Linux – iptables management tools for large scale environment

firewalliptableslinux

The environment I'm operating in is a large-scale web hosting operation (several hundred servers under management, almost-all-public addressing, etc — so anything that talks about managing ADSL links is unlikely to work well), and we're looking for something that will be comfortable managing both the core ruleset (around 12,000 entries in iptables at current count) plus the host-based rulesets we manage for customers. Our core router ruleset changes a few times a day, and the host-based rulesets would change maybe 50 times a month (across all the servers, so maybe one change per five servers per month).

We're currently using filtergen (which is balls in general, and super-balls at our scale of operation), and I've used shorewall in the past at other jobs (which would be preferable to filtergen, but I figure there's got to be something out there that's better than that).

The "musts" we've come up with for any replacement system are:

Must generate a ruleset fairly quickly (a filtergen run on our ruleset takes 15-20 minutes; this is just insane) — this is related to the next point:
Must generate an iptables-restore style file and load that in one hit, not call iptables for every rule insert
Must not take down the firewall for an extended period while the ruleset reloads (again, this is a consequence of the above point)
Must support IPv6 (we aren't deploying anything new that isn't IPv6 compatible)
Must be DFSG-free
Must use plain-text configuration files (as we run everything through revision control, and using standard Unix text-manipulation tools are our SOP)
Must support both RedHat and Debian (packaged preferred, but at the very least mustn't be overtly hostile to either distro's standards)
Must support the ability to run arbitrary iptables commands to support features that aren't part of the system's "native language"

Anything that doesn't meet all these criteria will not be considered. The following are our "nice to haves":

Should support config file "fragments" (that is, you can drop a pile of files in a directory and say to the firewall "include everything in this directory in the ruleset"; we use configuration management extensively and would like to use this feature to provide service-specific rules automatically)
Should support raw tables
Should allow you to specify particular ICMP in both incoming packets and REJECT rules
Should gracefully support hostnames that resolve to more than one IP address (we've been caught by this one a few times with filtergen; it's a rather royal pain in the butt)
The more optional/weird iptables features that the tool supports (either natively or via existing or easily-writable plugins) the better. We use strange features of iptables now and then, and the more of those that "just work", the better for everyone.

Best Answer

If you're perhaps wanting to make a move from a rule-driven approach to a "describe the final state required" way of doing things, have a look at fwbuilder.

Pros:

multiple firewalls supported - your core + host-based rules - from 1 set of objects
SQL-esque "tell me what you want" rather than "tell me how to do it" approach (NB I'm not saying there's any SQL in there! Just that it's descriptive Vs procedural :-)
It's a GUI, kinda like commercial hardware f/w vendors' interfaces, so it's possible to push some tasks down the employee/skills stack
supports most "wierd' usage I've tried
can generate rules for a variety of f/w implementations - BSD/cicso/iptables/etc
seperates front-end from rule-compiler, which makes me hopeful that speed is a concern to the authors. NB I've nothing near the scale to which you're alluding
File format isn't binary
does IPv6
Creates an iptables-save stylee config for atomic and quick loading

Cons:

It's a GUI
Moving your existing ruleset is unlikely to be pain-free
Whilst GPL and in Debian, Windows+OSX clients are 30-day eval, as no-one's cross-compiled a Free version yet for those OS; hence the commercial arm of the devs has a monopoly on those binaries
File format is technically XML; NB don't let this put you off: take a look at the tools that they provide (you can use the gui binary to manipulate it via the CLI for example), the CLI XML tools that already exist, and remember that - at your scale - some semblance of meta-data + structure ain't a /bad/ thing! It diffs quite nicely across edits, IIRC.

Link : http://www.fwbuilder.org

Related Solutions

Firewall – Virtual environment firewall with CSF + iptables rules on VM

My advice is to perform the following on the hardware node:

If your HN has two interfaces, configure them both as bridges (in my case I have vmbr0 and vmbr1)
In the csf.conf, configure your ETH_DEVICE as "vmbr+"

Create a file called csfpost.sh in /etc/csf/ that simply allows forwarding:

#!/bin/sh 
IPT=/sbin/iptables 
$IPT -F FORWARD
$IPT -P FORWARD ACCEPT

Now your HN is protected on all interfaces, but will transparently pass traffic to and from your containers.
Configure your containers with CSF to keep them protected.

Notes
Make sure the modules needed for CSF are available to your VE's by placing the following in your /etc/vz/vz.conf:

 IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"

Also make sure that your value for "numiptent" value is around 256 or higher, the default or 128 will cause CSF to half-load on your VE's (see /proc/user_bean_counters to see if you're hitting the numiptent limit)

I've also added the above netfilter modules to my /etc/modules (1 per line). I'm not entirely sure if this is necessary. Hope this helps!

Linux – A secure, standard iptables rule-set for a basic HTTP(s) webserver

The most secure way to work with iptables is close everything and only open what you need. I'm kind of distracted, so I always try to be as lazy as possible, so I do not make mistakes which can lead the server to be unsecure.

I use this one, only a little bit of varible assignment must be done in order to make it work.

  #!/bin/bash +x

  # first author: marcos de vera
  # second: joan marc riera

  ip=/sbin/iptables
  mriera="xx.xx.xx.xx"
  nsancho="yy.yy.yy.yy"
  admins="$mriera $nsancho "
  sshers=""
  mysqlrs="zz.zz.zz.zz/23"
  snmprs="uu.uu.uu.uu"
  tcpservices="80 443 22"
  udpservices=""

  # Firewall script for servername

  echo -n ">> Applying iptables rules... "

  ## flushing...
  $ip -F
  $ip -X
  $ip -Z
  $ip -t nat -F

  # default: DROP!
  $ip -P INPUT DROP
  $ip -P OUTPUT DROP
  $ip -P FORWARD DROP

  # filtering...

  # localhost: free pass!
  $ip -A INPUT -i lo -j ACCEPT
  $ip -A OUTPUT -o lo -j ACCEPT

  # administration ips: free pass!
  for admin in $admins ; do
      $ip -A INPUT -s $admin -j ACCEPT
      $ip -A OUTPUT -d $admin -j ACCEPT
  done

  # allow ssh access to sshers
  for ssher in $sshers ; do
      $ip -A INPUT -s $ssher -p tcp -m tcp --dport 22 -j ACCEPT
      $ip -A OUTPUT -d $ssher -p tcp -m tcp --sport 22 -j ACCEPT
  done

  # allow access to mysql port to iReport on sugar

  for mysql in $mysqlrs ; do
      $ip -A INPUT -s $mysql -p tcp -m tcp --dport 3306 -j ACCEPT
      $ip -A OUTPUT -d $mysql -p tcp -m tcp --sport 3306 -j ACCEPT
      $ip -A INPUT -s $mysql -p udp -m udp --dport 3306 -j ACCEPT
      $ip -A OUTPUT -d $mysql -p udp -m udp --sport 3306 -j ACCEPT
  done


  # allowed services
  for service in $tcpservices ; do
      $ip -A INPUT -p tcp -m tcp --dport $service -j ACCEPT
      $ip -A OUTPUT -p tcp -m tcp --sport $service -m state --state RELATED,ESTABLISHED -j ACCEPT
  done
  for service in $udpservices ; do
      $ip -A INPUT -p udp -m udp --dport $service -j ACCEPT
      $ip -A OUTPUT -p udp -m udp --sport $service -m state --state RELATED,ESTABLISHED -j ACCEPT
  done

  $ip -A INPUT -j LOG --log-level 4
  # VAS and VGP
  #88 tcp udp
  #389 tcp ldap queries , udp ldap ping
  #464 tcp upd kerberos
  #3268 tcp global catalog access
  for dc in ip.ip.ip.ip ; do # our dc servers for some ldap auth
      vas=88
      $ip -A INPUT -s $dc -p tcp -m tcp --dport $vas -j ACCEPT
      $ip -A OUTPUT -d $dc -p tcp -m tcp --dport $vas -j ACCEPT
      $ip -A INPUT -s $dc -p udp -m udp --dport $vas -j ACCEPT
      $ip -A OUTPUT -d $dc -p udp -m udp --dport $vas -j ACCEPT
      ldap=389
      $ip -A INPUT -s $dc -p tcp -m tcp --dport $ldap -j ACCEPT
      $ip -A OUTPUT -d $dc -p tcp -m tcp --dport $ldap -j ACCEPT
      $ip -A INPUT -s $dc -p udp -m udp --dport $ldap -j ACCEPT
      $ip -A OUTPUT -d $dc -p udp -m udp --dport $ldap -j ACCEPT
      kpasswd=464
      $ip -A INPUT -s $dc -p tcp -m tcp --dport $kpasswd -j ACCEPT
      $ip -A OUTPUT -d $dc -p tcp -m tcp --dport $kpasswd -j ACCEPT
      $ip -A INPUT -s $dc -p udp -m udp --dport $kpasswd -j ACCEPT
      $ip -A OUTPUT -d $dc -p udp -m udp --dport $kpasswd -j ACCEPT
      gca=3268
      $ip -A INPUT -s $dc -p tcp -m tcp --dport $gca -j ACCEPT
      $ip -A OUTPUT -d $dc -p tcp -m tcp --dport $gca -j ACCEPT
      vgp=445
      $ip -A INPUT -s $dc -p tcp -m tcp --dport $vgp -j ACCEPT
      $ip -A OUTPUT -d $dc -p tcp -m tcp --dport $vgp -j ACCEPT
  done


  # allow the machine to browse the internet
  $ip -A INPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
  $ip -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
  $ip -A INPUT -p tcp -m tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
  $ip -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

  $ip -A INPUT -p tcp -m tcp --sport 8080 -m state --state RELATED,ESTABLISHED -j ACCEPT
  $ip -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT


  # don't forget the dns...
  $ip -A INPUT -p udp -m udp --sport 53 -j ACCEPT
  $ip -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
  $ip -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
  $ip -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT

  # ... neither the ntp... (hora.rediris.es)
  #$ip -A INPUT -s 130.206.3.166 -p udp -m udp --dport 123 -j ACCEPT
  #$ip -A OUTPUT -d 130.206.3.166 -p udp -m udp --sport 123 -j ACCEPT

  $ip -A INPUT -p udp -m udp --dport 123 -j ACCEPT
  $ip -A OUTPUT -p udp -m udp --sport 123 -j ACCEPT


  # and last but not least, the snmp access
  for monitor in $snmprs ; do
      $ip -A INPUT -s $monitor -p tcp -m tcp --sport 161 -j ACCEPT   # monitoring service
      $ip -A OUTPUT -d $monitor -p tcp -m tcp --dport 161 -j ACCEPT  # monitoring service
  end
  # outgoing SMTP
  $ip -A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
  $ip -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT


  # temporary backup if we change from DROP to ACCEPT policies
  $ip -A INPUT -p tcp -m tcp --dport 1:1024 -j DROP
  $ip -A INPUT -p udp -m udp --dport 1:1024 -j DROP


  echo "OK. Check rules with iptables -L -n"

  # end :)

I've been using it for some time , and any kind of modification will be very appreciated if it makes it easier to administrate.

Best Answer

Related Solutions

Firewall – Virtual environment firewall with CSF + iptables rules on VM

Linux – A secure, standard iptables rule-set for a basic HTTP(s) webserver

Related Topic