Jan Rękorajski

PREAMBLE:

Version 3.0.0 is a complete rewrite of the old firewall-init package.  The
old style config syntax was too painful to maintain and could not cope with
all features of iptables.

As of version 2.99.0 this package is distributed under the GNU GPL; for all
previous versions the BSD license applies.


firewall-init HOWTO

I. What is it?

Firewall-init provides a SysV-init style start-up script and /etc/sysconfig
control over the available kernel IP packet filter, using iptables(8).  In
other words, instead of having to write your own script to be run by init
for firewalling, or having to shove all of your rules into rc.local, you can
use the handy configuration files provided.

II. What does it include?

The base package comes with the following files:

  /etc/rc.d/init.d/firewall             -- initscript that starts/stops firewalling.
  /etc/sysconfig/firewall               -- main control file.
  /etc/sysconfig/firewall.d/functions   -- shell functions library.
  /etc/sysconfig/firewall.d/ipv4        -- directory holding 'direction policy' files.
  /etc/sysconfig/firewall.d/ipv6        -- directory holding 'direction policy' files.
  /usr/share/doc/firewall-init-*/README -- this file.

III. /etc/rc.d/init.d/firewall

This script controls starting and stopping the firewall and must be called
with one option: start or stop.  It runs after networking in start
run-levels (to allow using rpcinfo (portmap) to detect some services that do
not use a fixed port number) and after networking in stop run-levels.

First it checks in /etc/sysconfig/firewall whether or not firewalling should
be turned on and, if so, sets the default policies from that file.
Following that it loads any further rules found in
/etc/sysconfig/firewall.d/$proto/$table/$CHAIN.

IV. /etc/sysconfig/firewall

The format for this file is:

  # Controls if firewall should be started
  FIREWALL=(yes|no)

  # Location of programs/configuration files
  FIREWALL_DIR="/etc/sysconfig/firewall.d"
  iptables="/usr/sbin/iptables"
  ip6tables="/usr/sbin/ip6tables"

  # Which tables you want set up for IPv4 (filter, nat, mangle, drop)
  ipv4_TABLES="filter"

  # Which tables you want set up for IPv6 (filter, mangle)
  ipv6_TABLES=

  # Connection tracking (defaults to yes as it's VERY useful also on non-NAT boxes)
  CONNTRACK="yes"

  # Which ports to track (FTP, IRC, Eggdrop); empty = defaults.
  # May be needed by conntrack and NAT.
  FTP_PORTS=
  IRC_PORTS=
  EGGDROP_PORTS=

  # FXP (direct FTP-to-FTP transfer) support in conntrack_ftp
  FTP_FXP="yes"

  # Size (in KB) of hash tables for connection tracking and NAT;
  # default is 1/16384 of memory
  CONNTRACK_HASHSIZE=
  NAT_HASHSIZE=

  # Policies for chains ($proto_$table_$CHAIN):
  # IPv4:
  ipv4_filter_INPUT="ACCEPT"
  ipv4_filter_OUTPUT="ACCEPT"
  ipv4_filter_FORWARD="DROP"
  ipv4_nat_OUTPUT="ACCEPT"
  ipv4_nat_PREROUTING="ACCEPT"
  ipv4_nat_POSTROUTING="ACCEPT"
  ipv4_mangle_OUTPUT="ACCEPT"
  ipv4_mangle_PREROUTING="ACCEPT"
  ipv4_drop_DROPPING="DROP"
  # IPv6:
  ipv6_filter_INPUT="ACCEPT"
  ipv6_filter_OUTPUT="ACCEPT"
  ipv6_filter_FORWARD="DROP"
  ipv6_mangle_OUTPUT="ACCEPT"
  ipv6_mangle_PREROUTING="ACCEPT"

V. Firewalls: /etc/sysconfig/firewall.d/$proto/$table/$CHAIN

NOTE: These files are shell scripts for a POSIX compliant /bin/sh.

Each of these files must contain a function that will be called by the main
code.  This function must be named like this:

  $proto_$table_$CHAIN_rules() {
      # Your rules here
  }

where:

  $proto is ipv4 or ipv6
  $table is the name of the table (ipv4: filter, nat, mangle, drop;
         ipv6: filter, mangle)
  $CHAIN is the chain name (depends on the table)

So, for example, the function containing rules for the IPv4 filter table,
INPUT chain, will look like this:

  ipv4_filter_INPUT_rules() {
  }

VI. Example

The files in /etc/sysconfig/firewall.d/ in the distribution contain
commented-out example rules.

VII. Masquerading

Masquerading an internal network through the host is accomplished using the
nat table and the POSTROUTING chain.  So in order to masquerade an internal
network of 192.168.0.0/24 (one of the private address ranges), the following
lines should be placed in /etc/sysconfig/firewall.d/ipv4/nat/POSTROUTING:

  ipv4_nat_POSTROUTING_rules() {
      $iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
      $iptables -t nat -A POSTROUTING -j DROP
  }

Be warned that, unlike in ipchains, masquerading is NOT done on FORWARD but
in POSTROUTING, after the packet has been routed.  The packet still has to
pass the FORWARD chain first, so with a FORWARD policy of DROP (the default
in /etc/sysconfig/firewall above) you must explicitly ACCEPT the traffic you
want to forward, or it never reaches the MASQUERADE rule ;)

VIII. Logging

Errors from iptables(8) because of improper rules are logged to syslogd with
a priority of user.notice.
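How a direction policy file from section V and the masquerade from section VII fit together, as an added example written for this README and not code shipped in the firewall-init distribution.  The two *_rules functions would normally be split into ipv4/filter/FORWARD and ipv4/nat/POSTROUTING, with $iptables supplied by the init script from /etc/sysconfig/firewall; they are in one file here so it can be run stand-alone.  It assumes CONNTRACK="yes" and the default ipv4_filter_FORWARD="DROP"; the LAN interface eth1, the 192.168.0.0/24 network, the LAN_IF/LAN_NET variables and the print_rule helper are this example's own assumptions, not part of the package.

```sh
#!/bin/sh
# Added example, not part of the firewall-init distribution.  In the real
# layout the two *_rules functions would be split into
#   /etc/sysconfig/firewall.d/ipv4/filter/FORWARD
#   /etc/sysconfig/firewall.d/ipv4/nat/POSTROUTING
# and the init script would supply $iptables from /etc/sysconfig/firewall.
# Assumptions: CONNTRACK="yes", ipv4_filter_FORWARD="DROP", the LAN is on
# eth1 and numbered 192.168.0.0/24 (all of these are adjustable below).
iptables="${iptables:-/usr/sbin/iptables}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Print a rule instead of loading it; used when iptables=print_rule.
print_rule() {
    printf '%s\n' "$*"
}

# filter/FORWARD.  Because the chain policy is DROP, nothing crosses the box
# unless accepted here, and a packet only reaches nat/POSTROUTING after it
# has passed this chain.
ipv4_filter_FORWARD_rules() {
    # Replies to connections the LAN opened (the state match needs conntrack)
    $iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections are accepted only from the LAN and only via the LAN
    # interface, so a LAN source address arriving elsewhere is treated as
    # spoofed and falls through to the policy
    $iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Everything else hits the DROP policy; log it (rate limited) first
    $iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# nat/POSTROUTING: the masquerade from section VII.  Restricting it to the
# LAN prefix keeps the box from masquerading addresses it does not own.
ipv4_nat_POSTROUTING_rules() {
    $iptables -t nat -A POSTROUTING -s "$LAN_NET" -j MASQUERADE
}

# Dry run: "sh thisfile dry-run" prints the rules that would be loaded
# instead of loading them.  Normally the init script calls the functions.
if [ "$1" = "dry-run" ]; then
    iptables=print_rule
    ipv4_filter_FORWARD_rules
    ipv4_nat_POSTROUTING_rules
fi
```

The dry-run mode is the check worth keeping around: it lets you read the exact rule set that will be loaded before a mistake in a policy file locks you out of a remote box, and the same trick (pointing $iptables at a function that prints) works for any of the $proto_$table_$CHAIN files.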