This project utilizes iptables and maps the entire iptables feature set into an easy-to-use directory structure. Over the years the Linux network packet filtering stack has gone through many revisions: from ipfwadm in 2.0, to ipchains in 2.2, and finally netfilter, which is managed by iptables from 2.4 through today in 4.x. The latest netfilter release in Linux is extremely flexible, and fwtree supports all configurations that can be made with iptables in an easy-to-use and organized way.
The fwtree project is supported on:
- CentOS 6/7
- Scientific Linux 6/7
- Redhat (RHEL) 6/7
- Debian 7/8 (Wheezy/Jessie)
- Ubuntu 14.04/16.04 (Trusty/Xenial)
For yum-based distributions, you can install our repository as follows:
yum localinstall https://www.linuxglobal.com/static/repos/linuxglobal-public-repo.rpm
yum install fwtree
For apt-based distributions, such as Debian and Ubuntu, you can install our repository as follows:
wget -P /etc/apt/sources.list.d/ https://www.linuxglobal.com/static/apt/linuxglobal-public-wheezy.list
wget -O - https://www.linuxglobal.com/static/apt/signing.linuxglobal.com.key | apt-key add -
apt-get update
apt-get install fwtree
Replace “wheezy” if your distribution code name differs, such as “trusty” or “jessie”.
If you would like to install from source or contribute to the fwtree project, you may clone or browse our git repository here:
Introduction to fwtree
There are many guides on the Internet on how to use iptables, and it is not our intention to duplicate those here—but let us provide an introduction:
Directory Structure of fwtree
Netfilter breaks the packet filter paths into a series of tables and chains. The common tables are filter, nat, and mangle. Other tables exist, but they are less commonly used; even so, fwtree supports them implicitly in the structure. Within each table there is a series of chains (or targets). The fwtree project represents these in the following directory configuration:
/etc/fwtree.d/nat
/etc/fwtree.d/nat/POSTROUTING
/etc/fwtree.d/nat/PREROUTING
/etc/fwtree.d/nat/OUTPUT
/etc/fwtree.d/filter
/etc/fwtree.d/filter/INPUT
/etc/fwtree.d/filter/OUTPUT
/etc/fwtree.d/filter/FORWARD
/etc/fwtree.d/mangle
/etc/fwtree.d/mangle/POSTROUTING
/etc/fwtree.d/mangle/PREROUTING
/etc/fwtree.d/mangle/INPUT
/etc/fwtree.d/mangle/OUTPUT
/etc/fwtree.d/mangle/FORWARD
The directories noted above are the defaults that come with iptables. The default installation of fwtree provides a default deny firewall implementation with only port 22 open (so that you don’t lock yourself out). There are other chains in the filter table to facilitate logging and the default deny policy.
Allowing Access to Services and Networks
Every file in the leaf-most directories that ends in .rule is interpreted as a rule to be applied to the firewall. The content of that file is written almost exactly like the invocation of iptables, but with the table and chain arguments omitted. For example:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
would be written to a file at /etc/fwtree.d/nat/POSTROUTING/outbound-nat.rule with the following content:
-o eth1 -j MASQUERADE
This simplifies things considerably: real rules are usually much richer, and repeating the table and chain on every one would be redundant. Keep only the iptables arguments that are not already described by the directory structure.
If you have an organization of hosts, you can trivially make a new chain by creating a directory and linking to it. For example:
mkdir /etc/fwtree.d/filter/ADMINS
echo "-j ACCEPT" > /etc/fwtree.d/filter/ADMINS/allow-all-of-the-admins.rule
echo "-s 10.1.2.3/32 -j ADMINS" > /etc/fwtree.d/filter/INPUT/10.1.2.3-admins.rule
Note that the file name does not matter so long as it ends in .rule; rules are applied in alphabetical (shell glob) order.