Standardizing the IPtables Spaghetti

It seems like shortly after learning IPtables, every command line cowboy starts slamming it on everything and wrangling each config file one-by-one.

In one sense, I can understand how IPtables is a godsend, particularly in environments where network admins are slow to make necessary firewall changes or are (understandably) reticent about giving others access to networking equipment. On the other hand, ad hoc configuration kludges everywhere can get insanely unwieldy, and should the sysadmin leave unexpectedly (which I see all the time, particularly in high pressure data center environments), the next sysadmin who takes his place (and more importantly, the company!) is stuck with some major firewall craziness to sort out.

To address both of these problems, here are some solutions I have been testing in hosting environments:

  • KISS My Firewall: a free iptables script designed for a typical web server (stateful packet inspection, connection tracking, some preventative measures against port scanning, DoS attacks, IP spoofing, etc). It is simply one file, can be installed on stock installations of Ensim WEBppliance Basic & Pro, Plesk, and Webmin, and by default leaves open FTP, SSH, SMTP, DNS, HTTP, POP3, IMAP, HTTPS, MySQL, Secure IMAP, Secure POP3, Ensim WEBppliance Basic/Pro, Webmin, and Plesk. Open ports on the OUTPUT chain include: FTP, SSH, SMTP, RDATE, WHOIS, DNS, HTTP, HTTPS, and OPENSRS. A few quick edits close any of the default open ports; note that MySQL is in the default inbound list, so close it unless the database really is meant to be reached from other hosts.
  • APF: also iptables-based, with a modular architecture and detailed usage information (available from the apf command). (A great HOWTO here)
  • BFD: a shell script that parses application logs for authentication failures (brute force detection). (Another great tutorial)
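To make the "one standard script, per-host overrides" idea concrete, here is an added example of a generator for a stateful iptables ruleset of the kind the tools above install. It is not code from KISS My Firewall, APF or BFD; it is my own sketch of the same pattern. It emits iptables-restore format, so it can be reviewed as text before it ever touches a box. Assumptions: the public interface is eth0, Plesk listens on 8443 and Webmin on 10000, and the Ensim and OpenSRS ports are left out because the page does not give them; every port list can be overridden from the environment, which is where per-host differences should live.

```sh
#!/bin/sh
# Standardized stateful iptables ruleset generator for a LAMP box (added example).
# Prints an iptables-restore ruleset; per-host differences are environment overrides.
# Interface name and port numbers are assumptions for this example.

WAN_IF="${WAN_IF:-eth0}"                                   # assumed public interface
# Inbound TCP: FTP SSH SMTP DNS HTTP POP3 IMAP HTTPS IMAPS POP3S MySQL Plesk Webmin
IN_TCP="${IN_TCP:-21 22 25 53 80 110 143 443 993 995 3306 8443 10000}"
IN_UDP="${IN_UDP:-53}"                                     # DNS
# Outbound TCP: FTP SSH SMTP RDATE WHOIS DNS HTTP HTTPS
OUT_TCP="${OUT_TCP:-21 22 25 37 43 53 80 443}"
OUT_UDP="${OUT_UDP:-53}"

# Emits the complete ruleset. Fixed rules come first (loopback, conntrack,
# anti-spoofing, scan signatures, SYN rate limit), then one ACCEPT per port,
# then a rate-limited LOG before the chain's DROP policy takes over.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PORTSCAN - [0:0]
:SYNFLOOD - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $WAN_IF -s 192.168.0.0/16 -j DROP
-A INPUT -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j PORTSCAN
-A INPUT -p tcp --tcp-flags ALL ALL -j PORTSCAN
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j PORTSCAN
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j PORTSCAN
-A PORTSCAN -m limit --limit 5/min -j LOG --log-prefix "PORTSCAN: "
-A PORTSCAN -j DROP
-A INPUT -p tcp --syn -j SYNFLOOD
-A SYNFLOOD -m limit --limit 50/s --limit-burst 100 -j RETURN
-A SYNFLOOD -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
EOF
    for p in $IN_TCP; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $IN_UDP; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    for p in $OUT_TCP; do
        echo "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $OUT_UDP; do
        echo "-A OUTPUT -p udp --dport $p -j ACCEPT"
    done
    echo '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "'
    echo '-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "OUTPUT-DROP: "'
    echo "COMMIT"
}

# Lists the TCP ports the generated INPUT chain admits new connections on,
# which is the one line an auditor wants to see per host.
inbound_tcp_ports() {
    gen_rules | awk '$1=="-A" && $2=="INPUT" && $3=="-p" && $4=="tcp" && $5=="--dport" { printf "%s ", $6 }' | sed 's/ $//'
}

case "${1:-}" in
    --apply) gen_rules | iptables-restore ;;   # needs root; keep a console open
    --ports) inbound_tcp_ports; echo ;;
    *)       gen_rules ;;                      # default: print for review
esac
```

Run it with no arguments and pipe the output into `iptables-restore --test` on versions that support it before using `--apply`; apply it from a console session (or with a timed rollback) so a mistake in the SSH port does not lock you out. Because port 21 is open, load the nf_conntrack_ftp helper or the FTP data connections will not match the RELATED rule. A host that needs MySQL closed simply sets IN_TCP without 3306 in its environment file; the script itself never changes.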

My friend Jeff uses these in his hosting business with great success, and I’m curious as to what other similar tools admins use to standardize their LAMP boxes.
