Skip to content
/ systemd-service-iptables Public

Systemd iptables service - Persistent iptables rules with multi-instantiated iptables rules + docker support

License

MIT license
13 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

boTux-fr/systemd-service-iptables

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
etc
etc
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Systemd Iptables Rules Management

Persistent iptables rules with multi-instantiated iptables rulebooks.

Edit, load, change iptables rules whith systemd service using iptables-save rules formating.

Start, restart, reload, and stop firewall with systemd service.

System requirements

  • iptables
  • systemd

Instalation

On the linux system you wish to install the firewall sercice, run as root :

mkdir /opt/security/ && cd /opt/security
git clone 
cd systemd-service-iptables/
# Edit the rules in etc/iptables/base.rules as needed.
# and install the service
cp -Rv etc/. /etc/
systemctl daemon-reload
systemctl enable iptables.service
systemctl enable [email protected]
systemctl start [email protected]
# To start another rules config files : 
systemctl enable [email protected]
systemctl start [email protected]
# Check status :
systemctl status [email protected] [email protected]

Configuration

Add - Edit - Remove rulebook from /etc/iptables/ to allow a new sub-service to run.

Template included in the repository :

base.rules

Edit base.rules to add or edit the firewall restrictions.

We are using the FILTERS chain to add our rules.

Exemple

Open https port only for 1 ip/fqdn :

-A FILTERS -s 10.1.1.1/32 -p tcp -m tcp --dport 443 -j ACCEPT

Open https port :

-A FILTERS -p tcp -m tcp --dport 443 -j ACCEPT

Other rules

When we want to add another set of rules, we need to manually add an override on the new rule to set [email protected] as dependencie, then the new rules will be loaded after the base.

When we add another one, we need to map it to the second.

Exemple with docker-user.rules

docker-user.rules

Enable, start and configure the service :

systemctl enable [email protected]
systemctl start [email protected]
systemctl edit [email protected]

Add to the override :

[Unit]
[email protected]

And save. You can now reboot safely without risking COMMIT error with iptables-restore.

Requirements : docker

Works with docker automatic rules creation by user DOCKER-USER chain. More informations on Docker & Iptables.

The docker-user.rules rulebook is an exemple on how to limit docker port exposition on spécifique ip sources. We're using the ctorigdstport option with conntrack to restrict exposed ports.

Be carefull within every docker-user's rules, you have to set the external interface with -i ens192 (change WAN interface name).

Documentation

About

Systemd iptables service - Persistent iptables rules with multi-instantiated iptables rules + docker support

Topics

docker security firewall iptables docker-network systemd-service

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

13 stars

Watchers

3 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published