How to manage the iptables for many servers?

I am new to managing Linux servers.

We have many dedicated servers in different regions. Some of them serve MySQL and allow access to each other.

I can modify the iptables configuration myself to add a rule accepting port 3306 requests from some servers. Is there another way to manage iptables on many servers efficiently?


Check out Firewall Builder, or you can also use the Puppet iptables module.

Firewall Builder supports GUI based firewall policy configuration and management on the following firewalls:

  • Linux iptables - 2.4 & 2.6 kernels
  • Cisco router access control lists (ACL)
  • Cisco ASA/PIX
  • Cisco Firewall Service Module (FWSM)
  • OpenBSD pf
  • FreeBSD ipfw and ipfilter
  • HP ProCurve ACL

Use Puppet, Chef or CFEngine to distribute rules and restart iptables.


I use Shorewall and Shorewall-lite. On the master server I have the following arrangement:

  • /etc/shorewall - firewall configuration for the server
  • /etc/shorewall/common - common files such as standard zone definitions, policies, macros, etc.
  • /etc/shorewall/hostname - definition for each host.

Using the common directory allows me to avoid repeating definitions for each server. The config file has a path variable which can be used to specify a list of directories containing common files. If you have a lot of servers with the same rule set you could place the rules in the common directory, or a different shared directory for that class of servers.

I use make to build the firewall scripts firewall and firewall.conf. These are then distributed and executed using ssh.

I've tried some of the graphical firewall builders, but find shorewall with its config files easier to work with and verify. I keep the whole configuration directory in git to allow me to easily verify changes before implementation.
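The question asks for an efficient way to allow tcp/3306 from a set of peer servers, and the answer above describes generating one firewall file per host from common definitions and shipping it over ssh. The following is an added example (not code from the question or any answer) of that pattern in plain POSIX sh and iptables-restore syntax; the host names, addresses and the remote file path are constructed placeholders.

```sh
#!/bin/sh
# Added example, not code from the question or answers above. Renders a
# per-host iptables-restore fragment from one shared peer list (the "common"
# part) and ships it over ssh (the "one file per host" part).
# All host names, addresses and the remote path are constructed placeholders.

# Constructed shared peer list: "host address" per line.
MYSQL_PEERS='db-eu-1 192.0.2.10
db-us-1 192.0.2.20
db-ap-1 192.0.2.30'

# render_mysql_rules SELF_HOST
# Prints a user chain MYSQL-IN that accepts tcp/3306 from every *other* peer
# and drops any other 3306 traffic, in iptables-restore format. Loading it with
# --noflush (-n) leaves the host's unrelated rules alone, and the ":MYSQL-IN"
# line flushes only that chain when it already exists, so re-runs are idempotent.
render_mysql_rules() {
    self="$1"
    printf '%s\n' '*filter' ':MYSQL-IN - [0:0]'
    printf '%s\n' "$MYSQL_PEERS" | while read -r host addr; do
        [ -z "$host" ] && continue
        [ "$host" = "$self" ] && continue   # no rule for the host itself
        printf '%s\n' "-A MYSQL-IN -s $addr/32 -p tcp --dport 3306 -m comment --comment $host -j ACCEPT"
    done
    printf '%s\n' '-A MYSQL-IN -p tcp --dport 3306 -j DROP' 'COMMIT'
}

# count_accept_rules SELF_HOST: number of ACCEPT entries rendered for SELF_HOST.
count_accept_rules() {
    render_mysql_rules "$1" | grep -c -- '-j ACCEPT'
}

# deploy_rules SELF_HOST ADDRESS: distribute and load, as the answer describes.
# The INPUT jump is inserted only if missing (iptables -C) so repeat runs do not
# stack duplicate jumps; the chain body itself is replaced by iptables-restore -n.
deploy_rules() {
    render_mysql_rules "$1" | ssh "root@$2" '
        cat > /etc/mysql-peers.rules &&
        iptables-restore -n /etc/mysql-peers.rules &&
        { iptables -C INPUT -p tcp --dport 3306 -j MYSQL-IN 2>/dev/null ||
          iptables -I INPUT -p tcp --dport 3306 -j MYSQL-IN; }'
}
```

Running `render_mysql_rules db-eu-1` locally shows exactly what would be loaded on that host, which is the review step before distributing.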


For Chef on Ubuntu you can use the UFW cookbook.

Beware: UFW doesn't work on OpenVZ without many modifications.