ipset_shorewall is a script for the Shorewall firewall that lets you use Shorewall in conjunction with ipset.
BEFORE : suppose you give a group of clients (variable $ADMIN_PROJECT="10.144.123.36,10.144.123.36 etc..." in params)
access to the servers $ADM_PROJECT0n.
In file /etc/shorewall/rules
ACCEPT zone1:$ADMIN_PROJECT zone2:$ADM_PROJECT01 all
ACCEPT zone1:$ADMIN_PROJECT zone2:$ADM_PROJECT02 all
ACCEPT zone1:$ADMIN_PROJECT zone2:$ADM_PROJECT03 all
ACCEPT zone1:$ADMIN_PROJECT zone2:$ADM_PROJECT04 all
ACCEPT zone1:$ADMIN_PROJECT zone2:$ADM_PROJECT05 all
Indeed, Shorewall expands these lines into (N client addresses in "$ADMIN_PROJECT" x M servers) iptables rules: one for each client accessing one server.
=> Too many rules... SLOW Shorewall restart !!
In file /etc/shorewall/rules_ipset (created by the script, not a default Shorewall file),
which the script writes into file /etc/shorewall/rules
(just a small part of what the script does) :
ACCEPT zone1 zone2:+ADM_PROJECT [dst,src]
One iptables rule and a QUICK restart !
So, using the script : from 12 000 iptables rules, we went down to only 400 iptables rules !!!!!
I made this doc to explain the script I wrote, which allows you to use ipset with Shorewall to dynamically filter access by IP (and later by port, if someone is interested..).
- Shorewall (3.2, sh-based); I hope it can be integrated into the Shorewall-perl series (>4) in the future.
- A kernel patched with ipset : http://ipset.netfilter.org/
All the Perl modules :
- Arrays_tools (which I created : it is in the above gzipped tarball)
- Data::Validate::IP, which validates IP addresses.
- Tie::File, which permits dynamic file modification.
- Acme-Comment, which allows block comments in Perl files.
- Term::ANSIColor (to add colour to terminal output)
For root, in your ~/.bash_profile (or other *profile), put this so that the scripts
(manageip_by_project, ipset_shorewall) can find the module Arrays_tools.pm :
export PERL5LIB=<directory_where_you_put_module_Arrays_tools.pm>