This package is a set of scripts to manage iptables rules. It is inspired by the method apache2 uses to manage sites on Debian systems: one folder of available rules, which get symlinked into a folder of enabled rules.
Requires root access and iptables.
In /etc/iptables/rules-available you have all the available rules, with names you can understand and remember easily. You then run the ipenrule command with the rule name as an argument and it will symlink the rule from the rules-available folder into /etc/iptables/rules-enabled. You then need to run iprules reload to build the iptables script (in /etc/iptables.rules) and load it into iptables. You can use ipdisrule in the same manner to disable a rule.
It also uses a policy file (found in /etc/iptables/policy.rules) to drop or accept by default (you likely want the former).
I have built a Debian package you can get from here (v1.1).
Otherwise you will have to clone this repo and install it manually. It's pretty straightforward: just copy all the folders (except for DEBIAN) to / and then run the
Here is how you would give access to your webserver and allow it to be pinged:
    ipenrule http-in
    ipenrule ping-in
    iprules reload
Piece of pie.
Drop everything except for incoming SSH packets:
    ipenrule ssh-in
    ippol drop
    iprules reload
Easy as cake.
You will probably want to do this by default:
    ipenrule loopback http-out https-out dns-out ping-out ssh-out ssh-in
    ippol drop
    iprules reload
You can view the iptables rules before you reload them:
Disable access to your webserver:
    ipdisrule http-in https-in
    iprules reload
I have omitted the script output for brevity above, but it will let you know stuff:
    $ ipenrule http-out hsdsd ssh-in dns-out
    Must be root.
    $ sudo ipenrule http-out hsdsd ssh-in dns-out
    http-out rules enabled
    ERROR: No such rule called: hsdsd
    ssh-in rules enabled
    dns-out rules enabled
    Remember to run 'iprules reload' to activate the configuration.
    $ sudo ippol drop
    WARNING: be sure remote access is allowed (if needed) before reloading
    Remember to run 'iprules reload' to activate the configuration.
    $ sudo iprules reload
    Rebuilt rules file.
    Reloaded rules.
Check out what rules are available...
    $ sudo iprules av[ail]
    dns-out http-in http-out loopback synflood-protect
And what's enabled...
    $ sudo iprules en[abled]
    dns-out http-out loopback
You can see the list of rules in the share folder in the source. If you have ideas for new ones, or see errors in the existing ones, submit a patch or pull request and I will add them in.
As above, you can also run iprules avail to see what rules are installed.
You most certainly can. IPrules makes it easy to manage your iptables rules... if you know the iptables syntax... but you know how to use Google, right?
Just make your own file in /etc/iptables/rules-available (as root) and then you can use ipdisrule on it. If you change it when it's already enabled, simply run iprules reload again.
If you make an error in the syntax, iptables won't accept it and the reload will fail.
If you put comments in the file, they will be printed out when the rule is enabled:
    $ ipenrule synflood-protect
    Notes from synflood-protect rules:
    * need to set net.ipv4.tcp_syncookies=1 in /etc/sysctl.conf
    * need to set net.netfilter.nf_conntrack_tcp_timeout_syn_recv=30 in /etc/sysctl.conf
    synflood-protect rules enabled
    Remember to run 'iprules reload' to activate the configuration.
If you have the package iptables-persistent installed on Debian, it will already do this. RPM-based distros should do this out of the box but may use the file /etc/sysconfig/iptables instead. So delete that file and make a symlink to the rules file (ln -s /etc/iptables.rules /etc/sysconfig/iptables).
If neither of these is the case, you can just add this line to
    `which iptables-restore` < /etc/iptables.rules;
Be very careful using the default drop policy (ippol drop) with remote systems. If you have not allowed SSH in then you will lock yourself out!
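The following is an added example, not part of IPrules and not the project's own scripts: a small POSIX shell model of the mechanism this README describes (an available-rules folder, symlinks in an enabled-rules folder, a policy file, and a build step that turns them into one rules file), plus the two behaviours mentioned above, printing a rule's comment lines when it is enabled and warning before a DROP policy is built with no SSH rule enabled. It assumes (these are my assumptions, not stated by the page) that rule files hold iptables-restore style lines such as "-A INPUT -p tcp --dport 22 -j ACCEPT", that comment lines start with "#", and that the policy file contains the single word DROP or ACCEPT. It works in a temporary directory standing in for /etc/iptables and never calls iptables, so it runs unprivileged and offline; the sample rule files it creates are constructed for the demo and are not the project's shipped rules.

```shell
#!/bin/sh
# Added example: a minimal model of rules-available / rules-enabled / policy.
# Not the IPrules project's code; rule-file format and policy-file format are
# assumptions (see lead-in). Nothing here touches the real iptables.
set -eu

# Sandbox directory standing in for /etc/iptables so the demo runs offline.
BASE="${BASE:-$(mktemp -d)}"
AVAIL="$BASE/rules-available"
ENABLED="$BASE/rules-enabled"
POLICY="$BASE/policy.rules"
OUT="$BASE/iptables.rules"

# Constructed sample rule files (not the project's shipped rules).
make_sample_rules() {
    mkdir -p "$AVAIL" "$ENABLED"
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' > "$AVAIL/loopback"
    printf '%s\n' '# keep this enabled before switching the policy to DROP on a remote box' \
                  '-A INPUT -p tcp --dport 22 -j ACCEPT' > "$AVAIL/ssh-in"
    printf '%s\n' '-A INPUT -p tcp --dport 80 -j ACCEPT' > "$AVAIL/http-in"
}

# Print the '#' comment lines of an available rule as notes, as ipenrule does.
rule_notes() {
    grep '^#' "$AVAIL/$1" | sed 's/^# */  * /' || true
}

# Like ipenrule: symlink each named rule into rules-enabled, report unknown names.
enable_rule() {
    for name in "$@"; do
        if [ -f "$AVAIL/$name" ]; then
            ln -sf "$AVAIL/$name" "$ENABLED/$name"
            rule_notes "$name"
            echo "$name rules enabled"
        else
            echo "ERROR: No such rule called: $name" >&2
        fi
    done
}

# Like ipdisrule: remove the symlink; the available rule file is untouched.
disable_rule() {
    for name in "$@"; do rm -f "$ENABLED/$name"; done
}

# Like ippol: record the default policy (DROP or ACCEPT).
set_policy() {
    echo "$1" > "$POLICY"
}

# Guard for the lock-out warned about in the README: with a DROP default policy,
# refuse silently only if some enabled rule still accepts TCP port 22.
check_remote_access() {
    policy=$(cat "$POLICY" 2>/dev/null || echo ACCEPT)
    [ "$policy" = DROP ] || return 0
    if grep -qsE -- '--dport 22([^0-9]|$)' "$ENABLED"/*; then
        return 0
    fi
    echo "WARNING: policy is DROP and no enabled rule accepts SSH (port 22); a remote reload would lock you out" >&2
    return 1
}

# The build step of iprules reload: one iptables-restore file from policy +
# enabled rules, comment and blank lines dropped (they are notes, not rules).
build_rules() {
    policy=$(cat "$POLICY" 2>/dev/null || echo ACCEPT)
    {
        echo '*filter'
        echo ":INPUT $policy [0:0]"
        echo ":FORWARD $policy [0:0]"
        echo ":OUTPUT $policy [0:0]"
        for link in "$ENABLED"/*; do
            [ -e "$link" ] || continue
            grep -v '^[[:space:]]*#' "$link" | grep -v '^[[:space:]]*$' || true
        done
        echo COMMIT
    } > "$OUT"
    echo "Rebuilt rules file."
}

# Demo run: enable three rules (and one typo), set DROP, check, build, show.
make_sample_rules
enable_rule loopback ssh-in http-in nosuchrule
set_policy DROP
check_remote_access
build_rules
cat "$OUT"
```

On a real system the file this produces would be handed to iptables-restore, which is exactly the step the README's persistence line performs; the check before the build is the place to put the "are you sure you still have SSH in" warning the tool prints.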
- add a /etc/iptables/envvars file so you can specify variables to use in the rule files.
- specify priorities in the enable script e.g.
- add more rules!
- some kind of port forwarding command maybe...?