iptables management tools for large scale environment
- by womble
The environment I'm operating in is a large-scale web hosting operation (several hundred servers under management, almost-all-public addressing, etc -- so anything that talks about managing ADSL links is unlikely to work well), and we're looking for something that will be comfortable managing both the core ruleset (around 12,000 entries in iptables at current count) plus the host-based rulesets we manage for customers. Our core router ruleset changes a few times a day, and the host-based rulesets would change maybe 50 times a month (across all the servers, so maybe one change per five servers per month).
We're currently using filtergen (which is balls in general, and super-balls at our scale of operation), and I've used shorewall in the past at other jobs (which would be preferable to filtergen, but I figure there's got to be something out there that's better than that).
The "musts" we've come up with for any replacement system are:
Must generate a ruleset fairly quickly (a filtergen run on our ruleset takes 15-20 minutes; this is just insane) -- this is related to the next point:
Must generate an iptables-restore style file and load that in one hit, not call iptables for every rule insert
Must not take down the firewall for an extended period while the ruleset reloads (again, this is a consequence of the above point)
Must support IPv6 (we aren't deploying anything new that isn't IPv6 compatible)
Must be DFSG-free
Must use plain-text configuration files (as we run everything through revision control, and using standard Unix text-manipulation tools are our SOP)
Must support both RedHat and Debian (packaged preferred, but at the very least mustn't be overtly hostile to either distro's standards)
Must support the ability to run arbitrary iptables commands to support features that aren't part of the system's "native language"
Anything that doesn't meet all these criteria will not be considered. The following are our "nice to haves":
Should support config file "fragments" (that is, you can drop a pile of files in a directory and say to the firewall "include everything in this directory in the ruleset"; we use configuration management extensively and would like to use this feature to provide service-specific rules automatically)
Should support raw tables
Should allow you to specify particular ICMP in both incoming packets and REJECT rules
Should gracefully support hostnames that resolve to more than one IP address (we've been caught by this one a few times with filtergen; it's a rather royal pain in the butt)
The more optional/weird iptables features that the tool supports (either natively or via existing or easily-writable plugins) the better. We use strange features of iptables now and then, and the more of those that "just work", the better for everyone.
