Ruined (RUby Iptables NEtwork Displayer) was written to help administrators, security managers and technical managers better understand the underlying firewall, and the best part is that it does so graphically. Instead of reading tons of iptables lines, you get the whole picture. Combined with color schemes, you quickly see what is allowed and what is not.
It also provides an API to read and dig deeper into your firewall configuration, so that you can write custom tools on top of it.
In this configuration, we have a workstation where users are only allowed to run an ssh client to connect to a remote host, irc to talk to geeks, and an http browser.
First of all, we write those rules using iptables:
```sh
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -p tcp -m tcp --dport ssh -m state --state ! INVALID -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport ssh -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport ircd -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport ircd -m state --state ! INVALID -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport http -m state --state ! INVALID -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport http -m state --state RELATED,ESTABLISHED -j ACCEPT
```

After that, you run the command "iptables-save":
```
# Generated by iptables-save v1.3.5 on Mon Feb 19 09:39:34 2007
*filter
:INPUT DROP [114:14216]
:FORWARD DROP [0:0]
:OUTPUT DROP [60:7008]
-A INPUT -p tcp -m tcp --sport 6667 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 6667 -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
COMMIT
# Completed on Mon Feb 19 09:39:34 2007
```

The easiest is to save it to a file using "iptables-save > iptables-in".
The following colors are used:
Color | Protocol |
---|---|
Yellow | TCP |
Blue | UDP |
Aqua | ICMP |

Color | Target |
---|---|
Green | ACCEPT |
Red | DROP |
Blue | QUEUE |
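As an added example (not Ruined's own code, whose API this page does not show), here is a small Ruby parser for the iptables-save format above that builds the per-chain picture and applies the color scheme from the tables. The sample dump, the `grey` fallback color, and the function names are assumptions made for this example.

```ruby
# Constructed sample in iptables-save format (not a real capture).
SAMPLE = <<~DUMP
  # Generated by iptables-save v1.3.5 on Mon Feb 19 09:39:34 2007
  *filter
  :INPUT DROP [114:14216]
  :OUTPUT DROP [60:7008]
  -A INPUT -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED,UNTRACKED -j ACCEPT
  -A OUTPUT -p udp -m udp --dport 53 -j DROP
  COMMIT
DUMP

# Color scheme from the tables above; 'grey' is an assumed fallback.
PROTO_COLOR  = { 'tcp' => 'yellow', 'udp' => 'blue', 'icmp' => 'aqua' }.freeze
TARGET_COLOR = { 'ACCEPT' => 'green', 'DROP' => 'red', 'QUEUE' => 'blue' }.freeze
# Parses a dump into { table => { chain => { policy:, rules: [Hash] } } }.
# Chain lines (":NAME POLICY [pkts:bytes]") precede "-A" rules in a dump;
# user-defined chains carry the policy "-".
def parse_iptables_save(text)
  tables = {}
  table = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#') || line == 'COMMIT'
    case line
    when /\A\*(\w+)\z/                  then table = tables[$1] = {}
    when /\A:(\S+) (\S+) \[\d+:\d+\]\z/ then table[$1] = { policy: $2, rules: [] }
    when /\A-A (\S+) (.*)\z/
      chain, args = $1, $2
      rule = { proto: args[/(?:\A|\s)-p (\S+)/, 1], target: args[/-j (\S+)/, 1],
               sport: args[/--sport (\S+)/, 1], dport: args[/--dport (\S+)/, 1] }
      rule[:proto_color]  = PROTO_COLOR.fetch(rule[:proto], 'grey')
      rule[:target_color] = TARGET_COLOR.fetch(rule[:target], 'grey')
      table.fetch(chain)[:rules] << rule
    end
  end
  tables
end

# One text line per chain and per rule, tagged [protocol color/target color].
def describe(tables)
  tables.flat_map do |tname, chains|
    chains.flat_map do |cname, chain|
      head = "#{tname}/#{cname} policy=#{chain[:policy]} (#{TARGET_COLOR.fetch(chain[:policy], 'grey')})"
      [head] + chain[:rules].map { |r| "  #{r[:proto]} sport=#{r[:sport] || '*'} dport=#{r[:dport] || '*'} -> #{r[:target]} [#{r[:proto_color]}/#{r[:target_color]}]" }
    end
  end
end

puts describe(parse_iptables_save(SAMPLE))
```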