SourceFiles.org - Use the Source, Luke

levy is a Perl script which generates basic iptables rulesets based on a given external interface and a set of ports to open. It is designed to save folks some time in creating a skeleton ruleset to work from, though it can construct a fully functional firewall with NAT support.

features
levy supports creating a restrictive firewall with specific 'public' services, defined subnets for NAT, and defined trusted networks.

Usage
levy has several run-time options to control what sorts of rulesets to generate: see levy.pl -h for a full list.

Examples

I want a basic firewall which allows in ports 22, 80, 113 (matching their protocols), logs all dropped connections, aggressively defines reserved addresses, and provides NAT for 192.168.0.0/16. My interface to the internet is eth0:

./levy.pl eth0 22 80 113 -l -r -m -n 192.168.0.0/16 > firewall.rules

After testing this ruleset, I decide it's fine, though I want to open https (443) and set the output as a shell script I can just run:

./levy.pl eth0 22 80 113 443 -e -l -r -m -n 192.168.0.0/16 > firewall.rc

notes
levy strictly generates rulesets; it is not "really" a firewall "script". You may well need to edit the output to suit your needs; its design goal is to be as functionally minimalist as possible. If you are looking for a comprehensive firewall script for iptables which can handle multiple NATs, transparent proxying, port-forwards and whatnot, see gShield.
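
An added check, not part of levy or the original page: before loading a generated ruleset, list the destination ports it actually accepts on the external interface and flag any that were not intended. The sample ruleset is constructed in iptables-save syntax (an assumption about the output format, not levy's real output), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample ruleset (iptables-save syntax); NOT levy's actual output.
# It opens 143 where 443 was intended, the kind of slip the check should catch.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -i eth0 -j LOG --log-prefix "DROP: "
COMMIT
EOF
}

# Read rules on stdin; print "proto/port" for each INPUT rule that ACCEPTs a
# destination port on interface $1 (rules with no -i apply to every interface).
open_ports() {
    awk -v ifc="$1" '
        $1 == "-A" && $2 == "INPUT" {
            in_if = ""; proto = ""; port = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-i") in_if = $(i+1)
                else if ($i == "-p") proto = $(i+1)
                else if ($i == "--dport" || $i == "--dports") port = $(i+1)
                else if ($i == "-j") target = $(i+1)
            }
            if (target == "ACCEPT" && port != "" && (in_if == ifc || in_if == ""))
                print proto "/" port
        }' | sort -u
}

# Usage: unexpected_ports IFACE PORT... < rules ; prints open ports not listed.
unexpected_ports() {
    ifc="$1"; shift
    open_ports "$ifc" | while read -r entry; do
        ok=no
        for want in "$@"; do
            if [ "${entry#*/}" = "$want" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then echo "$entry"; fi
    done
}

sample_rules | unexpected_ports eth0 22 80 113 443   # prints tcp/143
```

Run it as `unexpected_ports eth0 22 80 113 443 < firewall.rules`; empty output means every accepted port was on the intended list.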


Copyright 2006 Sourcefiles.org All rights reserved.