CFC - Centralized Firewall Control script.

CFC – Centralized Firewall Control script.

(CFC) Centralized firewall control provides a centralized way to manage the firewall on multiple servers or loadbalancers running iptables. This way you can quickly allow/block/del/search abuse ranges etc. with one command on several servers. It accesses those servers through ssh. It supports both IPv4 and IPv6.

Centralized Firewall Control

The following settings can be set in the config file:
* action: sets the action when adding a rule, default: DROP
* checkaggrbin: path to the script, default: ./
* cleanupconfirmation: asks for confirmation before running the clean command, set to false for cron usage, default: true
* date: set the date format for the firewall comments, default: $(date +%d%m%Y) -> 22062016
* dateipset: set the date format for the ipset firewall comments, leave this on the default to avoid breaking some of the functions, default: $(date +%Y%m%d) -> 20160622
* ipsetname: sets the IPSET list name, default: blockedips
* ipsetservers: sets the servers that use IPSET instead of iptables, default: “”
* fwchain: name of the firewall chain to add/del/search, default: INPUT
* masklimit: max size of the ip ranges that can be added, default: /21
* precheck: check if the ip that is about to be added is already in the firewall or part of a larger added range, might be a bit slow on large firewalls on IPv6 (~25 sec. for searching 500 ip ranges per server), default: true
* protected: enable the added protected ranges, default: true
* protectedranges: ip ranges that are excluded from the ‘add’ function, usually the ranges owned by the local network, default: “”
* pythonbin: location of the used Python binary, default: /usr/bin/python3
* servers: sets the servers that use iptables only, default: “”
* The IPv6 functions are marked with the ‘6’ suffix

+ python3-netaddr
+ ipset