NAME
Bison - IPTables Script generator
DESCRIPTION
Bison can be used to generate a firewall script for your Linux box. It doesn't run the commands for you; it generates the iptables commands for you to run, based on the methods you call. It's also a lot of fun to build them.
SYNOPSIS
The synopsis is basic: all the methods are exported, so a simple firewall script would be:
use strict;
use warnings;
use Bison;
override_global({ ip_address => '10.1.1.5' });
# drop everything by default
default_policy({
INPUT => 'DROP',
FORWARD => 'DROP',
OUTPUT => 'ACCEPT',
});
# filter bad tcp packets into a special chain
drop_bad_tcp_flags();
# create a custom chain and set its default behaviour to drop
chain('new', {
name => 'my_firewall',
jump => 'DROP',
});
# set up logging for the new chain
log_setup('my_firewall', { time => 7, duration => 'minute', prefix => 'My Cool Firewall' });
bison_finish();
Obviously the above script would lock you out of your system. But it shows it's a lot easier to write a bit of Perl than remember long-winded IPTables commands.
initfw
This function should be called before anything else. It sets up the default firewall chain and a catchall filter.
forward
Handles all forwarding-related work, e.g. forwarding packets from an internal network (eth1) to the internet (eth0).
# generates something like: iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
forward({
from => 'eth1',
to => 'eth0',
type => 'related'
});
# .. or simply just forward the packets from eth1 to eth0
forward({ from => 'eth1', to => 'eth0' });
drop_bad_tcp_flags
Catches any malicious TCP packets into a badflags chain, then prefixes the log with that chain's name. Should help block forced-fragment and XMAS packets. Also checks that new TCP connections are SYN packets. This section could do with a bit more work, but this is still a beta release :)
open_service
Opens the port for a service by name (www, ssh, ftp). If no arguments are passed it will open access to everyone. If you pass a hash with to => then the port will only be available to that IP address.
open_service('ssh', { to => '10.1.1.5' }); # open 22 to 10.1.1.5 only
open_service('www'); # open port 80 to all
drop_icmp
Drops all ICMP requests, but opens a few types by default. If you pass an array it will only allow the ICMP types requested.
drop_icmp( [qw/0 8 11/] );
chain_list
chain
Perform chain events.
chain('new', { name => 'my_new_chain', jump => 'drop' });
chain('list'); # returns an array of chains you have created
drop_netbios
We don't necessarily want NetBIOS packets, so here's the option to drop them. You can choose to drop them silently, or loudly by logging to the main firewall chain.
drop_netbios(); # drop netbios silently
drop_netbios(1); # drop packets loudly by logging to firewall
log_setup
Sets up logging for a chain. You can specify the time, duration and prefix.
log_setup ('mychain', { time => 8, duration => 'minute', prefix => 'MyChain Log'});
# 8 alerts per minute
source_nat
Sources everything going out the interface to be the given IP address.
source_nat({ as => '10.1.1.5'});
override_global
Overrides any default settings, and allows you to create new ones.
override_global({ iface => 'eth0', ip_address => '10.1.1.6' });
preroute
Preroute options, e.g. route an incoming port range to a specified IP via the nat table.
preroute('ports', { ports => '22:25', proto => 'tcp', to => '10.1.1.9' });
enable_state_matching
Accepts related and established connections so that client-side activities (e.g. FTP) work correctly.
enable_ip_forwarding
Simply switches on IP forwarding in /proc/sys/net/ipv4/ip_forward, if your system supports it.
accept_local
Accepts everything locally.
accept_all_from
Accept all incoming connections from a specific IP, or locally. You can pass an array to allow multiple sources.
accept_all_from('local');
accept_all_from('10.1.1.5');
accept_all_from([qw/10.1.1.4 10.1.1.5 10.1.2.7/]);
flush
Flushes specific chains, including nat and mangle.
flush(); # flush everything
flush([qw/INPUT FORWARD nat/]);
default_policy
Sets the default policy for the specified chain.
default_policy({ INPUT => 'DROP', FORWARD => 'DROP', });
bison_finish
Call this method last, and don't forget to. It cleans everything up and checks for errors. It can also print out the list of iptables commands you need to build your firewall script.
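The synopsis above deliberately locks you out; the functions listed here are the steps of one procedure, so a complete script that keeps the box reachable is worth seeing in full. The following is an added example, not part of the Bison distribution: it uses only the functions and argument shapes documented on this page, assumes initfw() takes no arguments, and uses constructed values (eth0 facing the internet with the documentation address 203.0.113.10, eth1 facing the LAN 10.1.1.0/24, 10.1.1.5 as the admin host, 10.1.1.9 as an internal server). Bison prints the iptables commands; review that output before running it on a remote machine.

```perl
#!/usr/bin/perl
# Added example: a complete Bison script for a small NAT gateway.
# Interface names, addresses and chain names are constructed for the example;
# initfw() is assumed to take no arguments.
use strict;
use warnings;
use Bison;

# 1. Base chains and the catch-all filter first, then site-specific defaults.
initfw();
override_global({ iface => 'eth0', ip_address => '203.0.113.10' });

# 2. Start from a clean slate with a deny-by-default INPUT/FORWARD policy.
flush();
default_policy({
    INPUT   => 'DROP',
    FORWARD => 'DROP',
    OUTPUT  => 'ACCEPT',
});

# 3. Stay reachable: loopback, the admin host, and replies to connections
#    we initiated. Omitting these is what locks you out of the box.
accept_local();
accept_all_from('10.1.1.5');    # admin workstation on the LAN (constructed)
enable_state_matching();

# 4. Discard malformed TCP and NetBIOS noise before opening any service.
drop_bad_tcp_flags();
drop_netbios(1);                # log them to the main firewall chain

# 5. A custom drop chain with rate-limited logging, so a flood of rejected
#    packets cannot fill the disk with log lines (5 alerts per minute).
chain('new', { name => 'my_firewall', jump => 'DROP' });
log_setup('my_firewall', { time => 5, duration => 'minute', prefix => 'FW-DROP ' });

# 6. ICMP: allow echo reply (0), echo request (8) and time exceeded (11);
#    everything else is dropped.
drop_icmp([qw/0 8 11/]);

# 7. Services: SSH only from the admin host, HTTP to everyone.
open_service('ssh', { to => '10.1.1.5' });
open_service('www');

# 8. Gateway duties: forward LAN -> internet, allow the replies back,
#    masquerade as the public address, and hand TCP 22:25 to an internal host.
enable_ip_forwarding();
forward({ from => 'eth1', to => 'eth0' });
forward({ from => 'eth1', to => 'eth0', type => 'related' });
source_nat({ as => '203.0.113.10' });
preroute('ports', { ports => '22:25', proto => 'tcp', to => '10.1.1.9' });

# 9. Always last: clean up, check for errors and emit the iptables commands.
my @chains = chain('list');     # custom chains created above, for reference
bison_finish();
```

The ordering matters more than the individual calls: policies and flushes go before any accept rule, the accept rules for loopback, the admin host and state matching go before anything that drops, and bison_finish() is last so it can report errors for the whole script rather than a partial one.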
BUGS
Please e-mail brad@geeksware.net
AUTHOR
Brad Haywood <brad@geeksware.net>
COPYRIGHT & LICENSE
Copyright 2011 the above author(s).
This software is free software, and is licensed under the same terms as Perl itself.