
Remote firewall as a web service. REST API for iptables.

Project description

Remote firewall as a web service.

rfw is a RESTful server that applies iptables rules to block or allow IP addresses on request from a remote client. rfw maintains the list of blocked IP addresses, which may be updated on the fly from many sources. rfw also solves the problem of concurrent modifications to iptables, since the requests are serialized and applied one at a time.

Typical use cases

  1. You manage a group of machines that are deployed, controlled or monitored from a central server or admin panel. You need to react quickly or automatically to abuse or DDoS with rules generated by an intelligence, analytics or geolocation-aware server, and you push the IP blocklist updates to the other machines in real time.

  2. You build a peer-to-peer network of servers or a Distributed Autonomous Organization (see Ethereum). The DAO, apart from running contracts on Ethereum, may need to run a P2P network, and its servers cannot rely on a centralized firewall. With rfw the peer servers can share information about botnet IP sets and current sources of abuse to protect more efficiently against DDoS and other attacks.

Features

  • block/allow IP addresses with iptables on request from remote host

  • handle individual IP or CIDR ranges (xx.xx.xx.xx/mask)

  • apply action permanently or with expiry timeout

  • keep an IP/range whitelist - actions related to whitelisted IPs are ignored, which prevents locking out legitimate clients

  • serialize requests to prevent concurrency issues with iptables

  • REST API

  • secured with SSL

  • authenticated with basic authentication over SSL and by client source IP

  • idempotent - actions resulting in duplicate entries are ignored

  • do not interfere with more general iptables rules already present in the chain

Examples (each rfw REST API request, followed by the iptables command it translates to):

PUT /drop/input/eth0/11.22.33.44

Block incoming packets from 11.22.33.44 on eth0. In other words: insert a DROP rule on the INPUT chain to drop packets with source IP 11.22.33.44 arriving on network interface eth0. Translates to the command:

iptables -I INPUT -i eth0 -s 11.22.33.44 -j DROP

DELETE /drop/input/eth0/11.22.33.44

Delete the above rule. Translates to:

iptables -D INPUT -i eth0 -s 11.22.33.44 -j DROP

PUT /accept/output/any/192.168.0.0/24

Allow outgoing traffic to 192.168.0.0/24 subnet on any interface. Translates to:

iptables -I OUTPUT -d 192.168.0.0/24 -j ACCEPT

PUT /accept/forward/ppp/1.2.3.0/24/eth0/5.5.5.5

Allow forwarding packets with source address in subnet 1.2.3.0/24 and destination address 5.5.5.5 from any ppp interface to eth0 (ppp+ is the iptables wildcard for every interface whose name starts with ppp). Translates to:

iptables -I FORWARD -i ppp+ -o eth0 -s 1.2.3.0/24 -d 5.5.5.5 -j ACCEPT

PUT /drop/input/any/11.22.33.44/?expire=600

Block incoming packets from 11.22.33.44 on any interface for 10 minutes (600 seconds), after which the rule is removed again:

iptables -I INPUT -s 11.22.33.44 -j DROP

GET /list/input

Return the list of existing rules in the INPUT chain in JSON format; the fields mirror the columns of iptables -L -n -v --line-numbers output. Sample output:

[{"chain": "INPUT", "num": "1", "pkts": "0",
  "bytes": "0", "target": "DROP", "prot": "all",
  "opt": "--", "inp": "*", "out": "*",
  "source": "22.22.22.0/24",
  "destination": "0.0.0.0/0", "extra": ""},
 {"chain": "INPUT", "num": "2", "pkts": "0",
  "bytes": "0", "target": "DROP", "prot": "all",
  "opt": "--", "inp": "*", "out": "*",
  "source": "11.22.33.44",
  "destination": "0.0.0.0/0", "extra": ""}]
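The following is an added example, not rfw's own code, showing how request paths like the ones above map onto the iptables command lines shown, and how the whitelist, idempotency and serialization features from the feature list fit around that translation. The whitelist format, the rule that a bare interface family name such as "ppp" becomes the "ppp+" wildcard, the IPv4-only check and the return shapes are assumptions made for the example; real rfw may behave differently.

```python
"""Added example, not rfw's own code: map rfw-style REST requests onto the
iptables argv shown on this page, with whitelist, idempotency and serialisation.
The interface wildcard rule, whitelist format and return shapes are assumptions."""
import ipaddress
import threading
from urllib.parse import parse_qs, urlsplit

ACTIONS = {"drop": "DROP", "accept": "ACCEPT"}
CHAINS = {"input": "INPUT", "output": "OUTPUT", "forward": "FORWARD"}
METHODS = {"PUT": "-I", "DELETE": "-D"}   # insert at top of chain / delete

class BadRequest(ValueError):
    """Malformed request; an HTTP front end would answer 400."""

def _take_network(segs):
    """Pop '1.2.3.0' plus an optional '24' prefix segment; reject junk and host bits."""
    if not segs:
        raise BadRequest("missing address")
    text = segs.pop(0)
    if segs and segs[0].isdigit():
        text += "/" + segs.pop(0)
    try:
        net = ipaddress.ip_network(text, strict=True)   # '1.2.3.4/24' is rejected
    except ValueError as exc:
        raise BadRequest(f"bad address {text!r}: {exc}") from None
    if net.version != 4:
        raise BadRequest("iptables handles IPv4 only; IPv6 needs ip6tables")
    return net

def _fmt(net):
    """A /32 prints bare, as in the page's commands; ranges keep their prefix."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)

def _iface(name):
    """'any' -> no match; 'eth0' verbatim; assumption: bare family 'ppp' -> 'ppp+'."""
    if name == "any":
        return None
    if not name.replace("+", "").isalnum():
        raise BadRequest(f"bad interface {name!r}")
    return name if (name[-1].isdigit() or name.endswith("+")) else name + "+"

def translate(method, url):
    """Return (argv, networks touched, expire seconds or None) for one request."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]        # tolerates a trailing '/'
    if method not in METHODS or len(segs) < 4:
        raise BadRequest("need PUT|DELETE /action/chain/iface/address")
    action, chain, in_if, segs = segs[0], segs[1], _iface(segs[2]), segs[3:]
    if action not in ACTIONS or chain not in CHAINS:
        raise BadRequest(f"unknown action or chain {action}/{chain}")
    nets = [_take_network(segs)]
    argv = ["iptables", METHODS[method], CHAINS[chain]]
    if chain == "input":                          # address is the packet source
        argv += (["-i", in_if] if in_if else []) + ["-s", _fmt(nets[0])]
    elif chain == "output":                       # address is the packet destination
        argv += (["-o", in_if] if in_if else []) + ["-d", _fmt(nets[0])]
    else:                                         # /forward/<in>/<src>/<out>/<dst>
        if not segs:
            raise BadRequest("forward needs /out_iface/destination")
        out_if = _iface(segs.pop(0))
        nets.append(_take_network(segs))
        argv += (["-i", in_if] if in_if else []) + (["-o", out_if] if out_if else [])
        argv += ["-s", _fmt(nets[0]), "-d", _fmt(nets[1])]
    if segs:
        raise BadRequest(f"unexpected trailing segments {segs}")
    argv += ["-j", ACTIONS[action]]
    raw = parse_qs(parts.query).get("expire", [None])[0]
    if raw is not None and (method != "PUT" or not raw.isdigit() or int(raw) == 0):
        raise BadRequest("expire must be a positive integer and is only valid on PUT")
    return argv, nets, (int(raw) if raw else None)

class Firewall:
    """Serialises requests, ignores whitelisted targets and duplicate state changes."""

    def __init__(self, whitelist):
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]
        self.rules = set()                  # applied rules, keyed without the -I/-D verb
        self.lock = threading.Lock()        # one iptables invocation at a time

    def apply(self, method, url):
        """Return (argv to run, expire) or (None, None) when the request is ignored."""
        argv, nets, expire = translate(method, url)
        if any(n.overlaps(w) for n in nets for w in self.whitelist):
            return None, None               # whitelisted address: never touched
        key = tuple(argv[2:])               # chain + match + target
        with self.lock:
            if (key in self.rules) == (method == "PUT"):
                return None, None           # already in the requested state
            (self.rules.add if method == "PUT" else self.rules.discard)(key)
        return argv, expire

def replay(requests, whitelist=()):
    """Run (method, url) pairs through one Firewall; bad requests come back as '400 ...'."""
    fw, out = Firewall(whitelist), []
    for method, url in requests:
        try:
            out.append(fw.apply(method, url)[0])
        except BadRequest as exc:
            out.append(f"400 {exc}")
    return out
```

Two details are worth noting for anyone exposing such a service. First, iptables itself is not idempotent: a second `iptables -I` with the same match silently creates a duplicate rule, and a later `-D` removes only one copy, which is why the example keeps its own record of applied rules rather than trusting the caller. Second, the address parser uses strict CIDR parsing, so a request such as `/drop/input/eth0/1.2.3.4/24` is rejected instead of being silently widened to the whole /24; a remote caller should never be able to block more than it asked for.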

Deployment

Install from PyPI:

pip install rfw

or from tarball:

tar xf rfw-X.X.X.tar.gz
cd rfw-X.X.X
./setup.py install

Generate the server keys and certificates with config/deploy/rfwgen, passing the IP address of the rfw server:

./rfwgen <server_ip>

Download files

Source Distribution

rfw-0.1.16.tar.gz (50.7 kB)