Share your knowledge at the LQ Wiki.
Go Back > Forums > Linux Forums > Linux - Software
User Name
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.


  Search this Thread
Old 12-08-2008, 02:10 PM   #1
LQ Newbie
Registered: Dec 2008
Posts: 2

Rep: Reputation: 0
Central management of iptables

What are my choices for centrally managing iptabels?

Thanks in advance and sorry if it has been posted before.
Old 12-08-2008, 02:48 PM   #2
Registered: Mar 2005
Location: Cambodia
Distribution: suse
Posts: 36
Blog Entries: 1

Rep: Reputation: 16
You give rather little information about what you EXACTLY plan to do. how many servers / computers do you need to centralize in the iptables ? LAN / or www ?
here you see a rather comprehensive online tutorial that might help you

Last edited by hans51; 12-09-2008 at 01:31 AM.
Old 12-09-2008, 01:26 AM   #3
LQ Newbie
Registered: Dec 2008
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for the reply. I need to be able to manage IPTABLES running on over 1000 hosts from a central server. I have heard this can be done with tools like puppet. I would like to know what others use when they have to manage 1000s of hosts running IPTABLES on web, app and db tiers.
Old 12-09-2008, 01:52 AM   #4
Registered: Mar 2005
Location: Cambodia
Distribution: suse
Posts: 36
Blog Entries: 1

Rep: Reputation: 16
I understand
that's a little beyond7above my knowledge
I have only 3 servers

there always are multiple approaches to each problem
one I use would be:

I personally care/manage ONE iptables set
iptables-save >iptables.conf
then rsync to my other servers and
iptables-restore <iptables.conf

on my newest server-config I am going to use in a short while ( servers waiting ) I do most/all automatically

a basic set of rules for all - for example similar as the one from
further down the page the sample script.

then each server has a number of different security related tools installed
such as:
and if needed a cron updated black list for iptables from

and thus several of a.m. security tools update new rules / auto-creates NEW rules as needed - example:

if you have for fail2ban installed with an individualized/adapted jail.conf
then fail2ban will append new rules on the fly as needed and also auto-delete them after a predefined time/days.

however this method is based on individual and optimized security tool-configuration to autocreate new rules as needed and auto-delete them if wished so to free IP-blocks.

this may be one of the many solutions.
one single complete security installation of all a.m. tools can easily be transferred / rsync-ed to all servers once it's tested and working.

other experts here may have better ideas for iptables admin tools for your situation.

personally I love the auto-creation of iptables on-the-fly to prevent too many IP-blocks being entirely blocked for all traffic. currently I have most of China blocked due to the abundance of hacker and fake traffic from there. however such solutions also block all generic traffic.

the ONE server manually cared - solution
of course works with any number of servers - IF - you install on each server a small cron-job to rsync newest iptables.conf from mother-server and then flush local iptables

iptables -F
and restore the newest imported iptables as mentioned above.

this is no tool - but an automated mechanism to synchronize all iptables with the one you personally care/maintain.

of course above solutions would require that you want all servers with same iptables set ...
Old 12-09-2008, 10:04 AM   #5
Registered: Apr 2007
Location: Sunny Florida, USA
Distribution: CentOS, RHEL, U/X/Kubuntu
Posts: 36

Rep: Reputation: 15
one suggestion would be to get a sound set of iptables rules working on a 'core' server, then hourly/nightly rsync them to the others, followed by a reload of the rules.

personally, I use apf to manage iptables.




Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
syslog-ng no iptables at central logserver saavik Linux - Server 0 10-20-2008 09:42 AM
Linux Enterprise Distribution and Central Patch Management jpa9058 Linux - Enterprise 4 02-15-2008 08:16 AM
squid management with IPtables shamza Linux - Networking 1 07-08-2005 03:13 PM
central desktop management tools dukeinlondon Linux - Enterprise 1 08-31-2004 04:13 PM
Central Userid and Password management in Linux sx10 Linux - Networking 3 09-06-2003 03:06 AM > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 03:51 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration