Iceditch functionality

From SaruWiki

This page describes the functions that the Iceditch script can perform for you.

Rights and security

Since Iceditch calls IPtables, you need root rights to call it. We have therefore not implemented any mechanism to use Iceditch as a non-root user.

Invoking Iceditch

iceditch start | restart | reload
The most common invocation will be the automatic startup at boot time. To this end, the script understands being called with only the "start" parameter. iceditch start will set up the firewall quietly and completely.
iceditch stop | unload
We don't want any person or process to be able to stop the firewall, so this command is accepted but does nothing except log the attempt.
iceditch clear
This clears all firewall rules, so essentially you're left with no firewall at all. Thus, you're also left without transparent proxying, NATting, etcetera. Since this is inherently very unsafe, Iceditch will also disable forwarding between network interfaces.
iceditch backup
This will make Iceditch write a copy of the current configuration files. It is used mainly to accommodate safestart.
iceditch safestart
This will have Iceditch start the firewall, but after five minutes it will revert to the backup configuration. This enables you to back up the current configuration, change it, and test it. If it accidentally shuts you out, it will revert to the old configuration after five minutes. Good thinking, eh? Note: this requires that you've made a backup configuration; if none is present, safestart will clear the firewall when the reversion time comes. Furthermore, this option requires the at command to be available, since Iceditch uses it to schedule the fallback to the old configuration.
iceditch restore
This will make Iceditch revert to the configuration it previously backed up. Note: this command can only be run interactively, since Iceditch will tell you at which time and date the backup configuration was made, and ask you if you really want to overwrite the current configuration with the old one.
iceditch noclear
This command will remove the fallback to the old configuration by clearing the at fallback.
iceditch halt
This is an emergency brake: it will clear all firewall rules, and then block any network traffic going in or out of your machine over any network interface, with the exception of the lo loopback interface. When you have reason to believe your system is in some way compromised, you can throw this emergency brake. For those who don't need or want it: the configuration file can disable this emergency brake.
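The backup, safestart and noclear commands described above form one mechanism: a copy of the rulefile is put aside, the new firewall is started, and a job queued with at reverts to the copy unless you cancel it in time. The script below is an added example of that pattern, not Iceditch's own code. It assumes a layout of its own: CONF_DIR holds rules.conf, the backup sits beside it as rules.conf.bak with its timestamp in rules.conf.bak.when, the queued at job id is kept in fallback.job so that noclear can remove it, and FIREWALL_CMD is a placeholder path for the real firewall script.

```sh
#!/bin/sh
# Added example (not Iceditch's own code): the backup / safestart / noclear
# pattern built on cp(1) and at(1). CONF_DIR, FIREWALL_CMD and the file names
# below are this example's own assumptions.

CONF_DIR="${CONF_DIR:-/etc/iceditch}"
FIREWALL_CMD="${FIREWALL_CMD:-/usr/local/sbin/iceditch}"   # placeholder path

# backup: copy the live rulefile aside and record when that happened,
# so that an interactive restore can show the date before overwriting anything.
make_backup() {
    [ -f "$CONF_DIR/rules.conf" ] || { echo "backup: no rulefile in $CONF_DIR" >&2; return 1; }
    cp "$CONF_DIR/rules.conf" "$CONF_DIR/rules.conf.bak" || return 1
    date '+%Y-%m-%d %H:%M:%S' > "$CONF_DIR/rules.conf.bak.when"
}

# The -t value: a whole number of minutes from 1 to 60 inclusive.
valid_minutes() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 60 ]
}

# What the queued job will run: put the backup back and restart, or, when no
# backup exists, clear the firewall (the behaviour the page describes).
fallback_command() {
    if [ -f "$CONF_DIR/rules.conf.bak" ]; then
        echo "cp '$CONF_DIR/rules.conf.bak' '$CONF_DIR/rules.conf' && $FIREWALL_CMD restart"
    else
        echo "$FIREWALL_CMD clear"
    fi
}

# safestart: queue the fallback; it fires unless noclear removes it in time.
schedule_fallback() {
    minutes="${1:-5}"
    valid_minutes "$minutes" || { echo "safestart: -t must be 1-60" >&2; return 1; }
    command -v at >/dev/null 2>&1 || { echo "safestart: at(1) is required" >&2; return 2; }
    # at reports "job N at <time>" on stderr; keep N so that noclear can atrm it.
    jobid=$(fallback_command | at now + "$minutes" minutes 2>&1 | awk '/^job/ { print $2 }')
    [ -n "$jobid" ] || { echo "safestart: at did not accept the job" >&2; return 1; }
    echo "$jobid" > "$CONF_DIR/fallback.job"
    logger -t iceditch "safestart: fallback job $jobid due in $minutes minutes"
}

# noclear: the new configuration works, so drop the queued fallback.
cancel_fallback() {
    [ -f "$CONF_DIR/fallback.job" ] || { echo "noclear: nothing queued" >&2; return 1; }
    atrm "$(cat "$CONF_DIR/fallback.job")" && rm -f "$CONF_DIR/fallback.job"
}

# Stand-alone use:  sh example.sh backup | safestart [minutes] | noclear
case "${1:-}" in
    backup)    make_backup ;;
    safestart) "$FIREWALL_CMD" start && schedule_fallback "${2:-5}" ;;
    noclear)   cancel_fallback ;;
esac
```

The job text is generated once, before at is called, so whether the fallback restores or clears is decided at safestart time, exactly as the note above says: no backup present means the queued job clears the firewall.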

Special options

There are a number of options that Iceditch recognises; they are listed below. Note: options cannot be grouped. For example, Iceditch understands -d -e but not -de.
-d dummy run; prevents Iceditch from invoking IPtables at all. Used mainly with -e or -E to check a configuration.
-e will make Iceditch echo all generated IPtables commands to the console. This can be useful to test a complex configuration. -e cannot be combined with -E.
-E will make Iceditch echo all rules in Iceditch language. Only useful if your rulefile contains lots of conditional rules, flow control and other programming bling. -E cannot be combined with -e.
-r <rulefile> will make Iceditch use <rulefile> instead of the default rulefile rules.conf. <rulefile> must be specified as a simple filename only (Iceditch expects the rulefile to live in /etc/iceditch).
-t <number> can be used only with safestart; it signifies the number of minutes (1-60) that safestart must wait before it reverts the configuration.
-v verbosity; will make Iceditch pass the -v option to all commands it calls itself.
-V print the version number and exit (overrides any other option or parameter)
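The constraints listed above (no grouping, -e and -E mutually exclusive, -t only with safestart and limited to 1-60, -r a bare filename, -V overriding everything) are easy to get wrong in a hand-written parser, and -d combined with -e is the way to inspect what the script would do to the kernel without actually doing it. The script below is an added example, not Iceditch's own code: a parser that enforces those rules, a run-or-echo wrapper honouring -d and -e, and the halt rule set from the previous section passed through that wrapper. All variable and function names, the version string and the rule set are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not Iceditch's own code): an option parser enforcing the
# documented option rules, plus a run-or-echo wrapper showing "-d -e" applied
# to the "halt" emergency brake. Names and the version string are placeholders.

VERSION="0.0-example"
DUMMY=0; ECHO_IPT=0; ECHO_RULES=0; VERBOSE=""; RULEFILE="rules.conf"; MINUTES=""; ACTION=""

# Parse "$@" into the globals above; prints a reason and returns 1 on any
# violation of the documented constraints.
parse_args() {
    DUMMY=0; ECHO_IPT=0; ECHO_RULES=0; VERBOSE=""; RULEFILE="rules.conf"; MINUTES=""; ACTION=""
    # -V overrides every other option or parameter, so look for it first.
    for arg in "$@"; do
        if [ "$arg" = "-V" ]; then echo "iceditch $VERSION"; ACTION="version"; return 0; fi
    done
    while [ $# -gt 0 ]; do
        case "$1" in
            -d) DUMMY=1 ;;
            -e) ECHO_IPT=1 ;;
            -E) ECHO_RULES=1 ;;
            -v) VERBOSE="-v" ;;
            -r) shift
                # a bare filename only: the rulefile is looked up in /etc/iceditch
                case "${1:-}" in ''|*/*) echo "-r needs a plain filename" >&2; return 1 ;; esac
                RULEFILE="$1" ;;
            -t) shift
                case "${1:-}" in ''|*[!0-9]*) echo "-t needs a number of minutes" >&2; return 1 ;; esac
                if [ "$1" -lt 1 ] || [ "$1" -gt 60 ]; then echo "-t must be 1-60" >&2; return 1; fi
                MINUTES="$1" ;;
            -?*) echo "unknown or grouped option: $1" >&2; return 1 ;;   # e.g. -de
            *)  ACTION="$1" ;;
        esac
        shift
    done
    if [ "$ECHO_IPT" = 1 ] && [ "$ECHO_RULES" = 1 ]; then echo "-e and -E cannot be combined" >&2; return 1; fi
    if [ -n "$MINUTES" ] && [ "$ACTION" != "safestart" ]; then echo "-t is only valid with safestart" >&2; return 1; fi
    return 0
}

# Run one IPtables command, honouring -e (echo it) and -d (do not execute it).
ipt() {
    set -- $VERBOSE "$@"          # an empty VERBOSE expands to no word at all
    [ "$ECHO_IPT" = 1 ] && echo "iptables $*"
    [ "$DUMMY" = 1 ] || iptables "$@"
}

# The "halt" emergency brake: flush everything, drop by default, keep only lo.
halt_rules() {
    for table in filter nat mangle; do
        ipt -t "$table" -F
        ipt -t "$table" -X
    done
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
}

# Stand-alone use:  sh example.sh -d -e halt   prints the eleven commands above
# without touching the running firewall; drop -d to apply them (needs root).
if parse_args "$@"; then
    case "$ACTION" in
        halt) halt_rules ;;
    esac
fi
```

The grouped form -de is rejected by the catch-all -?* branch, which is reached only after every single-letter option has had its chance to match; the two cross-option checks run after the loop because both sides of each rule can appear in any order on the command line.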

Logging

Iceditch logs any (attempted) start or stop action to the syslog. When the Iceditch-built firewall runs, it can make use of the standard IPtables log facilities. These can either log packets to syslog or use the ulogd logging daemon. This choice can be specified in the Iceditch configuration file, although you have to ensure yourself that ulogd actually exists on your system.