https://github.com/ctxswitch/shutter

Generate iptables rules from simple configuration files
https://github.com/ctxswitch/shutter

Last synced: 5 months ago
JSON representation

Generate iptables rules from simple configuration files

• Host: GitHub
• URL: https://github.com/ctxswitch/shutter
• Owner: ctxswitch
• License: mit
• Created: 2012-06-22T01:22:44.000Z (about 14 years ago)
• Default Branch: master
• Last Pushed: 2013-07-05T21:50:47.000Z (almost 13 years ago)
• Last Synced: 2026-01-14T11:21:17.058Z (5 months ago)
• Language: Ruby
• Size: 242 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# Shutter

[![Build Status](https://secure.travis-ci.org/rlyon/shutter.png)](http://travis-ci.org/rlyon/shutter)

Shutter is a tool that gives system administrators the ability to manage 

iptables firewall settings through simple lists instead of complex iptables commands, making it

easier to define host and service firewall setting with configuration management tools.  Please note:

This application is currently only tested with Red Hat based distributions.  Ubuntu and Debian should 

work but are not supported.

## Installation

Instalation is through the gem package management program. 

    $ gem install shutter

## Upgrading from older versions

The base template will sometimes change with new versions to correct errors and add features.  To upgrade the base template and add any new configuration files that the new version may require, use the following command:

    $ shutter --upgrade

## Usage

#### Install the gem.

    

    $ gem install shutter

#### OPTIONAL: Create the initial configuration files.

Shutter automatically creates any missing configuration files anytime it is run, but you can create them prior to 

    $ shutter --init

#### Modify the files to meet your required settings.  

There are several files that you can modify:

* **base.ipt:**  The one file to rule them all.  Modifying this file is optional as

it is the template that is used to build the firewall. If you do modify the file,

just make sure you include the appropriate placeholder directives to allow

shutter to dynamically fill in the rules.  It is possible to leave out any unwanted

placeholders.  By default the files are will be found in the */etc/shutter.d* directory

* **iface.dmz:**  Enter any private interfaces that will be unprotected by the firewall.  One per line.

* **iface.forward:**  Enter any source and destination interfaces that forwarding will occur.

* **ip.allow:**  A list of IP addresses and ranges that are allowed to access the 'private' ports

* **ip.deny:**  A list of IP addresses and ranges that are denied access to both public and private ports. 

* **ports.private:**  A list of ports and protocols that are available to traffic that passes through the AllowIP chain

* **ports.public:**  A list of ports and protocols that are available publically to everyone except the 'Bastards' listed in ip.deny

Shutter was designed to work with the Fail2ban access monitoring/management tool.  It includes a 

special chain called 'Jail' which is used to insert the jump rules that fail2ban uses to deny 

access 'on-the-fly'.  To work correctly, you configure fail2ban to use the Jail chain instead of 

INPUT.  The dynamic rules that fail2ban has created in the jail chain remain persistant when 

shutter is 'restored' or reloaded.

#### To show your firewall rules you can run:

    $ shutter --save

This command mimics the 'iptables-save' command which prints the rules out to the screen.  

This does not modify the firewall settings.

#### To implement the changes, use:

    $ shutter --restore

This command uses 'iptables-restore' under the hood to update the firewall.  You can use the '--persist' option

to make the changes permanent and survive reboots.  Persist can optionally take an argument which defines the location of the

persist file if it is in a non-standard location.

#### To check your current firewall rules generated by 'iptables-save' against the ones shutter will generate, use:

    $ shutter --check

The command will return 'OK' if the rules and chains match and 'MISMATCH' if there is any variance.

#### Command line options

    Usage: shutter [options]

            --init                       Create the initial configuration files.

            --reinit                     Rereate the initial configuration files.

            --upgrade                    Upgrade the configuration files that have changes with a new version.

        -s, --save                       Output the firewall to stdout. This is the default behavior.

        -r, --restore                    Restore the firewall through iptables-restore.

        -p, --persist [FILE]             Write the firewall to the persistance file.  If an argument is given, it will be used as the persistance file

        -d, --dir DIR                    Set the directory for configuration files.  Default is /etc/shutter.d.

            --debug                      Turn on debugging for extra output.

        -h, --help                       Display help and exit.

            --version                    Display version and exit.

More documentation to come...

## Contributing

1. Fork it

2. Create your feature branch (`git checkout -b my-new-feature`)

3. Commit your changes (`git commit -am 'Added some feature'`)

4. Push to the branch (`git push origin my-new-feature`)

5. Create new Pull Request