    Linux Iptables Firewall Automation

    IT Discussion
    firewall iptables linux
    • scottalanmillerS
      scottalanmiller
      last edited by

      Well it depends on several factors, like what exactly you want to automate. A very common approach for small shops is to simply maintain a master firewall config file and push it out via SCP/SFTP or, if you want, pull it in the same manner with a script on the Linux box. You can even pull it from a GIT repo like GitHub or BitBucket. Or SVN, or whatever. Even HTTP.

      What the DevOps model would do is use a tool like Ansible, Chef, Puppet or SaltStack to maintain the firewall files on countless hosts at once.

      I'm not aware of anyone using a firewall manager for this task, nor am I aware of any firewall managers in general. For IPTables itself, working directly with the configuration file is probably the easiest option.

      travisdh1T 1 Reply Last reply Reply Quote 2
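One way to implement the pull-from-a-repo approach Scott describes above, as an added example that is not from the thread or any of its posters: a script that fetches this host's /etc/sysconfig/iptables from git, refuses anything that fails a static check or does not parse under iptables-restore --test, and only then backs up and loads it. The repo URL, checkout path and hosts/<name>.iptables layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pull the iptables ruleset for this host
# from a git repo, sanity-check it, parse it with iptables-restore --test, and
# only then back up and replace /etc/sysconfig/iptables and load it.
# REPO_URL, CHECKOUT and the hosts/<name>.iptables layout are assumptions.
set -eu

REPO_URL="${REPO_URL:-git@git.example.invalid:ops/firewall.git}"
CHECKOUT="${CHECKOUT:-/var/lib/firewall-repo}"
RULES_IN_REPO="hosts/$(hostname -s 2>/dev/null || echo default).iptables"
LIVE_RULES="${LIVE_RULES:-/etc/sysconfig/iptables}"

# Static checks that need neither root nor iptables: the file must be
# non-empty, open a *filter table, close it with COMMIT, and set an explicit
# DROP policy on INPUT (a policy choice of this script: never load a ruleset
# whose default is to accept inbound traffic).
ruleset_sane() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '^\*filter' "$f" || return 1
    grep -q '^COMMIT' "$f" || return 1
    grep -q '^:INPUT DROP ' "$f"
}

# True (0) when the candidate differs from the live file or no live file exists.
ruleset_changed() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# Full pull/validate/apply cycle; needs root for iptables-restore.
sync_rules() {
    if [ -d "$CHECKOUT/.git" ]; then
        git -C "$CHECKOUT" pull -q --ff-only
    else
        git clone -q "$REPO_URL" "$CHECKOUT"
    fi
    candidate="$CHECKOUT/$RULES_IN_REPO"
    ruleset_sane "$candidate" || { echo "refusing $candidate: sanity check failed" >&2; return 1; }
    # --test parses and builds the ruleset without touching the kernel tables
    iptables-restore --test "$candidate" || { echo "refusing $candidate: does not parse" >&2; return 1; }
    if ruleset_changed "$candidate" "$LIVE_RULES"; then
        [ -f "$LIVE_RULES" ] && cp -p "$LIVE_RULES" "$LIVE_RULES.bak.$(date +%Y%m%d%H%M%S)"
        install -m 0600 "$candidate" "$LIVE_RULES"
        iptables-restore "$LIVE_RULES"
        logger -t firewall-sync "applied ruleset $RULES_IN_REPO"
    fi
}

# Run the sync only when asked, so the functions can be sourced or tested safely.
if [ "${FIREWALL_SYNC_RUN:-0}" = 1 ]; then sync_rules; fi
```

Run it from cron or a systemd timer with FIREWALL_SYNC_RUN=1; a commit that breaks the syntax or drops the INPUT policy is refused rather than loaded.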
      • travisdh1T
        travisdh1 @scottalanmiller
        last edited by

@scottalanmiller Do you remember what file(s) firewalld uses for its config off the top of your head yet? I'm drawing a blank.

        Cloning iptables rules was/is so easy, just copy the /etc/sysconfig/iptables file to the new host.

        scottalanmillerS coliverC 2 Replies Last reply Reply Quote 3
        • scottalanmillerS
          scottalanmiller @travisdh1
          last edited by

          @travisdh1 said in Linux Iptables Firewall Automation:

@scottalanmiller Do you remember what file(s) firewalld uses for its config off the top of your head yet? I'm drawing a blank.

          Cloning iptables rules was/is so easy, just copy the /etc/sysconfig/iptables file to the new host.

          Yeah, traditional IPTables is SO much easier. I hate FirewallD so far.

          1 Reply Last reply Reply Quote 2
          • coliverC
            coliver @travisdh1
            last edited by

            @travisdh1 said in Linux Iptables Firewall Automation:

@scottalanmiller Do you remember what file(s) firewalld uses for its config off the top of your head yet? I'm drawing a blank.

            Cloning iptables rules was/is so easy, just copy the /etc/sysconfig/iptables file to the new host.

            Firewall-cmd I think.

            scottalanmillerS 1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @coliver
              last edited by

              @coliver said in Linux Iptables Firewall Automation:

              @travisdh1 said in Linux Iptables Firewall Automation:

@scottalanmiller Do you remember what file(s) firewalld uses for its config off the top of your head yet? I'm drawing a blank.

              Cloning iptables rules was/is so easy, just copy the /etc/sysconfig/iptables file to the new host.

              Firewall-cmd I think.

              That's the command, but where is the text file it is altering?

              wirestyle22W 1 Reply Last reply Reply Quote 1
              • wirestyle22W
                wirestyle22 @scottalanmiller
                last edited by wirestyle22

                @scottalanmiller said in Linux Iptables Firewall Automation:

                @coliver said in Linux Iptables Firewall Automation:

                @travisdh1 said in Linux Iptables Firewall Automation:

@scottalanmiller Do you remember what file(s) firewalld uses for its config off the top of your head yet? I'm drawing a blank.

                Cloning iptables rules was/is so easy, just copy the /etc/sysconfig/iptables file to the new host.

                Firewall-cmd I think.

                That's the command, but where is the text file it is altering?

                /etc/sysconfig/iptables right? I thought this was redundant

                scottalanmillerS 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @wirestyle22
                  last edited by

                  @wirestyle22 said in Linux Iptables Firewall Automation:

                  @scottalanmiller said in Linux Iptables Firewall Automation:

                  @coliver said in Linux Iptables Firewall Automation:

                  @travisdh1 said in Linux Iptables Firewall Automation:

@scottalanmiller Do you remember what file(s) firewalld uses for its config off the top of your head yet? I'm drawing a blank.

                  Cloning iptables rules was/is so easy, just copy the /etc/sysconfig/iptables file to the new host.

                  Firewall-cmd I think.

                  That's the command, but where is the text file it is altering?

                  /etc/sysconfig/iptables right?

                  That's the one we were saying was so easy, the IPTables one. What one is FirewallD using, though?

                  wirestyle22W 1 Reply Last reply Reply Quote 1
                  • wirestyle22W
                    wirestyle22 @scottalanmiller
                    last edited by

                    @scottalanmiller said in Linux Iptables Firewall Automation:

                    @wirestyle22 said in Linux Iptables Firewall Automation:

                    @scottalanmiller said in Linux Iptables Firewall Automation:

                    @coliver said in Linux Iptables Firewall Automation:

                    @travisdh1 said in Linux Iptables Firewall Automation:

@scottalanmiller Do you remember what file(s) firewalld uses for its config off the top of your head yet? I'm drawing a blank.

                    Cloning iptables rules was/is so easy, just copy the /etc/sysconfig/iptables file to the new host.

                    Firewall-cmd I think.

                    That's the command, but where is the text file it is altering?

                    /etc/sysconfig/iptables right?

                    That's the one we were saying was so easy, the IPTables one. What one is FirewallD using, though?

                    /usr/lib/firewalld/ or /etc/firewalld are the only things I know of. 😞

                    travisdh1T 1 Reply Last reply Reply Quote 0
                    • coliverC
                      coliver
                      last edited by

                      I know that you can add your own services by creating XML files. But overall I agree that IPtables is easier to manage.

                      wirestyle22W scottalanmillerS 2 Replies Last reply Reply Quote 0
                      • wirestyle22W
                        wirestyle22 @coliver
                        last edited by

                        @coliver said in Linux Iptables Firewall Automation:

                        I know that you can add your own services by creating XML files. But overall I agree that IPtables is easier to manage.

                        I've read that but have never done it myself.

                        coliverC 1 Reply Last reply Reply Quote 0
                        • coliverC
                          coliver @wirestyle22
                          last edited by

                          @wirestyle22 said in Linux Iptables Firewall Automation:

                          @coliver said in Linux Iptables Firewall Automation:

                          I know that you can add your own services by creating XML files. But overall I agree that IPtables is easier to manage.

                          I've read that but have never done it myself.

I did when I was configuring a Mangos server. It's pretty easy and it, to me, was easier than editing IPTables commands. Although that's just because I'm not used to IPTables.

                          1 Reply Last reply Reply Quote 1
                          • scottalanmillerS
                            scottalanmiller @coliver
                            last edited by

                            @coliver said in Linux Iptables Firewall Automation:

                            I know that you can add your own services by creating XML files. But overall I agree that IPtables is easier to manage.

Yeah, that's nice and I've tried that a little. It's a neat idea but... really, IPTables is so easy, this adds so much complication.

                            1 Reply Last reply Reply Quote 1
                            • dafyreD
                              dafyre
                              last edited by

                              I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

                              coliverC wirestyle22W N 3 Replies Last reply Reply Quote 0
                              • coliverC
                                coliver @dafyre
                                last edited by

                                @dafyre said in Linux Iptables Firewall Automation:

                                I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

The syntax takes a long time to wrap my head around. Whereas with FirewallD it was pretty easy to do. I still think iptables is easier to manage though, especially when you can pull the files from one server to the next and it replicates the settings.

                                travisdh1T 1 Reply Last reply Reply Quote 2
                                • wirestyle22W
                                  wirestyle22 @dafyre
                                  last edited by

                                  @dafyre said in Linux Iptables Firewall Automation:

                                  I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

This is why I'm so excited for my incoming server (tomorrow, FYI). I get to play with whatever I want. Super excited.

                                  1 Reply Last reply Reply Quote 1
                                  • travisdh1T
                                    travisdh1 @wirestyle22
                                    last edited by

                                    @wirestyle22 said in Linux Iptables Firewall Automation:

                                    @scottalanmiller said in Linux Iptables Firewall Automation:

                                    @wirestyle22 said in Linux Iptables Firewall Automation:

                                    @scottalanmiller said in Linux Iptables Firewall Automation:

                                    @coliver said in Linux Iptables Firewall Automation:

                                    @travisdh1 said in Linux Iptables Firewall Automation:

@scottalanmiller Do you remember what file(s) firewalld uses for its config off the top of your head yet? I'm drawing a blank.

                                    Cloning iptables rules was/is so easy, just copy the /etc/sysconfig/iptables file to the new host.

                                    Firewall-cmd I think.

                                    That's the command, but where is the text file it is altering?

                                    /etc/sysconfig/iptables right?

                                    That's the one we were saying was so easy, the IPTables one. What one is FirewallD using, though?

                                    /usr/lib/firewalld/ or /etc/firewalld are the only things I know of. 😞

                                    Found my current config in /etc/firewalld/zones/public.xml. If you have any sort of complex firewall, you'd need to move the entirety of /etc/firewalld 😞

                                    stacksofplatesS 1 Reply Last reply Reply Quote 1
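The point travisdh1 makes above, that copying only /etc/firewalld/zones/public.xml is not enough, has a concrete failure mode: the zone references services by name, and any custom service XML (the kind coliver describes adding) lives in /etc/firewalld/services and must travel with it. Here is an added check for that, not from the thread or from firewalld itself; the zone file and service directories are passed in so it can run against a staging copy, and the default paths are firewalld's standard ones.

```shell
#!/bin/sh
# Added example, not from the thread: before cloning a firewalld zone file to
# another host, find the services it references that the target would not
# have, and list the custom service XML files that must be copied with it.
set -eu

# Print the service names a zone XML references, one per line
# (firewalld writes them as <service name="ssh"/>).
zone_services() {
    grep -o '<service name="[^"]*"' "$1" | sed 's/.*name="//; s/"$//'
}

# Print referenced services that have no definition in either the custom dir
# (/etc/firewalld/services) or the built-in dir (/usr/lib/firewalld/services).
# Returns 1 if any are missing, so it can gate a deployment.
zone_missing_services() {
    zone="$1"
    etc_dir="${2:-/etc/firewalld/services}"
    lib_dir="${3:-/usr/lib/firewalld/services}"
    missing=0
    for svc in $(zone_services "$zone"); do
        if [ ! -f "$etc_dir/$svc.xml" ] && [ ! -f "$lib_dir/$svc.xml" ]; then
            echo "$svc"
            missing=1
        fi
    done
    return $missing
}

# Print referenced services defined only as custom XML under etc_dir: these
# are the files that have to be copied alongside the zone file.
zone_custom_services() {
    zone="$1"
    etc_dir="${2:-/etc/firewalld/services}"
    lib_dir="${3:-/usr/lib/firewalld/services}"
    for svc in $(zone_services "$zone"); do
        if [ -f "$etc_dir/$svc.xml" ] && [ ! -f "$lib_dir/$svc.xml" ]; then
            echo "$etc_dir/$svc.xml"
        fi
    done
}
```

After copying, firewall-cmd --reload on the target is still needed for firewalld to read the new files.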
                                    • travisdh1T
                                      travisdh1 @coliver
                                      last edited by

                                      @coliver said in Linux Iptables Firewall Automation:

                                      @dafyre said in Linux Iptables Firewall Automation:

                                      I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

The syntax takes a long time to wrap my head around. Whereas with FirewallD it was pretty easy to do. I still think iptables is easier to manage though, especially when you can pull the files from one server to the next and it replicates the settings.

I think @scottalanmiller and I are still struggling to learn how to use firewall-cmd rather than editing /etc/sysconfig/iptables. So far I haven't had to do any fancy things with multiple zones or anything like that. I'm afraid the new system will make it easier to do things with it that you're best leaving to a real layer-3 router.

                                      coliverC scottalanmillerS 2 Replies Last reply Reply Quote 0
                                      • coliverC
                                        coliver @travisdh1
                                        last edited by

                                        @travisdh1 said in Linux Iptables Firewall Automation:

                                        @coliver said in Linux Iptables Firewall Automation:

                                        @dafyre said in Linux Iptables Firewall Automation:

                                        I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

The syntax takes a long time to wrap my head around. Whereas with FirewallD it was pretty easy to do. I still think iptables is easier to manage though, especially when you can pull the files from one server to the next and it replicates the settings.

I think @scottalanmiller and I are still struggling to learn how to use firewall-cmd rather than editing /etc/sysconfig/iptables. So far I haven't had to do any fancy things with multiple zones or anything like that. I'm afraid the new system will make it easier to do things with it that you're best leaving to a real layer-3 router.

                                        You can do zones with FirewallD pretty easily. When typing in your command just use --zone=zone to tell it what zone to work with.

                                        stacksofplatesS 1 Reply Last reply Reply Quote 1
                                        • scottalanmillerS
                                          scottalanmiller @travisdh1
                                          last edited by

                                          @travisdh1 said in Linux Iptables Firewall Automation:

                                          @coliver said in Linux Iptables Firewall Automation:

                                          @dafyre said in Linux Iptables Firewall Automation:

                                          I'm not really that familiar with IPtables ... but I've been toying with it more and more... I just wish it were easier.

The syntax takes a long time to wrap my head around. Whereas with FirewallD it was pretty easy to do. I still think iptables is easier to manage though, especially when you can pull the files from one server to the next and it replicates the settings.

I think @scottalanmiller and I are still struggling to learn how to use firewall-cmd rather than editing /etc/sysconfig/iptables. So far I haven't had to do any fancy things with multiple zones or anything like that. I'm afraid the new system will make it easier to do things with it that you're best leaving to a real layer-3 router.

I can get it to work, but commands instead of just editing the config file... how barbaric. That's way too wannabe PowerShell cmdlet for me.

                                          stacksofplatesS 1 Reply Last reply Reply Quote 1
                                          • scottalanmillerS
                                            scottalanmiller
                                            last edited by

                                            Even the VyOS firewall I edit by hand!

                                            travisdh1T 1 Reply Last reply Reply Quote 1