iptables — PyCI iptables Module

class Chain(name, table, policy=None, references=None, rules=None, packets=None, bytes=None)

Class to store IPTables chains

append_rule(rule)
Appends a Rule() object to self.rules
class IPTables(filepath='/etc/firewall.user')

Class to read and store iptables rules

parse_config_active()
Parses the output of ‘iptables -t <tables> -L -n -v -x --line-numbers’ and creates/assigns Chain objects to self.chains.
parse_config_file()
Reads self.filepath and returns a list of Chain objects (each containing Rule objects) representing the file.
reality_check()
Compares the configuration in self.filepath against the iptables rules set on the running host.
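An added example of what parse_config_active() and reality_check() do, written for this page and not taken from PyCI: it parses a constructed ‘iptables -t filter -L -n -v -x --line-numbers’ listing into Chain and Rule objects and reports the drift between a baseline listing and the running one (a missing DROP rule, an unexpected ACCEPT, a changed chain policy). The Rule and Chain classes, the key() method, the report layout and the baseline-vs-running comparison are this example's own assumptions; PyCI compares the file in self.filepath against the host.

```python
"""Parse 'iptables -t filter -L -n -v -x --line-numbers' output into Chain/Rule
objects and diff it against a baseline (added example, not PyCI code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "Chain INPUT (policy DROP 12 packets, 720 bytes)" for built-in chains,
# "Chain my_chain (2 references)" for user-defined ones.
CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|(\d+) references)\)")


@dataclass
class Rule:
    table: str
    chain: str
    ruleno: int
    packets: int
    bytes: int
    target: str
    protocol: str
    in_interface: str
    out_interface: str
    source: str
    destination: str
    match: str = ""   # trailing match text, e.g. "tcp dpt:22"

    def key(self):  # identity for comparison: counters and position are volatile
        return (self.chain, self.target, self.protocol, self.in_interface,
                self.out_interface, self.source, self.destination, self.match)


@dataclass
class Chain:
    name: str
    table: str
    policy: Optional[str] = None
    references: Optional[int] = None
    packets: Optional[int] = None
    bytes: Optional[int] = None
    rules: list = field(default_factory=list)


def parse_config_active(output, table="filter"):
    """Return {chain name: Chain} for one table's listing."""
    chains, current = {}, None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pkts, byts, refs = m.groups()
            current = Chain(name, table, policy, int(refs) if refs else None,
                            int(pkts) if pkts else None, int(byts) if byts else None)
            chains[name] = current
            continue
        # num pkts bytes target prot opt in out source destination [match text]
        cols = line.split(None, 10)
        if current is None or len(cols) < 10 or not cols[0].isdigit():
            continue  # blank line or the column header
        num, pkts, byts, target, prot, _opt, in_if, out_if, src, dst = cols[:10]
        match = cols[10].strip() if len(cols) > 10 else ""
        # Caveat: a rule without a target leaves that column empty and shifts the
        # rest left; for such rules iptables-save output is the robust source.
        current.rules.append(Rule(table, current.name, int(num), int(pkts), int(byts),
                                  target, prot, in_if, out_if, src, dst, match))
    return chains


def reality_check(expected, active):
    """Rules the baseline has but the host lacks, rules the host has that the
    baseline never declared, and default-policy changes."""
    report = {"missing": [], "unexpected": [], "policy": []}
    for name, exp in expected.items():
        act = active.get(name)
        if act is None:
            report["missing"].extend(r.key() for r in exp.rules)
            continue
        if exp.policy != act.policy:
            report["policy"].append((name, exp.policy, act.policy))
        exp_keys, act_keys = {r.key() for r in exp.rules}, {r.key() for r in act.rules}
        report["missing"].extend(sorted(exp_keys - act_keys))
        report["unexpected"].extend(sorted(act_keys - exp_keys))
    for name, act in active.items():
        if name not in expected:
            report["unexpected"].extend(r.key() for r in act.rules)
    return report


# Constructed sample listings (not captured from a real host).
BASELINE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       48372    3918230 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      102934   80234117 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3         311      18660 ACCEPT     tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22
4          42       2520 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
"""

RUNNING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       48390    3919102 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      103001   80301250 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3         319      19140 ACCEPT     tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22
4           7        420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389
"""


def drift_report():
    return reality_check(parse_config_active(BASELINE), parse_config_active(RUNNING))
```

The comparison deliberately ignores packet and byte counters and rule position; a change of position still matters for first-match semantics, so a stricter check would compare the ordered list of keys per chain as well.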
class Rule(table, chain, status_params=None, match=None, target=None, protocol=None, target_opts=None, source=None, source_port=None, destination=None, destination_port=None, in_interface=None, out_interface=None, packets=None, bytes=None, ruleno=None, state=None, modprobe=None, src_type=None, dst_type=None, limit_iface_in=None, limit_iface_out=None, ahspi=None, comment=None, connbytes=None, connbytes_dir=None, connlimit_above=None, connlimit_mask=None, mark=None, ctstate=None, ctproto=None, ctorigsrc=None, ctorigdst=None, ctreplsrc=None, ctrepldst=None, ctorigsrcport=None, ctorigdstport=None, ctreplsrcport=None, ctrepldstport=None, ctstatus=None, ctexpire=None, ctdir=None, source_ports=None, destination_ports=None, dccp_types=None, dccp_option=None, dscp=None, dscp_class=None, ecn_tcp_cwr=None, ecn_tcp_ece=None, ecn_ip_ect=None, espspi=None, hashlimit_upto=None, hashlimit_above=None, hashlimit_name=None, hashlimit_burst=None, hashlimit_mode=None, hashlimit_srcmask=None, hashlimit_dstmask=None, hashlimit_htable_size=None, hashlimit_htable_max=None, hashlimit_htable_expire=None, hashlimit_htable_gcinterval=None, helper=None, icmp_type=None, src_range=None, dst_range=None, length=None, limit=None, limit_burst=None, mac_source=None, ports=None, uid_owner=None, gid_owner=None, socket_exists=None, physdev_in=None, physdev_out=None, physdev_is_in=None, physdev_is_out=None, physdev_is_bridged=None, pkg_type=None, dir_=None, pol=None, strict=None, reqid=None, spi=None, proto=None, mode=None, tunnel_src=None, tunnel_dst=None, next=None, quota=None, realm=None, name=None, set_=None, rcheck=None, update=None, remove=None, seconds=None, hitcount=None, rttl=None, rsource=None, rdest=None, chunk_types=None, probability=None, every=None, packet=None, algo=None, from_=None, to=None, string=None, hex_string=None, tcp_flags=None, syn=None, tcp_option=None, mss=None, datestart=None, datestop=None, timestart=None, timestop=None, monthdays=None, weekdays=None, utc=None, localtz=None, tos=None, ttl_eq=None, ttl_gt=None, ttl_lt=None, u32=None, set_class=None, new=None, hashmode=None, clustermac=None, total_nodes=None, local_nodes=None, hash_init=None, set_xmark=None, save_mark=None, restore_mark=None, and_mark=None, or_mark=None, xor_mark=None, to_destination=None, random=None, set_dscp=None, set_dscp_class=None, ecn_tcp_remove=None, log_level=None, log_prefix=None, log_tcp_sequence=None, log_tcp_options=None, log_ip_options=None, log_uid=None, to_ports=None, nflog_group=None, nflog_prefix=None, nflog_range=None, nflog_threshold=None, queue_num=None, ratetest_name=None, ratetest_interval=None, ratetest_ewmalog=None, reject_with=None, nodst=None, selectx=None, add_set=None, del_set=None, to_source=None, set_mss=None, clamp_mss_to_pmtu=None, strip_options=None, set_tos=None, and_tos=None, or_tos=None, xor_tos=None, ttl_set=None, ttl_dec=None, ttl_inc=None, ulog_nlgroup=None, ulog_prefix=None, ulog_cprange=None, ulog_qthreshold=None, ipp2p=None, edonkey=None, kazaa=None, gnutella=None, bittorrent=None, apple=None, winmx=None, directconnect=None, soulseek=None, ares=None)

Class to store IPTables rules

iptables_line(output_template="...")

The default value of output_template is the following Mako template:

<%!
def s(text):
    return repr(unicode(text).encode('utf-8'))

def optional(switch, value):
    if value is not None:
        if value == True:
            return switch
        else:
            return '%s %s' % (switch, s(value))
    return ''
%>
% for rule in rules:
iptables -t filter \
% if rule.ruleno:
-I ${rule.chain|s} ${rule.ruleno|s} \
% else:
-A ${rule.chain|s} \
% endif
% if isinstance(match, list):
    % for item in rule.match:
${optional('--match', item)} \
    % endfor
% else:
${optional('--match', rule.match)} \
% endif
${optional('--source', rule.source)} \
${optional('--destination', rule.destination)} \
${optional('--protocol', rule.protocol)} \
${optional('--interface', rule.in_interface)} \
${optional('--out-interface', rule.out_interface)} \
${optional('--rcheck', rule.rcheck)} \
${optional('--modprobe', rule.modprobe)} \
${optional('--src-type', rule.src_type)} \
${optional('--dst-type', rule.dst_type)} \
${optional('--limit-iface_in', rule.limit_iface_in)} \
${optional('--limit-iface_out', rule.limit_iface_out)} \
${optional('--ahspi', rule.ahspi)} \
${optional('--comment', rule.comment)} \
${optional('--connbytes', rule.connbytes)} \
${optional('--connbytes-dir', rule.connbytes_dir)} \
${optional('--connlimit-above', rule.connlimit_above)} \
${optional('--connlimit-mask', rule.connlimit_mask)} \
${optional('--mark', rule.mark)} \
${optional('--ctstate', rule.ctstate)} \
${optional('--ctproto', rule.ctproto)} \
${optional('--ctorigsrc', rule.ctorigsrc)} \
${optional('--ctorigdst', rule.ctorigdst)} \
${optional('--ctreplsrc', rule.ctreplsrc)} \
${optional('--ctrepldst', rule.ctrepldst)} \
${optional('--ctorigsrcport', rule.ctorigsrcport)} \
${optional('--ctorigdstport', rule.ctorigdstport)} \
${optional('--ctreplsrcport', rule.ctreplsrcport)} \
${optional('--ctrepldstport', rule.ctrepldstport)} \
${optional('--ctstatus', rule.ctstatus)} \
${optional('--ctexpire', rule.ctexpire)} \
${optional('--ctdir', rule.ctdir)} \
${optional('--source-port', rule.source_port)} \
${optional('--source-ports', rule.source_ports)} \
${optional('--destination-port', rule.destination_port)} \
${optional('--destination-ports', rule.destination_ports)} \
${optional('--dccp-types', rule.dccp_types)} \
${optional('--dccp-option', rule.dccp_option)} \
${optional('--dscp', rule.dscp)} \
${optional('--dscp-class', rule.dscp_class)} \
${optional('--ecn-tcp-cwr', rule.ecn_tcp_cwr)} \
${optional('--ecn-tcp-ece', rule.ecn_tcp_ece)} \
${optional('--ecn-ip-ect', rule.ecn_ip_ect)} \
${optional('--espspi', rule.espspi)} \
${optional('--hashlimit-upto', rule.hashlimit_upto)} \
${optional('--hashlimit-above', rule.hashlimit_above)} \
${optional('--hashlimit-name', rule.hashlimit_name)} \
${optional('--hashlimit-burst', rule.hashlimit_burst)} \
${optional('--hashlimit-mode', rule.hashlimit_mode)} \
${optional('--hashlimit-srcmask', rule.hashlimit_srcmask)} \
${optional('--hashlimit-dstmask', rule.hashlimit_dstmask)} \
${optional('--hashlimit-htable_size', rule.hashlimit_htable_size)} \
${optional('--hashlimit-htable_max', rule.hashlimit_htable_max)} \
${optional('--hashlimit-htable_expire', rule.hashlimit_htable_expire)} \
${optional('--hashlimit-htable_gcinterval', rule.hashlimit_htable_gcinterval)} \
${optional('--helper', rule.helper)} \
${optional('--icmp-type', rule.icmp_type)} \
${optional('--src-range', rule.src_range)} \
${optional('--dst-range', rule.dst_range)} \
${optional('--length', rule.length)} \
${optional('--limit', rule.limit)} \
${optional('--limit-burst', rule.limit_burst)} \
${optional('--mac-source', rule.mac_source)} \
${optional('--ports', rule.ports)} \
${optional('--uid-owner', rule.uid_owner)} \
${optional('--gid-owner', rule.gid_owner)} \
${optional('--socket-exists', rule.socket_exists)} \
${optional('--physdev-in', rule.physdev_in)} \
${optional('--physdev-out', rule.physdev_out)} \
${optional('--physdev-is-in', rule.physdev_is_in)} \
${optional('--physdev-is-out', rule.physdev_is_out)} \
${optional('--physdev-is-bridged', rule.physdev_is_bridged)} \
${optional('--pkg-type', rule.pkg_type)} \
${optional('--dir', rule.dir_)} \
${optional('--pol', rule.pol)} \
${optional('--strict', rule.strict)} \
${optional('--reqid', rule.reqid)} \
${optional('--spi', rule.spi)} \
${optional('--proto', rule.proto)} \
${optional('--mode', rule.mode)} \
${optional('--tunnel-src', rule.tunnel_src)} \
${optional('--tunnel-dst', rule.tunnel_dst)} \
${optional('--next', rule.next)} \
${optional('--quota', rule.quota)} \
${optional('--realm', rule.realm)} \
${optional('--name', rule.name)} \
${optional('--set', rule.set_)} \
${optional('--rcheck', rule.rcheck)} \
${optional('--update', rule.update)} \
${optional('--remove', rule.remove)} \
${optional('--seconds', rule.seconds)} \
${optional('--hitcount', rule.hitcount)} \
${optional('--rttl', rule.rttl)} \
${optional('--rsource', rule.rsource)} \
${optional('--rdest', rule.rdest)} \
${optional('--chunk-types', rule.chunk_types)} \
${optional('--state', rule.state)} \
${optional('--probability', rule.probability)} \
${optional('--every', rule.every)} \
${optional('--packet', rule.packet)} \
${optional('--algo', rule.algo)} \
${optional('--from', rule.from_)} \
${optional('--to', rule.to)} \
${optional('--string', rule.string)} \
${optional('--hex-string', rule.hex_string)} \
${optional('--tcp-flags', rule.tcp_flags)} \
${optional('--syn', rule.syn)} \
${optional('--tcp-option', rule.tcp_option)} \
${optional('--mss', rule.mss)} \
${optional('--datestart', rule.datestart)} \
${optional('--datestop', rule.datestop)} \
${optional('--timestart', rule.timestart)} \
${optional('--timestop', rule.timestop)} \
${optional('--monthdays', rule.monthdays)} \
${optional('--weekdays', rule.weekdays)} \
${optional('--utc', rule.utc)} \
${optional('--localtz', rule.localtz)} \
${optional('--tos', rule.tos)} \
${optional('--ttl-eq', rule.ttl_eq)} \
${optional('--ttl-gt', rule.ttl_gt)} \
${optional('--ttl-lt', rule.ttl_lt)} \
${optional('--u32', rule.u32)} \
${optional('--set-class', rule.set_class)} \
${optional('--new', rule.new)} \
${optional('--hashmode', rule.hashmode)} \
${optional('--clustermac', rule.clustermac)} \
${optional('--total-nodes', rule.total_nodes)} \
${optional('--local-nodes', rule.local_nodes)} \
${optional('--hash-init', rule.hash_init)} \
${optional('--set-xmark', rule.set_xmark)} \
${optional('--save-mark', rule.save_mark)} \
${optional('--restore-mark', rule.restore_mark)} \
${optional('--and-mark', rule.and_mark)} \
${optional('--or-mark', rule.or_mark)} \
${optional('--xor-mark', rule.xor_mark)} \
${optional('--to-destination', rule.to_destination)} \
${optional('--random', rule.random)} \
${optional('--set-dscp', rule.set_dscp)} \
${optional('--set-dscp-class', rule.set_dscp_class)} \
${optional('--ecn-tcp-remove', rule.ecn_tcp_remove)} \
${optional('--log-level', rule.log_level)} \
${optional('--log-prefix', rule.log_prefix)} \
${optional('--log-tcp-sequence', rule.log_tcp_sequence)} \
${optional('--log-tcp-options', rule.log_tcp_options)} \
${optional('--log-ip-options', rule.log_ip_options)} \
${optional('--log-uid', rule.log_uid)} \
${optional('--to-ports', rule.to_ports)} \
${optional('--nflog-group', rule.nflog_group)} \
${optional('--nflog-prefix', rule.nflog_prefix)} \
${optional('--nflog-range', rule.nflog_range)} \
${optional('--nflog-threshold', rule.nflog_threshold)} \
${optional('--queue-num', rule.queue_num)} \
${optional('--ratetest-name', rule.ratetest_name)} \
${optional('--ratetest-interval', rule.ratetest_interval)} \
${optional('--ratetest-ewmalog', rule.ratetest_ewmalog)} \
${optional('--nodst', rule.nodst)} \
${optional('--selectx', rule.selectx)} \
${optional('--add-set', rule.add_set)} \
${optional('--del-set', rule.del_set)} \
${optional('--to-source', rule.to_source)} \
${optional('--set-mss', rule.set_mss)} \
${optional('--clamp-mss-to-pmtu', rule.clamp_mss_to_pmtu)} \
${optional('--strip-options', rule.strip_options)} \
${optional('--set-tos', rule.set_tos)} \
${optional('--and-tos', rule.and_tos)} \
${optional('--or-tos', rule.or_tos)} \
${optional('--xor-tos', rule.xor_tos)} \
${optional('--ttl-set', rule.ttl_set)} \
${optional('--ttl-dec', rule.ttl_dec)} \
${optional('--ttl-inc', rule.ttl_inc)} \
${optional('--ulog-nlgroup', rule.ulog_nlgroup)} \
${optional('--ulog-prefix', rule.ulog_prefix)} \
${optional('--ulog-cprange', rule.ulog_cprange)} \
${optional('--ulog-qthreshold', rule.ulog_qthreshold)} \
${optional('--ipp2p', rule.ipp2p)} \
${optional('--edk', rule.edonkey)} \
${optional('--kazaa', rule.kazaa)} \
${optional('--gnu', rule.gnutella)} \
${optional('--dc', rule.directconnect)} \
${optional('--bit', rule.bittorrent)} \
${optional('--apple', rule.apple)} \
${optional('--winmx', rule.winmx)} \
${optional('--soul', rule.soulseek)} \
${optional('--ares', rule.ares)} \
-j ${rule.target|s} \
${optional('--reject-with', rule.reject_with)}
## TODO: Finish writing all these switches (and figure out if they need to go in a certain order)
%endfor

Returns the iptables command line that can be used to apply the rule. Takes ‘output_template’ as an argument which is the Mako template to be used when producing the iptables line.

Why use a different template? The default template has logic in it to cover just about every permutation of an iptables rule. If you know ahead of time that your rules will only contain a specific subset of command-line switches, you can use a template with fewer permutations to speed up the process considerably.
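An added example of the reduced-template idea, written for this page; it is not PyCI's code and does not use Mako: a fixed subset of switches is rendered directly in Python with the same optional() contract as the default template (nothing for None, the bare switch for True, switch plus value otherwise). It settles two things the default template leaves open, as its own TODO notes: the switch order matters to iptables (-p or -m must be loaded before the options those matches provide, and target options follow -j), and every value must be shell-quoted before the line is handed to a shell, otherwise a comment or log prefix containing a quote or ';' ends the argument early. iptables_argv() sidesteps the shell entirely. One caveat on the default template: it tests isinstance(match, list) rather than rule.match, so check list-valued matches with whatever template you use. The Rule class, the switch lists and the sample rules are this example's assumptions, and it uses the iptables spellings --in-interface and --dport.

```python
"""Render rules to iptables command lines for a fixed subset of switches
(added example; not PyCI's code and not its default Mako template)."""
import shlex
from dataclasses import dataclass
from typing import Optional, Union

# Attribute -> switch, in the order iptables wants them: -p/-m must precede the
# options those matches provide (--dport needs -p tcp loaded first) and target
# options must follow -j.
MATCH_SWITCHES = [
    ("protocol", "--protocol"), ("in_interface", "--in-interface"),
    ("out_interface", "--out-interface"), ("source", "--source"),
    ("destination", "--destination"), ("destination_port", "--dport"),
    ("match", "--match"), ("ctstate", "--ctstate"), ("comment", "--comment"),
]
TARGET_SWITCHES = [("reject_with", "--reject-with"), ("log_prefix", "--log-prefix")]


@dataclass
class Rule:
    table: str
    chain: str
    target: str
    ruleno: Optional[int] = None
    protocol: Optional[str] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    source: Optional[str] = None
    destination: Optional[str] = None
    destination_port: Optional[str] = None
    match: Union[None, str, list] = None   # one module name or a list of them
    ctstate: Optional[str] = None
    comment: Optional[str] = None
    reject_with: Optional[str] = None
    log_prefix: Optional[str] = None


def optional(switch, value):
    """Same contract as the template's optional(): nothing for None, the bare
    switch for True, otherwise switch and value; a list repeats the switch."""
    if value is None:
        return []
    if value is True:
        return [switch]
    argv = []
    for item in value if isinstance(value, list) else [value]:
        argv += [switch, str(item)]
    return argv


def iptables_argv(rule):
    """argv for one rule, suitable for subprocess.run(argv) with no shell."""
    argv = ["iptables", "-t", rule.table]
    argv += ["-I", rule.chain, str(rule.ruleno)] if rule.ruleno else ["-A", rule.chain]
    for attr, switch in MATCH_SWITCHES:
        argv += optional(switch, getattr(rule, attr))
    argv += ["-j", rule.target]
    for attr, switch in TARGET_SWITCHES:
        argv += optional(switch, getattr(rule, attr))
    return argv


def iptables_line(rule):
    """One shell line per rule. Every value is shell-quoted, so a comment or
    log prefix containing spaces, quotes or ';' stays inside its argument."""
    return " ".join(shlex.quote(arg) for arg in iptables_argv(rule))


def iptables_lines(rules):
    return "\n".join(iptables_line(rule) for rule in rules)


# Constructed sample rules.
SAMPLE_RULES = [
    Rule("filter", "INPUT", "ACCEPT", in_interface="lo"),
    Rule("filter", "INPUT", "ACCEPT", match="conntrack", ctstate="RELATED,ESTABLISHED"),
    Rule("filter", "INPUT", "ACCEPT", ruleno=3, protocol="tcp", source="10.0.0.0/8",
         destination_port="22", match="comment", comment="ssh from office; audited 2024"),
    Rule("filter", "INPUT", "REJECT", protocol="tcp", destination_port="23",
         reject_with="tcp-reset"),
]

if __name__ == "__main__":
    print(iptables_lines(SAMPLE_RULES))
```

Prefer iptables_argv() when the caller is a Python process: passing the list to subprocess without a shell removes the quoting question altogether, and iptables_line() is then only needed for writing a script such as /etc/firewall.user.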

update(*dictionary)
Just an alias for self.__dict__.update()
class Table(name, chains=[])

Class to store one iptables table (one of ‘filter’, ‘nat’, ‘mangle’ or ‘raw’) and its Chain objects

append_chain(chain)
Appends the given Chain object to self.chains
parse_iptables_args(args)
Parses iptables arguments ‘args’ (which should be the equivalent of sys.argv[1:]) and returns the options as produced by OptionParser.
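An added example covering parse_iptables_args() and the command lines that parse_config_file() reads from self.filepath; it is not PyCI's code (PyCI returns OptionParser options, this version uses argparse and returns a (Namespace, unknown) pair). The switch subset, the constructed firewall.user text and parse_config_file_text() are this example's assumptions. Two details worth keeping when writing such a parser: abbreviation matching is turned off so a switch the subset does not know cannot be silently matched to a similar one, and unknown switches are returned rather than dropped, so a rule using an unmodelled module is visible in the round trip.

```python
"""Parse iptables command lines from a firewall.user-style script back into
option objects (added example; PyCI's parse_iptables_args uses OptionParser,
this argparse version is not its code)."""
import argparse
import shlex


def build_parser():
    # allow_abbrev=False: otherwise argparse would accept prefixes such as
    # "--dest" for "--destination" and reinterpret unknown switches.
    p = argparse.ArgumentParser(prog="iptables", add_help=False, allow_abbrev=False)
    p.add_argument("-t", "--table", default="filter")
    cmd = p.add_mutually_exclusive_group(required=True)
    cmd.add_argument("-A", "--append", metavar="CHAIN")
    cmd.add_argument("-I", "--insert", nargs="+", metavar=("CHAIN", "RULENUM"))
    cmd.add_argument("-D", "--delete", metavar="CHAIN")
    cmd.add_argument("-P", "--policy", nargs=2, metavar=("CHAIN", "TARGET"))
    p.add_argument("-p", "--protocol")
    p.add_argument("-s", "--source")
    p.add_argument("-d", "--destination")
    p.add_argument("-i", "--in-interface")
    p.add_argument("-o", "--out-interface")
    p.add_argument("-m", "--match", action="append")
    p.add_argument("--dport", "--destination-port")
    p.add_argument("--sport", "--source-port")
    p.add_argument("--ctstate")
    p.add_argument("--comment")
    p.add_argument("-j", "--jump")
    p.add_argument("--reject-with")
    return p


PARSER = build_parser()


def parse_iptables_args(args):
    """args is the list after 'iptables' (the sys.argv[1:] equivalent).
    Returns (options, unknown): switches this subset does not model are
    reported rather than silently dropped."""
    return PARSER.parse_known_args(args)


def parse_config_file_text(text):
    """Return [(options, unknown), ...] for every iptables line in a shell-style
    script. Backslash continuations are joined first; shlex then handles quoting
    and '#' comments, and lines that are not iptables commands are skipped."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens and tokens[0] == "iptables":
            rules.append(parse_iptables_args(tokens[1:]))
    return rules


# Constructed sample of what /etc/firewall.user might hold.
FIREWALL_USER = """\
# default deny, then explicit allows
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT \\
    -m conntrack --ctstate RELATED,ESTABLISHED \\
    -j ACCEPT
iptables -t filter -I INPUT 3 -p tcp -s 10.0.0.0/8 --dport 22 \\
    -m comment --comment 'ssh from office; audited 2024' -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -m recent --name ssh --set -j ACCEPT
"""

if __name__ == "__main__":
    for opts, unknown in parse_config_file_text(FIREWALL_USER):
        print(vars(opts), unknown)
```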
