Ferm - IPtables The Right Way

Tue 14 October 2014

This is a small post but totally worth it. Just wanted to point out I've finally found the ultimate meta language for managing iptables: ferm.

To keep this brief let's say Ferm is to IPtables as C is to ASM. It gives you plenty of high level constructs to manage list of ports, ip addresses and so forth, heck you can even create functions with parameters and all.

Let's give it a try:

$ aptitude install ferm     # Debian/Ubuntu
$ yum install ferm          # Fedora/CentOS

Now you have two new commands in your path: ferm and import-ferm

Reading the man page and command help is a good start.

Basically ferm reads the rule file and compiles to iptables, then it loads everything to the system with iptables-restore, I recommend using ferm -nl rules.ferm and keep tuning the file until you get what you need.

The import-ferm command reads you current iptables rules and prints the equivalent ferm rules to stdout. Of course it will be too explicit, you should define arrays and use all the cool features ferm provides.

import-ferm > /etc/ferm/rules.ferm # this could be a starting point

On Debian the ferm package also provides a service (something like iptables-persistent), this makes possible to have the rules written only with ferm syntax, they will be parsed each time the ferm service is started.

Some simple rules to get you interested:

@def $TRUSTED = (;

table filter {
chain INPUT {
    policy DROP;

    # connection tracking
    mod state state (ESTABLISHED RELATED) ACCEPT;

    # allow local connections
    interface lo ACCEPT;

    # respond to ping
    proto icmp icmp-type echo-request ACCEPT;

    # allow SSH connections to trusted addresses
    saddr $TRUSTED {
        proto tcp dport ssh ACCEPT;

# outgoing connections are not limited
chain OUTPUT policy ACCEPT;

# this is not a router
chain FORWARD policy DROP;

Comments !