Generate iptables rules via pyroman
Vincent Bernat blogged on using Netfilter rulesets, pointing out that inserting the rules one by one using `iptables` calls may leave your firewall temporarily incomplete, eventually half-working, and that this approach can be slow. He's right with that, but there are tools that do this properly. ;-)
Some years ago, for a multi-homed firewall, I wrote a tool called Pyroman. Using rules specified either in Python or XML syntax, it generates a firewall ruleset for you. But it also addresses the points Vincent raised:
- It uses `iptables-restore` to load the firewall more efficiently than by calling `iptables` a hundred times
- It will back up the previous firewall, and roll back on errors (or lack of confirmation, if you are remote and use `--safe`)
It also has a nice feature for use in staging: it can generate firewall rule sets offline, to allow you to review them before use, or to transfer them to a different host. Not all functionality is supported though (e.g. the `Firewall.hostname` constant usable in Python conditionals will still be the name of the host you generate the rules on; you may want to add a `--hostname` parameter to pyroman).
`pyroman --print-verbose` will generate a script readable by `iptables-restore`, except for one problem: it contains both the rules for IPv4 and for IPv6, separated by `#### IPv6 rules`. It will also annotate the origin of the rule, for example:

```
# /etc/pyroman/02_icmpv6.py:82
-A rfc4890f -p icmpv6 --icmpv6-type 255 -j DROP
```

indicates that this particular line was produced due to line 82 in file `/etc/pyroman/02_icmpv6.py`. This makes debugging easier. In particular, it allows pyroman to produce a meaningful error message if the rules are rejected by the kernel: it will tell you which line caused the rule that was rejected.
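The split and the origin mapping described above, as an added example that is not part of pyroman: it takes the combined `--print-verbose` output, separates it at the `#### IPv6 rules` marker, lifts the `# file:line` annotations into a side table, and maps the line number from an `iptables-restore` error back to the pyroman source line. The sample input and the file name `01_base.py` are constructed, and the two error message shapes the parser accepts are an assumption.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

IPV6_MARKER = "#### IPv6 rules"              # separator emitted by pyroman
ORIGIN_RE = re.compile(r"^# (\S+:\d+)$")     # e.g. "# /etc/pyroman/02_icmpv6.py:82"
ERROR_LINE_RE = re.compile(r"line:? (\d+)")  # assumed shape of restore error messages

class RestoreScript(NamedTuple):
    lines: List[str]        # text to feed to iptables-restore / ip6tables-restore
    origin: Dict[int, str]  # 1-based restore line number -> "file:line" annotation

def split_verbose_output(text: str) -> Tuple[RestoreScript, RestoreScript]:
    """Split combined output into IPv4 and IPv6 scripts, moving origin comments aside."""
    v4, v6 = RestoreScript([], {}), RestoreScript([], {})
    current, pending = v4, None
    for line in text.splitlines():
        line = line.rstrip()
        if line == IPV6_MARKER:          # everything after the marker is IPv6
            current, pending = v6, None
            continue
        m = ORIGIN_RE.match(line)
        if m:                            # annotation applies to the next rule line
            pending = m.group(1)
            continue
        if not line:
            continue
        current.lines.append(line)
        if pending is not None:
            current.origin[len(current.lines)] = pending
            pending = None
    return v4, v6

def explain_restore_error(script: RestoreScript, stderr: str) -> str:
    """Map "line N failed" / "Error occurred at line: N" back to the pyroman source."""
    m = ERROR_LINE_RE.search(stderr)
    if not m:
        return "no line number found in: " + stderr.strip()
    n = int(m.group(1))
    rule = script.lines[n - 1] if 0 < n <= len(script.lines) else "<out of range>"
    return f"line {n} ({rule}) came from {script.origin.get(n, '<no annotation>')}"

# Constructed sample in the shape of `pyroman --print-verbose` output (01_base.py is made up).
SAMPLE = "\n".join([
    "*filter", "# /etc/pyroman/01_base.py:10", "-A INPUT -i lo -j ACCEPT", "COMMIT",
    "#### IPv6 rules",
    "*filter", "# /etc/pyroman/02_icmpv6.py:82",
    "-A rfc4890f -p icmpv6 --icmpv6-type 255 -j DROP", "COMMIT",
])
```

Joining `v6.lines` with newlines gives a file you can pipe into `ip6tables-restore`, and the line number in any error it prints indexes `v6.origin` directly.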
For the next version, I will probably add `--output-ipv4` and `--output-ipv6` options to make this more convenient to use. So far, pyroman is meant to be used on the firewall itself.
Note: if you have configured a firewall that you are happy with, you can always use `iptables-save` to dump the current firewall. But it will not preserve comments, obviously.