How do you manage your Linux iptables configuration on a machine acting as a router?

linux iptables router gateway

I have a couple Linux machines that act as routers/firewalls for my networks and I have a script that runs all the iptables commands to set my rules. This seems to me like a really silly way to do it though.

How do you do this? Is there a program with config files that are a bit easier to manage? Does it have a GUI or web interface?


Solution 1:

I use firehol combined with a web interface that I developed to manage the configuration file.

I really like firehol, it provides a simplier syntax then using iptables directly.

  • You can use the firehol debug command to exactly what iptables commands are generated
  • If you have an error in your configuration and you start the firewall, firehol detects the error and reverts to the previous state.
  • Firehol has a 'try' command which you can use to start the firewall remotely, if your changes kill your connection, firehol will revert to the previous state, if you didn't kill your connection then it will ask you to confirm the change.
  • Firehol has a large set of services pre-defined so you don't have to remember exactly what ports you have to have what ports to open for some obscure protocol.

Solution 2:

For RedHat and related OSs (and perhaps for others), you can use the script to create the firewall, and then service iptables ... to handle it from there. This is what I do. When I change my iptables configuration, I use a script. Then I save it with

service iptables save

At this point, the machine will now always come up with the new rules. You can dump a brief version of your current rules with

service iptables status

Solution 3:

We've used shorewall - "iptables made easy". A GUI is available via Webmin 1.060 and later

The Shoreline Firewall, more commonly known as “Shorewall”, is high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables, iptables-restore, ip and tc utilities, Shorewall configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

Related

A list of Windows rootkit detection and removal tools
How can I use SELinux to confine PHP scripts?
How can I route some emails to a script in Postfix?
Suggestions for free/cheap asset/patch management software (Adobe, Java, etc)
Explain in Plain English what is LXC and for what it is useful [closed]
SSL setup with apache in front of tomcat
Redirect loop using cloudflare's Flexible ssl
VPS Administration for the Absolute Beginner
How should someone create an encrypted password for /etc/shadow?
Kernel Tuning with Privileged Docker Container
Is it possible to use etckeeper with a single shared git repository?
Isolating Apache virtualhosts from the rest of the system