
I have a lot of rules for my iptables setup (routing, SSH bans, etc.). I also picked up a list of IPs to ban from here: http://blacklist.linuxadmin.org, and now it's getting really complicated.

My /etc/sysconfig/iptables is really long. Is there a way to manage the rules by including rules from external files?

For example:

#include "pre_routing_rules"
#include "ssh_bans"

This will include the rules added in the files "pre_routing_rules" and "ssh_bans". This way I can easily manage my rules without hunting around in cat /etc/sysconfig/iptables.

peterh

5 Answers


Try iptables' ipsets. ipsets are configured separately, and they are also faster if you have enough IP addresses to manage.

An iptables rule can refer to an ipset like this:

iptables -A FORWARD -m set --set blocklist src,dst -j DROP

  • My biggest problem is with IP addresses, so I can use this. –  Sep 16 '08 at 07:45
  • I'm using this feature. My blacklist/whitelist IPs are the largest, so they can go in an ipset. I think the pre-routing stuff can stay in the main config list. –  Sep 16 '08 at 07:51
  • This forum thread has a few examples of scripts using ipsets: http://forums.gentoo.org/viewtopic-t-863121.html – mivk Nov 16 '13 at 12:49
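The following is an added example, not code from the answer above or from the ipset project, showing the workflow the answer suggests end to end: a downloaded blacklist file is turned into an `ipset restore` stream, loaded into a scratch set that is swapped in atomically, and then a single iptables rule references the set. The set name "blocklist" and the path /etc/iptables/blacklist.txt are assumptions; the sample blacklist at the bottom is constructed for the demo. The rule uses `--match-set`, the current spelling of the `--set` option shown in the answer, and matches on `src` only, which is what a one-dimensional hash:net set supports.

```shell
#!/bin/sh
# Added example (not from the original answer): turn a plain blacklist file
# into an `ipset restore` stream and point one iptables rule at the set.
# Assumed names: set "blocklist", file /etc/iptables/blacklist.txt holding
# one IPv4 address or CIDR per line, '#' comments allowed.

# build_ipset_restore SETNAME FILE
# Emits commands for `ipset restore`. Entries are loaded into a scratch set
# that is then swapped in, so the live set is never empty mid-reload.
build_ipset_restore() {
    set_name=$1
    src=$2
    # hash:net takes both single hosts and CIDR blocks.
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$set_name"
    printf 'create %s_tmp hash:net family inet hashsize 1024 maxelem 65536\n' "$set_name"
    # Strip comments and whitespace, keep only a.b.c.d or a.b.c.d/len, dedupe.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$src" \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
        | sort -u \
        | while IFS= read -r net; do
            printf 'add %s_tmp %s\n' "$set_name" "$net"
          done
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# apply_blocklist SETNAME FILE: load the set, then install the DROP rule once.
apply_blocklist() {
    # -exist lets the first create succeed when the set is already there.
    build_ipset_restore "$1" "$2" | ipset restore -exist
    # -C tests for the rule so repeated runs do not stack duplicate copies.
    iptables -C INPUT -m set --match-set "$1" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$1" src -j DROP
}

# Constructed sample input (not real data) so the generator can be tried offline.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# constructed sample blacklist
203.0.113.0/24
198.51.100.7
198.51.100.7      # duplicate, removed by sort -u
not-an-address
EOF
build_ipset_restore blocklist "$sample"
rm -f "$sample"

# Real use (root, ipset and iptables installed): sh this_script.sh apply
if [ "${1-}" = "apply" ]; then
    apply_blocklist blocklist /etc/iptables/blacklist.txt
fi
```

Run without arguments it only prints the generated restore stream for the constructed sample; with `apply` it loads the set and inserts the rule. Because the entries go into blocklist_tmp and are swapped in, a reload never leaves a window in which the live set is empty, and the ruleset itself stays one line long however many addresses the list grows to.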

One simple solution is to use a separate bash script for each section, something like:

iptables-routing.sh
iptables-ssh-bans.sh
iptables-blacklist.sh

And run these files from a master script.

Andrei Savu
  • Well yeah, that's what I do. But if I have to view the list of iptables rules (e.g. cat /etc/sysconfig/iptables), it will show me all of the rules which were added via iptables-routing.sh and iptables-blacklist.sh. –  Sep 16 '08 at 07:48

iptables does not read the file directly; that is done by a program called iptables-restore. This is usually called from one of your init scripts.

You could add extra input files to your iptables-restore line. You'll have to find where this line is on your system, but on my Debian box it is in /etc/init.d/nat.

The line currently reads like this:

/sbin/iptables-restore < /etc/network/iptables

Perhaps it could be changed to something like this:

cat /etc/network/iptables \
    /etc/network/pre_routing_tables \
    /etc/network/ssh_bans | /sbin/iptables-restore
Adam Pierce
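An added example, not code from the answer above, that builds on its idea of feeding several files to one iptables-restore run. It assumes a directory /etc/iptables/rules.d/ of fragments named TABLE-NN-name.rules (for instance filter-00-policy.rules, filter-10-ssh-bans.rules, nat-10-routing.rules); each fragment contains only chain and rule lines, and the assembler adds the `*table` header and `COMMIT` once per table. That detail matters: iptables-restore flushes a table each time it meets its `*table` header, so two concatenated files that both open with `*filter` would wipe each other's rules. The sample fragments are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original answer): assemble one iptables-restore
# stream from per-purpose fragment files, the "#include" the question asks for.
# Assumed layout: /etc/iptables/rules.d/TABLE-NN-name.rules, e.g.
#   filter-00-policy.rules, filter-10-ssh-bans.rules, nat-10-routing.rules
# Each fragment holds only chain (:NAME POLICY [0:0]) and rule (-A ...) lines;
# the *TABLE header and COMMIT are added here, once per table, so two
# fragments for the same table do not trigger the per-table flush twice.

# check_fragment FILE: fail if the fragment carries its own *table or COMMIT lines.
check_fragment() {
    ! grep -Eq '^(\*|COMMIT)' "$1"
}

# assemble_rules DIR: print the combined iptables-restore input on stdout.
assemble_rules() {
    dir=$1
    for table in raw mangle nat filter; do
        set -- "$dir"/"$table"-*.rules
        [ -e "$1" ] || continue          # no fragments for this table
        printf '*%s\n' "$table"
        for f in "$@"; do
            check_fragment "$f" || { echo "refusing $f: contains *table/COMMIT" >&2; return 1; }
            printf '# ---- %s ----\n' "$f"   # iptables-restore ignores '#' lines
            grep -v '^[[:space:]]*$' "$f" || true   # drop blank lines, keep rules as written
        done
        printf 'COMMIT\n'
    done
}

# Constructed sample fragments (not real config) so the assembler runs offline.
demo=$(mktemp -d)
cat >"$demo/filter-00-policy.rules" <<'EOF'
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ssh_bans - [0:0]
EOF
cat >"$demo/filter-10-ssh-bans.rules" <<'EOF'
-A INPUT -p tcp --dport 22 -j ssh_bans
-A ssh_bans -s 203.0.113.5 -j DROP

-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
cat >"$demo/nat-10-routing.rules" <<'EOF'
-A POSTROUTING -o eth0 -j MASQUERADE
EOF
assemble_rules "$demo"
rm -rf "$demo"

# Real use (root): parse-check the whole stream first, then load it in one go.
if [ "${1-}" = "apply" ]; then
    assemble_rules /etc/iptables/rules.d | iptables-restore --test \
        && assemble_rules /etc/iptables/rules.d | iptables-restore
fi
```

Because the fragments are sorted by name within each table, chain declarations and policies belong in a low-numbered file such as filter-00-policy.rules and custom chains like ssh_bans are declared before the rules that jump to them. `iptables-restore --test` parses the assembled stream without committing it, so a typo in one fragment is reported before anything is applied, and since the whole stream is committed table by table you do not end up with half a ruleset loaded.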

I tend to use one of the many on-top-of-iptables firewalling scripts/tools, like Firestarter or Shorewall. They come with many files, separated by purpose, add interesting rules to protect against certain types of bogus packets, and they usually work well.

Vinko Vrsalovic
  • Are these usable via the command line? My server is a remote one and I really don't prefer to do X over SSH. –  Sep 16 '08 at 07:49
  • Shorewall is a set of flat text files that generate iptables rules. It is very usable from the command line and has great documentation and diagnostic tools. – Paul Gear Feb 21 '14 at 08:43

I'm not sure which distro you're running, since mine doesn't possess the file you refer to, but typically files which contain iptables rules are just shell scripts, so you should be able to do what you want by having a line such as:

. /etc/sysconfig/pre_routing_rules

or such like at the top of the iptables file you refer to.

GodEater