Iptables – Manage multiple iptables files with rules

Tags: arch-linux, iptables

My use case is that I deploy arch-linux servers with different services running depending on customer requirements. The services are application specific, running on custom ports, but for the argument let's say it's FTP, WEB and WEB SSL that can be used, in any combination.

For each service I have a custom package that installs that specific service and to make it easy I would like the package to also install an iptables rule making it possible to use the service.

So, by default I want to have a rule that denies everything except SSH. Then when I install for example the WEB package I want that package to install a file containing a rule to open port 80. The FTP package port 21 and so on.

However, I can only see that iptables has built-in support for one file in total via the iptables-restore/save utilities.

I could write my own utility that reads several files and manually interacts with iptables. But I feel that this must be a "common enough" use case and that such a utility surely must exist. However, my google skills did not do me any good this time 🙂

Basically what I want is to have a folder, say /etc/iptables.d, where I can place files 15-http, 10-ftp, 20-ssl, etc., where the files and their rules are applied according to the number in the file name.
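The directory layout asked for above is not something iptables provides, but it takes very little shell to assemble it yourself. The script below is an added example, not part of the original post or of any distribution package: it reads numbered fragments from a hypothetical /etc/iptables.d, prepends a base policy that drops everything except loopback, established connections and SSH, and emits one ruleset in iptables-restore format. Fragment names, the base rules and the output path are assumptions for the example.

```sh
#!/bin/sh
# Added example: assemble an iptables-restore ruleset from numbered fragments.
# Assumed layout (hypothetical, not an iptables feature):
#   - fragments such as 10-ftp, 15-http, 20-ssl in one directory, each holding
#     bare filter-table rules like "-A INPUT -p tcp --dport 80 -j ACCEPT";
#     '#' lines and blank lines are ignored, anything else is reported and skipped
#   - fragments are applied in lexical order of their two-digit prefix
#   - the base policy drops everything except loopback, established flows and SSH

build_ruleset() {
    dir="$1"
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n'
    printf ':FORWARD DROP [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -p tcp --dport 22 -j ACCEPT\n'
    # Base rules come first; fragments only need to ACCEPT the port they
    # install, the INPUT DROP policy already covers everything else.
    for f in "$dir"/[0-9][0-9]-*; do
        [ -f "$f" ] || continue
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" |
        while IFS= read -r line; do
            case "$line" in
                -A\ *|-I\ *) printf '%s\n' "$line" ;;
                *) printf 'skipping malformed line in %s: %s\n' "$f" "$line" >&2 ;;
            esac
        done
    done
    printf 'COMMIT\n'
}

# Usage (paths are the ones Arch's iptables.service reads; review the file first):
#   build_ruleset /etc/iptables.d > /etc/iptables/iptables.rules
#   iptables-restore --test /etc/iptables/iptables.rules   # parse only, no change
#   iptables-restore /etc/iptables/iptables.rules
```

Each package then only has to ship its own fragment and re-run the assembler from its post-install hook. Keeping the base DROP policy in the assembler rather than in a fragment means a missing or mis-numbered fragment can only leave a port closed, never open.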

Best Answer

You could install ufw on your devices. It has support for defining apps through configuration files (you tell it which ports to open in the file) and then you can enable them (make the firewall take it into account) by running a command.

Make your packages depend on ufw, drop a file in /etc/ufw/applications.d and then using a post-install hook run ufw allow <app name> to enable the rules.

Shorewall seems to be an even more advanced front-end for iptables and I'm sure it would support what you are trying to do. I recommend you check out its documentation and see if it would be a better fit.
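To make the ufw suggestion concrete, here is an added example (not from the answer above and not part of ufw or any Arch package) of the two pieces a package would ship: the application profile that goes in /etc/ufw/applications.d, and the Arch `.install` hooks that enable and remove the rule. The package name `web-service`, the profile name `WebService` and the ports are assumptions for the example.

```sh
#!/bin/sh
# Added example: ufw application profile plus Arch .install hooks.
# Assumptions: hypothetical package "web-service" listening on 80 and 443,
# profile name "WebService", profile file /etc/ufw/applications.d/web-service.

# ufw profiles are INI-like: one [Section] per profile with title, description
# and ports keys. ports lists "port[,port]/proto" and separates protocols with
# "|", e.g. "21/tcp|5060/udp". This function renders the file the package ships.
render_ufw_profile() {
    name="$1"; title="$2"; desc="$3"; ports="$4"
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
        "$name" "$title" "$desc" "$ports"
}

# Arch runs post_install from the package's .install file after the files,
# including the profile, have been unpacked. The profile was packaged as:
#   render_ufw_profile WebService "Web service" "HTTP and HTTPS" "80,443/tcp"
post_install() {
    if command -v ufw >/dev/null 2>&1; then
        ufw app update WebService   # make ufw re-read the new profile
        ufw allow WebService        # opens only the ports the profile lists
    else
        echo "ufw not installed; profile shipped but no rule enabled" >&2
    fi
}

# Remove the rule with the package so it does not outlive the service.
post_remove() {
    if command -v ufw >/dev/null 2>&1; then
        ufw delete allow WebService
    fi
}
```

Because the rule is tied to the profile name rather than to a port number, changing the service's port later only requires updating the profile and re-running `ufw app update`, and `ufw status` shows the open ports by application name, which makes audits easier.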