What is this?

This package is a set of scripts to manage iptables rules. It is inspired by the method apache2 uses to manage sites on Debian systems.

That is, one folder of available rules, which get symlinked into a folder of enabled rules.

What is required?

Root access and iptables.

How does it work?

In /etc/iptables/rules-available you have all the available rules, with names you can understand and remember easily. You then run the ipenrule command with the rule name as an argument and it will symlink the rule from the rules-available folder into /etc/iptables/rules-enabled. You then need to run iprules reload to build the iptables script (in /etc/iptables.rules) and load it into iptables. You can use ipdisrule in the same manner to disable a rule.

It also uses a policy file (found in /etc/iptables/policy.rules) to drop or accept by default (you likely want the former).

How to install

I have built a Debian package you can get from here (v1.1).

Otherwise you will have to clone this repo and install it manually. It's pretty straightforward: just copy all the folders (except for DEBIAN) to / and then run the DEBIAN/postinst script.

Examples

Here is how you would give access to your webserver and allow it to be pinged:

ipenrule http-in
ipenrule ping-in
iprules reload

Piece of pie.

Drop everything except for incoming SSH packets:

ipenrule ssh-in
ippol drop
iprules reload

Easy as cake.

You will probably want to do this by default:

ipenrule loopback http-out https-out dns-out ping-out ssh-out ssh-in
ippol drop
iprules reload

You can view the iptables rules before you reload them:

iprules show

Disable access to your webserver:

ipdisrule http-in https-in
iprules reload

I have omitted the script output for brevity above, but the scripts do tell you what they did:

$ ipenrule http-out hsdsd ssh-in dns-out
Must be root.
$ sudo ipenrule http-out hsdsd ssh-in dns-out
http-out rules enabled
ERROR: No such rule called: hsdsd
ssh-in rules enabled
dns-out rules enabled
Remember to run 'iprules reload' to activate the configuration.
$ sudo ippol drop
WARNING: be sure remote access is allowed (if needed) before reloading
Remember to run 'iprules reload' to activate the configuration.
$ sudo iprules reload
Rebuilt rules file.
Reloaded rules.

Check out what rules are available...

$ sudo iprules av[ail]
dns-out
http-in
http-out
loopback
synflood-protect

And what's enabled...

$ sudo iprules en[abled]
dns-out
http-out
loopback

What rules come with it?

You can see the list of rules in the share folder in the source. If you have ideas for new ones, or see errors in the existing ones, submit a patch or pull request and I will add them in.

As above, you can also run iprules avail to see what rules are installed.

Can I write my own rules?

You most certainly can. IPrules makes it easy to manage your iptables rules... if you know the iptables syntax... but you know how to use Google, right?

Just make your own file in /etc/iptables/rules-available (as root) and then you can use ipenrule and ipdisrule on it. If you change it when it's already enabled, simply run iprules reload again.

If you make an error in the syntax, iptables won't accept it and will fail to reload.

If you put comments in the file, they will be printed out when the rule is enabled:

$ ipenrule synflood-protect
Notes from synflood-protect rules:
 * need to set net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf
 * need to set net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 30 in /etc/sysctl.conf
synflood-protect rules enabled
Remember to run 'iprules reload' to activate the configuration.
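The available/enabled symlink scheme from "How does it work?" and the note-printing behaviour just shown, as an added shell illustration (this is not the iprules scripts themselves, and it deliberately stops at building the rules file rather than loading it). It assumes the rule files hold iptables-restore "-A" lines plus "#" notes, and that policy.rules holds a single target word; neither format is stated on the page. RULES_DIR stands in for /etc/iptables.

```shell
#!/bin/sh
# Added illustration of the rules-available / rules-enabled scheme (not the
# iprules scripts themselves). RULES_DIR stands in for /etc/iptables.
set -u
RULES_DIR="${RULES_DIR:-$(mktemp -d)}"
AVAIL="$RULES_DIR/rules-available"
ENABLED="$RULES_DIR/rules-enabled"
RULES_FILE="$RULES_DIR/iptables.rules"   # stands in for /etc/iptables.rules
mkdir -p "$AVAIL" "$ENABLED"

# Constructed sample rules. Assumed format: iptables-restore "-A" lines plus
# "#" notes; the page does not state the real package's rule-file format.
printf '%s\n' '# allow inbound ssh' '-A INPUT -p tcp --dport 22 -j ACCEPT' > "$AVAIL/ssh-in"
printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' > "$AVAIL/loopback"
echo DROP > "$RULES_DIR/policy.rules"     # default policy, as "ippol drop" sets

# enable_rule NAME...: symlink each rule into rules-enabled and print its "#"
# notes; an unknown name is reported and skipped, the others still go through.
enable_rule() {
    rc=0
    for name in "$@"; do
        if [ ! -f "$AVAIL/$name" ]; then
            echo "ERROR: No such rule called: $name" >&2; rc=1; continue
        fi
        ln -sf "$AVAIL/$name" "$ENABLED/$name"
        grep '^#' "$AVAIL/$name" | sed 's/^#/ */'
        echo "$name rules enabled"
    done
    return $rc
}

disable_rule() { for name in "$@"; do rm -f "$ENABLED/$name"; done; }

# build_rules: write the iptables-restore file that "iprules reload" would load:
# filter table, the default policy on every built-in chain, then every enabled
# rule in name order. Notes are stripped so the built file holds only rules.
build_rules() {
    pol=$(cat "$RULES_DIR/policy.rules")
    {
        echo '*filter'
        for chain in INPUT FORWARD OUTPUT; do echo ":$chain $pol [0:0]"; done
        for f in "$ENABLED"/*; do [ -e "$f" ] && { grep -v '^#' "$f" || :; }; done
        echo COMMIT
    } > "$RULES_FILE"
}

enable_rule loopback ssh-in hsdsd || :   # exits 1: hsdsd is deliberately unknown
build_rules
cat "$RULES_FILE"
```

Because the result is an iptables-restore file, the same `iptables-restore < $RULES_FILE` line the boot section uses would load it; the ordering of the enabled rules is simply the sort order of the symlink names.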

Enable the rules on boot

If you have the package iptables-persistent installed on Debian, it will already do this. RPM based distros should do this out of the box but may use the file /etc/sysconfig/iptables instead. So delete that file and make a symlink to the rules file (ln -s /etc/iptables.rules /etc/sysconfig/iptables).

If neither of these is the case, you can just add this line to /etc/rc.local :

`which iptables-restore` < /etc/iptables.rules

WARNING

Be very careful using the default drop policy (ippol drop) with remote systems. If you have not allowed SSH in then you will lock yourself out!

Todo