How to manage the iptables for many servers?
I am new to managing Linux servers.
We have many dedicated servers in different regions. Some of them serve MySQL and allow access to each other.
I can modify the iptables configuration myself to add a rule accepting port 3306 requests from some servers. Is there another way to manage many iptables configurations efficiently?
Check out Firewall Builder, or you can also use the Puppet iptables module.
Firewall Builder supports GUI based firewall policy configuration and management on the following firewalls:
- Linux iptables - 2.4 & 2.6 kernels
- Cisco router access control lists (ACL)
- Cisco ASA/PIX
- Cisco Firewall Service Module (FWSM)
- OpenBSD pf
- FreeBSD ipfw and ipfilter
- HP ProCurve ACL
Use Puppet, Chef or CFEngine to distribute rules and restart iptables.
I use Shorewall and Shorewall-lite. On the master server I have the following arrangement:
- /etc/shorewall - firewall configuration for the server
- /etc/shorewall/common - common files such as standard zone definitions, policies, macros, etc.
- /etc/shorewall/hostname - definition for each host.
Using the common directory allows me to avoid repeating definitions for each server. The config file has a path variable which can be used to specify a list of directories containing common files. If you have a lot of servers with the same rule set you could place the rules in the common directory, or a different shared directory for that class of servers.
I use make to build the firewall scripts firewall and firewall.conf. These are then distributed and executed using ssh.
I've tried some of the graphical firewall builders, but find shorewall with its config files easier to work with and verify. I keep the whole configuration directory in git to allow me to easily verify changes before implementation.
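The "common rules plus a per-host list" arrangement above, as an added example that is not the answerer's Shorewall setup: a POSIX shell script that builds a plain iptables-restore ruleset per host (default DROP, ssh, and MySQL on 3306 only from the listed peers) and pushes it over ssh. The hostnames and addresses are constructed for illustration; in practice the peer list would come from a per-host file like the ones described.

```shell
# Added example (not the answerer's Shorewall configuration): generate a
# per-host iptables-restore ruleset from a common base plus the host's
# MySQL peers, then load it remotely. Hosts/addresses are constructed.

# gen_ruleset HOST PEER...: print an iptables-restore ruleset for HOST that
# drops inbound traffic except ssh and MySQL (3306) from the PEER addresses.
gen_ruleset() {
    host=$1; shift
    # Refuse anything that is not a plain IPv4 address or CIDR, so a
    # malformed entry in a peer list can never reach the firewall.
    for peer in "$@"; do
        case $peer in
            ''|*[!0-9./]*) echo "gen_ruleset: bad peer '$peer' for $host" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "# generated for $host" '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT'
    # One explicit rule per peer; everything else hits the INPUT DROP policy.
    for peer in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $peer --dport 3306 -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# push_ruleset HOST PEER...: build first, then load on HOST over ssh.
# iptables-restore applies the whole table or nothing, so a rejected file
# leaves the existing rules in place instead of a half-applied set.
push_ruleset() {
    ruleset=$(gen_ruleset "$@") || return 1
    printf '%s\n' "$ruleset" | ssh "root@$1" iptables-restore
}

# Constructed example: two MySQL peers allowed to reach db-eu-1.
gen_ruleset db-eu-1 10.0.1.5 10.0.2.7/32
```

Run `gen_ruleset` for a host first and diff its output against the previous build before calling `push_ruleset`, which mirrors the verify-before-apply step the answer keeps in git.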
For Chef on Ubuntu you can use the UFW cookbook.
Beware: UFW doesn't work on OpenVZ without many modifications.