arno-iptables-firewall - Single- & multi-homed firewall script with DSL/ADSL support.
arno-iptables-firewall start | restart | force-reload | stop | stop-block | status | status-plugins | check-conf
arno-iptables-firewall is an iptables configuration script with support for both IPv4 & IPv6. In general, it should not be called directly, but rather should be invoked via /etc/init.d/arno-iptables-firewall or systemctl COMMAND arno-iptables-firewall.service, depending on the init system in use. While it is extremely easy to set up a basic firewall, one can nevertheless configure it to meet quite complex requirements.
All available options are explained in the extensively documented configuration file.
As a bare minimum, the external interface of the system needs to be set up properly in the firewall's configuration (EXT_IF). The default behavior of the firewall is to deny all incoming connections.
Instead of editing the main configuration file, it is recommended to put configuration snippets into .conf files to be placed in the configuration directory. These are sourced after the main configuration file has been read and can be used to override previous (default) configurations.
For additional requirements not covered by the configuration file and not coverable by configuration snippets, custom iptables rules can be placed in a custom rules file. This file is automatically parsed by the service script.
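As an added example (not taken from the man page or the project's own files), a configuration snippet of the kind described above, dropped into the configuration directory; EXT_IF is the variable the page names, while OPEN_TCP and BLOCK_HOSTS_FILE are assumed names for the corresponding settings in the main configuration file, and the file name is chosen for this illustration:

```sh
# /etc/arno-iptables-firewall/conf.d/10-local.conf  (added example; file name assumed)
# Sourced after firewall.conf, so every assignment here overrides the default.

# External (Internet-facing) interface: the one setting that must be correct.
EXT_IF="eth0"

# All inbound connections are denied by default; open only the TCP ports needed.
# OPEN_TCP is an assumed variable name for the allowed-inbound-TCP-ports setting.
OPEN_TCP="22"

# Enable the host blacklist, which is disabled in firewall.conf by default.
# BLOCK_HOSTS_FILE is an assumed variable name for that setting.
BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"
```

Run arno-iptables-firewall check-conf afterwards to have the script check the merged configuration before reloading the firewall.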
Logs are written to a dedicated log file if rsyslogd is in use. The arno-fwfilter script can be used to make the firewall logs more readable for humans (see manpage).
Several plugins implementing advanced features come with the firewall script. Each of them brings its own configuration file to be found in the plugins configuration directory.
- /etc/arno-iptables-firewall/firewall.conf - main configuration file
- /etc/arno-iptables-firewall/conf.d/ - firewall configuration directory
- /etc/arno-iptables-firewall/plugins/ - plugins configuration directory
- /etc/arno-iptables-firewall/custom-rules - custom iptables rules file
- /etc/arno-iptables-firewall/blocked-hosts - host blacklist. This file does not pre-exist and its use is disabled in the main configuration file by default.
- /var/log/arno-iptables-firewall - log file maintained by rsyslogd
iptables(8), arno-fwfilter(1), /usr/share/doc/arno-iptables-firewall/README.gz, https://rocky.eld.leidenuniv.nl/
arno-iptables-firewall was written by Arno van Amersfoort and Lonnie Abelbeck.
This manual page was initially written by Michael Hanke and has been reworked by Sven Geuer, for the Debian project (but may be used by others).