Host Manager

host_manager.py

We use the --no_default_config argument so that only the rules we generated are shown; otherwise the default rules are printed as well. To actually apply the configuration, add the --deploy argument. If you are starting the firewall for the first time, it is better to apply the default configuration as well, that is, to leave --no_default_config out.

Command usage:

bin/host_manager.py --help

usage: host_manager.py [-h] [--no_default_config] [--update_sets]
               [--update_list UPDATE_LIST [UPDATE_LIST ...]]
               [--exclude_list EXCLUDE_LIST [EXCLUDE_LIST ...]]
               [--config CONFIG [CONFIG ...]] [--deploy]
               [--generate_files] [--allow] [--drop_all]
               [--ignore_check] [--check_matches] [--map_hostfile]

optional arguments:
  -h, --help            show this help message and exit
  --no_default_config   Default configuration
  --update_sets         Only update IPSets
  --update_list UPDATE_LIST [UPDATE_LIST ...]
                        Update only the specified ipsets: Use general section
                        names
  --exclude_list EXCLUDE_LIST [EXCLUDE_LIST ...]
                        Exclude these ipsets from update: Use general section
                        names
  --config CONFIG [CONFIG ...]
                        Type the location of your config file to parse(absolut
                        path)
  --deploy              Deploy the configuration
  --generate_files      Generate iptables and ipset configuration files
  --allow               Set policy to ACCEPT
  --drop_all            Set policy to DENY
  --ignore_check        Ignore needed network components check
  --check_matches       Check all section of the file and print at which
                        sections is this machine matching
  --map_hostfile        Generates dot language code in order to visualize host
                        file contents
First check what would be applied. Without --deploy nothing is changed on the host; the ipset and iptables commands are only printed (note the line "Deploy is: False" in the output):

bin/host_manager.py --no_default_config --config /root/linux-firewall-tool/custom_conf_files/test_hosts.cfg
####### SECTION matched: 'itdb_test_2' ################
Deploy is: False
Section name: access_incoming_sshd
Set type is:  hash:net
/usr/sbin/ipset create static_cern_networks_v4 hash:net family inet hashsize 1024 maxelem 65536
Set  static_cern_networks_v4  created
/usr/sbin/ipset add static_cern_networks_v4 172.16.0.0/12
/usr/sbin/ipset add static_cern_networks_v4 10.0.0.0/8
/usr/sbin/ipset add static_cern_networks_v4 188.184.0.0/15
/usr/sbin/ipset add static_cern_networks_v4 192.91.242.0/24
/usr/sbin/ipset add static_cern_networks_v4 137.138.0.0/16
/usr/sbin/ipset add static_cern_networks_v4 194.12.128.0/18
/usr/sbin/ipset add static_cern_networks_v4 192.16.155.0/24
/usr/sbin/ipset add static_cern_networks_v4 192.16.165.0/24
/usr/sbin/ipset add static_cern_networks_v4 192.168.0.0/16
/usr/sbin/ipset add static_cern_networks_v4 128.142.0.0/16
/usr/sbin/ipset add static_cern_networks_v4 128.141.0.0/16
/usr/sbin/ipset add static_cern_networks_v4 100.64.0.0/10
Section name: access_incoming_sshd
Set type is:  hash:net
/usr/sbin/ipset create static_cern_networks_v6 hash:net family inet6 hashsize 1024 maxelem 65536
Set  static_cern_networks_v6  created
/usr/sbin/ipset add static_cern_networks_v6 fd01:1459::/32
/usr/sbin/ipset add static_cern_networks_v6 2001:1458::/32
/usr/sbin/ipset add static_cern_networks_v6 2001:1459::/32
/usr/sbin/ipset add static_cern_networks_v6 fd01:1458::/32
/etc/init.d/ipset save

######### USER DEFINED FIREWALL RULES #########
/sbin/iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22 -m set --match-set static_cern_networks_v4 src -j ACCEPT -m comment --comment access_incoming_sshd
/sbin/ip6tables -A INPUT -i eth0 -p tcp -m multiport --dports 22 -m set --match-set static_cern_networks_v6 src -j ACCEPT -m comment --comment access_incoming_sshd
######### USER DEFINED FIREWALL RULES #########

Deploying the configuration. On each deploy it is better not to pass --no_default_config, so that the default rules are applied too. The default configuration also flushes everything, rules and ipsets, so you get a clean deploy from scratch. Because the existing rules are flushed first, review the dry-run output, in particular the access_incoming_sshd rule, before deploying on a host you reach over SSH.

If you are absolutely certain that the default configuration was applied before and you only want the rules you defined, add the --no_default_config argument.

Deploy the configuration like this:

bin/host_manager.py --config /root/linux-firewall-tool/custom_conf_files/test_hosts.cfg --deploy
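The dry run is only useful if someone actually reads it. The following is an added example, not part of the firewall tool: a small Python check that parses the dry-run output from the step above and refuses the deploy when an ACCEPT rule carries no --match-set source restriction, when a set would contain 0.0.0.0/0 or ::/0, or when a rule references a set the plan never creates (typically a typo in the set name, which would make the iptables rule fail to load). The sample output embedded below is a constructed, trimmed copy of the dry run shown above; the set and rule names are the page's, the second "bad plan" sample is made up for the test.

```python
"""Review host_manager.py dry-run output before adding --deploy.

Added example, not part of the firewall tool. It parses the ipset and
iptables commands the tool prints without --deploy and flags allow rules
that are broader than intended.
"""
import ipaddress
import shlex
import sys

# Constructed sample: a trimmed copy of the dry-run output shown on this page.
SAMPLE_DRY_RUN = """\
####### SECTION matched: 'itdb_test_2' ################
Deploy is: False
Section name: access_incoming_sshd
Set type is:  hash:net
/usr/sbin/ipset create static_cern_networks_v4 hash:net family inet hashsize 1024 maxelem 65536
Set  static_cern_networks_v4  created
/usr/sbin/ipset add static_cern_networks_v4 172.16.0.0/12
/usr/sbin/ipset add static_cern_networks_v4 10.0.0.0/8
/usr/sbin/ipset create static_cern_networks_v6 hash:net family inet6 hashsize 1024 maxelem 65536
/usr/sbin/ipset add static_cern_networks_v6 2001:1458::/32
/etc/init.d/ipset save

######### USER DEFINED FIREWALL RULES #########
/sbin/iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22 -m set --match-set static_cern_networks_v4 src -j ACCEPT -m comment --comment access_incoming_sshd
/sbin/ip6tables -A INPUT -i eth0 -p tcp -m multiport --dports 22 -m set --match-set static_cern_networks_v6 src -j ACCEPT -m comment --comment access_incoming_sshd
######### USER DEFINED FIREWALL RULES #########
"""

# Constructed sample of a plan that must NOT be deployed as-is (hypothetical names).
SAMPLE_BAD_PLAN = """\
/usr/sbin/ipset create anyone_v4 hash:net family inet hashsize 1024 maxelem 65536
/usr/sbin/ipset add anyone_v4 0.0.0.0/0
/sbin/iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22 -j ACCEPT -m comment --comment sshd_open
/sbin/iptables -A INPUT -i eth0 -p tcp -m multiport --dports 3306 -m set --match-set static_cern_netwroks_v4 src -j ACCEPT
"""

WHOLE_INTERNET = {"0.0.0.0/0", "::/0"}


def normalize(entry):
    """Canonical form of a hash:net member, as ipset itself stores it.

    ipset stores 10.1.2.3/8 as 10.0.0.0/8 and a bare address as /32 or /128,
    so compare canonical networks rather than the text in the config.
    """
    return str(ipaddress.ip_network(entry, strict=False))


def parse_dry_run(text):
    """Return ({set_name: {members}}, [iptables argv lists]) from dry-run output."""
    sets, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # banners and blank lines
        tokens = shlex.split(line)
        command = tokens[0].rsplit("/", 1)[-1]  # drop /usr/sbin, /sbin, /etc/init.d
        if command == "ipset" and len(tokens) >= 3:
            if tokens[1] == "create":
                sets.setdefault(tokens[2], set())
            elif tokens[1] == "add" and len(tokens) >= 4:
                sets.setdefault(tokens[2], set()).add(normalize(tokens[3]))
        elif command in ("iptables", "ip6tables"):
            rules.append(tokens)
    return sets, rules


def audit(sets, rules):
    """List the reasons this plan should not be deployed; an empty list means go ahead."""
    findings = []
    for name, members in sets.items():
        for member in sorted(members & WHOLE_INTERNET):
            findings.append(f"set {name} contains {member}: it matches every source")
    for tokens in rules:
        rule = " ".join(tokens)
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        if target != "ACCEPT":
            continue  # only allow rules widen the attack surface
        if "--match-set" not in tokens:
            findings.append(f"ACCEPT rule with no --match-set source restriction: {rule}")
            continue
        set_name = tokens[tokens.index("--match-set") + 1]
        if set_name not in sets:
            findings.append(f"rule references set {set_name!r}, which this plan never creates: {rule}")
    return findings


if __name__ == "__main__":
    # Pipe the tool's dry-run output in; exit non-zero when something is off.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DRY_RUN
    problems = audit(*parse_dry_run(text))
    print("\n".join(problems) or "plan looks fine")
    sys.exit(1 if problems else 0)
```

Save it under any name, pipe the dry run into it (bin/host_manager.py --no_default_config --config ... | python3 review_plan.py, with review_plan.py being whatever you called the file) and only add --deploy when it exits 0. The normalization step matters for any such comparison: ipset canonicalizes hash:net members, so a textual diff of the config against ipset output would report spurious changes.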

If the firewall is already running and you only want to update the ipsets that are in use, use the --update_sets argument. Without --deploy it only reports, per set, which entries would be added and which removed:

bin/host_manager.py --config /root/linux-firewall-tool/custom_conf_files/test_hosts.cfg --update_sets
####### SECTION matched: 'itdb_test_2' ################
Deploy is: False
UPDATE IPsets ONLY
Set type is:  hash:net
static_cern_networks_v4


To be added:  []


To be removed:  []


0 ['static_cern_networks']
Set type is:  hash:net
static_cern_networks_v6


To be added:  []


To be removed:  []


0 ['static_cern_networks']
/etc/init.d/ipset save

You can also use --update_list and --exclude_list to name a list of sets, either to update only those or to update all except those in the list. Both take general section names, as given in the configuration file.

bin/iptables_manager.py --config custom_conf_files/example_config_14.cfg --update_sets --update_list "SET_SECTION_NAME_1" "SET_SECTION_NAME_2"

bin/iptables_manager.py --config custom_conf_files/example_config_14.cfg --update_sets --exclude_list "SET_SECTION_NAME_1" "SET_SECTION_NAME_2"

Deploy the ipset update like this:

bin/host_manager.py --config /root/cerndb-infra-firewall-tool/custom_conf_files/test_hosts.cfg --update_sets --deploy

bin/iptables_manager.py --config custom_conf_files/example_config_14.cfg --update_sets --update_list "SET_SECTION_NAME_1" "SET_SECTION_NAME_2" --deploy

bin/iptables_manager.py --config custom_conf_files/example_config_14.cfg --update_sets --exclude_list "SET_SECTION_NAME_1" "SET_SECTION_NAME_2" --deploy
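To make the "To be added / To be removed" report and the --update_list / --exclude_list filtering concrete, here is an added example in Python that is not the firewall tool's own code. It parses `ipset list` output for the live sets, diffs them against the configured members per section, filters by section name the way --update_list and --exclude_list do, and renders the resulting ipset commands. The live `ipset list` output and the DESIRED structure are constructed for this example; the tool's real configuration format is not shown on this page, so the section-name to set-name layout here is an assumption. It also shows the edge case that matters for such diffs: ipset stores hash:net members in canonical form, so a config entry written as 10.1.2.3/8 must not be reported as a change against a live 10.0.0.0/8.

```python
"""Plan an ipset-only update the way --update_sets reports it.

Added example, not the firewall tool's code. Diffs live set members
(from `ipset list`) against configured ones, honouring --update_list /
--exclude_list style filtering by section name. DESIRED's layout is an
assumption made for this example.
"""
import ipaddress

# Constructed sample of `ipset list` output on a host with two live sets.
LIVE_IPSET_LIST = """\
Name: static_cern_networks_v4
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
References: 1
Number of entries: 3
Members:
10.0.0.0/8
172.16.0.0/12
203.0.113.0/24

Name: static_cern_networks_v6
Type: hash:net
Header: family inet6 hashsize 1024 maxelem 65536
References: 1
Number of entries: 1
Members:
2001:1458::/32
"""

# Constructed desired state: section name -> set name -> members as written in a
# config. 10.1.2.3/8 is deliberately non-canonical; ipset stores it as 10.0.0.0/8.
DESIRED = {
    "static_cern_networks": {
        "static_cern_networks_v4": ["10.1.2.3/8", "172.16.0.0/12", "188.184.0.0/15"],
        "static_cern_networks_v6": ["2001:1458::/32", "2001:1459::/32"],
    },
    "monitoring_hosts": {  # hypothetical section, not live yet
        "monitoring_hosts_v4": ["192.0.2.10", "192.0.2.11/32"],
    },
}


def normalize(entry):
    """Canonical network form, matching how ipset stores hash:net members."""
    return str(ipaddress.ip_network(entry, strict=False))


def parse_ipset_list(text):
    """Return {set_name: {canonical members}} from `ipset list` output."""
    sets, current, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = set()
            in_members = False
        elif line == "Members:":
            in_members = True
        elif not line:
            in_members = False  # a blank line separates sets
        elif in_members and current is not None:
            sets[current].add(normalize(line.split()[0]))  # drop 'comment ...' / 'nomatch'
    return sets


def select_sections(desired, update_list=None, exclude_list=None):
    """Apply --update_list / --exclude_list semantics; reject unknown names loudly."""
    unknown = (set(update_list or []) | set(exclude_list or [])) - set(desired)
    if unknown:
        # A typo here would otherwise silently update nothing (or everything).
        raise ValueError(f"unknown section name(s): {sorted(unknown)}")
    chosen = list(update_list) if update_list else list(desired)
    return [s for s in chosen if s not in set(exclude_list or [])]


def plan_update(live, desired, update_list=None, exclude_list=None):
    """Return {set_name: (to_add, to_remove)} for the selected sections."""
    plan = {}
    for section in select_sections(desired, update_list, exclude_list):
        for set_name, entries in desired[section].items():
            wanted = {normalize(e) for e in entries}
            current = live.get(set_name, set())
            plan[set_name] = (sorted(wanted - current), sorted(current - wanted))
    return plan


def render_commands(plan, live, ipset="/usr/sbin/ipset"):
    """Turn a plan into ipset commands, creating sets that are not live yet."""
    cmds = []
    for set_name, (to_add, to_remove) in plan.items():
        if set_name not in live and to_add:
            family = "inet6" if ipaddress.ip_network(to_add[0]).version == 6 else "inet"
            cmds.append(f"{ipset} create {set_name} hash:net family {family}")
        cmds += [f"{ipset} add {set_name} {e}" for e in to_add]
        cmds += [f"{ipset} del {set_name} {e}" for e in to_remove]
    return cmds


if __name__ == "__main__":
    live = parse_ipset_list(LIVE_IPSET_LIST)
    for set_name, (add, rem) in plan_update(live, DESIRED).items():
        print(set_name, "To be added:", add, "To be removed:", rem)
```

Two design points carry over to the real tool's workflow: run the plan without deploying first and read the add/remove lists (an unexpectedly long "To be removed" list usually means a config section did not match this host), and treat an unknown section name in --update_list or --exclude_list as an error rather than a no-op, since a misspelled name quietly leaves the live sets unchanged.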