IP Access Control Lists
You can use access control lists (ACLs) to permit or deny access to load-balanced applications based on interface, protocol, IP address, and port.
Add an IP ACL:
Click the IP ACLs tab.
Click the Insert new ACL icon.
Fill in the fields:
Field         Description
IN            Interface receiving the packet. One of: a string naming the interface (example: eth0) or any.
Protocol      Network protocol. One of: ICMP, TCP, UDP, or any.
Source        Packet source address or network. One of: IP address (example: 144.59.32.12), IP address/mask (example: 144.59.32.0/24), or any.
Port          Packet source port or range. Ignored if the protocol is ICMP or any. One of: port (example: 30100), port range (example: 30100-30299), or any.
Destination   Packet destination address or network. One of: IP address (example: 192.168.10.02), IP address/mask (example: 192.168.10.0/16), or any.
Port          Packet destination port or range. Ignored if the protocol is ICMP or any. One of: port (example: 30100), port range (example: 30100-30299), or any.
Action        Filter action to apply. One of: allow or deny.
When complete, click the Add icon to save or click the Cancel icon to discard.
In the Setup tab, click Save under Local Configuration to persist your changes after a reboot.
The IP ACLs are stored in the file /etc/ipacls/ipacls.cfg. To edit the file directly, click advanced mode.
The following ACLs deny all packets targeted for IP address 10.10.100.11 except for packets complying with the permit ACLs.
# cat /etc/ipacls/ipacls.cfg
eth1 tcp 10.10.100.0/24 any 10.11.100.11 22 permit
eth1 tcp 10.10.100.0/24 any 10.10.100.11 4444 permit
any any any any 10.10.100.11 any deny
Use the iptables command to display the installed ACL rules and related details:
# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 594 packets, 225K bytes)
pkts bytes target prot opt in out source destination
596 226K pre_appli all -- any any anywhere anywhere
Chain INPUT (policy ACCEPT 594 packets, 225K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 985 packets, 69713 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 985 packets, 69713 bytes)
pkts bytes target prot opt in out source destination
Chain _acls (1 references)
pkts bytes target prot opt in out source destination
1 78 RETURN all -- lo any anywhere anywhere
106 9896 RETURN tcp -- eth1 any 10.10.100.0/24 10.11.100.11 tcp dpt:ssh
0 0 RETURN tcp -- eth1 any 10.10.100.0/24 10.10.100.11 tcp dpt:krb524
0 0 DROP all -- any any anywhere 10.10.100.11
Chain pre_appli (1 references)
pkts bytes target prot opt in out source destination
596 226K _acls all -- any any anywhere anywhere
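As an added example (not part of this product's documentation), here is a small Python evaluator for the ipacls.cfg layout described above. It assumes the semantics visible in the iptables listing: rules are checked in file order and the first match decides (permit corresponds to RETURN, deny to DROP), loopback traffic is returned before the ACLs, a packet matching no rule is accepted by the chain policy, and '#' starts a comment; the sample configuration is constructed from the page's example.

```python
import ipaddress

# Constructed sample in the page's ipacls.cfg layout: in proto src sport dst dport action
SAMPLE_CFG = """\
eth1 tcp 10.10.100.0/24 any 10.11.100.11 22 permit
eth1 tcp 10.10.100.0/24 any 10.10.100.11 4444 permit
any any any any 10.10.100.11 any deny
"""

def parse_acls(text):
    """Parse ipacls.cfg text into 7-field rule tuples, validating protocol and action."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' comment syntax is an assumption
        if not line:
            continue
        fields = line.lower().split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        iface, proto, src, sport, dst, dport, action = fields
        if proto not in ("icmp", "tcp", "udp", "any"):
            raise ValueError(f"line {lineno}: bad protocol {proto!r}")
        if action not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: bad action {action!r}")
        rules.append((iface, proto, src, sport, dst, dport, action))
    return rules

def _addr_match(spec, addr):  # spec is 'any', a host address, or address/mask
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):  # spec is 'any', a single port, or lo-hi
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, iface, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for one packet, mirroring the _acls chain walk."""
    if iface == "lo":
        return "permit"  # the listing RETURNs loopback before any ACL rule
    for r_if, r_proto, r_src, r_sp, r_dst, r_dp, action in rules:
        if (r_if != "any" and r_if != iface) or (r_proto != "any" and r_proto != proto):
            continue
        if not (_addr_match(r_src, src) and _addr_match(r_dst, dst)):
            continue
        if r_proto in ("tcp", "udp") and not (_port_match(r_sp, sport) and _port_match(r_dp, dport)):
            continue  # port fields are ignored when the rule protocol is ICMP or any
        return action  # first match decides: permit -> RETURN, deny -> DROP
    return "permit"  # no rule matched: chain policy ACCEPT
```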