IPTables bash script

I’m very new to ROS, and I’d probably like to maintain and generate all my iptables rules via something like FWBuilder.

Is there some way to bring in those rules (via bash script) into ROS?

TIA
-Greg

Hi!

Is FWBuilder compatible with Mikrotik devices?

Thanks

In short, no.

While it’s less than the best solution, I suspect, I’ve created an Excel spreadsheet that will generate all my rules.
[At least filter and dst-nat rules.]

Not every option is there, but the most commonly used fields: src-addr, dst-addr etc.

Essentially each column allows me to specify things like input/output/forward Type:[tcp/udp/icmp] - then I have a hokey formula that strings everything together into the ROS script code to use in an SSH session to “paste” it in. [So shoot me, it was the best I could come up with at the time, and try as I might, I’ve not been bright enough to come up with something better…]

I’d much prefer to use FWBuilder, but this is the best I’ve come up with.

One other upside is that if I use it for all the rules, they’re “documented” and portable to another firewall if needed. [Say a hot-swap replacement.]

I can also use those rules for a template for another installation.

So, all-in-all it works reasonably well, and it’s better than just cranking out ROS script code to put them in, or using winbox/webfig.

-Greg

Hello!

I know that this thread is quite old, but I am searching for a similar solution.

FWBuilder is great to maintain firewall-rules.
Mikrotik offers great hardware.

It would be perfect, if both solutions could be combined. FWBuilder is open-source, now.
Would anybody be interested in developing a fwbuilder-plugin for mikrotik-ROS? I would support that!

Best wishes,
Stril

Hi!

I just want to reactivate that thread.

How do you config large firewall-rulesets?

I think, the concept of fwbuilder is great with its way to work with “objects”.

Regards,
Stril

I think it is up to the FWBuilder developers, but what is the real advantage of this?

Hi!

The real advantage is to be able to easily maintain rulesets with objects for many firewalls.

My example:
I have 50 branch offices and I have to set up an additional Active Directory Domain Controller.
In FWBuilder, I just need to add the DC to the group of “Domain Controllers” and the full set of firewall rules will be updated on ALL the firewalls of the branch offices.

Second Example:
I have 50 branch offices and I have to change the IP of an Active Directory Domain Controller.
In FWBuilder, I change the IP of one object and the config will be written to all the firewalls.

If I want to do this with Mikrotik, I need to use address-lists for every rule and need to write scripts to update all the address-lists if an IP changes, and a script that can add rules and address-lists to all the firewalls.

Regards,
Stril
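The two approaches discussed in this thread (Greg's spreadsheet that strings rule columns into ROS script, and Stril's point that object-style groups map onto address-lists) can be combined in a small generator. The example below is added here and is not code from any poster or from FWBuilder or MikroTik; the group names, addresses and rule rows are constructed samples, and it only covers the filter table with the common fields the thread mentions (chain, protocol, src/dst, dst-port).

```python
# Rule table + named address groups -> RouterOS script text. Groups become
# address-lists, so changing a member updates every rule that references it.
VALID_CHAINS = {"input", "output", "forward"}
VALID_PROTOCOLS = {"tcp", "udp", "icmp"}

GROUPS = {  # constructed "objects": group name -> member addresses
    "domain-controllers": ["10.0.1.10", "10.0.1.11"],
    "branch-lan": ["192.168.10.0/24"],
}
RULES = [  # constructed rule table: one dict per spreadsheet row
    {"chain": "forward", "action": "accept", "protocol": "tcp",
     "src": "branch-lan", "dst": "domain-controllers",
     "dst-port": "88,389,445,636", "comment": "AD clients to DCs"},
    {"chain": "forward", "action": "drop",
     "src": "branch-lan", "dst": "domain-controllers",
     "comment": "deny everything else to DCs"},
]

def address_list_lines(groups):
    """One /ip firewall address-list entry per group member."""
    return [f"/ip firewall address-list add list={name} address={addr}"
            for name, members in groups.items() for addr in members]

def rule_line(rule, groups):
    """Render one row as a filter command; reject what the router would."""
    if rule["chain"] not in VALID_CHAINS:
        raise ValueError(f"bad chain {rule['chain']!r}")
    proto = rule.get("protocol")
    if proto is not None and proto not in VALID_PROTOCOLS:
        raise ValueError(f"bad protocol {proto!r}")
    if "dst-port" in rule and proto not in ("tcp", "udp"):
        raise ValueError("dst-port requires protocol=tcp or udp")
    parts = [f"chain={rule['chain']}", f"action={rule['action']}"]
    if proto:
        parts.append(f"protocol={proto}")
    for side in ("src", "dst"):
        if side in rule:  # group name -> address-list, else literal address
            key = f"{side}-address-list" if rule[side] in groups else f"{side}-address"
            parts.append(f"{key}={rule[side]}")
    if "dst-port" in rule:
        parts.append(f"dst-port={rule['dst-port']}")
    if "comment" in rule:
        parts.append(f'comment="{rule["comment"]}"')
    return "/ip firewall filter add " + " ".join(parts)

def generate(groups, rules):
    """Full script: address-lists first so the rules can reference them."""
    return "\n".join(address_list_lines(groups) + [rule_line(r, groups) for r in rules])

if __name__ == "__main__":
    print(generate(GROUPS, RULES))
```

The printed script can be pasted into an SSH session as the thread describes; pushing the same output to every branch firewall is what turns one group edit into a fleet-wide rule update.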