1
0
mirror of https://github.com/vimagick/dockerfiles.git synced 2025-01-20 04:59:27 +02:00
dockerfiles/ferm/README.md

63 lines
2.1 KiB
Markdown
Raw Normal View History

2015-07-06 08:35:53 +08:00
ferm - for Easy Rule Making
===========================
2015-07-06 08:46:13 +08:00
![](https://badge.imagelayers.io/vimagick/ferm:latest.svg)
2015-07-06 08:35:53 +08:00
[`ferm`][1] is a frontend for iptables, providing a way to write manageable
rulesets without sacrificing flexibility.
## Tutorial
```
$ alias ferm='docker run -i --rm vimagick/ferm'
$ cat > iptables.rules <<_EOF_
chain INPUT {
policy DROP;
mod state state (RELATED ESTABLISHED) ACCEPT;
proto tcp dport (http ftp ssh) ACCEPT;
}
_EOF_
$ ferm -h
Usage:
ferm *options* *inputfiles*
Options:
-n, --noexec Do not execute the rules, just simulate
-F, --flush Flush all netfilter tables managed by ferm
-l, --lines Show all rules that were created
-i, --interactive Interactive mode: revert if user does not confirm
-t, --timeout s Define interactive mode timeout in seconds
--remote Remote mode; ignore host specific configuration.
This implies --noexec and --lines.
-V, --version Show current version number
-h, --help Look at this text
2015-07-06 10:18:43 +08:00
--slow Slow mode, do not use iptables-restore
2015-07-06 08:35:53 +08:00
--shell Generate a shell script which calls iptables-restore
--domain {ip|ip6} Handle only the specified domain
--def '$name=v' Override a variable
$ ferm < iptables.rules
# Generated by ferm 2.2 on Mon Jul 6 00:32:04 2015
*filter
:INPUT DROP [0:0]
-A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
-A INPUT --protocol tcp --dport http --jump ACCEPT
-A INPUT --protocol tcp --dport ftp --jump ACCEPT
-A INPUT --protocol tcp --dport ssh --jump ACCEPT
COMMIT
$ ferm --slow - < iptables.rules
iptables -t filter -P INPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport http --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport ftp --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport ssh --jump ACCEPT
```
[1]: http://ferm.foo-projects.org/