Managing iptables rules in Linux

Try iptables' ipsets. ipsets are configured separately, and they are also faster if you have enough IP addresses to manage.

An iptables rule can refer to an ipset like this:

iptables -A FORWARD -m set --match-set blocklist src,dst -j DROP
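As an added example (not code from the answer above), here is one way to populate such a set from a plain list of addresses. The set name `blocklist`, the scratch set `blocklist_tmp` and the feed file are assumptions. Two points it shows that the one-line rule does not: feed lines are validated before they reach `ipset restore`, so a tampered feed cannot inject its own `flush`/`destroy` commands, and the new contents are built in a scratch set and swapped in, so the live set is never half-populated while packets are matched against it.

```shell
#!/bin/sh
# Added example: turn a plain IPv4 blocklist feed into an "ipset restore"
# stream and replace the live set atomically. Set name "blocklist" and the
# scratch set "blocklist_tmp" are assumed names (ipset names max 31 chars).

# Accept only a dotted-quad IPv4 address with an optional /prefix. Anything
# else is rejected, so a poisoned feed cannot smuggle ipset commands
# ("flush", "destroy", ...) into the restore stream.
is_ipv4_net() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            split($0, a, "/"); split(a[1], o, ".")
            for (i = 1; i <= 4; i++) if (o[i] > 255) exit 1
            if (a[2] != "" && a[2] > 32) exit 1
            exit 0
        }
        { exit 1 }'
}

# Read feed lines on stdin (one address or CIDR per line, "#" comments
# allowed) and print an ipset restore script for set $1. Entries go into a
# scratch set which is then swapped in, so the live set is replaced in one
# step. Rejected lines are reported on stderr and skipped.
build_ipset_restore() {
    set_name="$1"
    tmp="${set_name}_tmp"
    printf 'create %s hash:net family inet\n' "$set_name"
    printf 'create %s hash:net family inet\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                         # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue                 # blank / comment-only line
        if is_ipv4_net "$entry"; then
            printf 'add %s %s\n' "$tmp" "$entry"
        else
            printf 'rejected feed line: %s\n' "$line" >&2
        fi
    done
    printf 'swap %s %s\n' "$tmp" "$set_name"
    printf 'destroy %s\n' "$tmp"
}

# Install the FORWARD rule that consults the set, only if it is not already
# there (-C exits non-zero when the rule is missing). Needs root and iptables.
ensure_blocklist_rule() {
    iptables -C FORWARD -m set --match-set "$1" src,dst -j DROP 2>/dev/null ||
        iptables -A FORWARD -m set --match-set "$1" src,dst -j DROP
}
```

Usage, as root: `build_ipset_restore blocklist < /etc/blocklist.txt | ipset -exist restore && ensure_blocklist_rule blocklist`. The `-exist` flag makes the two `create` lines succeed when the sets already exist from a previous run; the rule only has to be added once because it refers to the set by name, not to its contents.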


One simple solution is to use multiple bash scripts, one for each section, something like:

iptables-routing.sh
iptables-ssh-bans.sh
iptables-blacklist.sh

And run these files from a master script.


iptables does not read the file directly; that is done by a program called iptables-restore, which is usually called from one of your init scripts.

You could add extra input files to your iptables-restore line. You'll have to find where this line is on your system, but on my Debian box it is in /etc/init.d/nat

The line currently reads like this:

/sbin/iptables-restore < /etc/network/iptables

Perhaps it could be changed to something like this:

cat /etc/network/iptables \
    /etc/network/pre_routing_tables \
    /etc/network/ssh_bans | /sbin/iptables-restore
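A caveat on feeding several files into one iptables-restore, plus an added example (not code from the answers above) that covers both the split-by-purpose approach and the `cat` pipeline: plain concatenation only works if, per table, exactly one fragment carries the `*filter` header and one the `COMMIT`. If every fragment is a complete iptables-save dump, iptables-restore flushes the table again at each `*filter` line (that is the documented default unless `--noflush` is given), so only the last fragment survives. The function below merges fragments into a single block per table instead, refuses fragments that re-declare a chain with a different default policy, and checks the result with `iptables-restore --test` before loading it. The file names and the sample fragments used in the usage note are assumptions.

```shell
#!/bin/sh
# Added example: merge per-purpose rule fragments into one iptables-restore
# ruleset. Each fragment is in iptables-save format (*table, :CHAIN POLICY
# [0:0], -A rules, COMMIT). File names are assumptions.

# Print one ruleset with a single "*table ... COMMIT" block per table, rules
# kept in fragment order. A chain is declared once; a later fragment that
# re-declares it with a different default policy is an error, because with a
# plain concatenation the last policy would silently win. Rules that appear
# outside any *table block are errors too. Exit status is non-zero on error.
merge_rulesets() {
    awk '
    BEGIN { bad = 0 }
    /^#/ || /^[[:space:]]*$/ { next }
    /^\*/ {
        table = substr($0, 2)
        if (!(table in seen)) { seen[table] = 1; order[++n] = table }
        next
    }
    /^COMMIT$/ { table = ""; next }
    table == "" {
        print FILENAME ": line outside a *table block: " $0 > "/dev/stderr"
        bad = 1; next
    }
    /^:/ {
        key = table SUBSEP $1
        if (key in policy) {
            if (policy[key] != $2) {
                print FILENAME ": " $1 " policy " $2 " conflicts with " policy[key] > "/dev/stderr"
                bad = 1
            }
            next
        }
        policy[key] = $2
        chains[table] = chains[table] $0 "\n"
        next
    }
    { rules[table] = rules[table] $0 "\n" }
    END {
        for (i = 1; i <= n; i++) {
            t = order[i]
            printf "*%s\n%s%sCOMMIT\n", t, chains[t], rules[t]
        }
        exit bad
    }' "$@"
}

# Merge, parse-check without committing (--test), then load. Needs root.
load_rulesets() {
    merged=$(merge_rulesets "$@") || return 1
    printf '%s\n' "$merged" | iptables-restore --test || return 1
    printf '%s\n' "$merged" | iptables-restore
}
```

With the file names from the answer above, the init script line would become `load_rulesets /etc/network/iptables /etc/network/pre_routing_tables /etc/network/ssh_bans`, with the base file declaring the chains and policies and the other files contributing only `-A` lines under their own `*filter` or `*nat` header.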

I tend to use one of the many on-top-of-iptables firewalling scripts/tools, like Firestarter or Shorewall. They come with many files, separated by purpose, add interesting rules to protect against certain types of bogus packets, and they usually work well.