Focus on Linux
ANNOUNCE: New iptables(8) firewall script release, many new features Oct 19 2008 02:33PM
TJ Easter (tjeaster gmail com)
Note to Mods: If this is considered SPAM, please drop it in the
bit-bucket. This appeared to me to be acceptable according to the FAQ
for the list.

Hello all!

A week or so ago I added several new features to my firewall script
that I had been considering. This brings me to release 1.8.2.
The script is for Linux systems only, using the netfilter/iptables
tools to create a secure firewall for almost any situation. This
newest release brings many new levels of flexibility and customization.
The initial purpose of this firewall script was to be able to create a
secure ruleset from the very beginning, and then to allow easy addition
of rules to manage services in an obvious way. I believe that by
naming a file something like /etc/firewall/tcp.ssh, and adding one
subnet/host per line, I make it fairly straightforward to build a
ruleset, even with minimal experience.

A quick rundown on features is as follows:
- All services configurable via flat text files, such as tcp.ssh, one
subnet/host per line
- Ability to add "deny" entries from service files by prefixing
subnet/host with a !
- Ability to let non-root users to manage rules, setup information is
in the README
- Stateful firewall, allows outbound-connection-related packets (ICMP
host-unreach, time-exceeded, TCP RST, etc) back in automatically
- A secure, "deny all except what's explicitly allowed" default configuration
- Ability to allow/deny any packets from a subnet/host (use of this is
- Simple masquerading configuration by adding subnet/hosts to "masquerade" file
- Ability to set up TCP and UDP port-forwarding, details in the README
- Configuration variables such as $FWCONF, where the service files are
located, can be set in /etc/sysconfig/network
- A "status" and "running" parameter that shows the firewall status
and running ruleset, respectively
- Rate-limits control the amount of outbound replies to minimize
damage in a DoS or reflective DoS
- Rate-limits control the number of entries that get logged per second
to mitigate overloading the syslog system
- All files/scripts are distro-agnostic
- Use of $FWCONF/rc.local.{nat,rules} to allow advanced users the
ability to write their own rules, or manipulate the automatically
generated rules.

For complete details, see the README file available at:

Release 1.8.2 can be found here:

As always, I welcome all comments, questions, complaints, flames, cash
donations, etc. Please CC me on
all replies as I have not been on the focus-linux list for some time
now. Thanks!


TJ Easter
"Being a humanist means trying to behave decently without expectation
of rewards or punishment after you are dead." -- Kurt Vonnegut, 1922-2007
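As an added illustration of the flat-file approach described in the announcement (this is not the announced script, and the directory default, file naming and rule layout are assumptions), the following POSIX sh snippet reads files named like tcp.ssh from $FWCONF, one subnet/host per line with a leading "!" meaning deny, and prints a stateful deny-by-default ruleset with rate-limited logging instead of applying it, so it can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example, not the announced firewall script. Rules are printed, not
# applied, so the generated ruleset can be inspected first.
FWCONF="${FWCONF:-/etc/firewall}"   # assumed default location of service files

# Resolve a service name to a port: digits pass through, names go via getent.
service_port() {
    case $2 in
        *[!0-9]*) getent services "$2/$1" 2>/dev/null | awk '{split($2,a,"/"); print a[1]}' ;;
        *) echo "$2" ;;
    esac
}

# Emit rules for one file $FWCONF/<proto>.<name>. Comments and blank lines
# are ignored; "!" entries become DROP rules and are printed first so that a
# deny always wins over a broader allow for the same port.
service_rules() {
    proto=$1; name=$2; file=$3
    port=$(service_port "$proto" "$name")
    [ -n "$port" ] || { echo "unknown service $name/$proto" >&2; return 1; }
    entries=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$file")
    printf '%s\n' "$entries" | grep '^!' | while read -r e; do
        [ -n "$e" ] || continue
        echo "iptables -A INPUT -p $proto -s ${e#!} --dport $port -j DROP"
    done
    printf '%s\n' "$entries" | grep -v '^!' | while read -r e; do
        [ -n "$e" ] || continue
        echo "iptables -A INPUT -p $proto -s $e --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Deny-by-default INPUT chain: loopback and replies to our own connections
# (ESTABLISHED,RELATED covers ICMP errors and TCP RST) are accepted, then one
# rule per service-file entry, then a rate-limited LOG so a flood of drops
# cannot swamp syslog. Constructed defaults: 5 log entries/s, burst 10.
build_ruleset() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for f in "$FWCONF"/tcp.* "$FWCONF"/udp.*; do
        [ -f "$f" ] || continue
        b=${f##*/}
        service_rules "${b%%.*}" "${b#*.}" "$f"
    done
    echo "iptables -A INPUT -m limit --limit 5/s --limit-burst 10 -j LOG --log-prefix 'FW-DROP: '"
}

# Stand-alone use: ./fwgen.sh print   (apply with: ./fwgen.sh print | sh, as root)
if [ "${1:-}" = print ]; then build_ruleset; fi
```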



Copyright 2010, SecurityFocus