Shutter is a tool that gives system administrators the ability to manage iptables firewall settings through simple lists instead of complex iptables commands, making it easier to define host and service firewall setting with configuration management tools. Please note: This application is currently only tested with Red Hat based distributions. Ubuntu and Debian should work but are not supported.
Instalation is through the gem package management program.
$ gem install shutter
The base template will sometimes change with new versions to correct errors and add features. To upgrade the base template and add any new configuration files that the new version may require, use the following command:
$ shutter --upgrade
$ gem install shutter
Shutter automatically creates any missing configuration files anytime it is run, but you can create them prior to
$ shutter --init
There are several files that you can modify:
- base.ipt: The one file to rule them all. Modifying this file is optional as it is the template that is used to build the firewall. If you do modify the file, just make sure you include the appropriate placeholder directives to allow shutter to dynamically fill in the rules. It is possible to leave out any unwanted placeholders. By default the files are will be found in the /etc/shutter.d directory
- iface.dmz: Enter any private interfaces that will be unprotected by the firewall. One per line.
- iface.forward: Enter any source and destination interfaces that forwarding will occur.
- ip.allow: A list of IP addresses and ranges that are allowed to access the 'private' ports
- ip.deny: A list of IP addresses and ranges that are denied access to both public and private ports.
- ports.private: A list of ports and protocols that are available to traffic that passes through the AllowIP chain
- ports.public: A list of ports and protocols that are available publically to everyone except the 'Bastards' listed in ip.deny
Shutter was designed to work with the Fail2ban access monitoring/management tool. It includes a special chain called 'Jail' which is used to insert the jump rules that fail2ban uses to deny access 'on-the-fly'. To work correctly, you configure fail2ban to use the Jail chain instead of INPUT. The dynamic rules that fail2ban has created in the jail chain remain persistant when shutter is 'restored' or reloaded.
$ shutter --save
This command mimics the 'iptables-save' command which prints the rules out to the screen.
This does not modify the firewall settings.
$ shutter --restore
This command uses 'iptables-restore' under the hood to update the firewall. You can use the '--persist' option to make the changes permanent and survive reboots. Persist can optionally take an argument which defines the location of the persist file if it is in a non-standard location.
To check your current firewall rules generated by 'iptables-save' against the ones shutter will generate, use:
$ shutter --check
The command will return 'OK' if the rules and chains match and 'MISMATCH' if there is any variance.
Usage: shutter [options]
--init Create the initial configuration files.
--reinit Rereate the initial configuration files.
--upgrade Upgrade the configuration files that have changes with a new version.
-s, --save Output the firewall to stdout. This is the default behavior.
-r, --restore Restore the firewall through iptables-restore.
-p, --persist [FILE] Write the firewall to the persistance file. If an argument is given, it will be used as the persistance file
-d, --dir DIR Set the directory for configuration files. Default is /etc/shutter.d.
--debug Turn on debugging for extra output.
-h, --help Display help and exit.
--version Display version and exit.
More documentation to come...
- Fork it
- Create your feature branch (
git checkout -b my-new-feature
) - Commit your changes (
git commit -am 'Added some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create new Pull Request