/systemd-service-iptables

Systemd iptables service - Persistent iptables rules with multi-instantiated iptables rules + docker support

MIT LicenseMIT

Systemd Iptables Rules Management

Persistent iptables rules with multi-instantiated iptables rulebooks.

Edit, load, change iptables rules whith systemd service using iptables-save rules formating.

Start, restart, reload, and stop firewall with systemd service.

System requirements

  • iptables
  • systemd

Instalation

On the linux system you wish to install the firewall sercice, run as root :

mkdir /opt/security/ && cd /opt/security
git clone 
cd systemd-service-iptables/
# Edit the rules in etc/iptables/base.rules as needed.
# and install the service
cp -Rv etc/. /etc/
systemctl daemon-reload
systemctl enable iptables.service
systemctl enable iptables@base.service
systemctl start iptables@base.sercice
# To start another rules config files : 
systemctl enable iptables@docker-user.service
systemctl start iptables@docker-user.service
# Check status :
systemctl status iptables@base.service iptables@docker-user.service

Configuration

Add - Edit - Remove rulebook from /etc/iptables/ to allow a new sub-service to run.

Template included in the repository :

base.rules

Edit base.rules to add or edit the firewall restrictions.

We are using the FILTERS chain to add our rules.

Exemple

Open https port only for 1 ip/fqdn :

-A FILTERS -s 10.1.1.1/32 -p tcp -m tcp --dport 443 -j ACCEPT

Open https port :

-A FILTERS -p tcp -m tcp --dport 443 -j ACCEPT

Other rules

When we want to add another set of rules, we need to manually add an override on the new rule to set After=iptables@base.service as dependencie, then the new rules will be loaded after the base.

When we add another one, we need to map it to the second.

Exemple with docker-user.rules

docker-user.rules

Enable, start and configure the service :

systemctl enable iptables@docker-user.service
systemctl start iptables@docker-user.service
systemctl edit iptables@docker-user.service

Add to the override :

[Unit]
After=iptables@base.service

And save. You can now reboot safely without risking COMMIT error with iptables-restore.


Requirements : docker

Works with docker automatic rules creation by user DOCKER-USER chain. More informations on Docker & Iptables.

The docker-user.rules rulebook is an exemple on how to limit docker port exposition on spécifique ip sources. We're using the ctorigdstport option with conntrack to restrict exposed ports.

Be carefull within every docker-user's rules, you have to set the external interface with -i ens192 (change WAN interface name).

Documentation