Posted in Administration, IT, Linux, Posts-EN on October 26th, 2011 by Robert Vojcik

IPT-CONF is a lightweight iptables configuration framework. From time to time it is good to have something light and easy to control.
You can use our set of preconfigured rules or create your own; writing your own rules is very easy.
Sometimes, even if you are an iptables professional, you need a quick solution with init scripts, easy configuration and simple administration, and that is what ipt-conf is.
Example
If you have a large application with a complex network setup, you can create a single rule for it (like the allow-ftp or enable-nat rules).
Everything the application needs can live in that rule (loading a specific iptables module, setting something under /proc or /sys or via sysctl, etc.), and you can easily maintain it and distribute it to other machines or servers.
You can create a conf file for the rule, so another administrator just copies your rule and enables it. The system asks him for the information your rule needs (defined in the conf file) and everything is ready.
Main tool (ipt-conf)
For all operations you should use the ipt-conf wrapper located in /usr/local/sbin/.
List the current firewall configuration
ipt-conf status
00-default-policy.rule
05-deny-badpackets.rule
10-deny-forwarding.rule
11-antispoof.rule
20-allow-localhost.rule
35-allow-icmp.rule
50-allow-state.rule
55-allow-ssh.rule
Each line represents one rule or one set of rules. The leading number sets the ordering of the rules. When you add a rule, by default it leaves a gap of 5 so rules can be reordered later.
Add a rule
ipt-conf add [rule-name]
If you know the name of the rule or rules you'd like to add, just type them in order.
ipt-conf add allow-ssh allow-http ...
If you don't know the rule names, just type ipt-conf add
ipt-conf add
Avaible rules are:
allow-forwarding
allow-ftp
allow-http
allow-icmp
allow-intranet
allow-ips
allow-localhost
allow-multiport
allow-nrpe
allow-snmp
allow-ssh
allow-state
antispoof
check-old-traffic
custom-template
....
deny-ssh
deny-state
enable-nat
Enter rule/rules:
Now, if we want to enable NAT for our internal network, we just type enable-nat
Actual rules
00-default-policy.rule
05-deny-badpackets.rule
10-deny-forwarding.rule
11-antispoof.rule
20-allow-localhost.rule
35-allow-icmp.rule
50-allow-state.rule
55-allow-ssh.rule
Enter position number for enable-nat [60]
At this point we can just press Enter or change the default (60) position of the enable-nat rule.
For example, if we want to put enable-nat after allow-icmp and before allow-state, we can type 36.
Some rules need specific information. If a rule needs input from you, it asks a series of questions.
Enter IP ranges you'd like to NAT (separated by space) 192.168.1.0/24 10.1.100.0/24
Enter output interface: eth0
Do you want restart firewall ? [y/n] [y]
Reset firewall
Done
Starting firewall
Adding /etc/ipt-conf/rules.enabled/00-default-policy.rule[OK]
Adding /etc/ipt-conf/rules.enabled/05-deny-badpackets.rule[OK]
Adding /etc/ipt-conf/rules.enabled/10-deny-forwarding.rule[OK]
Adding /etc/ipt-conf/rules.enabled/11-antispoof.rule[OK]
Adding /etc/ipt-conf/rules.enabled/20-allow-localhost.rule[OK]
Adding /etc/ipt-conf/rules.enabled/35-allow-icmp.rule[OK]
Adding /etc/ipt-conf/rules.enabled/50-allow-state.rule[OK]
Adding /etc/ipt-conf/rules.enabled/55-allow-ssh.rule[OK]
Adding /etc/ipt-conf/rules.enabled/60-enable-nat.rule[OK]
Done
We can check the firewall configuration
iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   35  4677 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    10.1.100.0/24        0.0.0.0/0

Chain OUTPUT (policy ACCEPT 37 packets, 2783 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -L -n -v -t nat
....
Chain POSTROUTING (policy ACCEPT 21809 packets, 2181K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
    0     0 MASQUERADE all  --  *      eth0    10.1.100.0/24        0.0.0.0/0
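A sketch, added for this post and not taken from the ipt-conf project, of what the enable-nat rule above has to do with the answers it collects: reject anything that is not a CIDR range or a plain interface name before it reaches the iptables command line, then emit the FORWARD ACCEPT and POSTROUTING MASQUERADE rules seen in the listing, plus the "last number + 5" default position the add dialog offered. The enable_nat, valid_cidr and next_position functions and the IPT variable (set to echo so the script only prints commands) are assumptions of this example, not ipt-conf's real rule format.

```shell
#!/bin/sh
# Hypothetical sketch for this post, not ipt-conf's own code. With IPT left at
# "echo iptables" the functions only print the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Accept only dotted-quad/prefix notation so an answer can never smuggle extra
# words or shell metacharacters onto the iptables command line.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/|/*) return 1 ;;
    esac
    prefix="${1##*/}"; addr="${1%/*}"
    [ "$addr" != "$1" ] || return 1                       # a slash is required
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    n=0
    oldifs="$IFS"; IFS=.
    for o in $addr; do
        n=$((n + 1))
        [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || { IFS="$oldifs"; return 1; }
    done
    IFS="$oldifs"
    [ "$n" -eq 4 ]
}

# Usage: enable_nat "<range> <range> ..." <output-interface>
enable_nat() {
    ranges="$1"; oif="$2"
    case "$oif" in ''|*[!A-Za-z0-9._-]*) echo "bad interface: $oif" >&2; return 1 ;; esac
    for r in $ranges; do
        valid_cidr "$r" || { echo "bad range: $r" >&2; return 1; }
    done
    for r in $ranges; do
        # Let the internal range out and hide it behind the uplink address.
        $IPT -A FORWARD -s "$r" -o "$oif" -j ACCEPT
        $IPT -t nat -A POSTROUTING -s "$r" -o "$oif" -j MASQUERADE
    done
}

# Default slot for a new rule: highest enabled number plus 5 (55-allow-ssh -> 60).
next_position() {
    max=0
    for f in "$@"; do
        n="${f##*/}"; n="${n%%-*}"                        # strip path and name
        [ "$n" -gt "$max" ] 2>/dev/null && max="$n"
    done
    echo $((max + 5))
}
```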
Links
Iptables configuration framework – ipt-conf on GitHUB