(C) Martin Väth (martin at mvath.de). This project is under a BSD type license, meaning that you can do almost anything with it except removing my name.
A collection of POSIX shell scripts to initialize iptables and net-related sysctl variables of Linux.
These POSIX scripts set some typical iptables commands for a dialup PC,
optionally including a simple portknocking solution and router functionality.
The usage is somewhat similar to SuSEfirewall2, but the approach has
some essential differences. In particular, packets are usually not
REJECT-ed until a rate-limit is reached. It is not necessary to restart
the firewall after a connection is established.
Currently, IPv6 is practically not supported (except for closing everything).
The setting of the kernel variables is done with a separate script, sysctl.net.
By default, firewall makes use of the functions from firewall-scripted.sh,
which allow a "scripted" use of iptables.
This means that all iptables rules are created in one command.
This has not only the advantage that it is much faster, but, moreover,
it avoids race conditions when creating the rules, see
See the instructions at the end on how to use firewall-scripted.sh.
To install this project easily, run make install as root.
For manual installation, copy the scripts from
sbin/ into your
etc/firewall.config can be copied into
/lib/firewall (if it is readable in a former directory, it is used;
thus, the latter can be used to provide distribution-wide defaults).
You should modify
firewall.config to your needs (for the default, copy
etc/firewall.d to the
/etc directory and follow
For zsh completion support copy the content of zsh into your
You also need
push.sh from https://github.com/vaeth/push (v2.0 or newer)
Before you run firewall, please edit
firewall.config to your needs:
You have to create it in
/etc/firewall.config to override the sample default
firewall.config sets the default based on the existence of some
magic files in
/etc. It assumes that the original
eth* interfaces have
been renamed to
net* (e.g. by eudev or udev rules).
The firewall script reads your firewall.config and then (by default) runs
sysctl.net and initializes iptables according to the content of firewall.config.
sysctl.net initializes some net-related Linux sysctl variables.
To get help, run
firewall -h or
sysctl.net -h, respectively.
If you use systemd, you can copy the content of systemd into your
systemd system folder and (after systemctl daemon-reload) enable the
service with
    systemctl enable firewall.service
For openrc (the Gentoo init system) there are some scripts provided in
the openrc folder. Copy these scripts and their configs to /etc/init.d and
/etc/conf.d, respectively, and edit them to your needs.
To activate the firewall with openrc, call e.g.
(the runlevels might depend on your configuration):
    rc-config add fireclose boot
    rc-config add firewall default
Instead of adding
fireclose to your boot runlevel, you might also want to
add to your relevant
To load the required kernel modules with systemd or openrc, copy e.g. the
provided modules-load.d file into /usr/lib/modules-load.d/ and edit it for
your needs. Systemd and openrc-0.21.7 (or newer) automatically support
modules-load.d directories. For older versions of openrc, you can use the
conf.d/modules file to get at least some rudimentary support of these
directories.
For Gentoo, there is an ebuild in the mv overlay (available via layman), but you might still have to configure firewall.config, see above.
Instructions for firewall-scripted.sh:

Step 1: Evaluate the output of firewall-scripted.sh in a POSIX compliant shell, e.g.

    if SOME_VARIABLE=`firewall-scripted.sh 2>/dev/null`
    then eval "$SOME_VARIABLE"
    else echo "firewall-scripted.sh not installed" >&2
    fi

Remark: An obsolete method was to source firewall-scripted.sh instead.
The latter works for older versions of firewall-mv or if one installs manually, but unless an appropriate PATH is set before sourcing, it fails when firewall-scripted.sh is replaced by a wrapper script, which happens with the provided Makefile. Moreover, if firewall-scripted.sh is not available, it stops the script.
All functions and variables used internally by firewall-scripted.sh have the form Fwmv[A-Z]* or fwmv_*, respectively, so do not use these. All these variables are cleaned up by firewall-scripted.sh when possible.
Step 2: Use FwmvTable 4 or FwmvTable 6 instead of iptables or ip6tables,
respectively. You can pass most options of iptables or ip6tables in exactly
the same form; if you use the option -t, it must be the first one.

Step 3: When you are done, you can execute the "stored" commands in one step
using FwmvSet 4 or FwmvSet 6, respectively.
If you pass additionally the parameter Echo (possibly combined with
the command is printed instead (and only executed if you also passed
In this case, firewall-scripted.sh requires the push.sh script (and uses the
functions/variables used by push.sh in addition to those from Step 1).
After Step 3 all variables are reset so that you can start over with Step 2.
Not all options for firewall-scripted.sh are tested; essentially only those
used by the firewall script are tested. ip6tables is not tested at all with
firewall-scripted.sh.