnet A can and can only be accessed by subnet B, whose segment is 192.168.1.0/24.
- Cloud resources of subnet A can only access port 53 (UDP/TCP) of 8.8.8.8 and cannot access other external network addresses.
- Port 80 of subnet A's cloud resources can be accessed by any address.
- Subnet A can normally use the public services provided by SurferCloud.
All other traffic is forbidden.
Therefore, the ACL rules for subnet A should be configured as follows:
- Inbound rules
Priority | Destination Port | Protocol | Source Address | Action | Description |
---|---|---|---|---|---|
1 | 22 | TCP | 192.168.1.0/24 | Accept | Allow subnet B to access port 22 |
2 | 80 | TCP | 0.0.0.0/0 | Accept | Allow any address to access port 80 |
3 | 32768-65535 | TCP | 8.8.8.8/32 | Accept | Allow replies from TCP port 53 of 8.8.8.8 to the subnet's hosts (temporary port range) |
4 | 32768-65535 | UDP | 8.8.8.8/32 | Accept | Allow replies from UDP port 53 of 8.8.8.8 to the subnet's hosts (temporary port range) |
5 | All | All | 10.10.1.0/24 | Accept | Allow intercommunication between hosts within the subnet |
6 | All | All | 10.13.192.0/18 | Accept | Allow access to public services |
30000 | All | All | 0.0.0.0/0 | Reject | Reject all other traffic by default |
* | All | All | 0.0.0.0/0 | Accept | All traffic is allowed by default; added automatically by the system at creation, lowest priority |
- Outbound rules
Priority | Destination Port | Protocol | Destination Address | Action | Description |
---|---|---|---|---|---|
1 | 53 | TCP | 8.8.8.8/32 | Accept | Allow subnet hosts to access TCP port 53 of 8.8.8.8 |
2 | 53 | UDP | 8.8.8.8/32 | Accept | Allow subnet hosts to access UDP port 53 of 8.8.8.8 |
3 | 32768-65535 | TCP | 0.0.0.0/0 | Accept | Allow replies from port 80 to any address and from port 22 to subnet B (temporary port range) |
4 | All | All | 10.10.1.0/24 | Accept | Allow subnet hosts to communicate with each other |
5 | All | All | 10.13.192.0/18 | Accept | Allow access to public services |
30000 | All | All | 0.0.0.0/0 | Reject | Reject all other traffic by default |
* | All | All | 0.0.0.0/0 | Accept | All traffic is allowed by default; added automatically by the system at creation, lowest priority |
ACL Rule Analysis
Taking "Port 22 of subnet A can and can only be accessed by subnet B, whose segment is 192.168.1.0/24" as an example, the analysis is as follows:
A temporary (ephemeral) port is a port assigned from a preset range when TCP, UDP, etc., actively initiate a connection; it is occupied only for the lifetime of that connection. On Linux, the range can be read with:

```shell
cat /proc/sys/net/ipv4/ip_local_port_range
```

The following command (run as root) modifies the temporary port range:

```shell
echo "32768 65535" > /proc/sys/net/ipv4/ip_local_port_range
```

This article uses "32768-65535" to refer to the temporary port range.
As shown above, the four tuples of the flow in which subnet B accesses port 22 of subnet A are marked. Therefore, under a default-reject policy, the following inbound and outbound rules need to be added:
- Inbound rules
Priority | Destination Port | Protocol | Source Address | Action | Description |
---|---|---|---|---|---|
1 | 22 | TCP | 192.168.1.0/24 | Accept | Allow subnet B to access port 22 |
- Outbound rules
Priority | Destination Port | Protocol | Destination Address | Action | Description |
---|---|---|---|---|---|
1 | 32768-65535 | TCP | 192.168.1.0/24 | Accept | Allow replies from port 22 back to subnet B's temporary ports |
For other scenarios, list and analyze the inbound and outbound five-tuples (source and destination IP, port, and protocol) in the same way.
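The case-study tables and the five-tuple analysis above can be checked mechanically. The following is an added example, not SurferCloud code or its ACL engine: a small stateless ACL simulator that loads the inbound and outbound rules of subnet A exactly as tabulated, evaluates each requirement as a pair of five-tuples (the request and its reply), and enforces the "no duplicate priority per direction" rule. It assumes lowest-number-wins first-match semantics, represents the system's own lowest-priority "allow all" rule with a very large priority number, and uses constructed sample values for the outside client address (203.0.113.5) and the client's temporary port (40000).

```python
"""Stateless ACL simulator for the subnet A case study (added example).

Not SurferCloud code. Assumes the lowest priority number wins on first match.
Addresses, ports and priorities are those of the case-study tables; the client
address 203.0.113.5 and client port 40000 used in main() are constructed.
"""
import ipaddress
from dataclasses import dataclass

SUBNET_A = "10.10.1.0/24"
SUBNET_B = "192.168.1.0/24"
PUBLIC_SERVICES = "10.13.192.0/18"
ANY = "0.0.0.0/0"
SYSTEM_DEFAULT = 2**31  # stand-in for the "*" priority of the system's allow-all rule


@dataclass(frozen=True)
class Rule:
    priority: int
    port: tuple   # destination port range (lo, hi); (0, 65535) means "All"
    proto: str    # "tcp", "udp" or "all"
    addr: str     # source network (inbound) or destination network (outbound)
    action: str   # "accept" or "reject"


def R(priority, port, proto, addr, action):
    """Build a Rule from the table's textual port spec ("22", "32768-65535", "all")."""
    if port == "all":
        lo, hi = 0, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-"))
    else:
        lo = hi = int(port)
    return Rule(priority, (lo, hi), proto, addr, action)


# Inbound rules of subnet A, in table order.
INBOUND = [
    R(1, "22", "tcp", SUBNET_B, "accept"),
    R(2, "80", "tcp", ANY, "accept"),
    R(3, "32768-65535", "tcp", "8.8.8.8/32", "accept"),   # DNS/TCP replies
    R(4, "32768-65535", "udp", "8.8.8.8/32", "accept"),   # DNS/UDP replies
    R(5, "all", "all", SUBNET_A, "accept"),
    R(6, "all", "all", PUBLIC_SERVICES, "accept"),
    R(30000, "all", "all", ANY, "reject"),
    R(SYSTEM_DEFAULT, "all", "all", ANY, "accept"),
]
# Outbound rules of subnet A, in table order.
OUTBOUND = [
    R(1, "53", "tcp", "8.8.8.8/32", "accept"),
    R(2, "53", "udp", "8.8.8.8/32", "accept"),
    R(3, "32768-65535", "tcp", ANY, "accept"),            # replies from ports 22/80
    R(4, "all", "all", SUBNET_A, "accept"),
    R(5, "all", "all", PUBLIC_SERVICES, "accept"),
    R(30000, "all", "all", ANY, "reject"),
    R(SYSTEM_DEFAULT, "all", "all", ANY, "accept"),
]


def check_priorities(rules):
    """Rule suggestion: two rules in the same direction must not share a priority."""
    seen = set()
    for r in rules:
        if r.priority in seen:
            raise ValueError(f"duplicate priority {r.priority}")
        seen.add(r.priority)
    return True


def evaluate(rules, remote_ip, dport, proto):
    """Stateless match of one packet: first rule (by priority) that matches decides."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.proto not in ("all", proto):
            continue
        if not (r.port[0] <= dport <= r.port[1]):
            continue
        if ip not in ipaddress.ip_network(r.addr):
            continue
        return r.action
    return "reject"  # not reached while the system default rule is present


def flow_allowed(client_ip, client_port, server_ip, server_port, proto,
                 client_inside, inbound=INBOUND, outbound=OUTBOUND):
    """A connection works only if the request AND the reply packet are accepted.

    client_inside=True : a subnet A host initiates (request outbound, reply inbound).
    client_inside=False: a remote host initiates (request inbound, reply outbound).
    """
    if client_inside:
        request = evaluate(outbound, server_ip, server_port, proto)
        reply = evaluate(inbound, server_ip, client_port, proto)
    else:
        request = evaluate(inbound, client_ip, server_port, proto)
        reply = evaluate(outbound, client_ip, client_port, proto)
    return request == "accept" and reply == "accept"


def main():
    check_priorities(INBOUND)
    check_priorities(OUTBOUND)
    cases = [  # (description, expected, flow arguments)
        ("SSH from subnet B", True, ("192.168.1.10", 40000, "10.10.1.5", 22, "tcp", False)),
        ("SSH from elsewhere", False, ("203.0.113.5", 40000, "10.10.1.5", 22, "tcp", False)),
        ("HTTP from anywhere", True, ("203.0.113.5", 40000, "10.10.1.5", 80, "tcp", False)),
        ("DNS/UDP to 8.8.8.8", True, ("10.10.1.5", 40000, "8.8.8.8", 53, "udp", True)),
        ("HTTPS to the Internet", False, ("10.10.1.5", 40000, "1.1.1.1", 443, "tcp", True)),
        ("intra-subnet MySQL", True, ("10.10.1.5", 40000, "10.10.1.6", 3306, "tcp", True)),
    ]
    for desc, expected, args in cases:
        got = flow_allowed(*args)
        print(f"{desc:24s} allowed={got!s:5s} {'ok' if got == expected else 'MISMATCH'}")


if __name__ == "__main__":
    main()
```

Dropping outbound rule 3 and re-running the "SSH from subnet B" case shows the stateless pitfall from the suggestions list: the inbound accept alone is not enough, because the reply to the client's temporary port is then caught by the priority-30000 reject. The same mechanism also shows the limit of the "32768-65535" assumption: a peer whose operating system picks temporary ports outside that range gets its replies rejected by the same rule.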