NAME
IPTables::Rule - Perl extension for holding iptables rule information in objects.
SYNOPSIS
use IPTables::Rule;
my $ipt_rule = new IPTables::Rule ;
$ipt_rule->chain('INPUT');
$ipt_rule->source('192.168.0.0/24');
$ipt_rule->protocol('tcp');
$ipt_rule->dport('22');
$ipt_rule->target('ACCEPT');
$ipt_rule->comment('accept ssh from lan');
print $ipt_rule->generate;
DESCRIPTION
This package provides a way to build/store iptables rules in objects. It deals with ONLY individual rules; no attention it given to the overall structure of the ruleset (see IPTables::IPv4 or IPTables::IPv6 for that).
Once all your criteria has been set, you can call the generate
method to convert the set criteria into an iptables command line string.
METHODS
Methods return a value for success, or undef for failure. Errors are availabe using the errstr
method:
$ipt_rule->chain('INPUT') or print $ipt_rule->errstr;
new
Create a new object to hold a rule.
ip4binary
When you call "generate", the returned output will prefix with the generic string 'iptables'. Use ip4binary
method to change this to something more appropriate. For example, to use an absolute path:
$ipt_rule->ip4binary('/usr/bin/iptables');
ip6binary
When you call "generate", the returned output will prefix with the generic string 'ip6tables'. Use ip4binary
method to change this to something more appropriate. For example, to use an absolute path:
$ipt_rule->ip6binary('/usr/bin/ip6tables');
iptaction
The default action for a new rule is append (-A). Use this method to change this to any other valid iptables action. See "Options/Commands" in iptables(8) for valid actions.
Syntax is to supply the capitalized short flag:
$ipt_rule->iptaction('-I'); # Change iptables action to 'Insert'
$ipt_rule->iptaction('-Z'); # Change iptables action to 'Zero Counters'
dump
Returns a hash-ref of the current rule details.
my $hashref = $ipt_rule->dump();
ipversion
Defaults to IPv4 (ie, iptables). Valid options are '4' for IPv4/iptables, or '6' for IPv6/ip6tables.
$ipt_rule->ipversion('6');
table
Set the table this rule applies to. By default, this is the 'filter' table. Valid options depend on the ipversion:
IPv4: filter, nat, mangle or raw
IPv6: filter, mangle or raw
chain
Set which chain (within "Table") this rule applies to. Can be either an inbuilt (eg, INPUT, FORWARD, OUTPUT etc) for a user-created chain.
Remember that IPTables::Rule ONLY deals with individual rules so it is unable to validate what you provide here (ie, that the chain already exists)
target
The chain or action this rule should 'Jump' (-j) to if it is matched.
$ipt_rule->target('ACCEPT');
proto
Protocol to match against.
$ipt_rule->proto('tcp');
in
The input interface to match. Opposite of "out".
$ipt_rule->in('eth0');
out
The output interface to match. Opposite of "in".
$ipt_rule->out('eth1');
source
Source address this rule is to match. Opposite of "destination". See "VALID INET ADDRESSES" for valid values.
$ipt_rule->source('www.example.com');
$ipt_rule->source('192.168.1.0/24');
$ipt_rule->source('fe80::4dc1:e674:f5e4:a74f');
destination
Destination address this rule is to match. Opposite of "source". See "VALID INET ADDRESSES" for valid values.
$ipt_rule->destination('www.example.com');
$ipt_rule->destination('192.168.1.0/24');
$ipt_rule->destination('fe80::4dc1:e674:f5e4:a74f');
dpt
Destination Port to match. Opposite of "spt". See "VALID INET PORTS" for valid values.
Protocol must be set to either 'tcp' or 'udp' for this to be valid at "Generate" time.
$ipt_rule->dpt('http');
$ipt_rule->dpt('http,https');
$ipt_rule->dpt('20:21');
spt
Source Port to match. Opposite of "dpt". See "VALID INET PORTS" for valid values.
Protocol must be set to either 'tcp' or 'udp' for this to be valid at "Generate" time.
$ipt_rule->spt('http');
$ipt_rule->spt('http,https');
$ipt_rule->spt('20:21');
mac
Source MAC Address to match against.
$ipt_rule->mac('6c:f0:49:e8:64:2a');
state
Match the incoming packet against the state of the connection as tracked by the kernel connection tracking. Valid options are:
NEW
ESTABLISHED
RELATED
INVALID
UNTRACKED
$ipt_rule->state('new');
limit
Set a rate-limit for how often this rule will match. Syntax is number/period where number
is an integer for how often, and period
is the time period to count against. Valid options for period
are second
, minute
, hour
and day
.
$ipt_rule->limit('3/second');
$ipt_rule->limit('30/minute'); # average 1 every 2 seconds
$ipt_rule->limit('24/day'); # average 1 per hour
icmp_type
Specify the ICMP type (and optionally sub-type) to match against. Protocol must be set to 'icmp' (or 'icmpv6' for IPv6) to use this method. For valid types, run iptables -m icmp --help
Type and sub-type can be passed either numerically or named. If specifying a sub-type, it must be separated with a forward slash ('/').
$ipt_rule->icmp_type('echo-request');
$ipt_rule->icmp_type('redirect/host-redirect');
$ipt_rule->icmp_type('3');
$ipt_rule->icmp_type('3/1');
logprefix
When you set "target" to the inbuilt LOG target, use this method to define what the log entries will be prefixed with.
$ipt_rule->logprefix('[SSH PACKET] ');
comment
Add a comment to the rule to accompany it when viewing rules in iptables output
$ipt_rule->comment('This rule allows SSH traffic');
generate
Returns the "compiled" rule in iptables command line syntax after performing some validation on the rule criteria.
print $ipt_rule->generate();
VALID INET ADDRESSES
When passing addresses, valid input can be one of the following:
A Fully Qualified Domain Name (FQDN) (eg,
www.example.com
)An IPv4 Address (eg,
192.168.1.1
)An IPv4 Address and CIDR (eg,
192.168.1.0/24
)An IPv4 Address Range (eg,
192.168.1.1-192.168.1.9
)An IPv6 Address (eg,
fe80::4dc1:e674:f5e4:a74f
)An IPv6 Address and CIDR (eg,
fe80::4dc1:e674:f5e4:a74f/10
)An IPv6 Address Range (eg,
fe80::4dc1:e674:f5e4:0000-fe80::4dc1:e674:f5e4:ffff
)
VALID INET PORTS
When specifying destination or source ports, valid input can be one of the following:
A numeric port (eg, 80)
A named port (eg, http)
A numeric port range, colon separated (eg, 20:21)
A named port range, colon separated (eg, ftp-data:ftp)
A list of comma separated numeric ports (eg, 25,110,143)
A list of comma separated named ports (eg, smtp,pop3,imap)
NOTE: When using named ports, iptables/ip6tables will attempt to resolve them using the file /etc/services so valid named ports must exist within this file.
HISTORY
- 0.03
-
Add 'ip6binary' method, and fix bug in output with src/dst ports.
- 0.02
-
Allow multiple states to be used (comma-delimed). Typo fixed in function call.
- 0.01
-
Original version; created by h2xs 1.23
SEE ALSO
AUTHOR
Phillip Smith, <fukawi2@gmail.com>
COPYRIGHT AND LICENSE
Copyright (C) 2011-2016 by Phillip Smith
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.14.2 or, at your option, any later version of Perl 5 you may have available.