Brad Haywood > Bison > Bison

Download:
Bison-0.05.tar.gz

Dependencies

Annotate this POD

CPAN RT

Open  1
View/Report Bugs
Module Version: 0.05   Source  

NAME ^

Bison - IPTables Script generator

DESCRIPTION ^

Bison can be used to generate a firewall script for your Linux box. It doesn't run the commands for you but generates the needed commands for you to run based on the methods you pass. It's also a lot of fun to build them.

SYNOPSIS ^

The synopsis is basic. All the methods have been exported. So a simple firewall script would be:

    use Bison;
    
    override_global({ip_address => '10.1.1.5'});
    
    # drop everything by default
    default_policy({
        INPUT   => 'DROP',
        FORWARD => 'DROP'
        OUTPUT  => 'ACCEPT',
    });
    
    # filter bad tcp packets into a special chain
    drop_bad_tcp_flags();

    # create a custom chain and set default behaviour to drop
    chain ('new', {
        name => 'my_firewall',
        jump => 'DROP',
    });

    # setup logging for the new chain
    log_setup ('my_firewall', { time => 7, duration => 'minute', prefix => 'My Cool Firewall' });
    
    bison_finish(); 

Obviously the above script would lock you out of your system. But it shows it's a lot easier to write a bit of Perl than remember long-winded IPTables commands.

initfw

This function should be called before anything else. It sets up the default firewall chain and a catchall filter.

forward

Handles all forwarding related stuff. ie: Forward packets from an internal network (eth1) to the internet (eth0).

    # generate something like iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward({
        from => 'eth1',
        to => 'eth0',
        type => 'related'
    });

    # .. or simply just forward the packets from eth1 to eth0
    forward({ from => 'eth1', to => 'eth0' });

drop_bad_tcp_flags

Catches any malicious TCP packets into a badflags chain, then prefixes the log as that chain. Should help prevent force fragment and XMAS packets. Also checks to make sure new TCP connections are SYN packets. This section could do with a bit more work, but this is still a beta release :)

open_service

Open ports to a service by name (www, ssh, ftp). If no arguments are passed it will open access to everyone. If you pass a hash with to => then the port will be only available to that ip address.

    open_service('ssh', { to => '10.1.1.5' }); # open 22 to 10.1.1.5 only
    open_service('www'); # open port 80 to all

drop_icmp

Drops all ICMP requests, but opens a few by default. If you pass an array it will only allow what is requested

    drop_icmp( [qw/0 8 11/] );

chain_list

chain

Perform chain events.

    chain('new', { name => 'my_new_chain', jump => 'drop' });
    chain('list') # returns an array of chains you have created

drop_netbios

We don't necessarily want netbios packets, so here's the option to disable them. You can choose to log them silently, or loudly to the main firewall chain.

    drop_netbios();  # drop netbios silently
    drop_netbios(1); # drop packets loudly by logging to firewall

log_setup

Sets up logging for a chain. You can specify the time, duration and prefix.

    log_setup ('mychain', { time => 8, duration => 'minute', prefix => 'MyChain Log'});
    # 8 alerts per minute

source_nat

Sources everything going out the interface to be the given IP address.

    source_nat({ as => '10.1.1.5'});

override_global

Overrides any default settings, and allows you to create new ones.

    override_global({ iface => eth0, ip_address => '10.1.1.6'});

preroute

Preroute options. ie: route an incoming port to a specified IP in the nat

    preroute('ports', { ports => '22:25', proto => 'tcp', to => '10.1.1.9' });

enable_state_matching

Accept related and established connections so client side activities, ie: ftp, work correctly.

enable_ip_forwarding

Simply switches on IP forwarding in /proc/sys/net/ipv4/ip_forward, if your system supports it.

accept_local

Accept everything locally

accept_all_from

Accept all incoming connections from a specific IP, or locally. You can pass an array to allow multiple sources.

    accept_all_from('local');
    accept_all_from('10.1.1.5');
    accept_all_from([qw/10.1.1.4 10.1.1.5 10.1.2.7/]);

flush

Flushes specific chains, including nat and mangle.

    flush(); # flush everything
    flush([qw/INPUT FORWARD nat/])

default_policy

Sets the default policy for the specified chain.

default_policy({ INPUT => 'DROP', FORWARD => 'DROP', });

bison_finish

Call this method last, and don't forget. It cleans everything up and checks for errors. Also, it can print out a list of the IPTables commands you need to generate your firewall script

BUGS ^

Please e-mail brad@geeksware.net

AUTHOR ^

Brad Haywood <brad@geeksware.net>

COPYRIGHT & LICENSE ^

Copyright 2011 the above author(s).

This sofware is free software, and is licensed under the same terms as perl itself.

syntax highlighting: