mirror of
https://github.com/vimagick/dockerfiles.git
synced 2025-01-22 05:09:36 +02:00
ferm - for Easy Rule Making
ferm
is a frontend for iptables, providing a way to write manageable
rulesets without sacrificing flexibility.
Tutorial
$ alias ferm='docker run -i --rm vimagick/ferm'
$ cat > iptables.rules <<_EOF_
chain INPUT {
policy DROP;
mod state state (RELATED ESTABLISHED) ACCEPT;
proto tcp dport (http ftp ssh) ACCEPT;
}
_EOF_
$ ferm -h
Usage:
ferm *options* *inputfiles*
Options:
-n, --noexec Do not execute the rules, just simulate
-F, --flush Flush all netfilter tables managed by ferm
-l, --lines Show all rules that were created
-i, --interactive Interactive mode: revert if user does not confirm
-t, --timeout s Define interactive mode timeout in seconds
--remote Remote mode; ignore host specific configuration.
This implies --noexec and --lines.
-V, --version Show current version number
-h, --help Look at this text
--slow Slow mode, do not use iptables-restore
--shell Generate a shell script which calls iptables-restore
--domain {ip|ip6} Handle only the specified domain
--def '$name=v' Override a variable
$ ferm < iptables.rules
# Generated by ferm 2.2 on Mon Jul 6 00:32:04 2015
*filter
:INPUT DROP [0:0]
-A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
-A INPUT --protocol tcp --dport http --jump ACCEPT
-A INPUT --protocol tcp --dport ftp --jump ACCEPT
-A INPUT --protocol tcp --dport ssh --jump ACCEPT
COMMIT
$ ferm --slow - < iptables.rules
iptables -t filter -P INPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport http --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport ftp --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport ssh --jump ACCEPT