Focus on Linux
Re: Syncing iptables rules between two servers Apr 12 2006 03:13PM
Lars Solberg (sunberg gmail com)
Thanks for all the answers!
I've started making a script for doing this in bash (yeah, not perl!).
The script will first collect all the iptables-save from a couple of
servers, sort out duplicates, sort out IPs that are whitelisted (if
any) and then dist the rules with ssh and public key and the ssh
command= option and finally restart iptables around if the rules have
changed (it makes an md5 sum of the fw rules and checks if it's
changed..)

Again, thanks! :=)

--
Lars

On 4/11/06, Hayes, Ian <Ian.Hayes (at) wynnlasvegas (dot) com [email concealed]> wrote:
> > -----Original Message-----
> > From: Lars Solberg [mailto:sunberg (at) gmail (dot) com [email concealed]]
> > Sent: Saturday, April 08, 2006 3:26 PM
> > To: focus-linux (at) securityfocus (dot) com [email concealed]; security-basics (at) securityfocus (dot) com [email concealed]
> > Subject: Syncing iptables rules between two servers
> >
> > Hi
> >
> > Is there anyone that knows about how I can "sync" iptables rules on two
> > different servers? The plan is to have (on one of the servers) a
> > script that automatically blocks IP addresses with iptables depending on
> > different conditions. When that IP address is blocked I want it to
> > automatically be blocked on another server too.
> >
> > One idea is to change the script that is adding the block rule to
> > iptables to make it so it can send the rule to the other server, but
> > this is not an option, the iptables rules must be synced after the
> > iptables rule has been added.
> > Another idea is to get iptables to use an SQL database of some
> > sort to load the rules, but I don't know how, and this would be
> > somehow ruining the whole thing of having a firewall if you make it
> > dependent on an SQL server (I think).. But after all, if this is possible
> > this is an option.
> >
> > Any ideas?
> > Hope someone can help out..
>
> Iptables-save and restore, or you can go super-cool and use dsh
>
>
> Ian Hayes | Senior Systems Engineer
> Wynn Las Vegas
> 3131 South Las Vegas Blvd, Las Vegas, NV 89109
> Ph (702) 770-3252 | Cell (702) 266-6002
> Ian.hayes (at) wynnlasvegas (dot) com [email concealed]
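
The merge and change-detection steps Lars describes at the top of this message, as an added example that is not the script from the thread. It assumes blocks are plain "-A INPUT -s <ipv4> -j DROP" rules and that the whitelist is a file with one IP per line; the function names and sample addresses are made up, and the ssh distribution step is left out.

```bash
#!/bin/bash
# Added example. Assumed (not from the post): blocks are rules of the form
# "-A INPUT -s <ipv4> -j DROP"; the whitelist file holds one IP per line.

# merge_blocks WHITELIST DUMP... : union of block rules, minus whitelisted IPs.
merge_blocks() {
    whitelist=$1; shift
    awk -v wl="$whitelist" '
        BEGIN { while ((getline ip < wl) > 0) if (ip != "") allow[ip] = 1 }
        NF == 6 && $1 == "-A" && $2 == "INPUT" && $3 == "-s" && $5 == "-j" && $6 == "DROP" {
            src = $4; sub(/\/32$/, "", src)   # "1.2.3.4" and "1.2.3.4/32" are one rule
            # Take only plain IPv4 sources; nothing else from a peer is replayed.
            if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (src in allow) next
            print "-A INPUT -s " src "/32 -j DROP"
        }' "$@" | sort -u
}

# rules_digest: checksum of stdin (md5sum as in the post, cksum as fallback).
rules_digest() {
    if command -v md5sum >/dev/null 2>&1; then md5sum; else cksum; fi | cut -d' ' -f1
}

# needs_reload RULES STATE: true, and records the digest, if RULES changed.
needs_reload() {
    new=$(rules_digest < "$1")
    old=$(cat "$2" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    printf '%s\n' "$new" > "$2"
}

# Constructed sample data: two iptables-save excerpts and a whitelist.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -s 192.0.2.10/32 -j DROP' \
        '-A INPUT -s 198.51.100.7/32 -j DROP' 'COMMIT' > "$d/a.rules"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -s 192.0.2.10 -j DROP' \
        '-A INPUT -s 203.0.113.5/32 -j DROP' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT' > "$d/b.rules"
    echo '203.0.113.5' > "$d/whitelist"
    echo "$d"
}

d=$(make_samples)
merge_blocks "$d/whitelist" "$d/a.rules" "$d/b.rules" > "$d/merged"
cat "$d/merged"
if needs_reload "$d/merged" "$d/last.md5"; then echo "changed: reload rules"; fi
```

Only lines matching the expected block-rule shape are taken from a peer's dump, so a modified dump on one server cannot introduce ACCEPT rules or other options on the others.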

Copyright 2010, SecurityFocus