How do you manage your Linux iptables configuration on a machine acting as a router?
I use firehol combined with a web interface that I developed to manage the configuration file.
I really like firehol; it provides a simpler syntax than using iptables directly.
- You can use the firehol debug command to see exactly what iptables commands are generated.
- If you have an error in your configuration and you start the firewall, firehol detects the error and reverts to the previous state.
- Firehol has a 'try' command which you can use to start the firewall remotely: if your changes kill your connection, firehol will revert to the previous state; if you didn't kill your connection, it will ask you to confirm the change.
- Firehol has a large set of services pre-defined so you don't have to remember exactly what ports to open for some obscure protocol.
For RedHat and related OSs (and perhaps for others), you can use the script to create the firewall, and then
service iptables ... to handle it from there. This is what I do. When I change my iptables configuration, I use a script. Then I save it with
service iptables save
At this point, the machine will now always come up with the new rules. You can dump a brief version of your current rules with
service iptables status
We've used shorewall - "iptables made easy". A GUI is available via Webmin 1.060 and later.
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables, iptables-restore, ip and tc utilities, configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.
I can't see anything wrong with your method, assuming each machine has different rules.
The way I normally set up firewall rules is by entering them normally on the command line and then running iptables-save > /etc/iptables_rules. I'll then insert the following into /etc/network/if-pre-up.d/iptables so that when the network interface starts the rules are automatically imported.
#!/bin/bash
/sbin/iptables-restore < /etc/iptables_rules
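Both this answer and the RedHat answer above persist whatever iptables-save emits at the moment you run it (into /etc/iptables_rules, or via service iptables save), so a chain still at its default ACCEPT policy, a rule left over from debugging, or a truncated dump that iptables-restore would reject at boot gets carried into every restart. The script below is an added example, not code from any answer on this page or from the iptables project: a small POSIX sh check to run over the dump before saving it. The sample dump and the function names (check_commits, check_policies, check_blanket_accepts, lint_rules) are constructed for the example.

```shell
#!/bin/sh
# Added example: lint an iptables-save dump before persisting it.
# Pure POSIX sh + awk; runs offline on the constructed sample below.

# Constructed sample standing in for `iptables-save` output on a router.
# Two problems are planted: INPUT still defaults to ACCEPT, and an
# unconditional "-A INPUT -j ACCEPT" was left behind after debugging.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# check_commits DUMP: succeed only if every "*table" block is closed by a
# COMMIT. A truncated dump makes iptables-restore bail out, and a boot
# hook like if-pre-up.d would then leave the machine with no rules at all.
check_commits() {
    printf '%s\n' "$1" | awk '
        /^\*/     { open++ }
        /^COMMIT/ { closed++ }
        END       { exit (open > 0 && open == closed) ? 0 : 1 }'
}

# check_policies DUMP: print each filter chain (INPUT, FORWARD) whose
# default policy is ACCEPT. A router should default-deny on both.
check_policies() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:(INPUT|FORWARD) ACCEPT/ {
            sub(/^:/, "", $1); print $1
        }'
}

# check_blanket_accepts DUMP: print chains in the filter table that hold
# an ACCEPT rule with no match at all ("-A CHAIN -j ACCEPT").
check_blanket_accepts() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && NF == 4 &&
            $3 == "-j" && $4 == "ACCEPT" { print $2 }'
}

# lint_rules DUMP: run all checks, report findings, return 0 only if clean.
lint_rules() {
    rc=0
    if ! check_commits "$1"; then
        echo "ERROR: table without COMMIT; iptables-restore would reject this dump"
        rc=1
    fi
    for chain in $(check_policies "$1"); do
        echo "WARN: filter chain $chain has default policy ACCEPT"
        rc=1
    done
    for chain in $(check_blanket_accepts "$1"); do
        echo "WARN: unconditional ACCEPT rule in chain $chain"
        rc=1
    done
    return $rc
}

# Demo on the constructed sample. On a real box the pattern would be:
#   lint_rules "$(iptables-save)" && iptables-save > /etc/iptables_rules
lint_rules "$SAMPLE_RULES" || echo "Not saving: fix the rule set first"
```

The checks are deliberately conservative (they flag, they do not rewrite); the point is that the save step becomes a gate rather than a snapshot of whatever happens to be loaded.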
I've used Firewall Builder and I quite like it - it's a GUI program that's designed for managing firewall configurations, primarily on remote hosts which could be servers, routers, whatever. The interface looks a little intimidating at first but in my experience, it's worth the couple of hours or so it takes to figure it out. (And apparently they just recently released version 3 since I last checked, so quite possibly the GUI has gotten more intuitive)