  • Forked from ai3 / tools / firewall

    firewall

    A shell-based DSL for quick and easy configuration of an iptables firewall, primarily targeted at individual servers, supporting both IPv4 and IPv6. Instead of parameterizing the hell out of iptables like more sophisticated solutions (think Shorewall), it provides helpers to write iptables configs from shell snippets. These helpers make it easy to maintain IPv4 and IPv6 rules in sync.

    The main driver script will perform some basic setup and then execute application-specific configuration snippets from the /etc/firewall tree. This setup allows packages to plug into the firewall setup by simply deploying a snippet in /etc/firewall.

    The configuration is loaded from the directories below /etc/firewall: every iptables table (such as filter, nat, and mangle) is configured independently from its own subdirectory, named after the table with a .d extension (filter.d, nat.d, ...). Individual files in each directory are loaded in lexicographical order using run-parts(8), so a numeric prefix is the usual way to control ordering. Note that run-parts by default ignores file names containing characters other than letters, digits, underscore and hyphen, so a snippet named like 50-web.sh is skipped silently unless the driver passes --lsbsysinit or --regex.

    Once the new rules have been loaded, the firewall script invokes all executable scripts in the /etc/firewall/reload-hooks directory (again using run-parts). Use this to reload daemons that maintain their own firewall setup (docker, libvirtd, etc.): loading a table through iptables-restore replaces its previous contents, so any rules such daemons had injected are gone until they are recreated. The hooks are also the place for additional non-iptables networking setup.

    Configuration

    Configuration files are simple shell scripts. Rather than invoking iptables directly, they generate input for iptables-restore, so that the new rules can be loaded atomically: a malformed rule in any snippet makes iptables-restore reject the whole table and the previously loaded rules stay in effect, instead of leaving a half-applied ruleset.

    Rules are generated by invoking the following predefined helper functions:

    create_chain CHAIN_NAME

    Create a new chain with the specified name.

    add_rule IPTABLES_ARGS

    add_rule4 IPTABLES_ARGS

    add_rule6 IPTABLES_ARGS

    These functions generate a full iptables rule exactly as specified. The first form emits the rule for both IPv4 and IPv6; the other two are protocol-specific and must be used for anything that only makes sense for one address family, such as an address literal.

    An example (protocol-specific, because an IPv4 address literal is not valid input for ip6tables-restore and would be rejected if emitted through the two-protocol form):

    add_rule4 -A bad-host -s 1.2.3.4 -j DROP

    add_to_chain CHAIN_NAME IPTABLES_ARGS

    A shortcut for add_rule -A CHAIN_NAME IPTABLES_ARGS.

    allow_port PROTOCOL PORT [IPTABLES_ARGS]

    Allow incoming traffic for the specified protocol and port. IPTABLES_ARGS stands for any number of additional iptables options appended to the rule; when omitted, the rule ends in -j ACCEPT.

    allow_ports PROTOCOL PORT_SPEC [IPTABLES_ARGS]

    Allow incoming traffic to the specified ports. PORT_SPEC should be a comma-separated list of destination ports.
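    Putting the helpers together, here is a complete filter snippet of the kind that would live in /etc/firewall/filter.d, together with a dry-run harness. This is an added example, not the project's code: the helper implementations below are stand-ins that only reproduce the documented behaviour (emitting iptables-restore lines for IPv4 and IPv6) so the snippet can be exercised without root, and the INPUT chain and multiport match used by allow_port/allow_ports, the ACCEPT default, the example file name and the addresses (documentation ranges from RFC 5737 and RFC 3849) are assumptions of the example.

```shell
#!/bin/sh
# Stand-ins for the documented helpers (illustrative, NOT the project's code):
# they only collect the iptables-restore lines a snippet generates, one buffer
# per address family, so a snippet can be dry-run as an unprivileged user.
NL='
'
RULES4=""
RULES6=""
emit4() { RULES4="${RULES4}$*${NL}"; }
emit6() { RULES6="${RULES6}$*${NL}"; }

create_chain() { emit4 ":$1 - [0:0]"; emit6 ":$1 - [0:0]"; }  # restore syntax for a new chain
add_rule()     { emit4 "$*"; emit6 "$*"; }                    # both families
add_rule4()    { emit4 "$*"; }
add_rule6()    { emit6 "$*"; }
add_to_chain() { chain=$1; shift; add_rule -A "$chain" "$@"; }

# allow_port PROTOCOL PORT [IPTABLES_ARGS]: assumed (for this example) to
# target INPUT and to end in -j ACCEPT when no IPTABLES_ARGS are given.
allow_port() {
    proto=$1; port=$2; shift 2
    [ $# -gt 0 ] || set -- -j ACCEPT
    add_rule -A INPUT -p "$proto" --dport "$port" "$@"
}
# allow_ports PROTOCOL PORT_SPEC [IPTABLES_ARGS]: assumed to use multiport.
allow_ports() {
    proto=$1; ports=$2; shift 2
    [ $# -gt 0 ] || set -- -j ACCEPT
    add_rule -A INPUT -p "$proto" -m multiport --dports "$ports" "$@"
}

# render TABLE 4|6: wrap one family's rules in iptables-restore framing.
render() {
    rules=""
    case $2 in 4) rules=$RULES4 ;; 6) rules=$RULES6 ;; esac
    printf '*%s\n%sCOMMIT\n' "$1" "$rules"
}
# count_rules 4|6 PATTERN: number of rendered lines matching PATTERN.
count_rules() {
    render filter "$1" | grep -c -- "$2" || true
}

# --- The snippet proper, e.g. /etc/firewall/filter.d/50-web (constructed) ---
create_chain bad-hosts
# Address literals are family-specific: an IPv4 address passed to add_rule
# would also be emitted for ip6tables-restore, which rejects it, so the
# blocklists for the two families are kept apart.
add_rule4 -A bad-hosts -s 192.0.2.10 -j DROP
add_rule6 -A bad-hosts -s 2001:db8::10 -j DROP
add_rule  -A bad-hosts -j RETURN
add_to_chain INPUT -j bad-hosts
# Web ports with the default action; SSH rate-limited on new connections.
allow_ports tcp 80,443
allow_port tcp 22 -m conntrack --ctstate NEW -m limit --limit 10/min -j ACCEPT

# Dry run: show what would be handed to iptables-restore and ip6tables-restore.
render filter 4
render filter 6
```

    Only the part after the stand-ins belongs in the snippet file; the real helpers are provided by the driver. Before deploying, the rendered output can be checked against the real parsers with `render filter 4 | iptables-restore --test` and `render filter 6 | ip6tables-restore --test` (as root), which parse the ruleset without committing it, so a typo surfaces before the next update-firewall run.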

    Usage

    Run update-firewall to set up iptables whenever the rules below /etc/firewall change.

    Notes

    The firewall script will always attempt to set up IPv6 rules, even if IPv6 is disabled on the host. To disable IPv6 handling, run the script with the -4 command-line option.