Fina is a simple, robust shell script that loads iptables rules from a rules directory. As such, it isn't concerned with creating rules for you, it just helps you load them in a robust way.
If something fails, Fina will load your old ruleset. The Fina project also allows richer commenting in the rules files than iptables. Still, it can handle anything that iptables-restore can.
Fina is the result of working with various attempts at wrapping iptables
(rather: Netfilter) with scripts and other infrastructure in order to
make daily administration of rules easier.
Due to my job, I've always needed a script that can easily be automated
remotely. No matter how great a script is, if it takes ages to update
fourteen web servers of a cluster, it's useless to me.
Another basic need for such a script is that it has to be secure by
default - without getting into the admins way too much. That is to say,
it only creates rules that the admin expressly configures. Of course, a
sensible set of configuration /examples/ is provided.
The third hard requirement is that the script should be capable of doing
everything Netfilter can. That means that no matter how complicated your
NAT and prerouting magic needs are, the script must be able to handle
it. One side effect of this is, that it must handle huge filter sets at
least as easily as Netfilter itself.
The fourth requirement is a bit complicated. Sometimes, it may be
necessary to change variables in /proc after modules have been loaded
but before rules referring to those modules are added. Also, sometimes
it might be necessary, to do stuff after the packet filter has been
loaded. To this end, /etc/fina may contain two scripts called
"pre-up.sh" and "post-up.sh". If those files exist and are executable,
they are executed at the corresponding times.
Finally, the script should be lightweight, having as few external
dependencies as possible. Also, the script itself should be as simple
and small as possible. This is because simple things have fewer ways in
which they can fail.
Due to the four hard requirements mentioned above, the script doesn't
actually "know" all that much about Netfilter. This way, it easily
incorporates everything Netfilter can do - without having a moving
target of specs to adhere to.
Basically, Fina assembles an iptables-restore compatible rule dump from
snippets configure/edited by the admin of the machine. It then tries to
load the whole set. If this fails in any way, the old rule set is
Naturally, this means that Fina does next to nothing for the admin
when it comes to /generating/ rules on the machine. This is a conscious
decision. For one, whoever uses/configures a packet filter should be
aware of all the consequences of his actions. This includes for example
knowing why it is bad to drop all ICMP traffic.
Another reason is that providing examples or even recipes for packet
filters is something /documentation/ should do. It's not a good idea to
have a black box do "simply the right thing". Usually, there is a
non-trivial amount of users for which The Right Thing can't be easily
How it works
If fina is started via the init script, one critical extra step is
taken: the script tries to load /etc/fina/minimal.rules with
iptables-restore. This comes in handy if you've updated the kernel and
forgotten parts of the iptables modules - your nice big config file
probably won't load and your machine is either vulnerable or
inaccessible to you. Usually, you'll want to have a very simple rule set
in here (without conntracking) that allows access from your management
IPs. You can load this ruleset using the -m commandline switch. This can
be handy in emergency situations (think of it as a PANIC button).
Fina expects one configuration file, /etc/fina/fina.cfg. This is
actually simply a shell script that is sourced from the main Fina
script. It contains (by default) one variable that specify one
additional location, that of the rule directory. First, fina checks if
/etc/fina/pre-up.sh exists and is executable and if so runs it. This is
the place to load modules or change stuff in proc if the need arises.
The second location is more important. It specifies the directory which
contains the rule snippets that Fina should assemble. Usually, this is
located at /etc/fina/rules.d/. Fina then proceeds to load all files from
said directory (and its sub-directories) that end in .rules. In order to
have reliable order when assembling, the files are usually prefixed with
two- or three-digit numbers.
The expected format of the files is of no concern to Fina. Fina itself
will only assemble them in order into one file. After this, it will make
a backup of the current rule set (using iptables-save) and put it in a
location specified in /etc/fina/fina.cfg. Then, Fina will try to load
the generated file using iptables-restore. If this fails for whatever
reason, it will try to load the old rule set and exhibit an appropriate
error message plus whatever message it got from the failing
Finally, fina will execute /etc/fina/post-up.sh if it exists and is
In addition to generating and then directly loading a rule set, Fina can
also simply dump the file it would load to stdout ("pretend mode", which
is the default). This is useful if you suspect a bug in your Netfilter
snippets and want to take a look at the set before trying to load it.
Fina adds a plethora of comments to the generated file to make debugging
easier. Using Finas pretend mode, you can also ensure that Fina can read
all the files it should.
Also, this way you can create diffs between your currently running rules
and the rules Fina would generate. This way, you can easily spot if the
changes in the rules snippets have the expected results.
Keep in mind though that in this mode, Fina has no way of telling if
what it generates can actually be loaded with iptables-restore.
Unfortunately, the kernel interface does not provide a means to see if a
rule set could be loaded without actually activating it (if I'm wrong
here, I'd be glad to hear about such functionality).
In order to aid in debugging, all lines generated by Fina itself are
prefixed with "#Fina#", so you can tell which lines are from Fina and
which ones come from your files.
· GNU bash (>=v2)
· GNU find (anything recent)
· GNU grep (ditto)
· GNU sed (ditto)
· iptables (whatever works with your kernel)
What's New in This Release: [ read full changelog ]
· A show-stopping bug in the error handling of the generic init scripts was fixed.