IPtables Manager¶

iptables_manager.py

We use the argument –no_default_config so we can see only what we generated. In order to deploy the configuration use the –deploy argument. If you start the firewall for the first time is better to also apply the default config also.

Command usage:

bin/iptables_manager.py --help

usage: iptables_manager.py [-h] [--config CONFIG [CONFIG ...]]
                   [--no_default_config] [--allow] [--drop_all]
                   [--interface INTERFACE] [--update_sets]
                   [--update_list UPDATE_LIST [UPDATE_LIST ...]]
                   [--exclude_list EXCLUDE_LIST [EXCLUDE_LIST ...]]
                   [--deploy] [--generate_files] [--map_config_files]

optional arguments:
  -h, --help            show this help message and exit
  --config CONFIG [CONFIG ...]
                        Type the location of your config file to parse(absolut
                        path)
  --no_default_config   Apply default configuration from scratch
  --allow               Apply ACCEPT policy to everything
  --drop_all            Apply DROP policy to everything
  --interface INTERFACE
                        Type the name of nic card you want the default rules
                        to be applied for
  --update_sets         Update only the ipsets
  --update_list UPDATE_LIST [UPDATE_LIST ...]
                        Update only the specified ipsets: Use general section
                        names
  --exclude_list EXCLUDE_LIST [EXCLUDE_LIST ...]
                        Exclude these ipsets from update: Use general section
                        names
  --deploy              Deploy the configuration
  --generate_files      Generate iptables and ip6tables files
  --map_config_files    Generates dot language code in order to visualize host
                        file contents

Command usage:

bin/iptables_manager.py -h
usage: iptables_manager.py [-h] [--config CONFIG [CONFIG ...]]
                           [--no_default_config] [--allow] [--drop_all]
                           [--interface INTERFACE] [--update_sets] [--deploy]
                           [--generate_files]

optional arguments:
  -h, --help            show this help message and exit
  --config CONFIG [CONFIG ...]
                        Type the location of your config file to parse(absolut
                        path)
  --no_default_config   Apply default configuration from scratch
  --allow               Apply ACCEPT policy to everything
  --drop_all            Apply DROP policy to everything
  --interface INTERFACE
                        Type the name of nic card you want the default rules
                        to be applied for
  --update_sets         Update only the ipsets
  --deploy              Deploy the configuration
  --generate_files      Generate iptables and ip6tables files

Check what we will apply.

bin/iptables_manager.py --no_default_config --config custom_conf_files/example_config_14.cfg

Set type is:  hash:ip
/usr/sbin/ipset create admin_workstations_x_v4 hash:ip family inet hashsize 1024 maxelem 65536
Set  admin_workstations_x_v4  created
/usr/sbin/ipset add admin_workstations_x_v4 128.142.159.200
/usr/sbin/ipset add admin_workstations_x_v4 188.184.88.15
/usr/sbin/ipset add admin_workstations_x_v4 188.184.92.172
/usr/sbin/ipset add admin_workstations_x_v4 10.18.16.58
/usr/sbin/ipset add admin_workstations_x_v4 128.142.147.69
/usr/sbin/ipset add admin_workstations_x_v4 188.184.90.241
/usr/sbin/ipset add admin_workstations_x_v4 188.184.92.51
/usr/sbin/ipset add admin_workstations_x_v4 188.184.92.181
/usr/sbin/ipset add admin_workstations_x_v4 188.184.94.26
/usr/sbin/ipset add admin_workstations_x_v4 188.184.92.253
/usr/sbin/ipset add admin_workstations_x_v4 188.184.90.205
/usr/sbin/ipset add admin_workstations_x_v4 188.184.90.217
/usr/sbin/ipset add admin_workstations_x_v4 188.184.92.114
/usr/sbin/ipset add admin_workstations_x_v4 188.184.92.101
/usr/sbin/ipset add admin_workstations_x_v4 188.184.90.55
/usr/sbin/ipset add admin_workstations_x_v4 188.184.91.95
/usr/sbin/ipset add admin_workstations_x_v4 188.184.92.218
/usr/sbin/ipset add admin_workstations_x_v4 188.184.91.164
/usr/sbin/ipset add admin_workstations_x_v4 128.142.153.55
admin_workstations_x_v4
Script  ['test_nets_v4.sh']  not in system path
Trying herlpers: /root/linux-firewall/helpers/test_nets_v4.sh
['100.64.0.0/10', '192.91.242.0/24', '188.184.0.0/15']
Set type is:  hash:net
/usr/sbin/ipset create static_dns_servers4_v4 hash:net family inet hashsize 1024 maxelem 65536
Set  static_dns_servers4_v4  created
/usr/sbin/ipset add static_dns_servers4_v4 100.64.0.0/10
/usr/sbin/ipset add static_dns_servers4_v4 188.184.0.0/15
/usr/sbin/ipset add static_dns_servers4_v4 192.91.242.0/24
static_dns_servers4_v4
Script  ['test_nets_v6.sh']  not in system path
Trying herlpers: /root/linux-firewall/helpers/test_nets_v6.sh
['2001:1458::/32', 'FD01:1459::/32']
Set type is:  hash:net
/usr/sbin/ipset create static_dns_servers4_v6 hash:net family inet6 hashsize 1024 maxelem 65536
Set  static_dns_servers4_v6  created
/usr/sbin/ipset add static_dns_servers4_v6 2001:1458::/32
/usr/sbin/ipset add static_dns_servers4_v6 FD01:1459::/32
static_dns_servers4_v6
/etc/init.d/ipset save

######### USER DEFINED FIREWALL RULES #########
/sbin/iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -m set --match-set admin_workstations_x_v4 src -j ACCEPT -m comment --comment essential_services
/sbin/iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,50 -m set --match-set admin_workstations_x_v4 dst -j ACCEPT -m comment --comment essential_services
/sbin/iptables -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m set --match-set static_dns_servers4_v4 src -j ACCEPT -m comment --comment access_outgoing_ports_tcp
/sbin/iptables -A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m set --match-set static_dns_servers4_v4 src -j ACCEPT -m comment --comment access_outgoing_ports_tcp
/sbin/iptables -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m set --match-set static_dns_servers4_v4 dst -j ACCEPT -m comment --comment access_outgoing_ports_tcp
/sbin/iptables -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m set --match-set static_dns_servers4_v4 dst -j ACCEPT -m comment --comment access_outgoing_ports_tcp
/sbin/ip6tables -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m set --match-set static_dns_servers4_v6 src -j ACCEPT -m comment --comment access_outgoing_ports_tcp
/sbin/ip6tables -A INPUT -i eth0 -p udp -m state --state NEW,ESTABLISHED -m set --match-set static_dns_servers4_v6 src -j ACCEPT -m comment --comment access_outgoing_ports_tcp
/sbin/ip6tables -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m set --match-set static_dns_servers4_v6 dst -j ACCEPT -m comment --comment access_outgoing_ports_tcp
/sbin/ip6tables -A OUTPUT -o eth0 -p udp -m state --state ESTABLISHED -m set --match-set static_dns_servers4_v6 dst -j ACCEPT -m comment --comment access_outgoing_ports_tcp
######### USER DEFINED FIREWALL RULES #########

This way we deploy the configuration. On each deploy is better not to specify the –no_default_config so the default rules apply. It cleans also everything and the ipsets so you have a clean deploy from scratch.

If you are absolutely certain that you applied the default before and just want what you defined then use the argument

Like this we deploy the configuration

bin/iptables_manager.py --config custom_conf_files/example_config_14.cfg --deploy

If you have a running firewall and just want to update ipsets that are in use you have to use the –update_sets argument.

bin/iptables_manager.py --config custom_conf_files/example_config_14.cfg --update_sets

UPDATE IPsets ONLY
Set type is:  hash:ip
admin_workstations_x_v4

To be added:  []

To be removed:  []

0 ['admin_workstations_x']
Script  ['test_nets_v4.sh']  not in system path
Trying herlpers: /root/linux-firewall/helpers/test_nets_v4.sh
['100.64.0.0/10', '192.91.242.0/24', '188.184.0.0/15']
Set type is:  hash:net
static_dns_servers4_v4

To be added:  []

To be removed:  []

0 ['static_dns_servers4']
Script  ['test_nets_v6.sh']  not in system path
Trying herlpers: /root/linux-firewall/helpers/test_nets_v6.sh
['2001:1458::/32', 'FD01:1459::/32']
Set type is:  hash:net
static_dns_servers4_v6

To be added:  ['FD01:1459::/32']

To be removed:  ['fd01:1459::/32']

/usr/sbin/ipset  add  static_dns_servers4_v6   FD01:1459::/32
/usr/sbin/ipset  del  static_dns_servers4_v6   fd01:1459::/32
0 ['static_dns_servers4']
/etc/init.d/ipset save

You can also use –update_list and –exclude_list so to define a list of sets, to either update those only or update all except those in the list.

bin/iptables_manager.py --config custom_conf_files/example_config_14.cfg --update_sets --update_list "SET_SECTION_NAME_1" "SET_SECTION_NAME_2"

bin/iptables_manager.py --config custom_conf_files/example_config_14.cfg --update_sets --exclude_list "SET_SECTION_NAME_1" "SET_SECTION_NAME_2"

Like this we deploy the update of the ipsets

bin/iptables_manager.py --config custom_conf_files/example_config_14.cfg --update_sets --deploy

bin/iptables_manager.py --config custom_conf_files/example_config_14.cfg --update_sets --update_list "SET_SECTION_NAME_1" "SET_SECTION_NAME_2" --deploy

bin/iptables_manager.py --config custom_conf_files/example_config_14.cfg --update_sets --exclude_list "SET_SECTION_NAME_1" "SET_SECTION_NAME_2" --deploy

IPtables Manager¶

Related Topics

This Page