Fina Fina is a simple, robust shell script that loads iptables rules from a rules directory.
Download

Fina Ranking & Summary

Fina Tags

network firewall iptables network firewall iptables rules load firewall rules

Fina Description

Fina is a simple, robust shell script that loads iptables rules from a rules directory. Fina is a simple, robust shell script that loads iptables rules from a rules directory. As such, it isn't concerned with creating rules for you, it just helps you load them in a robust way.If something fails, Fina will load your old ruleset. The Fina project also allows richer commenting in the rules files than iptables. Still, it can handle anything that iptables-restore can.Fina is the result of working with various attempts at wrapping iptables(rather: Netfilter) with scripts and other infrastructure in order tomake daily administration of rules easier. Due to my job, I've always needed a script that can easily be automatedremotely. No matter how great a script is, if it takes ages to updatefourteen web servers of a cluster, it's useless to me.Another basic need for such a script is that it has to be secure bydefault - without getting into the admins way too much. That is to say,it only creates rules that the admin expressly configures. Of course, asensible set of configuration /examples/ is provided.The third hard requirement is that the script should be capable of doingeverything Netfilter can. That means that no matter how complicated yourNAT and prerouting magic needs are, the script must be able to handleit. One side effect of this is, that it must handle huge filter sets atleast as easily as Netfilter itself.The fourth requirement is a bit complicated. Sometimes, it may benecessary to change variables in /proc after modules have been loadedbut before rules referring to those modules are added. Also, sometimesit might be necessary, to do stuff after the packet filter has beenloaded. To this end, /etc/fina may contain two scripts called"pre-up.sh" and "post-up.sh". If those files exist and are executable,they are executed at the corresponding times.Finally, the script should be lightweight, having as few externaldependencies as possible. Also, the script itself should be as simpleand small as possible. This is because simple things have fewer ways inwhich they can fail.DesignDue to the four hard requirements mentioned above, the script doesn'tactually "know" all that much about Netfilter. This way, it easilyincorporates everything Netfilter can do - without having a movingtarget of specs to adhere to.Basically, Fina assembles an iptables-restore compatible rule dump fromsnippets configure/edited by the admin of the machine. It then tries toload the whole set. If this fails in any way, the old rule set isrestored.Naturally, this means that Fina does next to nothing for the adminwhen it comes to /generating/ rules on the machine. This is a consciousdecision. For one, whoever uses/configures a packet filter should beaware of all the consequences of his actions. This includes for exampleknowing why it is bad to drop all ICMP traffic.Another reason is that providing examples or even recipes for packetfilters is something /documentation/ should do. It's not a good idea tohave a black box do "simply the right thing". Usually, there is anon-trivial amount of users for which The Right Thing can't be easilyguessed.How it worksIf fina is started via the init script, one critical extra step istaken: the script tries to load /etc/fina/minimal.rules withiptables-restore. This comes in handy if you've updated the kernel andforgotten parts of the iptables modules - your nice big config fileprobably won't load and your machine is either vulnerable orinaccessible to you. Usually, you'll want to have a very simple rule setin here (without conntracking) that allows access from your managementIPs. You can load this ruleset using the -m commandline switch. This canbe handy in emergency situations (think of it as a PANIC button).Fina expects one configuration file, /etc/fina/fina.cfg. This isactually simply a shell script that is sourced from the main Finascript. It contains (by default) one variable that specify one additional location, that of the rule directory. First, fina checks if/etc/fina/pre-up.sh exists and is executable and if so runs it. This isthe place to load modules or change stuff in proc if the need arises.The second location is more important. It specifies the directory whichcontains the rule snippets that Fina should assemble. Usually, this islocated at /etc/fina/rules.d/. Fina then proceeds to load all files fromsaid directory (and its sub-directories) that end in .rules. In order tohave reliable order when assembling, the files are usually prefixed withtwo- or three-digit numbers. The expected format of the files is of no concern to Fina. Fina itselfwill only assemble them in order into one file. After this, it will makea backup of the current rule set (using iptables-save) and put it in alocation specified in /etc/fina/fina.cfg. Then, Fina will try to loadthe generated file using iptables-restore. If this fails for whateverreason, it will try to load the old rule set and exhibit an appropriateerror message plus whatever message it got from the failingiptables-restore command. Finally, fina will execute /etc/fina/post-up.sh if it exists and isexecutable.Other functionalityIn addition to generating and then directly loading a rule set, Fina canalso simply dump the file it would load to stdout ("pretend mode", whichis the default). This is useful if you suspect a bug in your Netfiltersnippets and want to take a look at the set before trying to load it.Fina adds a plethora of comments to the generated file to make debuggingeasier. Using Finas pretend mode, you can also ensure that Fina can readall the files it should.Also, this way you can create diffs between your currently running rulesand the rules Fina would generate. This way, you can easily spot if thechanges in the rules snippets have the expected results.Keep in mind though that in this mode, Fina has no way of telling ifwhat it generates can actually be loaded with iptables-restore.Unfortunately, the kernel interface does not provide a means to see if arule set could be loaded without actually activating it (if I'm wronghere, I'd be glad to hear about such functionality).In order to aid in debugging, all lines generated by Fina itself areprefixed with "#Fina#", so you can tell which lines are from Fina andwhich ones come from your files. Requirements: · GNU bash (>=v2) · GNU find (anything recent) · GNU grep (ditto) · GNU sed (ditto) · iptables (whatever works with your kernel) What's New in This Release: · A show-stopping bug in the error handling of the generic init scripts was fixed.

Fina Related Software