
XRPi Documentation - Commands

IP Access Control List Commands

Synopsis

        ACL PERMIT <src>[/bits][:port] <dst>[/bits][:port] [proto]
        ACL DENY   <src>[/bits][:port] <dst>[/bits][:port] [proto]

Description

The ACL (Access Control List) commands specify "rules" which govern the IP source and destination address ranges that are allowed to be handled by XRPi's IP router.

These rules act like a "filter", allowing XRPi to handle selected IP addresses, whilst ignoring others.

If no ACL rules are present, the default action is to handle all IP traffic without restriction.

If one or more ACL rules is present, IP filtering is enabled. In this case, the default action is to block everything, unless it matches a PERMIT rule.

The order in which the rules are specified is important. XRPi tests them in the specified order, and stops at the first match.

Source and destination addresses, or ranges thereof, are specified in the form

        <address>[/bits][:port]

<address>
is a single IP address, or a mask used in combination with [/bits] to specify a range of addresses.

[/bits]
is the number of bits of the <address> to be compared with the source or destination addresses of a datagram. If not specified it defaults to /32, i.e. an exact match.

[:port]
is an optional TCP or UDP port or "service" number. If present, it specifies a single port, according to [proto]. If the field is not present, or the value is 0, the rule will match any port number.

[proto]
is an optional IP protocol number (e.g. 6=TCP, 17=UDP). If present and non-zero, the rule is used only if the protocol matches. If [proto] is omitted, or is zero, the rule will be used for all protocols.

0.0.0.0/0 means "all addresses".

0.0.0.0/32 is a special case meaning any of XRPi's addresses.

Options

ACL PERMIT specifies the source and destination addresses, or ranges thereof, which are permitted to be handled by XRPi. You may need to specify several rules in order to cover all the permutations.

Any addresses not allowed by a PERMIT rule are automatically blocked.

ACL DENY specifies the source and destination addresses, or ranges thereof, which are NOT permitted to be handled by XRPi. This rule allows you to block single addresses or ranges within a larger allowed range.

Examples

        ; Allow LAN sources to access any dest
        acl permit  192.168.0.0/16  0.0.0.0/0

        ; Allow 44 sources to access any dest
        acl permit  44.0.0.0/8      0.0.0.0/0

        ; Allow non-44 sources to access XRPi (e.g. axudp)
        acl permit  0.0.0.0/0       0.0.0.0/32

        ; Allow XRPi to access any dest
        acl permit  0.0.0.0/32      0.0.0.0/0

        ; Prevent non-44 sources from accessing 44 dests
        acl deny    0.0.0.0/0       44.0.0.0/8
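To make the matching semantics concrete (first match wins, /bits defaulting to /32, port or proto 0 meaning "any", and the 0.0.0.0/32 special case), here is a small evaluator written as an added example; it is not XRPi's own code. It assumes two hypothetical addresses for XRPi itself and loads the rule set from the Examples above, which shows that a LAN source reaching a 44 destination is accepted by the first PERMIT rule before the trailing DENY is ever tested.

```python
import ipaddress

# Hypothetical addresses standing in for "any of XRPi's addresses" (0.0.0.0/32).
XRPI_ADDRS = {ipaddress.ip_address("44.10.20.1"), ipaddress.ip_address("192.168.1.5")}
ANY = ipaddress.ip_address("0.0.0.0")

def parse_endpoint(text):
    """Parse <address>[/bits][:port] into (network-or-None, port); None = XRPi's own addresses."""
    text, _, port = text.partition(":")
    addr, _, bits = text.partition("/")
    addr, bits, port = ipaddress.ip_address(addr), int(bits or 32), int(port or 0)
    if addr == ANY and bits == 32:        # special case: any of XRPi's addresses
        return None, port
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False), port

def endpoint_matches(ep, addr, port):
    net, rport = ep
    in_range = addr in XRPI_ADDRS if net is None else addr in net
    return in_range and rport in (0, port)   # port 0 (or absent) matches any port

def parse_rule(line):
    """Parse 'acl PERMIT|DENY <src> <dst> [proto]'; proto 0 (or absent) = all protocols."""
    parts = line.split()
    if parts[0].lower() == "acl":
        parts = parts[1:]
    proto = int(parts[3]) if len(parts) > 3 else 0
    return parts[0].upper(), parse_endpoint(parts[1]), parse_endpoint(parts[2]), proto

def acl_decision(rules, src, dst, proto, sport=0, dport=0):
    """First matching rule wins; no rules = permit everything; rules but no match = deny."""
    if not rules:
        return "PERMIT"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rproto in rules:
        if rproto in (0, proto) and endpoint_matches(rsrc, s, sport) \
                and endpoint_matches(rdst, d, dport):
            return action
    return "DENY"

# The rule set from the Examples section above (comment lines omitted).
PAGE_RULES = [parse_rule(r) for r in (
    "acl permit 192.168.0.0/16 0.0.0.0/0",
    "acl permit 44.0.0.0/8 0.0.0.0/0",
    "acl permit 0.0.0.0/0 0.0.0.0/32",
    "acl permit 0.0.0.0/32 0.0.0.0/0",
    "acl deny 0.0.0.0/0 44.0.0.0/8",
)]
```

Because XRPi stops at the first match, a DENY that is meant to carve a hole out of a PERMIT range must appear before that PERMIT rule.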

Availability

The ACL commands are currently only available for use in the IPROUTE.SYS file.

Files

ACL commands are used in IPROUTE.SYS. If present, this file must be located in the same directory as XRPi.EXE.

See Also