7.4.3. Creating Rules
Each rule creation requires one invocation of iptables or ip6tables. Typing these commands manually can be tedious, so the calls are usually stored in a script so that the system is automatically configured the same way every time the machine boots. This script can be written by hand, but it can also be generated with a high-level tool such as fwbuilder.
# apt install fwbuilder
The principle is simple. In the first step, describe all the elements that will be involved in the actual rules:
• The firewall itself, with its network interfaces
• The networks, with their corresponding IP ranges
• The servers
• The ports belonging to the services hosted on the servers
Next, create the rules with simple drag-and-drop actions on the objects as shown in Figure 7.2, “Fwbuilder’s Main Window” [page 160]. A few contextual menus can change the condition (negating it, for instance). Then the action needs to be chosen and configured.
As far as IPv6 is concerned, you can either create two distinct rulesets for IPv4 and IPv6, or create only one and let fwbuilder translate the rules according to the addresses assigned to the objects.
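The following script is an added example, not code from the handbook or from fwbuilder. It follows the two-step approach described above in plain POSIX shell: it first describes the elements (the firewall with its interfaces, the networks, the servers and their service ports), then derives the iptables and ip6tables invocations from one address-family-neutral ruleset, choosing the tool from the address family of each object much as fwbuilder does when a single ruleset serves both IPv4 and IPv6. It prints the commands rather than executing them, so the output can be reviewed and saved as the boot-time script. The interface names (eth0, eth1), addresses (documentation ranges) and port lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: a hand-written rule generator in the spirit of the script
# fwbuilder produces. All interface names, addresses and ports below are
# constructed for illustration; they are not the handbook's values.

# Step 1: the firewall and its interfaces (assumed names)
EXT_IF="eth0"   # Internet-facing
INT_IF="eth1"   # LAN-facing

# Step 1: networks, one object per address family (documentation ranges)
LAN4="192.0.2.0/24"
LAN6="2001:db8:1::/64"
ANY4="0.0.0.0/0"
ANY6="::/0"

# Step 1: servers and the ports of the services they host
WEB4="192.0.2.10"
WEB6="2001:db8:1::10"
WEB_PORTS="80,443"
SSH_PORT="22"

# Choose iptables or ip6tables from the address family of an address or
# network: anything containing a colon is IPv6.
tool_for() {
    case "$1" in
        *:*) echo "ip6tables" ;;
        *)   echo "iptables" ;;
    esac
}

# Default-deny policies plus the stateful "allow established" rules that
# every ruleset needs; emitted once per tool.
policy_for() {
    # $1: iptables or ip6tables
    printf '%s -P INPUT DROP\n' "$1"
    printf '%s -P FORWARD DROP\n' "$1"
    printf '%s -P OUTPUT ACCEPT\n' "$1"
    printf '%s -A INPUT -i lo -j ACCEPT\n' "$1"
    printf '%s -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$1"
    printf '%s -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$1"
}

# One forwarded TCP service: source network -> server, listed ports only,
# new connections only (replies are covered by the ESTABLISHED rule above).
allow_tcp() {
    # $1 source network, $2 server address, $3 comma-separated port list
    printf '%s -A FORWARD -i %s -o %s -p tcp -s %s -d %s -m multiport --dports %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$(tool_for "$2")" "$EXT_IF" "$INT_IF" "$1" "$2" "$3"
}

# Administrative SSH access to the firewall itself, from the LAN only.
allow_admin() {
    # $1 LAN network
    printf '%s -A INPUT -i %s -p tcp -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$(tool_for "$1")" "$INT_IF" "$1" "$SSH_PORT"
}

# Step 2: the ruleset, written once and expanded for each address family.
generate_ruleset() {
    printf '#!/bin/sh\n# generated firewall script\n'
    policy_for iptables
    policy_for ip6tables
    allow_tcp "$ANY4" "$WEB4" "$WEB_PORTS"
    allow_tcp "$ANY6" "$WEB6" "$WEB_PORTS"
    allow_admin "$LAN4"
    allow_admin "$LAN6"
    # Everything else falls through to the DROP policies; log a rate-limited
    # sample first so dropped traffic shows up in the journal.
    printf 'iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "\n'
    printf 'ip6tables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "\n'
}

# Usage: sh firewall-gen.sh > /usr/local/sbin/firewall.sh, review the
# output, then run it as root (or hook it into the boot sequence).
generate_ruleset
```

Keeping the generator separate from the execution is deliberate: the generated file is what gets reviewed and versioned, and a mistake in the objects (a wrong interface name, a LAN range that is really the whole Internet) is visible in the output before any rule reaches the kernel.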
Figure 7.2 Fwbuilder’s Main Window
fwbuilder will generate a script configuring the firewall according to the rules that you have defined. Its modular architecture gives it the ability to generate scripts targeting different systems including iptables for Linux, ipf for FreeBSD, and pf for OpenBSD.