Bison - IPTables Script generator
Bison can be used to generate a firewall script for your Linux box. It doesn't run the commands for you, but generates the needed IPTables commands for you to run, based on the methods you call. It's also a lot of fun to build them.
The synopsis is basic. All the methods are exported, so a simple firewall script would be:
    use Bison;

    override_global({ ip_address => '10.1.1.5' });

    # drop everything by default
    default_policy({
        INPUT   => 'DROP',
        FORWARD => 'DROP',
        OUTPUT  => 'ACCEPT',
    });

    # filter bad tcp packets into a special chain
    drop_bad_tcp_flags();

    # create a custom chain and set default behaviour to drop
    chain('new', {
        name => 'my_firewall',
        jump => 'DROP',
    });

    # setup logging for the new chain
    log_setup('my_firewall', {
        time     => 7,
        duration => 'minute',
        prefix   => 'My Cool Firewall',
    });

    bison_finish();
Obviously the above script would lock you out of your system. But it shows that it's a lot easier to write a bit of Perl than to remember long-winded IPTables commands.
This function should be called before anything else. It sets up the default firewall chain and a catchall filter.
Handles all forwarding-related rules, e.g. forwarding packets from an internal network (eth1) to the internet (eth0).
    # generate something like
    # iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward({ from => 'eth1', to => 'eth0', type => 'related' });

    # .. or simply just forward the packets from eth1 to eth0
    forward({ from => 'eth1', to => 'eth0' });
Catches any malicious TCP packets into a badflags chain, then prefixes the log as that chain. Should help prevent force fragment and XMAS packets. Also checks to make sure new TCP connections are SYN packets. This section could do with a bit more work, but this is still a beta release :)
Opens ports to a service by name (www, ssh, ftp). If no arguments are passed it will open access to everyone. If you pass a hash with to => then the port will only be available to that IP address.
    open_service('ssh', { to => '10.1.1.5' });   # open 22 to 10.1.1.5 only
    open_service('www');                          # open port 80 to all
Drops all ICMP requests, but opens a few by default. If you pass an array it will only allow the ICMP types requested.
    drop_icmp( [qw/0 8 11/] );
Performs chain events: creates a new custom chain or lists the chains you have created.
    chain('new', { name => 'my_new_chain', jump => 'drop' });
    chain('list');   # returns an array of chains you have created
We don't necessarily want netbios packets, so here's the option to drop them. You can choose to drop them silently, or log them loudly to the main firewall chain.
    drop_netbios();    # drop netbios silently
    drop_netbios(1);   # drop packets loudly by logging to firewall
Sets up logging for a chain. You can specify the time, duration and prefix.
    log_setup('mychain', { time => 8, duration => 'minute', prefix => 'MyChain Log' });   # 8 alerts per minute
Source-NATs everything going out the interface so that it appears to come from the given IP address.
    source_nat({ as => '10.1.1.5' });
Overrides any default settings, and allows you to create new ones.
    override_global({ iface => 'eth0', ip_address => '10.1.1.6' });
PREROUTING options, e.g. routing an incoming port range to a specified IP through the nat table.
    preroute('ports', { ports => '22:25', proto => 'tcp', to => '10.1.1.9' });
Accepts related and established connections so that client-side activities, e.g. ftp, work correctly.
Simply switches on IP forwarding in /proc/sys/net/ipv4/ip_forward, if your system supports it.
Accepts everything locally.
Accept all incoming connections from a specific IP, or locally. You can pass an array to allow multiple sources.
    accept_all_from('local');
    accept_all_from('10.1.1.5');
    accept_all_from([qw/10.1.1.4 10.1.1.5 10.1.2.7/]);
Flushes specific chains, including nat and mangle.
    flush();                           # flush everything
    flush([qw/INPUT FORWARD nat/]);    # flush only the named chains/tables
Sets the default policy for the specified chain.
    default_policy({ INPUT => 'DROP', FORWARD => 'DROP', });
Call this method last, and don't forget it. It cleans everything up and checks for errors. It also prints out the list of IPTables commands you need to build your firewall.
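The synopsis above drops everything without accepting anything, which is why it locks you out. The following script, added here as an example and not taken from the module's own documentation, reaches the same dropping defaults while keeping management access: the loopback and admin-host accepts and the ssh opening are made explicitly, and the tables are flushed first so stale rules don't survive. It assumes eth0 faces the internet, eth1 the LAN, 10.1.1.5 is this host and 10.1.1.20 is the admin workstation; every call used is one described on this page.

```perl
use strict;
use warnings;
use Bison;

# Assumed layout (not from the page): eth0 = internet, eth1 = LAN,
# 10.1.1.5 = this host, 10.1.1.20 = admin workstation.
my $self_ip  = '10.1.1.5';
my $admin_ip = '10.1.1.20';

flush();    # start from empty tables, including nat and mangle
override_global({ iface => 'eth0', ip_address => $self_ip });

# Deny by default on the inbound and forwarding paths.
default_policy({
    INPUT   => 'DROP',
    FORWARD => 'DROP',
    OUTPUT  => 'ACCEPT',
});

# What keeps us from being locked out: local traffic, the admin host,
# and ssh restricted to that host. www stays open to everyone.
accept_all_from('local');
accept_all_from($admin_ip);
open_service('ssh', { to => $admin_ip });
open_service('www');

# Filtering: bad TCP flag combinations, a short ICMP allow-list
# (echo reply, echo request, time exceeded) and loudly logged netbios.
drop_bad_tcp_flags();
drop_icmp([qw/0 8 11/]);
drop_netbios(1);

# LAN -> internet forwarding with return traffic, masqueraded as this host.
forward({ from => 'eth1', to => 'eth0' });
forward({ from => 'eth1', to => 'eth0', type => 'related' });
source_nat({ as => $self_ip });

# Must be last: validates the rule set and prints the iptables commands.
bison_finish();
```

Review the printed commands before running them on the box, and keep an out-of-band console available the first time a DROP policy is applied.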
Please e-mail brad@geeksware.net
Brad Haywood <brad@geeksware.net>
Copyright 2011 the above author(s).
This software is free software, and is licensed under the same terms as Perl itself.
To install Bison, copy and paste the appropriate command into your terminal.
cpanm
    cpanm Bison
CPAN shell
    perl -MCPAN -e shell
    install Bison
For more information on module installation, please visit the detailed CPAN module installation guide.