firewall-compiler
文件大小: unknow
源码售价: 5 个金币 积分规则     积分充值
资源说明:Modular iptables rules.
=================
Firewall compiler
=================

.. contents::

Overview
========

Firewall-compiler allows you to modularize your netfilter firewall
configuration.  The goal is to be as simple as possible while still
providing a mechanism for individual software packages to describe
their own firewall requirements (and allow the system administrator a
convenient means of enabling and disabling particular firewall
rulesets).

Theory of operation
===================

Examples
========

Enabling ssh access
-------------------

This example demonstrates the basic operation of
``firewall-compiler``.

Create a file in ``/etc/firewall/rules.d`` called ``ssh.rules`` with
the following contents::

  *filter
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
  COMMIT

Running ``fwc-list`` will now show this as an available ruleset::

  # fwc-list
    ssh.rules

Enable this ruleset by running::

  # fwc-enable ssh

``fwc-list`` will now show this rule as being active::

  # fwc-list
  * ssh.rules

If you were to generate a new netfilter configuration (assuming you
have made no changes to the default template), your configuration
would look like this::

  # Generated at Mon Oct 25 15:21:45 2010 by fwc.
  # Changes made here will be lost when this file is
  # next generated.

  *nat
  :PREROUTING ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  COMMIT

  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]

  -A INPUT -i lo -j ACCEPT 
  -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
  -A INPUT -p esp -j ACCEPT 
  -A INPUT -p ah -j ACCEPT 
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # START OF GENERATED RULES
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
  # END OF GENERATED RULES

  # Ignore broadcast and multicast traffic so that we don't
  # clutter our firewall logs with junk.
  -A INPUT -m pkttype --pkt-type multicast -j DROP
  -A INPUT -m pkttype --pkt-type broadcast -j DROP

  # Log and reject everything else.  Limit rate of logged
  # packets to avoid DOS in case of high packet rates.
  -A INPUT -j LOG -m limit --limit 1/s
  -A INPUT -j REJECT --reject-with icmp-host-prohibited 
  COMMIT

A transparent proxy
-------------------

In this example, an system acting as a router will intercept traffic
on port 80 and redirect to local port 3128. Connections from host
192.168.1.10 will not be intercepted.

Create a file in ``/etc/firewall/rules.d`` called ``proxy.rules`` with
the following contents::

  *nat
  -A PREROUTING -s 192.168.1.10 -j ACCEPT
  -A PREROUTING -p tcp -m -state --state NEW --dport 80 -j REDIRECT --to-ports 3128
  COMMIT

  *filter
  -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT 
  -A INPUT -p tcp -m state --state NEW --dport 3128 -j ACCEPT 
  COMMIT

Running ``fwc-list`` will now show this as an available ruleset::

  # fwc-list
    proxy.rules
  * ssh.rules

Enable this ruleset by running::

  # fwc-enable proxy

``fwc-list`` will now show this rule as being active::

  # fwc-list
  * ssh.rules
  * proxy.rules

If you were to generate a new netfilter configuration (assuming you
have made no changes to the default template), your configuration
would look like this::

  # Generated at Mon Oct 25 15:27:49 2010 by fwc.
  # Changes made here will be lost when this file is
  # next generated.

  *nat
  :PREROUTING ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]

  # START OF GENERATED RULES
  -A PREROUTING -s 192.168.1.10 -j ACCEPT
  -A PREROUTING -p tcp -m -state --state NEW --dport 80 -j REDIRECT --to-ports 3128
  # END OF GENERATED RULES
  COMMIT

  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]

  -A INPUT -i lo -j ACCEPT 
  -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
  -A INPUT -p esp -j ACCEPT 
  -A INPUT -p ah -j ACCEPT 
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # START OF GENERATED RULES
  -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT 
  -A INPUT -p tcp -m state --state NEW --dport 3128 -j ACCEPT 
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
  # END OF GENERATED RULES

  # Ignore broadcast and multicast traffic so that we don't
  # clutter our firewall logs with junk.
  -A INPUT -m pkttype --pkt-type multicast -j DROP
  -A INPUT -m pkttype --pkt-type broadcast -j DROP

  # Log and reject everything else.  Limit rate of logged
  # packets to avoid DOS in case of high packet rates.
  -A INPUT -j LOG -m limit --limit 1/s
  -A INPUT -j REJECT --reject-with icmp-host-prohibited 
  COMMIT


Author
======

Lars Kellogg-Stedman 


本源码包内暂不包含可直接显示的源代码文件,请下载源码包。