
Easily Manage IPTables Across Multiple Nodes with Firewall Manager

Streamline IPTables management across multiple nodes with Firewall Manager, seamlessly integrating with SIEM and SOAR for enhanced security and automation.


TL;DR

Managing IPTables manually on multiple nodes was a tedious and inefficient process. Each time a threat was detected, I had to log in to individual servers to apply firewall rules manually. This approach was not scalable and introduced delays in threat response.

To address this, I developed Firewall Manager, a centralized tool that integrates with SIEM through SOAR. With Firewall Manager, security teams can automate firewall rule enforcement across multiple nodes, improving efficiency and response time.


Why Firewall Manager?

Traditional firewall management on distributed infrastructures often requires administrators to configure IPTables manually on each server. This method has several challenges:

✅ Time-consuming: Manually updating IPTables on multiple nodes can be slow, especially during active incidents.
✅ Error-prone: Manual configurations increase the risk of misconfigurations, potentially leaving security gaps.
✅ Lack of centralization: Without a unified dashboard, monitoring and managing firewall rules across multiple servers is difficult.
✅ Delayed threat mitigation: Threat actors can exploit the time gap between detection and response.

Firewall Manager solves these problems by automating and centralizing firewall management, ensuring faster and more accurate responses to security threats.


How It Works

Firewall Manager acts as an intermediary between SIEM, SOAR, and individual nodes running IPTables. The workflow consists of the following steps:

1. Event Detection

  • SIEM continuously monitors network traffic and logs security events.
  • When a suspicious or malicious activity is detected, an event is generated and sent to SOAR.

2. Threat Analysis & Decision Making

  • SOAR forwards the detected event to Firewall Manager via API.
  • Security analysts can review the event and choose to either ignore or block the detected IP.
  • If blocking is selected, Firewall Manager automatically propagates the blocking rule to the affected nodes.

3. IP Blocking Mechanism

  • Firewall Manager uses a client-server model to distribute firewall rules:
    • Firewall-Server: The central control unit that manages firewall rules and communicates with SIEM and SOAR.
    • Firewall-Client: Runs on each server and enforces blocking rules received from the Firewall-Server.
  • This ensures that every node updates its IPTables configuration instantly when a threat is identified.

4. Continuous Monitoring & Logging

  • Every action taken (ignored or blocked) is logged for security auditing.
  • Analysts can review past logs to analyze attack patterns and improve defensive strategies.
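To make steps 2 and 3 concrete, here is an added example of the rule-enforcement logic a Firewall-Client could run when a block decision arrives. It is illustrative code written for this post, not Firewall Manager's own source, and the function and list names (`validate_target`, `block_commands`, `apply_block`, `NEVER_BLOCK`) are hypothetical. It validates the IP before it ever becomes an iptables argument, refuses addresses the control plane depends on, applies the DROP rule idempotently (`-C` before `-I`) so repeated deliveries of the same event are harmless, and returns the audit record step 4 calls for.

```python
import ipaddress
import subprocess
from datetime import datetime, timezone

# Hypothetical never-block list: ranges the control plane itself relies on.
# Constructed sample values; a real deployment would load these from config.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def validate_target(ip_text):
    """Return an ip_address for ip_text or raise ValueError.

    Anything that is not a single, routable, non-local address is refused, so a
    malformed or hostile value from the API can never become an iptables argument.
    """
    ip = ipaddress.ip_address(ip_text.strip())
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"refusing to block non-routable address {ip}")
    if any(ip in net for net in NEVER_BLOCK):
        raise ValueError(f"{ip} is on the never-block list")
    return ip


def block_commands(ip):
    """Build the check (-C) and insert (-I) argv lists for one address."""
    tool = "iptables" if ip.version == 4 else "ip6tables"
    rule = ["INPUT", "-s", str(ip), "-j", "DROP"]
    return [tool, "-C", *rule], [tool, "-I", *rule]


def apply_block(ip_text, run=subprocess.run):
    """Enforce a DROP rule for ip_text and return the audit record.

    iptables -C exits 0 when the rule already exists, so the insert is skipped
    and repeated deliveries of the same event stay idempotent. `run` is
    injectable so the logic can be exercised without root or iptables.
    """
    record = {"ts": datetime.now(timezone.utc).isoformat(), "target": ip_text}
    try:
        ip = validate_target(ip_text)
    except ValueError as exc:
        return {**record, "action": "rejected", "reason": str(exc)}
    check, insert = block_commands(ip)
    if run(check, capture_output=True).returncode == 0:
        return {**record, "target": str(ip), "action": "already_blocked"}
    result = run(insert, capture_output=True)
    action = "blocked" if result.returncode == 0 else "failed"
    return {**record, "target": str(ip), "action": action}


if __name__ == "__main__":
    print(apply_block("203.0.113.7"))  # needs root; prints the audit record
```

The argv lists are passed to `subprocess.run` without a shell, which together with the address validation is what keeps an untrusted API value from altering the rule.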

Key Features

πŸ” IP Region Detection

Firewall Manager can detect the geographical origin of an IP address using threat intelligence databases. This allows security teams to:
βœ… Identify patterns of attacks originating from specific regions.
βœ… Block traffic from high-risk countries or regions based on policies.
βœ… Gain deeper insights into attack sources for better defensive measures.

🛡 Automatic IP Blocking

Instead of relying on manual intervention, Firewall Manager automatically blocks malicious and suspicious IPs based on real-time events from SIEM. This ensures:
✅ Faster response times, reducing potential attack damage.
✅ Consistent rule enforcement across all nodes.
✅ Minimized human error by automating repetitive firewall tasks.

🔗 Threat Intelligence Enrichment with OpenCTI

Firewall Manager integrates with OpenCTI to enrich detected threats with contextual data. When an IP is flagged as suspicious, it is cross-checked against:
✅ Global threat intelligence feeds.
✅ Known attack patterns and previously observed malicious activities.
✅ Reputation scores to assess the risk level before taking action.

This enrichment helps analysts make informed decisions and reduces false positives.

📜 Comprehensive Event Logging

All processed events are logged in detail, providing a complete security audit trail. Logged data includes:
✅ Source IP address and region information.
✅ Actions taken (ignored, blocked, or whitelisted).
✅ Timestamp and event metadata for forensic analysis.

With detailed logs, security teams can analyze past attacks, fine-tune security policies, and ensure compliance with regulatory requirements.


Download Firewall Manager

🚀 Get started with Firewall Manager now!

🔔 Note: This tool is still in development, and I will be adding more features and support for additional package formats like .rpm soon! Stay tuned for updates!


Benefits of Using Firewall Manager

Using Firewall Manager provides several key benefits for security teams and IT administrators:

🚀 Rapid Threat Mitigation – Automatically blocks malicious IPs in real time, reducing response time from minutes to seconds.
🔄 Centralized Firewall Management – No need to log in to multiple servers; manage everything from one control panel.
🔎 Better Visibility – Gain insights into attack sources, patterns, and high-risk regions.
📊 Audit-Ready Logging – Maintain comprehensive logs for compliance and incident analysis.
🔧 Seamless Integration – Works with existing SIEM & SOAR solutions without disrupting operations.


Conclusion

Managing IPTables across multiple nodes manually is inefficient and risky. Firewall Manager solves this problem by automating and centralizing firewall rule management, ensuring a faster and more effective security response.

By integrating with SIEM, SOAR, and OpenCTI, Firewall Manager enables security teams to:
✅ Automate firewall rule enforcement across multiple servers.
✅ Enrich threat data for better decision-making.
✅ Improve visibility and auditing capabilities.

With real-time blocking, threat intelligence integration, and comprehensive logging, Firewall Manager enhances cyber defense capabilities for modern IT infrastructures.

If you’re looking for a scalable, automated, and efficient way to manage IPTables across multiple nodes, Firewall Manager is the solution you need! 🚀


Images (screenshots of the Firewall Manager dashboard): Agent List, Event Listing, Detail Events, Blocked Lists.

If you find this project helpful, consider supporting me through GitHub Sponsors.

This post is licensed under CC BY 4.0 by the author.