Load balancing

Configure IP Access Control Lists in HAProxy ALOHA

On this page

You can use access control lists (ACLs) to permit or deny access to load-balanced applications based on interface, protocol, IP address, and port.

Add an IP ACL:

  1. Click the IP ACLs tab.

  2. Click the Insert new ACL icon.

  3. Fill in the fields:

    Field Description
    IN Interface receiving the packet. One of: string indicating interface (example: eth0) or any.
    Protocol Network protocol. One of: ICMP, TCP, UDP, or any.
    Source Packet source address or network. One of: IP address (example: 144.59.32.12), IP address/mask (example: 144.59.32.0/24), or any.
    Port Packet source port or range. Ignored if the protocol is ICMP or any. One of: port (example: 30100), port range (example: 30100-30299), or any.
    Destination Packet destination address or network. One of: IP address (example: 192.168.10.02), IP address/mask (example: 192.168.10.0/16), or any.
    Port Packet destination port or range. Ignored if the protocol is ICMP or any. One of: port (example: 30100), port range (example: 30100-30299), or any.
    Action Filter action to apply. One of: allow or deny.

  4. When complete, click the Add icon to save or click the Cancel icon to discard.

  5. To make your changes persistent after a reboot, click the Setup tab. Then click Save under Configuration.

    The IP ACLs are stored in the file /etc/ipacls/ipacls.cfg. To edit the file directly, click advanced mode.

  6. To make the changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Example Jump to heading

The following ACLs deny all packets targeted for IP address 10.10.100.11 except for packets complying with the permit ACLs.

nix
cat /etc/ipacls/ipacls.cfg
nix
cat /etc/ipacls/ipacls.cfg
/etc/ipacls/ipacls.cfg
text
eth1 tcp 10.10.100.0/24 any 10.11.100.11 22 permit
eth1 tcp 10.10.100.0/24 any 10.10.100.11 4444 permit
any any any any 10.10.100.11 any deny
/etc/ipacls/ipacls.cfg
text
eth1 tcp 10.10.100.0/24 any 10.11.100.11 22 permit
eth1 tcp 10.10.100.0/24 any 10.10.100.11 4444 permit
any any any any 10.10.100.11 any deny

Use the iptables command to display the rules and related details.

nix
iptables -t mangle -L -v
nix
iptables -t mangle -L -v
output
text
Chain PREROUTING (policy ACCEPT 594 packets, 225K bytes)
 pkts bytes target     prot opt in     out     source               destination
  596  226K pre_appli  all  --  any    any     anywhere             anywhere
Chain INPUT (policy ACCEPT 594 packets, 225K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 985 packets, 69713 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 985 packets, 69713 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain _acls (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    78 RETURN     all  --  lo     any     anywhere             anywhere
  106  9896 RETURN     tcp  --  eth1   any     10.10.100.0/24       10.11.100.11         tcp dpt:ssh
    0     0 RETURN     tcp  --  eth1   any     10.10.100.0/24       10.10.100.11         tcp dpt:krb524
    0     0 DROP       all  --  any    any     anywhere             10.10.100.11
Chain pre_appli (1 references)
 pkts bytes target     prot opt in     out     source               destination
  596  226K _acls      all  --  any    any     anywhere             anywhere
output
text
Chain PREROUTING (policy ACCEPT 594 packets, 225K bytes)
 pkts bytes target     prot opt in     out     source               destination
  596  226K pre_appli  all  --  any    any     anywhere             anywhere
Chain INPUT (policy ACCEPT 594 packets, 225K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 985 packets, 69713 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 985 packets, 69713 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain _acls (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    78 RETURN     all  --  lo     any     anywhere             anywhere
  106  9896 RETURN     tcp  --  eth1   any     10.10.100.0/24       10.11.100.11         tcp dpt:ssh
    0     0 RETURN     tcp  --  eth1   any     10.10.100.0/24       10.10.100.11         tcp dpt:krb524
    0     0 DROP       all  --  any    any     anywhere             10.10.100.11
Chain pre_appli (1 references)
 pkts bytes target     prot opt in     out     source               destination
  596  226K _acls      all  --  any    any     anywhere             anywhere

Do you have any suggestions on how we can improve the content of this page?

Previous page GSLB Next page NAT
© 2024 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences