# Nokia (Alcatel-Lucent). Configuring Packet (IP) Filters
Packet filters (or, in Cisco terminology, Access Control Lists, ACLs) are one of the most used tools in a network engineer's toolset. Blocking telnet/ssh access, restricting specific traffic flows, implementing policy-based routing or NAT: all of these tasks rely on IP filter capabilities.

In this example I'll show you how to configure a basic SSH-blocking IP filter on a Nokia (Alcatel-Lucent) SROS router running TiMOS-B-12.0.R8.

According to the topology provided, we will block SSH access to R1's system IP. This particular task could be done in various ways, but we will configure an IP filter on R2 (applied to R2's interface to_R4 in the incoming direction).

The rule we will configure on R2 is as follows:

- If R2 receives a packet with TCP destination port 22 on interface to_R4, it must drop it.
Let's begin by testing SSH access before any configuration is done:

```
A:R4# ssh 1.1.1.1
The authenticity of host '1.1.1.1 (1.1.1.1)' can't be established.
RSA key fingerprint is 9c:97:50:00:b0:f7:45:6f:9e:14:9a:06:11:ba:c6:e8.
Are you sure you want to continue connecting (yes/no)? yes
TiMOS-B-12.0.R8 both/i386 ALCATEL SR 7750 Copyright (c) 2000-2015 Alcatel-Lucent.
All rights reserved. All use subject to applicable license agreements.
Built on Fri Jan 9 09:55:30 PST 2015 by builder in /rel12.0/b1/R8/panos/main
[email protected]'s password:
A:R1# logout
Connection to 1.1.1.1 closed.
```
Working as expected, good. Now let's block SSH access via IP filter configuration on R2:

```
## Creating the ip-filter
*A:R2# configure filter ip-filter 100 create
## Adding a description (optional)
*A:R2>config>filter>ip-filter$ description "block ssh to 1.1.1.1/32"
## Adding a name to the filter (optional)
*A:R2>config>filter>ip-filter$ filter-name "block_ssh_to_R1"
## Creating a filter entry
*A:R2>config>filter>ip-filter$ entry 10 create
## Specifying the match statement for TCP packets, since SSH uses TCP
*A:R2>config>filter>ip-filter>entry$ match protocol "tcp"
## In the match context, specifying the SSH port number
*A:R2>config>filter>ip-filter>entry>match$ dst-port eq 22
## Optionally adding another match rule: the destination IP of R1
*A:R2>config>filter>ip-filter>entry>match$ dst-ip 1.1.1.1/32
## Leaving the "match" context and adding the DROP action to this filter's entry
*A:R2>config>filter>ip-filter>entry>match$ back
*A:R2>config>filter>ip-filter>entry$ action drop
## Moving one step back to the filter's context and adding default action FORWARD, since implicitly it is DROP
*A:R2>config>filter>ip-filter>entry$ back
*A:R2>config>filter>ip-filter$ default-action forward
## Let's see the whole filter config at once
*A:R2# configure filter ip-filter 100
*A:R2>config>filter>ip-filter# info
----------------------------------------------
            filter-name "block_ssh_to_R1"
            default-action forward
            description "block ssh to 1.1.1.1/32"
            entry 10 create
                match protocol tcp
                    dst-ip 1.1.1.1/32
                    dst-port eq 22
                exit
                action drop
            exit
----------------------------------------------
```
We created a simple IP filter, but it is not yet applied to any interface. Let's do that:

```
*A:R2# configure router interface "toR4"
*A:R2>config>router>if# ingress filter ip
  "block_ssh_to_R1" 100    ## you can refer to the ip filter by its name or by its id
*A:R2>config>router>if# ingress filter ip "block_ssh_to_R1"
## make sure that the ip filter was applied correctly
*A:R2>config>router>if# info
----------------------------------------------
            address 10.2.4.2/24
            port 1/1/3
            ingress
                filter ip 100
            exit
            no shutdown
----------------------------------------------
```
Done, the filter has been applied to the appropriate interface and should now be running properly. Let's verify it by making an SSH login attempt once again, and then use the `show filter` command to see the details of the newly created filter along with the number of packets it has matched:
```
*A:R2# show filter ip 100
===============================================================================
IP Filter
===============================================================================
Filter Id : 100 Applied : Yes
Scope : Template Def. Action : Forward
Radius Ins Pt: n/a
CrCtl. Ins Pt: n/a
RadSh. Ins Pt: n/a
Entries : 1
Description : block ssh to 1.1.1.1/32
-------------------------------------------------------------------------------
Filter Match Criteria : IP
-------------------------------------------------------------------------------
Entry : 10
Description : (Not Specified)
Log Id : n/a
Src. IP : 0.0.0.0/0
Src. Port : n/a
Dest. IP : 1.1.1.1/32
Dest. Port : eq 22
Protocol : 6 Dscp : Undefined
ICMP Type : Undefined ICMP Code : Undefined
Fragment : Off Src Route Opt : Off
Sampling : Off Int. Sampling : On
IP-Option : 0/0 Multiple Option: Off
TCP-syn : Off TCP-ack : Off
Option-pres : Off
Match action : Drop
Ing. Matches : 2 pkts (156 bytes) ## See matched SSH packets
Egr. Matches : 0 pkts
===============================================================================
```
## Match-list and Port list

In the example above we used one IP address and one port to create our filter, but what if we need to match on a whole range of IP addresses and ports? In that case you use a match-list (here an ip-prefix-list) and a port-list, and reference them from the entry's match statement:
```
*A:R1>config>filter# info
----------------------------------------------
        match-list
            ip-prefix-list "3_routes" create
                prefix 10.10.10.10/32
                prefix 20.20.20.20/32
                prefix 30.30.30.30/32
            exit
            port-list "allowed_ports" create
                port 22
                port 80
            exit
        exit
        ip-filter 10 create
            default-action forward
            entry 10 create
                match protocol tcp
                    dst-port port-list "allowed_ports"
                    src-ip ip-prefix-list "3_routes"
                exit
                action drop
            exit
        exit
----------------------------------------------
```
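To make the first-match semantics and the implicit default-action concrete for both filters on this page (ip-filter 100 above and ip-filter 10 with its prefix list and port list), here is an added Python model (my code, not SROS code or the tutorial's) of how a filter decides a packet's fate: entries are tried in ascending entry-id order, the first entry whose criteria all match supplies the action, and anything unmatched gets the default action, which is drop unless `default-action forward` is configured. It models only the criteria used on this page (protocol, src-ip, dst-ip, dst-port, with prefix lists and port lists as tuples and sets); the `Packet` and `Entry` classes and the constructed sample packets are my assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: just the fields the filters on this page inspect."""
    protocol: str                      # "tcp", "udp", "icmp", ...
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None     # None for protocols without ports


def _in_any(addr, prefixes):
    """True if addr falls inside any prefix of the list (an ip-prefix-list or a single /32)."""
    a = ip_address(addr)
    return any(a in ip_network(p) for p in prefixes)


@dataclass
class Entry:
    """One `entry <id>` with its match criteria; empty criteria mean 'any'."""
    entry_id: int
    action: str                            # "drop" or "forward"
    protocol: Optional[str] = None         # match protocol; None = any
    src_prefixes: tuple = ()               # src-ip prefix(es); () = any (0.0.0.0/0)
    dst_prefixes: tuple = ()               # dst-ip prefix(es); () = any
    dst_ports: frozenset = frozenset()     # dst-port value or port-list; empty = any

    def matches(self, pkt):
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.src_prefixes and not _in_any(pkt.src_ip, self.src_prefixes):
            return False
        if self.dst_prefixes and not _in_any(pkt.dst_ip, self.dst_prefixes):
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        return True


@dataclass
class IpFilter:
    filter_id: int
    entries: list
    default_action: str = "drop"           # SROS implicit default-action is drop

    def evaluate(self, pkt):
        """Return (action, entry_id); entry_id is None when the default-action applied."""
        for entry in sorted(self.entries, key=lambda e: e.entry_id):
            if entry.matches(pkt):         # first match wins, later entries are not consulted
                return entry.action, entry.entry_id
        return self.default_action, None


# ip-filter 100 from this tutorial: drop TCP/22 to 1.1.1.1/32, forward everything else.
FILTER_100 = IpFilter(100, [Entry(10, "drop", protocol="tcp",
                                  dst_prefixes=("1.1.1.1/32",), dst_ports=frozenset({22}))],
                      default_action="forward")

# The same filter with the `default-action forward` line forgotten: everything else is dropped.
FILTER_100_NO_DEFAULT = IpFilter(100, FILTER_100.entries)

# ip-filter 10 from the match-list section: drop TCP from the three /32s in
# ip-prefix-list "3_routes" to any port in port-list "allowed_ports".
THREE_ROUTES = ("10.10.10.10/32", "20.20.20.20/32", "30.30.30.30/32")
ALLOWED_PORTS = frozenset({22, 80})
FILTER_10 = IpFilter(10, [Entry(10, "drop", protocol="tcp",
                                src_prefixes=THREE_ROUTES, dst_ports=ALLOWED_PORTS)],
                     default_action="forward")


if __name__ == "__main__":
    ssh_to_r1 = Packet("tcp", "10.2.4.4", "1.1.1.1", 22)        # constructed: R4 -> R1 system IP
    ping_to_r1 = Packet("icmp", "10.2.4.4", "1.1.1.1")
    print(FILTER_100.evaluate(ssh_to_r1))                        # ('drop', 10)
    print(FILTER_100.evaluate(ping_to_r1))                       # ('forward', None)
    print(FILTER_100_NO_DEFAULT.evaluate(ping_to_r1))            # ('drop', None)
    print(FILTER_10.evaluate(Packet("tcp", "20.20.20.20", "5.5.5.5", 80)))   # ('drop', 10)
```

The `FILTER_100_NO_DEFAULT` case is the one to keep in mind: with the `default-action forward` line omitted, the ICMP packet that matches no entry is dropped, which is exactly why the tutorial sets the default action explicitly before applying the filter to a production interface.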
And that's all for this quick IP filter tutorial.