CFC (Centralized Firewall Control) provides a centralized way to manage the firewall on multiple servers or load balancers running iptables. This way you can quickly allow/block/del/search abuse ranges etc. with one command on several servers. It accesses those servers through SSH. It supports both IPv4 and IPv6.
The following settings can be set in the config file:
* action: sets the action when adding a rule, default: DROP
* checkaggrbin: path to the checkaggr.py script, default: ./checkaggr.py
* cleanupconfirmation: asks for confirmation before running the clean command, set to false for cron usage, default: true
* date: set the date format for the firewall comments, default: $(date +%d%m%Y) -> 22062016
* dateipset: set the date format for the ipset firewall comments, leave this on the default to avoid breaking some of the functions, default: $(date +%Y%m%d) -> 20160622
* ipsetname: sets the IPSET list name, default: blockedips
* ipsetservers: sets the servers that use IPSET instead of iptables, default: "lvs05.example.com lvs06.example.com"
* fwchain: name of the firewall chain to add/del/search, default: INPUT
* masklimit: maximum size of the IP ranges that can be added, default: /21
* precheck: checks whether the IP that is about to be added is already in the firewall or is part of a larger range that was already added; this can be slow on large IPv6 firewalls (~25 sec. for searching 500 IP ranges per server), default: true
* protected: enable the added protected ranges, default: true
* protectedranges: IP ranges that are excluded from the 'add' function, usually the ranges owned by the local network, default: "172.16.0.0/12 10.0.0.0/8 192.168.0.0/16"
* pythonbin: location of the used Python binary, default: /usr/bin/python3
* servers: sets the servers that use iptables only, default: "lvs01.example.com lvs02.example.com lvs03.example.com lvs04.example.com"
The IPv6 functions are marked with the '6' suffix.
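The masklimit, protectedranges and precheck settings above describe three checks a candidate range has to pass before it is added. The following is an added example of that logic, not code from CFC (CFC's own checks live in cfc.sh and checkaggr.py and use the netaddr package); it uses the standard-library ipaddress module instead, and goes slightly beyond the page by also flagging an existing rule that the new range would swallow.

```python
"""Precheck a candidate range before adding it to the firewall.

Added example, not part of CFC: uses ipaddress rather than netaddr.
Defaults below are constructed to mirror the cfc.cfg settings described
in the README (masklimit /21 and the three RFC 1918 protected ranges).
"""
import ipaddress
from typing import Iterable, Optional, Union

MASKLIMIT = "/21"
PROTECTED_RANGES = ("172.16.0.0/12", "10.0.0.0/8", "192.168.0.0/16")


def _net(cidr: str):
    # strict=False tolerates host bits set, e.g. "10.1.2.3/24" -> 10.1.2.0/24
    return ipaddress.ip_network(cidr, strict=False)


def _prefix(masklimit: Union[str, int]) -> int:
    # Accept the config spelling "/21" as well as a plain integer.
    return int(str(masklimit).lstrip("/"))


def precheck(candidate: str, existing: Iterable[str],
             masklimit: Union[str, int] = MASKLIMIT,
             protected: Iterable[str] = PROTECTED_RANGES) -> Optional[str]:
    """Return None if the range may be added, otherwise the reason it may not.

    Order of checks: range size against masklimit, overlap with the
    protected ranges, then comparison with the rules already present.
    Ranges of the other IP version are ignored when comparing.
    """
    cand = _net(candidate)
    limit = _prefix(masklimit)
    if cand.prefixlen < limit:
        return f"{cand} is larger than the /{limit} masklimit"
    for p in protected:
        pn = _net(p)
        if pn.version == cand.version and cand.overlaps(pn):
            return f"{cand} overlaps protected range {pn}"
    for e in existing:
        en = _net(e)
        if en.version != cand.version:
            continue
        if cand.subnet_of(en):          # exact match or inside a larger rule
            return f"{cand} is already covered by existing rule {en}"
        if en.subnet_of(cand):          # new rule would swallow an old one
            return f"{cand} would supersede existing rule {en}"
    return None
```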
Prerequisites
+ python3-netaddr
+ ipset
Usage:
apt install python3-netaddr ipset
git clone https://github.com/LeonBroseliske/CFC && cd CFC
Copy the example config from cfc.cfg-example to cfc.cfg the first time.
cfc.sh add n.n.n.n/NN '<optional comment>'
cfc6.sh add <IPv6_address_range> '<optional comment>'