fwtree: Flexible Linux Tree-based Firewall

About fwtree

This project utilizes iptables and maps the entire iptables feature set into an easy-to-use directory structure. Over the years the Linux network packet filtering stack has gone through many revisions: from ipfwadm in 2.0, to ipchains in 2.2, and finally netfilter, which is managed by iptables from 2.4 through today's 6.x kernels. The current netfilter implementation is extremely flexible, and fwtree supports every configuration that can be expressed with iptables in an easy-to-use and organized way.

Installing fwtree

The fwtree project is supported on:

  • CentOS 6 and newer
  • Scientific Linux 6 and newer
  • Redhat (RHEL) 6 and newer
  • Oracle Linux 6 and newer
  • Debian 7 and newer
  • Ubuntu 14.04 and newer

YUM Repository

For yum-based distributions, you can install our repository as follows:

yum localinstall https://www.linuxglobal.com/static/repos/linuxglobal-public-repo.rpm
yum install fwtree

APT Repository

For apt-based distributions, such as Debian and Ubuntu, you can install our repository as follows:

wget -P /etc/apt/sources.list.d/ https://www.linuxglobal.com/static/apt/linuxglobal-public-wheezy.list
wget -O - https://www.linuxglobal.com/static/apt/signing.linuxglobal.com.key | apt-key add -
apt-get update
apt-get install fwtree

Replace “wheezy” in the list file name if your distribution's code name differs, such as “trusty” or “jessie”.

From Source

If you would like to install from source or contribute to the fwtree project, you may clone or browse our git repository here:

https://github.com/ewheelerinc/fwtree

Introduction to fwtree

There are many guides on the Internet on how to use iptables, and it is not our intention to duplicate those here—but let us provide an introduction:

Directory Structure of fwtree

Netfilter splits the packet filter paths into a series of tables and chains. The common tables are filter, nat, and mangle. Other tables exist, but they are less commonly used; even when they are not used, fwtree supports them implicitly through the same structure. Within each table there is a series of chains (or targets). The fwtree project represents these in the following directory layout:

/etc/fwtree.d/nat
/etc/fwtree.d/nat/POSTROUTING
/etc/fwtree.d/nat/PREROUTING
/etc/fwtree.d/nat/OUTPUT
/etc/fwtree.d/filter
/etc/fwtree.d/filter/INPUT
/etc/fwtree.d/filter/OUTPUT
/etc/fwtree.d/filter/FORWARD
/etc/fwtree.d/mangle
/etc/fwtree.d/mangle/POSTROUTING
/etc/fwtree.d/mangle/PREROUTING
/etc/fwtree.d/mangle/INPUT
/etc/fwtree.d/mangle/OUTPUT
/etc/fwtree.d/mangle/FORWARD

The directories listed above are the defaults that come with iptables. The default installation of fwtree provides a default-deny firewall with only port 22 open (so that you don’t lock yourself out). The filter table contains additional chains to facilitate logging and the default-deny policy.

Allowing Access to Services and Networks

Every file in the leaf-most directories whose name ends in .rule is interpreted as a rule to be applied to the firewall. The content of that file is written almost exactly like the invocation of iptables, but with the table and chain arguments omitted. For example:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

This would be written to the file /etc/fwtree.d/nat/POSTROUTING/outbound-nat.rule as follows:

-o eth1 -j MASQUERADE

This is a large simplification, since real rules are usually much richer and the table/chain arguments become redundant: keep only the iptables arguments that are not already described by the directory structure.

If you have a group of related hosts, you can trivially make a new chain by creating a directory and jumping to it with -j. For example:

# create the new ADMINS chain in the filter table:
mkdir /etc/fwtree.d/filter/ADMINS
echo "-j ACCEPT" > /etc/fwtree.d/filter/ADMINS/allow-all-of-the-admins.rule

# a plain .rule file applies to both IPv4 and IPv6:
echo "-p tcp --dport 22 -j ADMINS" > /etc/fwtree.d/filter/INPUT/10.1.2.3-admins.rule

# ipv4 specific rule:
echo "-s 10.1.2.3/32 -j ADMINS" > /etc/fwtree.d/filter/INPUT/10.1.2.3-admins.rule4

# ipv6 specific rule:
echo "-s ::1 -j ADMINS" > /etc/fwtree.d/filter/INPUT/10.1.2.3-admins.rule6

Note that the file name does not matter as long as it ends in .rule, .rule4, or .rule6 (.rule4 and .rule6 restrict a rule to IPv4 or IPv6 respectively); rules are applied in alphabetical (globbing) order.
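As an added illustration of the directory-to-iptables mapping and the custom-chain procedure above (this is not fwtree's own loader, and the real project may load rules differently), the following POSIX shell script walks a tree laid out as described and prints the iptables and ip6tables commands it corresponds to, without applying anything. The function names fwtree_render, make_sample_tree and builtin_chain are mine, and the script assumes that a directory under a table whose name is not a built-in chain is a user-defined chain needing -N, that .rule files apply to both address families, and that non-rule files are ignored:

```shell
#!/bin/sh
# Added example, not fwtree's own code: render an fwtree-style tree into the
# iptables/ip6tables commands it describes, printing them instead of running
# them, so a tree can be reviewed before it is ever loaded.
#
# Assumptions made here that the fwtree documentation does not spell out:
#   - a directory under a table that is not a built-in chain name is a
#     user-defined chain and must be created (-N) before any rule jumps to it
#   - .rule applies to both IPv4 and IPv6, .rule4 to IPv4 only, .rule6 to
#     IPv6 only; any other file is ignored
#   - rule files are applied in the shell's glob order, as the docs state

# Built-in netfilter chain names; anything else is treated as user-defined.
builtin_chain() {
    case "$1" in
        INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING) return 0 ;;
        *) return 1 ;;
    esac
}

# fwtree_render TREE_DIR: print one iptables/ip6tables command per line.
fwtree_render() {
    tree=$1
    for table_dir in "$tree"/*/; do
        [ -d "$table_dir" ] || continue
        table=$(basename "$table_dir")
        # Pass 1: create user-defined chains so later jumps to them resolve.
        for chain_dir in "$table_dir"*/; do
            [ -d "$chain_dir" ] || continue
            chain=$(basename "$chain_dir")
            if ! builtin_chain "$chain"; then
                echo "iptables -t $table -N $chain"
                echo "ip6tables -t $table -N $chain"
            fi
        done
        # Pass 2: append rules chain by chain, in glob order within a chain.
        for chain_dir in "$table_dir"*/; do
            [ -d "$chain_dir" ] || continue
            chain=$(basename "$chain_dir")
            for f in "$chain_dir"*; do
                [ -f "$f" ] || continue
                args=$(head -n 1 "$f")   # one rule per file: first line only
                case "$f" in
                    *.rule)  echo "iptables -t $table -A $chain $args"
                             echo "ip6tables -t $table -A $chain $args" ;;
                    *.rule4) echo "iptables -t $table -A $chain $args" ;;
                    *.rule6) echo "ip6tables -t $table -A $chain $args" ;;
                    *)       ;;   # README files, editor backups, etc. are skipped
                esac
            done
        done
    done
}

# Constructed sample tree in a temp directory (test data, not a real host's
# configuration), mirroring the ADMINS chain example from the text.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/filter/INPUT" "$root/filter/ADMINS" "$root/nat/POSTROUTING"
    echo "-j ACCEPT"                   > "$root/filter/ADMINS/allow-all-of-the-admins.rule"
    echo "-p tcp --dport 22 -j ADMINS" > "$root/filter/INPUT/10-ssh-to-admins.rule"
    echo "-s 10.1.2.3/32 -j ADMINS"    > "$root/filter/INPUT/20-admin-host.rule4"
    echo "-s ::1 -j ADMINS"            > "$root/filter/INPUT/30-admin-host.rule6"
    echo "-o eth1 -j MASQUERADE"       > "$root/nat/POSTROUTING/outbound-nat.rule"
    echo "notes, not a rule"           > "$root/nat/POSTROUTING/README"
    echo "$root"
}

# Stand-alone run: show what the sample tree would load, then clean up.
sample=$(make_sample_tree)
fwtree_render "$sample"
rm -rf "$sample"
```

Because rules are applied in glob order, and glob order follows the shell's locale collation, numeric prefixes such as 10-, 20-, 30- make the intended order explicit; a dry-run like this is the place to confirm that no broad ACCEPT lands ahead of the rules that are supposed to narrow it, which is what keeps a default-deny policy meaningful.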