    ipset_shorewall

    Developer: BALLO Ismael
    License / Price: GPL / FREE
    Last Updated: November 2nd, 2007, 10:05 GMT
    Category: ROOT / System / Networking


    ipset_shorewall description

    ipset_shorewall is a script for the Shorewall firewall, for use in conjunction with ipset.

    BEFORE: Suppose you grant clients (variable $ADMIN_PROJECT="10.144.123.36,10.144.123.36 etc..." in params)
    access to servers $ADM_PROJECT0n.

    In file /etc/shorewall/rules:

    ACCEPT zone1:$ADMIN_PROJECT zone2:$ADM_PROJECT01 all
    ACCEPT zone1:$ADMIN_PROJECT zone2:$ADM_PROJECT02 all
    ACCEPT zone1:$ADMIN_PROJECT zone2:$ADM_PROJECT03 all
    ACCEPT zone1:$ADMIN_PROJECT zone2:$ADM_PROJECT04 all
    ACCEPT zone1:$ADMIN_PROJECT zone2:$ADM_PROJECT05 all

    Indeed, Shorewall expands these lines into (N client addresses in "$ADMIN_PROJECT" x M servers) iptables rules: one for each client accessing one server.
    => Too many rules... SLOW Shorewall restart!!

    AFTER:

    In file /etc/shorewall/rules_ipset (created by you; not a default Shorewall file):
    zone1:$ADMIN_PROJECT zone2:$ADM_PROJECT


    which the script writes into file /etc/shorewall/rules as
    (just a small part of what the script does):
    ACCEPT zone1 zone2:+ADM_PROJECT [dst,src]

    One iptables rule and a QUICK restart!

    So, using the script, we went from 12 000 iptables rules down to only 400 iptables rules!!!!!
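    To make the N x M expansion concrete, here is an added Python illustration (not the project's Perl script): it parses a constructed params file, lists the per-pair rules of the BEFORE form, and builds the ipset commands plus the single rule of the AFTER form. The set names, the `ipset create/add` command syntax and the `+NAME[flags]` rule form are assumptions of this example.

```python
# Constructed sample of a Shorewall params file, not taken from the project.
PARAMS = """
ADMIN_PROJECT="10.144.123.36,10.144.123.37,10.144.123.38"
ADM_PROJECT01=10.144.200.1
ADM_PROJECT02=10.144.200.2
ADM_PROJECT03=10.144.200.3
"""


def parse_params(text):
    """Parse KEY=value lines; comma-separated values become address lists."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip('"')
        params[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return params


def servers_from_params(params, prefix="ADM_PROJECT0"):
    """Collect the numbered server variables ($ADM_PROJECT01, 02, ...) in order."""
    return [params[k][0] for k in sorted(params) if k.startswith(prefix)]


def expanded_rules(clients, servers, src_zone="zone1", dst_zone="zone2"):
    """BEFORE: one ACCEPT per (client, server) pair, i.e. N x M iptables rules."""
    return [f"ACCEPT {src_zone}:{c} {dst_zone}:{s} all" for c in clients for s in servers]


def ipset_rules(clients, servers, src_zone="zone1", dst_zone="zone2"):
    """AFTER: load both groups into ipsets and emit a single Shorewall rule.
    Set names, the `ipset create/add` syntax and the +NAME[flags] form are
    assumptions of this example, not text from the page."""
    cmds = ["ipset create ADMIN_PROJECT hash:ip", "ipset create ADM_PROJECT hash:ip"]
    cmds += [f"ipset add ADMIN_PROJECT {c}" for c in clients]
    cmds += [f"ipset add ADM_PROJECT {s}" for s in servers]
    rule = f"ACCEPT {src_zone}:+ADMIN_PROJECT[src] {dst_zone}:+ADM_PROJECT[dst] all"
    return cmds, [rule]


if __name__ == "__main__":
    p = parse_params(PARAMS)
    clients, servers = p["ADMIN_PROJECT"], servers_from_params(p)
    print(len(expanded_rules(clients, servers)), "iptables rules before")  # 9
    cmds, rules = ipset_rules(clients, servers)
    print(len(rules), "rule after, with", len(cmds) - 2, "set members")  # 1, 6
```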

    I wrote this doc to explain the script I made, which lets you use ipset with Shorewall to dynamically filter access by IP (and later by port, if someone is interested).

    Requirements:

    - Shorewall (3.2, sh-based); I hope it can be integrated into the Shorewall-perl series (>4) in the future.
    - Patch the kernel with ipset : http://ipset.netfilter.org/

    Required Perl modules:

    - Arrays_tools (which I created; included in the gzipped tarball)
    - File::Basename
    - Data::Validate::IP, which validates IP addresses.
    - Tie::File, which permits dynamic file modification.
    - Acme-Comment, which allows block comments in Perl files.
    - Term::ANSIColor (to add color to terminal output)

    For root, in your ~/.bash_profile (or other *profile), put this:

    (scripts: manageip_by_project, ipset_shorewall)
    PATH=$PATH:<directory_where_you_put_scripts>
    (module Arrays_tools.pm)
    export PERL5LIB=<directory_where_you_put_modules_Arrays_tools.pm>
