LinuxQuestions.org > Forums > Linux Forums > Linux - Software

Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Old 10-16-2009, 12:17 AM   #1
codenjanod
Member
 
Registered: Oct 2006
Posts: 38

Rep: Reputation: 15
IPTables - How do I create multiple zone files


Hi all,

I have successfully converted all our Redwall firewall entries into IPTables on CentOS 5.3

All the rules have been implemented into a script and tested fine on my VMWare testing server.

My only issue is that the script is more than 6000 lines.
Is it possible to break the huge script into multiple smaller files, like a file for each zone, for example:

The main script file with the basic entries and variables being called, let's call it:
firewall.sh

Then the above script must call the following zone files and incorporate them into the IPTables:
trusted.zone
dmz.zone
lan.zone
etc ... etc

Is it possible to do something like this?
And how would I go about it?


Thank you
 
Old 10-16-2009, 01:22 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1982
In terms of iptables structure itself, you'd presumably want to have a separate table for each zone. This way, your main iptables script would identify traffic relevant to a zone, presumably on source IP, and then jump to that zone's table with the -j option. This then gives you a degree of isolation and abstraction from the base level iptables main tables.

As for actually implementing them, iptables is managed in different ways by different systems. If you wish to step outside of CentOS's own /etc/sysconfig/iptables script, then that's fine, and it probably sounds advisable to scrap it altogether if you want a seriously fine detail of management. In which case, you can just write your own script however you see fit.

First define a new table:

iptables -N BLAH

Then identify traffic to send to it:

iptables -A INPUT -s 123.0.0.0/8 -j BLAH

Then filter in that new table:

iptables -A BLAH -d 192.168.1.2 -j REJECT

etc...

The first two parts I would probably have in the "main" script, the third in a separate one. (Or maybe the -N would be in the separate one too... and the 2nd and 3rd parts can be done either way round.) But either way, define the table, then send stuff to it. How you really achieve that is up to you, and as long as you're comfortable with the quality of your rulebase, you don't need to stick to any distro specific framework in the slightest.

As for what a main script would look like then, I'd just set up variables, like the iptables path and the likes, then source all the files to execute in line:

Code:
IPTABLES=/sbin/iptables
. /etc/myfwscripts/this_zone
. /etc/myfwscripts/that_zone

$IPTABLES -A FORWARD -s 123.0.0.0/8 -j THIS_ZONE
etc...

Last edited by acid_kewpie; 10-16-2009 at 01:24 AM.
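As an added example (not code from the thread or from either poster), here is one way to assemble a complete firewall.sh around the chain-per-zone layout described above: create a chain per zone, source that zone's file into it, then hook the chain from INPUT and FORWARD by source network. It goes slightly beyond the post by ending each zone chain with RETURN and setting default-deny policies once the chains are loaded. The zone directory /etc/myfwscripts, the `<zone>.zone` file names, the zone networks and the `--apply` flag are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): firewall.sh with one user-defined
# chain per zone. Each zone's rules live in an assumed (hypothetical) file
# $ZONE_DIR/<zone>.zone that appends to its own chain with lines such as
#   $IPTABLES -A DMZ -d 192.168.1.2 -j REJECT
# exactly as the post shows; this script creates the chains, sources the
# files and hooks each chain from INPUT and FORWARD by source network.
set -eu

IPTABLES=${IPTABLES:-/sbin/iptables}     # IPTABLES="echo iptables" = dry run
ZONE_DIR=${ZONE_DIR:-/etc/myfwscripts}   # assumed location of the zone files

# load_zone CHAIN SRC_NET FILE
load_zone() {
    chain=$1 src=$2 file=$3
    if [ ! -r "$file" ]; then
        echo "firewall: zone file missing or unreadable: $file" >&2
        return 1
    fi
    # create the chain, or flush it if an earlier run already created it,
    # so the script can be re-run without accumulating duplicate rules
    $IPTABLES -N "$chain" 2>/dev/null || $IPTABLES -F "$chain"
    # the zone file is executed as root, so it must only be root-writable
    . "$file"
    # unmatched traffic returns to the caller and meets the built-in chain's
    # policy instead of being accepted by default
    $IPTABLES -A "$chain" -j RETURN
    $IPTABLES -A INPUT   -s "$src" -j "$chain"
    $IPTABLES -A FORWARD -s "$src" -j "$chain"
}

main() {
    # flush the built-in chains first so the jump rules are not duplicated
    $IPTABLES -F INPUT
    $IPTABLES -F FORWARD
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # zone table: CHAIN SOURCE_NETWORK (networks are constructed placeholders)
    while read -r chain src; do
        [ -n "$chain" ] || continue
        load_zone "$chain" "$src" "$ZONE_DIR/$(echo "$chain" | tr 'A-Z' 'a-z').zone"
    done <<EOF
TRUSTED 192.168.10.0/24
DMZ     192.168.20.0/24
LAN     192.168.30.0/24
EOF
    # default-deny once the zone chains are in place
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
}

# apply only when asked, so sourcing the file (for example in a test)
# defines the functions without touching the live rule set
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run `IPTABLES="echo iptables" sh firewall.sh --apply` to print the rule set that would be loaded without applying it, and `sh firewall.sh --apply` as root to load it. Because every zone file is sourced as root, keep the zone directory and its files owned by root and not writable by anyone else; a writable zone file is equivalent to a writable root shell script.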