fwbuilder seems to always want to write the firewall rules directly to the device that will run them, however I want to write them to a rules file that I can then maintain and update to the device via configuration management (ansible).
Clarification: I want the rules written out in a format suitable for consumption by iptables-restore.
Is this possible?
fwbuilder does not generate a "straight" iptables-restore compatible script out of the box, but it is possible with some modifications. There are two parts to this:
First, turn on the checkbox "Use iptables-restore to activate policy" in the tab "Script" of the firewall settings dialog. Turn all other functions of the generated script off in the same tab.
The rules are in iptables-restore format, but since the default generated script wants to send them to the standard input of iptables-restore, they are generated like this:
You can replace the real iptables-restore with your own utility that will pick these rules up from stdin and store them in a file, which will be in the right iptables-restore format (this is what you want). The utility can be something simple, such as "tee file". To take over iptables-restore, open the "Host OS Settings" dialog in the firewall properties, go to the tab "Paths" and change the path for iptables-restore, replacing it with the path and name of your utility or script.
Since you do not use the default script format fwbuilder expects, its built-in policy installer won't work anyway. So what you need to do is run the generated script to generate a proper iptables-restore file and then install it where it belongs. How you do the latter part is up to you.
You can also change the format of the generated script to remove parts you do not need. The generated script is built using a template which you can modify. See chapter 13 "Configlets" of the Users Guide. The idea is to "dumb down" the generated script to leave only the iptables rules, which should already be in the iptables-restore format, and remove everything else. I think the rules will still be in the form of "echo -A INPUT ..." so you'll need to actually run the generated script to get the rules in the format you need.
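One way to build the "tee file" stand-in described in the answer above, as an added example that is not part of the original post: a POSIX sh script you install under the path entered in the "Paths" tab in place of iptables-restore. It saves whatever the generated script pipes to it, after a minimal sanity check, and keeps the previous file as a rollback copy. The script name fwb-save-rules, the RULES_OUT variable and the default output path are assumptions, not fwbuilder conventions.

```shell
#!/bin/sh
# fwb-save-rules (hypothetical name): stand-in for iptables-restore.
# fwbuilder's generated script pipes the ruleset into this program's
# stdin; instead of loading it into the kernel we save it to a file
# that iptables-restore (or a config-management push) can consume later.
# Assumption: output path comes from RULES_OUT, default /etc/iptables/rules.v4.

capture_rules() {
    out="$1"
    tmp="$out.tmp.$$"
    # Store stdin verbatim so the file stays valid iptables-restore input.
    cat > "$tmp" || { rm -f "$tmp"; return 1; }
    # Refuse to overwrite the live rules file with something that is not a
    # ruleset: require at least one table header ("*filter") and a COMMIT.
    if ! grep -q '^\*[a-z]' "$tmp" || ! grep -q '^COMMIT' "$tmp"; then
        echo "capture_rules: stdin is not an iptables-restore ruleset" >&2
        rm -f "$tmp"
        return 1
    fi
    # Keep a copy of the previous ruleset so a bad push can be rolled back.
    [ -f "$out" ] && cp -p "$out" "$out.bak"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}

# Run only when installed under the assumed script name; any options the
# generated script passes to "iptables-restore" are ignored here.
case "$0" in
    fwb-save-rules|*/fwb-save-rules)
        capture_rules "${RULES_OUT:-/etc/iptables/rules.v4}" ;;
esac
```

The resulting file can be checked before deployment with `iptables-restore --test < /etc/iptables/rules.v4` on a host that has iptables installed.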