ferm - for Easy Rule Making

ferm is a frontend for iptables, providing a way to write manageable rulesets without sacrificing flexibility. Note that the alias below runs ferm in a throwaway container started without `--cap-add=NET_ADMIN` or `--net=host`, so it cannot modify the host's netfilter tables: the commands print the generated rules to stdout, and applying them is a separate, privileged step on the host (review the output, then feed it to `iptables-restore` as root). Pin the image to a tag or digest rather than relying on the implicit `latest`, since whatever the registry serves under that name is what ends up generating your firewall rules.

Tutorial

The ruleset below is a minimal example, not a drop-in policy. It has no `interface lo ACCEPT`, so with `policy DROP` new connections to 127.0.0.1 are dropped along with everything else; it opens FTP, which is plaintext (and whose passive-mode data connections need more than port 21); and, as the generated output shows, it only produces the IPv4 `*filter` table (wrap the chain in `domain (ip ip6) { ... }` if the host also has IPv6). `mod state` still works, but `mod conntrack ctstate (RELATED ESTABLISHED)` is the current match. When applying rules on a remote host, `-i`/`--interactive` reverts the change unless you confirm it, which guards against locking yourself out. The `--slow` mode shown last issues one `iptables` call per rule: its first two commands set the INPUT policy to ACCEPT and flush the chain, so the host is briefly unfiltered until the DROP policy and rules are re-added, whereas the default `iptables-restore` path loads the whole table atomically.

$ alias ferm='docker run -i --rm vimagick/ferm'

$ cat > iptables.rules <<_EOF_
chain INPUT {
    policy DROP;
    mod state  state (RELATED ESTABLISHED)  ACCEPT;
    proto tcp  dport (http ftp ssh)  ACCEPT;
}
_EOF_

$ ferm -h
Usage:
    ferm *options* *inputfiles*

Options:
     -n, --noexec      Do not execute the rules, just simulate
     -F, --flush       Flush all netfilter tables managed by ferm
     -l, --lines       Show all rules that were created
     -i, --interactive Interactive mode: revert if user does not confirm
     -t, --timeout s   Define interactive mode timeout in seconds
     --remote          Remote mode; ignore host specific configuration.
                       This implies --noexec and --lines.
     -V, --version     Show current version number
     -h, --help        Look at this text
     --slow            Slow mode, do not use iptables-restore
     --shell           Generate a shell script which calls iptables-restore
     --domain {ip|ip6} Handle only the specified domain
     --def '$name=v'   Override a variable

$ ferm < iptables.rules
# Generated by ferm 2.2 on Mon Jul  6 00:32:04 2015
*filter
:INPUT DROP [0:0]
-A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
-A INPUT --protocol tcp --dport http --jump ACCEPT
-A INPUT --protocol tcp --dport ftp --jump ACCEPT
-A INPUT --protocol tcp --dport ssh --jump ACCEPT
COMMIT

$ ferm --slow - < iptables.rules
iptables -t filter -P INPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport http --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport ftp --jump ACCEPT
iptables -t filter -A INPUT --protocol tcp --dport ssh --jump ACCEPT