Alejandro <elcorreodeale <at> gmail.com> writes:

> I use APF for all my desktops/servers with Debian and Gentoo,
> it is quite easy and works great. In 10' you have iptables running.

Interesting. I usually hack my rules by hand, as I like to learn
as much about iptables and the ever-changing kernel interaction
issues. Particularly, I'm experimenting with embedded and very
lightweight firewall hardware (586 processors).

Do you think APF will allow me to use its front end (GUI) to build
the raw iptables files and then go into them manually, make
edits and changes, and load them manually onto a variety of
lightweight Linux servers and firewalls?

Most of the front-end (GUI) systems to iptables do not simply write
out the rules one needs. The /var/lib/iptables/rules-save file
contains a form of the rules, or better yet, is there a front end
that just generates raw rules in iptables format that I can read
and add to my /etc script?

The first few rules in /var/lib/iptables/rules-save look like this:

:INPUT DROP [44:2925]
:FORWARD ACCEPT [117727109:41814106432]
:OUTPUT ACCEPT [75971:11854908]
[8913:443731] -A INPUT -p tcp -m tcp --dport 445 -j DROP
[2629:133240] -A INPUT -p tcp -m tcp --dport 139 -j DROP
[9578:481396] -A INPUT -p tcp -m tcp --dport 135 -j DROP
[1174:49600] -A INPUT -p tcp -m tcp --dport 1433 -j DROP
[23160:1195298] -A INPUT -p tcp -m tcp --dport 25 -j DROP
[198:9532] -A INPUT -p tcp -m tcp --dport 4899 -j DROP
[160198:18547126] -A INPUT -i ! eth2 -j ACCEPT

The corresponding rules from my script look like this:

iptables="/sbin/iptables"
# reset the filter table to an open state before loading rules
$iptables -F
$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD DROP
$iptables -X
# flush and delete user chains in every table, then reset all policies
$iptables --flush
$iptables -t nat --flush
$iptables -t mangle --flush
$iptables -X
$iptables -t nat -X
$iptables -t mangle -X
$iptables --policy INPUT ACCEPT
$iptables --policy OUTPUT ACCEPT
$iptables --policy FORWARD ACCEPT
$iptables -t nat --policy PREROUTING ACCEPT
$iptables -t nat --policy OUTPUT ACCEPT
$iptables -t nat --policy POSTROUTING ACCEPT
$iptables -t mangle --policy PREROUTING ACCEPT
$iptables -t mangle --policy OUTPUT ACCEPT

I'm looking for a GUI front end to iptables that generates
the rules in a format you can put directly into a script.

Does APF do this?

Any other package?

James
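The conversion James is asking for can be done without any particular front end, because every front end that saves its state through iptables-save produces the same format as /var/lib/iptables/rules-save. The following is an added example, not code from James's message nor from APF: a small Python converter that reads that format (including the [pkts:bytes] counters that `iptables-save -c` writes) and emits a shell script of explicit `$iptables` calls in the style of the hand-written script above. The sample input is constructed to mirror the excerpt; the LOGDROP user-defined chain and the `var` parameter are assumptions added to show how user chains and the variable name are handled. It also rewrites the old `-i ! eth2` negation into the `! -i eth2` spelling that current iptables accepts and emits.

```python
"""Turn iptables-save output into a script of explicit $iptables calls.

Added example, not code from the original message or from APF.  It reads
the format found in /var/lib/iptables/rules-save (what `iptables-save -c`
writes) and emits one shell command per chain policy, user chain and rule.
"""
import re

# "[pkts:bytes] " counter prefix that iptables-save -c puts on every rule line.
_COUNTER = re.compile(r"^\[\d+:\d+\]\s*")
# Old-style negation as in "-i ! eth2"; current iptables spells it "! -i eth2".
_OLD_NEG = re.compile(r"(?<!\S)(-[iospd]) ! (\S+)")

# Constructed sample input, modelled on the rules-save excerpt in the message.
# The LOGDROP user chain is an assumption, added to exercise the -N handling.
SAMPLE_RULES_SAVE = """\
# constructed sample in iptables-save -c format
*filter
:INPUT DROP [44:2925]
:FORWARD ACCEPT [117727109:41814106432]
:OUTPUT ACCEPT [75971:11854908]
:LOGDROP - [0:0]
[8913:443731] -A INPUT -p tcp -m tcp --dport 445 -j DROP
[2629:133240] -A INPUT -p tcp -m tcp --dport 139 -j DROP
[160198:18547126] -A INPUT -i ! eth2 -j ACCEPT
[0:0] -A INPUT -j LOGDROP
[0:0] -A LOGDROP -j LOG --log-prefix "dropped: "
[0:0] -A LOGDROP -j DROP
COMMIT
"""


def rules_save_to_script(saved: str, var: str = "iptables") -> str:
    """Return a /bin/sh script approximating `iptables-restore < saved`.

    Built-in chain policies are held back until the table's COMMIT so they
    are applied only after the rules exist: a DROP policy on a freshly
    flushed INPUT chain would otherwise cut off a remote session mid-script.
    """
    out = ["#!/bin/sh", f'{var}="/sbin/{var}"', ""]
    table = None
    policies = []  # "-P" commands deferred until COMMIT

    for raw in saved.splitlines():
        line = _COUNTER.sub("", raw.strip())
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                  # table header, e.g. *filter
            table = line[1:]
            out += [f"# table {table}", f"${var} -t {table} -F", f"${var} -t {table} -X"]
            continue
        if line == "COMMIT":
            out += policies + [""]
            policies = []
            table = None
            continue
        if table is None:
            raise ValueError(f"rule outside a *table/COMMIT block: {raw!r}")
        if line.startswith(":"):                  # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            if policy == "-":                     # user-defined chain
                out.append(f"${var} -t {table} -N {chain}")
            else:                                 # built-in chain with a policy
                policies.append(f"${var} -t {table} -P {chain} {policy}")
            continue
        if line.startswith("-A "):                # a rule: keep it verbatim
            rule = _OLD_NEG.sub(r"! \1 \2", line)
            out.append(f"${var} -t {table} {rule}")
            continue
        raise ValueError(f"unrecognised iptables-save line: {raw!r}")

    if table is not None:                          # input ended without COMMIT
        out += policies
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(rules_save_to_script(SAMPLE_RULES_SAVE), end="")
```

Run it against a real `iptables-save -c` dump (`iptables-save -c | python3 convert.py` with a small wrapper, or by pasting the dump into `SAMPLE_RULES_SAVE`) and the output is a script that can be edited by hand and shipped to the lightweight boxes. One caveat worth keeping in mind: `iptables-restore` replaces a whole table atomically, while a script of individual commands does not, so there is always a short window with the chain flushed; deferring the `-P` lines to the end keeps that window from locking out a remote session, but a console or a scheduled rollback is still the safe way to test on a box you cannot reach physically.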