Projects / Arno's IPTABLES Firewall Script

Arno's IPTABLES Firewall Script

Arno's IPTABLES Firewall Script is a secure stateful firewall for both single and multi-homed machines. It supports NAT and SNAT, port forwarding, ADSL ethernet modems with both static and dynamically assigned IPs, MAC address filtering, stealth port scan detection, DMZ support, protection against SYN/ICMP flooding, experimental IPv6 support, multi-interface/aliased-IP support, and extensive user definable logging with rate limiting to prevent log flooding. It has plugin support to add extra features (like SSH Brute Force protection and (Racoon) IPSEC support). It is easy to configure and highly customizable. A filter script that makes your firewall log more readable is also included.

Tags
Licenses
Operating Systems
Implementation
Translations

Recent releases

  •  14 Apr 2014 09:30

    Release Notes: arno-fwfilter and the Gentoo init script were updated. Some Gentoo specific stuff that isn't required anymore was removed. The TRACE option was removed. DMZ_INPUT_DENY_LOG and DMZ_OUTPUT_DENY_LOG variables were added. The DYNDNS and Traffic Accounting plugins were refactored. There were also miscellaneous tweaks and changes.

    •  19 Mar 2012 07:11

      Release Notes: This release fixes RESERVED_NET_DROP, which only worked when RESERVED_NET_LOG was enabled (regression), fixes the installation script, and updates/corrects documentation.

      •  13 Mar 2012 06:14

        Release Notes: The LAN_INET_OPEN_xxx, LAN_INET_HOST_OPEN_xxx, DMZ_INET_OPEN_xxx, and DMZ_INET_HOST_OPEN logic and handling was changed, and handling of some of the sysctl kernel settings was tweaked. It is now possible to disable setting/resetting of some settings (like forwarding). The default UDP connection timeout is now 60 seconds. Support for a new LOCAL_CONFIG_DIR variable was added. It defaults to "/etc/arno-iptables-firewall/conf.d". Documentation was improved. Miscellaneous tweaks were made for arno-fwfilter.

        •  23 Dec 2011 11:11

          Release Notes: This release removes DNS_FAST_FAIL and RESOLV_IPS, since they are both obsolete. It adds miscellaneous tweaks.

          •  14 Oct 2011 07:56

            Release Notes: This release fixes the kernel_ver_chk() function to properly handle kernel 3, fixes variables containing REJECT_UDP with IPv6 enabled (it should use "icmp6-addr-unreachable" for IPv6), parses AIF variables with a common function, and logs missing fields with a warning.

            Recent comments

            10 Jan 2011 12:19 jimmy06

            Thanks again for continued updates. I currently have native IPv6 but cannot use this script to firewall it. My firewall machine is CentOS 5.5 and when running your script with IPv6 connectivity turned on i get

            NOTE: Module "nf_conntrack_ipv6" failed to load. Assuming compiled-in-kernel.
            NOTE: Modules "xt_TCPMSS|ipt_TCPMSS,ip6t_TCPMSS" failed to load. Assuming compiled-in-kernel.

            these mod's dont exist in CentOS 5.5's ip6tables there for none of the rules apply

            ERROR (2): ip6tables v1.3.5: Unknown arg `--clamp-mss-to-pmtu'
            ERROR (2): ip6tables v1.3.5: Unknown arg `--set-tos'

            19 Jun 2009 22:30 t3kn0

            Back when iptables first came out i read for weeks trying to figure out how to rewrite my firewall scripts that i had done years before to take advantage of the new features iptables provides, it took me weeks to do that and have something i felt pretty good about. Over the years i had added on things as needed for various clients and it served me pretty well. Several years ago a client had a insanely crazy setup and after beating my head into the wall for a few hours trying to figure out how to make my script work i thought, "hey why not check around and see whats out there". So i found this little Gem.

            Back when iptables first came out there really wasn't many great examples so i wrote my own, now there are many and while i understand it way better now, this script kicks ass. Why write my own and end up with something probably not even 1/10 as good when you can start with what i feel is the best firewall script out there. Arnova, my hats off to you. Very well done, constantly updated and very well documented. Even 7 years later and your still improving it, now if that doesnt say something about his level of commitment i don't know what does. If your ever in the Bay Area Arno, look me up i owe you many beers!
            Tnt

            28 Sep 2005 12:11 kozaki

            Re: This Script Is The Best
            That's just true.

            As hgo I found this script combine power and clarity (configuration AND logs :).
            As jgionet, I configured it just logging into the gateway by SSH.

            I'm very happy i found Arno's IPtables script.

            Many thanks for his nice work :)

            19 Oct 2004 06:42 rizen

            This Script Is The Best
            I've tried a lot of firewall scripts from freshmeat. More than half don't seem to even work. Or I'm not bright enough to make them work (and I've been working with unix style operating systems for eight years).

            This script "just works". And it's got powerful configuration options to boot.

            24 Jun 2004 12:01 gossel

            Great!!
            After wasting hours to get my SuSE Firewall up and running I gave up on it. Then I found this script and I am extremely happy with it. Everything just worked fine after just following the instructions and rebooting the PC. Thank you!

            Screenshot

            Project Spotlight

            OpenStack4j

            A Fluent OpenStack client API for Java.

            Screenshot

            Project Spotlight

            TurnKey TWiki Appliance

            A TWiki appliance that is easy to use and lightweight.