On 17 October 2012 09:21, Stuart Sears <stuart@sjsears.com> wrote:
On 16/10/12 20:22, Amar Sood wrote:
On 16 October 2012 20:04, Stuart Sears <stuart@sjsears.com> wrote:
On 16/10/12 14:07, Barry Watson wrote:

Hey there list,

I'd be grateful if someone could recommend please a front-end for
iptables?
Arno's iptables seems well-regarded.

okay, time to take this more seriously...

which distro are you running? many of them have their own tools already.
Do you want a graphical or CLI interface?
/me suspects CLI, but you never can tell


vim :)


He means emacs of course.
<shudders>
Surely no one ever *actually* means emacs? :) [fight! fight! fight!]

In all seriousness, though, I do write all my firewall rules in vim and load them before the network starts, using the 'iptables-restore' command.

RH-type distros already have an init script that does this for you.

Netfilter syntax really isn't that complicated and understanding it does no harm. I would recommend learning it.


I've set up some basic iptables rules on my VPS that allow/block various
ports etc. but want to be able to use iptables' state module too and would
like to use a script that's been proved through use.

How have you added the rules that you already use?

ip_conntrack state matching rules aren't particularly complicated.
Most of those rules look a bit like the following:

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

- This is a general "allow stuff in if it's part of an existing or related connection" rule (there are other options, like NEW or INVALID).
- It would be the first rule (because of the -I).

These rules can have protocol and port specifications, too.

It doesn't sound like you have very complex requirements.
My experience with netfilter frontends is they tend to err on the side of complexity, certainly in terms of the rules they generate, with multiple custom chains. I like my rules to be readable.

I also find that managing the rules with an editor allows me to add comments where necessary (and/or use a VCS to permit rollback).

Yes, I realise this wasn't exactly what you asked for, but it Works For Me (tm)


Thanks in advance for any help/ideas.

Barry

Regards,

Stuart
--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.

_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users

Thanks for the replies all of you!

My VPS runs Debian Squeeze - I'm perfectly happy using the command line.

It's perfectly possible to write my own commands I suppose. It's just a question of practicality - it's something else I should learn, but in the meantime (time is short) I'd be happy to use a script to configure a firewall that I know would do the job.

Some good ideas here - I appreciate the help!

Thanks again,

Barry
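As an added example, not written by anyone in the thread: a POSIX shell script that produces a rules file in the format 'iptables-restore' reads, following the approach Stuart describes (the ESTABLISHED,RELATED rule first, a few NEW rules for the ports you actually listen on, everything else dropped by policy). The port list, the path /etc/iptables.rules and the use of an ifupdown pre-up hook on Debian are assumptions, not anything the thread states.

```shell
#!/bin/sh
# gen_rules PORTS - print an iptables-restore ruleset to stdout.
# PORTS is a space-separated list of TCP ports to accept NEW connections on
# (constructed example: "22 80"). Everything not matched falls through to
# the INPUT chain's DROP policy, so the order of the rules matters.
gen_rules() {
    tcp_ports=$1
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# Replies and related traffic for connections conntrack already knows about
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot associate with any connection
-A INPUT -m state --state INVALID -j DROP
EOF
    # One NEW rule per listening port; these sit after the state rule above
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Keep ping working
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# check_order - read a ruleset on stdin and print OK if the ESTABLISHED,RELATED
# rule appears before any NEW rule (and exists at all), FAIL otherwise.
check_order() {
    awk 'BEGIN { ok = 1 }
         /--state NEW/ && !seen { ok = 0 }
         /ESTABLISHED,RELATED/  { seen = 1 }
         END { if (ok && seen) print "OK"; else print "FAIL" }'
}

# Assumed deployment (run as root):
#   gen_rules "22 80" > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
# On Debian, putting the iptables-restore line in an executable
# /etc/network/if-pre-up.d/iptables script loads the rules before the
# interfaces come up (assumes ifupdown-managed networking).
```

Because the file is generated, it can live in a VCS alongside the script, which gives the comments and rollback Stuart mentions without a frontend.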