How do you manage your Linux iptables configuration on a machine acting as a router?

I have a couple of Linux machines that act as routers/firewalls for my networks, and I have a script that runs all the iptables commands to set my rules. This seems to me like a really silly way to do it though.

How do you do this? Is there a program with config files that are a bit easier to manage? Does it have a GUI or web interface?


Solution 1:

I use firehol combined with a web interface that I developed to manage the configuration file.

I really like firehol; it provides a simpler syntax than using iptables directly.

  • You can use the firehol debug command to see exactly what iptables commands are generated.
  • If you have an error in your configuration and you start the firewall, firehol detects the error and reverts to the previous state.
  • Firehol has a 'try' command which you can use to start the firewall remotely. If your changes kill your connection, firehol will revert to the previous state; if you didn't kill your connection, it will ask you to confirm the change.
  • Firehol has a large set of services pre-defined, so you don't have to remember exactly which ports to open for some obscure protocol.

Solution 2:

For RedHat and related OSs (and perhaps for others), you can use the script to create the firewall, and then service iptables ... to handle it from there. This is what I do. When I change my iptables configuration, I use a script. Then I save it with

service iptables save

At this point, the machine will now always come up with the new rules. You can dump a brief version of your current rules with

service iptables status
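A minimal version of the generate-then-load approach that firehol (Solution 1) automates and that fits the saved-ruleset workflow of Solution 2, as an added example that is not from any of the answers: a bash function that writes a router ruleset in the same iptables-save format that service iptables save produces, so the file can be reviewed, versioned and loaded atomically with iptables-restore instead of being applied command by command. The interface names, LAN subnet and allowed ports are placeholder assumptions.

```bash
#!/bin/bash
# Added example: emit a router/firewall ruleset in iptables-save format.
# Arguments: WAN interface, LAN interface, LAN subnet, then TCP ports that
# may be reached from the WAN (all placeholder values chosen by the caller).
gen_ruleset() {
    local wan=$1 lan=$2 lan_net=$3
    shift 3
    local svc

    # filter table: default-deny inbound and forwarded traffic
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -s $lan_net -j ACCEPT
EOF
    # one explicit rule per service exposed on the WAN side
    for svc in "$@"; do
        echo "-A INPUT -i $wan -p tcp --dport $svc -m conntrack --ctstate NEW -j ACCEPT"
    done
    # LAN -> WAN forwarding with reply traffic, then NAT for the LAN subnet
    cat <<EOF
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Usage on the router (as root); --test parses the file without committing it:
#   gen_ruleset eth0 eth1 192.168.1.0/24 22 > /etc/iptables.rules
#   iptables-restore --test < /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```

Because iptables-restore loads the whole table in one step, a syntax error rejects the entire file rather than leaving the router half-configured as a failing command script would.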

Solution 3:

We've used shorewall - "iptables made easy". A GUI is available via Webmin 1.060 and later.

The Shoreline Firewall, more commonly known as “Shorewall”, is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables, iptables-restore, ip and tc utilities, configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.