Arno's IPTABLES Firewall Script is a secure stateful firewall for both single and multi-homed machines. It supports NAT and SNAT, port forwarding, ADSL ethernet modems with both static and dynamically assigned IPs, MAC address filtering, stealth port scan detection, DMZ support, protection against SYN/ICMP flooding, experimental IPv6 support, multi-interface/aliased-IP support, and extensive user definable logging with rate limiting to prevent log flooding. It has plugin support to add extra features (like SSH Brute Force protection and (Racoon) IPSEC support). It is easy to configure and highly customizable. A filter script that makes your firewall log more readable is also included.
| Field | Value |
|---|---|
| Tags | Networking, Firewalls |
| Licenses | GPL |
| Operating Systems | POSIX, Linux |
| Implementation | Unix Shell |
Recent releases


Changes: A problem in which the DSL plugin caused errors on restart was fixed. Detected iptables errors are now reported as WARNING rather than ERROR when the script finishes. The IPSEC-VPN plugin was updated. The .aif_active_plugins file was moved to /var/tmp/. Plugins whose priority number has changed are now detected on stop().


Changes: A problem where check_binary failed on dash-based systems (like Ubuntu) was fixed. Some bashisms were fixed along with DMZ_LAN_HOST_OPEN_IP, which didn't work.


Changes: A problem in which DMZ_LAN_HOST_OPEN_xxx source hosts weren't parsed properly was fixed. A LOG_HOST_OUTPUT_xxx format error was fixed. Local DNAT redirect support was added. An experimental DMZ-NAT plugin was added. DMZ_IF_TRUST and INT_IF_TRUST were replaced with the new IF_TRUSTS variable. A problem that kept NAT_FORWARD_IP from working was fixed. Many tweaks, fixes, and cleanups were made.


Changes: Some security issues concerning firewall restart were fixed. An invalid EOL causing blocked hosts to fail was fixed. Invalid sed syntax that caused blocked hosts to fail was corrected. The MAC filter was moved from the main script into a separate plugin. An issue where the OUTPUT policy didn't get applied was fixed. LOG_xxx_INPUT was changed to LOG_INPUT_xxx in the config file. Several plugins were updated.


Changes: Several fixes in the install script.
Recent comments

Back when iptables first came out I read for weeks trying to figure out how to rewrite my firewall scripts, which I had done years before, to take advantage of the new features iptables provides. It took me weeks to do that and have something I felt pretty good about. Over the years I had added on things as needed for various clients and it served me pretty well. Several years ago a client had an insanely crazy setup, and after beating my head into the wall for a few hours trying to figure out how to make my script work I thought, "hey, why not check around and see what's out there". So I found this little gem.
Back when iptables first came out there really weren't many great examples, so I wrote my own. Now there are many, and while I understand it way better now, this script kicks ass. Why write my own and end up with something probably not even 1/10 as good when you can start with what I feel is the best firewall script out there? Arnova, my hat's off to you. Very well done, constantly updated and very well documented. Even 7 years later you're still improving it; now if that doesn't say something about his level of commitment I don't know what does. If you're ever in the Bay Area, Arno, look me up, I owe you many beers!
Tnt
Re: This Script Is The Best
That's just true.
Like hgo, I found this script combines power and clarity (configuration AND logs :).
Like jgionet, I configured it by just logging into the gateway via SSH.
I'm very happy I found Arno's IPtables script.
Many thanks for his nice work :)
This Script Is The Best
I've tried a lot of firewall scripts from freshmeat. More than half don't seem to even work. Or I'm not bright enough to make them work (and I've been working with Unix-style operating systems for eight years).
This script "just works". And it's got powerful configuration options to boot.
Great!!
After wasting hours to get my SuSE Firewall up and running I gave up on it. Then I found this script and I am extremely happy with it. Everything just worked fine after just following the instructions and rebooting the PC. Thank you!
EXCELLENT!
What can I say, this is by far one of the BEST scripts I've loaded in many years! I was able to install and apply this script while REMOTELY connected via SSH and had no issues at all (after applying a new Redhat kernel & rebooting). Great instructions and very well documented/organized. I was using MonMotha's script before (which was also excellent), however there hadn't been any updates in quite a while. Keep up the GREAT work! thxs :)