cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

358
Views
5
Helpful
2
Replies
Highlighted
Beginner

Dynamic ACL spamhaus.org

I have a task: using spamhaus.org and TCL for update access-list. How can I use tcl to add an entry to access-list from a text file? I thought to add a file to the array, but this principle requires the "read" function, unfortunately IOS doesn't have this function. I need full automation from the script: editing a text file for the access-list syntax, adding an entry to the acess-list. Sorry, if this topic was raised before, I didn’t find it.
P.s. I'am talking about a blacklist "drop.txt", where the entry form differs from access-list.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Enthusiast

Re: Dynamic ACL spamhaus.org

Hi,

 

I am not so sure what do you mean about "read" function is not supported. I used it in the below scripting, but I didn't try in IOS device.

 

Could you try this:

 

$ cat update_acl.tcl
set fd [open "nvram:/drop.txt" r]
set entries [read $fd]
set entry [split $entries "\n"]

set cmd "ip access-list extended blacklist"
foreach line $entry {
    if {[string length $line] > 0} {
        set ace [append ace "deny ip host " $line " any log"]
        ios_config $cmd $ace
        set ace ""
    }
}
ios_config $cmd "no permit ip any any"
ios_config $cmd "permit ip any any"
ios_config "write memory"
$ cat drop.txt
8.8.8.8
8.8.4.4
1.1.1.1

Upload it to your device

IOU3#copy http://192.168.137.1:8080/update_acl.tcl nvram:/update_acl.tcl
Destination filename [update_acl.tcl]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing http://192.168.137.1:8080/update_acl.tcl...
Loading http://192.168.137.1:8080/update_acl.tcl
412 bytes copied in 0.030 secs (13733 bytes/sec)

Execute it

IOU3#tclsh nvram:/update_acl.tcl
IOU3#
*May 17 16:17:46.371: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.373: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.373: %SYS-5-CONFIG_I: Configured from console by vty0
IOU3#

Verify it:

IOU3#show access-list
Extended IP access list blacklist
    20 deny ip host 8.8.8.8 any log
    40 deny ip host 8.8.4.4 any log
    50 deny ip host 1.1.1.1 any log
    60 permit ip any any

 

** WARNING: This automation is vulnerable to command injection, you must have to refine the coding to resolve the vulnerability. **

View solution in original post

2 REPLIES 2
Highlighted
Enthusiast

Re: Dynamic ACL spamhaus.org

Hi,

 

I am not so sure what do you mean about "read" function is not supported. I used it in the below scripting, but I didn't try in IOS device.

 

Could you try this:

 

$ cat update_acl.tcl
set fd [open "nvram:/drop.txt" r]
set entries [read $fd]
set entry [split $entries "\n"]

set cmd "ip access-list extended blacklist"
foreach line $entry {
    if {[string length $line] > 0} {
        set ace [append ace "deny ip host " $line " any log"]
        ios_config $cmd $ace
        set ace ""
    }
}
ios_config $cmd "no permit ip any any"
ios_config $cmd "permit ip any any"
ios_config "write memory"
$ cat drop.txt
8.8.8.8
8.8.4.4
1.1.1.1

Upload it to your device

IOU3#copy http://192.168.137.1:8080/update_acl.tcl nvram:/update_acl.tcl
Destination filename [update_acl.tcl]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing http://192.168.137.1:8080/update_acl.tcl...
Loading http://192.168.137.1:8080/update_acl.tcl
412 bytes copied in 0.030 secs (13733 bytes/sec)

Execute it

IOU3#tclsh nvram:/update_acl.tcl
IOU3#
*May 17 16:17:46.371: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.373: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.373: %SYS-5-CONFIG_I: Configured from console by vty0
IOU3#

Verify it:

IOU3#show access-list
Extended IP access list blacklist
    20 deny ip host 8.8.8.8 any log
    40 deny ip host 8.8.4.4 any log
    50 deny ip host 1.1.1.1 any log
    60 permit ip any any

 

** WARNING: This automation is vulnerable to command injection, you must have to refine the coding to resolve the vulnerability. **

View solution in original post

Highlighted
VIP Engager

Re: Dynamic ACL spamhaus.org

 

  - If  you are looking for those kind of solutions then you'd better look into firewall-application-appliances which can offer such solutions in a much more automated and flexible manner.

 M.

CreatePlease to create content
Content for Community-Ad