iptables management tools for large scale environment

Question

The environment I'm operating in is a large-scale web hosting operation (several hundred servers under management, almost-all-public addressing, etc -- so anything that talks about managing ADSL links is unlikely to work well), and we're looking for something that will be comfortable managing both the core ruleset (around 12,000 entries in iptables at current count) plus the host-based rulesets we manage for customers. Our core router ruleset changes a few times a day, and the host-based rulesets would change maybe 50 times a month (across all the servers, so maybe one change per five servers per month).

We're currently using filtergen (which is balls in general, and super-balls at our scale of operation), and I've used shorewall in the past at other jobs (which would be preferable to filtergen, but I figure there's got to be something out there that's better than that).

The "musts" we've come up with for any replacement system are:

• Must generate a ruleset fairly quickly (a filtergen run on our ruleset takes 15-20 minutes; this is just insane) -- this is related to the next point:
• Must generate an iptables-restore style file and load that in one hit, not call iptables for every rule insert
• Must not take down the firewall for an extended period while the ruleset reloads (again, this is a consequence of the above point)
• Must support IPv6 (we aren't deploying anything new that isn't IPv6 compatible)
• Must be DFSG-free
• Must use plain-text configuration files (as we run everything through revision control, and using standard Unix text-manipulation tools are our SOP)
• Must support both RedHat and Debian (packaged preferred, but at the very least mustn't be overtly hostile to either distro's standards)
• Must support the ability to run arbitrary iptables commands to support features that aren't part of the system's "native language"

Anything that doesn't meet all these criteria will not be considered. The following are our "nice to haves":

• Should support config file "fragments" (that is, you can drop a pile of files in a directory and say to the firewall "include everything in this directory in the ruleset"; we use configuration management extensively and would like to use this feature to provide service-specific rules automatically)
• Should support raw tables
• Should allow you to specify particular ICMP in both incoming packets and REJECT rules
• Should gracefully support hostnames that resolve to more than one IP address (we've been caught by this one a few times with filtergen; it's a rather royal pain in the butt)
• The more optional/weird iptables features that the tool supports (either natively or via existing or easily-writable plugins) the better. We use strange features of iptables now and then, and the more of those that "just work", the better for everyone.

Answer 1

If you're perhaps wanting to make a move from a rule-driven approach to a "describe the final state required" way of doing things, have a look at fwbuilder.

Pros:

• multiple firewalls supported - your core + host-based rules - from 1 set of objects
• SQL-esque "tell me what you want" rather than "tell me how to do it" approach (NB I'm not saying there's any SQL in there! Just that it's descriptive Vs procedural :-)
• It's a GUI, kinda like commercial hardware f/w vendors' interfaces, so it's possible to push some tasks down the employee/skills stack
• supports most "wierd' usage I've tried
• can generate rules for a variety of f/w implementations - BSD/cicso/iptables/etc
• seperates front-end from rule-compiler, which makes me hopeful that speed is a concern to the authors. NB I've nothing near the scale to which you're alluding
• File format isn't binary
• does IPv6
• Creates an iptables-save stylee config for atomic and quick loading

Cons:

• It's a GUI
• Moving your existing ruleset is unlikely to be pain-free
• Whilst GPL and in Debian, Windows+OSX clients are 30-day eval, as no-one's cross-compiled a Free version yet for those OS; hence the commercial arm of the devs has a monopoly on those binaries
• File format is technically XML; NB don't let this put you off: take a look at the tools that they provide (you can use the gui binary to manipulate it via the CLI for example), the CLI XML tools that already exist, and remember that - at your scale - some semblance of meta-data + structure ain't a /bad/ thing! It diffs quite nicely across edits, IIRC.

Link : http://www.fwbuilder.org

Answer 2

write your own. seriously - at this scale it is reasonable.

use ipset and/or plenty of iptable tables / subtables. whenever possible reload only some subtables / some sets of ipset - this will speed up reconfiguration.

probably you already do it, but still it's worth mentioning - use nested tables to decrease load on the router and average number of lookups needed for packets setting up new connections. obviously -A FORWARD -m state --state ESTABLISHED,RELATED is your topmost rule.

Answer 3

holy balls (keepin' the theme alive!) man...12,000 core rules?

I'm assuming you've considered all the easy options like simply dropping the sets into CVS? Puppet or CFengine?

Honestly, from the broad overview you've given, I'd strongly suggest re-evaluating your network design. I'm probably a little too simplistic, but I simply cannot fathom a design that would necessitate 12k iptables rules. This really sounds like something that would benefit more from an SLB type solution than a better way to manage the firewall rules.

On a side note, how does one add a comment versus adding an "answer"?

Answer 4

12000 rules? are you insane? Do you not suffer performance problems with this amount of filtering going on? I can't see why you would need 12,000 rules? How do you verify that you rules set is actually enforcing the policy?

What is the policy?

How do you test your policy?

12,000 rules possibly breaks every security rule in the book.

Answer 5

you can also try a SAAS solution for managing iptables -> https://www.efw.io/Forum it can do AWS cloud integration also.