Scriptable Iptables Firewall Tool 









Version 2.0 

Copyright © 2006-2007 by B.B. 

This document is released under the terms of the GPL FDL. 






This document gives an overview of SIFT: Scriptable Iptables Firewall Tool.  


Table of Contents 






SIFT is an iptables firewall script generator. Iptables is the default administration tool for IPv4/6 filtering (and rewriting – NAT) on a Linux/GNU platform. The output of SIFT can be used to run as the “ /etc/init.d/iptables start ” script on a Linux/GNU platform.


Less is more. And, personally, I hate to write documents that other people don’t read. But fear not. There are several documents about SIFT available in this release. In


There are also some public documents in the doc/www/ folder.


This document gives an overview of SIFT, release v2.0. SIFT has been used to create iptables firewall scripts for several sites. It is  reliable software.



SIFT generates a packet filter firewall script. Packet filtering firewalls are fast and reliable.


A firewall/packet filter must (at least) be able to: 


SIFT uses the terminology borrowed from iptables by using drop for blocked traffic, accept for traffic that is allowed to pass the firewall, and log to monitor and log specific traffic.


But how to drop or accept traffic? Well, a firewall is basically some hardware box with interfaces on the outside and inside running some software that determines if IP traffic with specific IP characteristics: 


Illustration 1: Zones, interfaces and subnets

The most obvious IP characteristic is of course its IP address or IP address range (t.i. a subnet). And that is why we decided to build the firewall configuration on the concept of zones. A zone is the combination of an interface and a list of IP address ranges (subnets). And the configuration of a firewall must then only specify what zone to zone traffic is accepted (called a policy), and all other traffic will automatically be dropped.


Illustration 2 depicts our example setup. The firewall is placed between the internal network/DMZ and the external network. In this setup, we can identify the two networks with several zones:

Illustration 2: Typical firewall setup


External network: 


Internal network: 




The firewall should enforce policies on the traffic that is allowed to pass through the firewall. These policies are formulated as zone to zone traffic. In Illustration 2, there are only two policies visualized: ZONE1 -> INTERNET, and INTERNET -> DMZ. Note that all policies are directed. A policy identifies the services that are allowed between two zones.




A firewall must be able to pass allowed or block unwanted generic traffic, where generic traffic means that it is not based on zones or policies. For example, you might always want to block certain types of ICMP traffic. These are called shields by SIFT. Shields are attached to interfaces, and support pre-filtering, post-filtering, rewriting and mangling on both input, output and forward traffic.




Well, that's about it (I will skip logging here). Let us look in the next chapter on how to use SIFT. 



Writing iptables scripts can be quite difficult. SIFT does most of the difficult work, but it requires information about the setup of the firewall. This information is contained in a configuration file that specifies: 


We will take the above mentioned typical firewall setup as an example here. 




Some definitions: 

A   network  =  a binding of interfaces, zones, shields and policies

An interface =  a unique name for a physical network device of the host (e.g. eth0)

A   zone =  a unique name for a binding of an interface and a set of IP addresses/ranges

A   policy =  a binding of services between two zones

A   shield =  a binding of filters to an interface

A   service =  a unique friendly textual name for an internet service

A   filter =  a unique friendly textual name for a method to pass, block or rewrite traffic


Before you can run SIFT, you must therefore make an inventory of: 




The main object of a configuration file is called Sift. It contains all the networks. In our example, we have an external and an internal network. This would look like: 


firewall := Sift create(“example”) do( 


 // firewall IP address should be fixed

 HOST_IP := “”


 // networks

 Network create doFile(“networks/”)

 Network create doFile(“networks/”)

firewall print 


A Firewall should have a fixed IP address (no DHCP). Here, we have chosen to put the configurations for both networks in separate files, which makes the top level configuration file short and tidy. 

The output is printed by calling the print method of the Sift object.

Next, we must configure both networks. First, let us start with the internal network. We must make an inventory of all:


all physical interfaces of the firewall host 

=> loopback interface lo

=> for example, the ethernet device eth0 is connected to the internal interface (LAN)

=> for example, the ethernet device eth1 is connected to the DMZ


all zones, and all IP addresses/ranges belonging to these zones 

=> we have a zone  connected to lo with:

        LOC                as

=> we have zones  connected to eth0 with:

        ZONE1        as
        ZONE2        as

=> we have a zone connected to eth1 with:

        DMZ                as


all policies for allowed zone to zone traffic 

=> from ZONE1 and ZONE2 to DMZ 

        POP,  SMTP,  HTTP, HTTPS

=> from ZONE1 to ZONE2 (if connected through the firewall) 



all shields bound to interface(s) 

=> default shields on eth0 and  eth1


The configuration looks like:

// fixed IP address 

ETH0_IP := “” 

ETH1_IP := “” 


// interfaces 

lo   := Interface(“lo”)   ip(“”)

eth0 := Interface(“eth0”) ip(ETH0_IP) 

eth1 := Interface(“eth1”) ip(ETH1_IP) 


// default shields 

lo   add shield filter(FILTERS LOOPBACK)

eth0 add shield filter(FILTERS INTERFACE) 

eth1 add shield filter(FILTERS INTERFACE) 


// zones 

LOC   := Zone create(“loc”  ) interface(lo  ) subnet(lo ip)

ZONE1 := Zone create(“zone1”) interface(eth0) subnet(“”) 

ZONE2 := Zone create(“zone2”) interface(eth0) subnet(“”) 

DMZ   := Zone create(“dmz”  ) interface(eth1) subnet(“”)


// anti-spoof 

LOC add zone interface(eth0) subnet(eth0 ip) 

LOC add zone interface(eth1) subnet(eth1 ip) 


// policies 



Policy create from(LOC)   to(LOC)   services(ANY)

Policy create from(ZONE1) to(DMZ)   services(SRV_DMZ)

Policy create from(ZONE2) to(DMZ)   services(SRV_DMZ)

Policy create from(ZONE1) to(ZONE2) services(PRINTER) 




Next, the external network. We must make an inventory of all:


all physical interfaces of the firewall host 

=> for example, the ethernet device eth2 is connected to the external interface


all zones, and all IP addresses/ranges belonging to these zones 

=> we have zones connected to eth2 with:

        INTERNET        as
        ISP                as


all policies for allowed zone to zone traffic 

=> from INTERNET and ISP to DMZ 


=> from ZONE1, ZONE2 to ISP 

        ISP (e.g. DNS)

=> from ZONE1, ZONE2 to INTERNET 

        WAN (e.g. HTTP, HTTPS, FTP, ...)


all shields bound to interface(s) 

=> forward shield on eth2 ( eth2 will forward traffic from eth0 and eth1)

=> NAT from eth0 to eth2


The configuration looks like:

// fixed IP address 



// interfaces 

eth2 := Interface(“eth2”) ip(ETH2_IP) 


// default shields 

eth2 add shield filter(FILTERS INTERFACE) 


// zones 

INTERNET := Zone create(“wan”) interface(eth2) subnet(“”) 

ISP      := Zone create(“isp”) interface(eth2) subnet(“”)


// anti-spoof 

LOC add zone interface(eth2) subnet(eth2 ip) 


// policies 





Policy create from(ZONE1,ZONE2)  to(INTERNET,ISP) services(SRV_WAN)

Policy create from(ZONE1,ZONE2)  to(ISP)          services(SRV_ISP)

Policy create from(INTERNET,ISP) to(DMZ)          services(SRV_DMZ)


// NAT 

eth2 add shield nat(HOST_IP) subnets(”,””) 

eth2 add shield interfaces(eth0,eth1) filter(FILTERS FORWARD) 




If all networks, interfaces, z ones , policies, shields, services and filters are specified in the firewall configuration file, then you can generate and install the firewall script (roughly) as follows:


For other examples, look at some of the firewall configuration files in the sites/ folder.


SIFT is well designed. It provides an excellent framework for managing iptables rules in an intuitive and straightforward way. And although the architecture is based on the functionality of iptables, it adds a lot of assurance and ease of use in stead of writing iptables rules directly. 


Note that packet filters offer only limited filtering possibilities. A packet filter does not look at the packet data inside a packet. This means that tunneling (masquerading as an allowed protocol, such as HTTP) can be used to bypass filtering rules. There are extensions to the Linux/GNU firewall tools that support such application level filtering (OSI layer 7), but these are based on pattern matching (just like most virus scanners). SIFT has only rudimentary support for OSI layer 7 filtering.