The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.


IPTables::Mangle - Manage iptables rules with Perl / YAML


Given a config file, produces rules for iptables-restore.

Example YAML file, for ease of viewing:

       forward: { default: drop }
              - src:
              - src:
                action: drop
           # by default, do not allow any connections unless authorized
           # in the rules below
           default: drop

           # by default, if no "action" is given to a rule below, accept it
           default_rule_action: accept 

               # Accept all traffic on loopback interface
               - in-interface: lo

               # Don't disconnect existing connections during a rule change.
               - { match: state, state: 'ESTABLISHED,RELATED' }

               # Allow for pings (no more than 10 a second)
               - { protocol: icmp, icmp-type: 8, match: limit, limit: 10/sec }

               # Allow these IPs, no matter what
               - src:

               # example of blocking an IP 
               - { action: drop, src: }

               # example of allowing ip to connect to port 25 (smtp) (one-line)
               - { protocol: tcp, dport: 25, src: }

               # jump to rules defined in "foo" above
               - action: foo

               # if there are no more rules, reject the connection with icmp, don't just let it hang
               - action: reject
                     reject-with: icmp-admin-prohibited


This module allows for the management of iptables rules with Perl / YAML.


The top hashref is the table for iptables, this can be either mangle, nat, or filter.


The hashref under the top hashref is the chain name. For system chains the default chainrule can be set by setting a default hashref in the chain.

$VAR1->{filter}{input} would be the input chain for the filter table.


Chainrules live in a 'rules' arrayref under the chain, $VAR1->{filter}{input}{rules}, for example.

Every rule in the chain is a hashref which builds a rule. By default, the jump in the rules, referenced as 'action' in a rule, is set to accept. The default action can be modified by changing 'default_rule_action' in the chain. Every key in the rule's hashref represents a parameter prefixed by two dashes, '--', in an iptables rule. Two things to note here are that 'action' in a rule really maps to 'jump' in iptables, and a special action_options key exists, which references a hashref, which appends options after the iptables jump. This is useful for things like setting '--reject-with' after a jump to reject.

Examples of a chain rule:

# by default, allow this ip

$VAR1->{filter}{input}{rules}[0] = { src => '' } ;

# allow this ip on port 25 tcp, using accept default

$VAR1->{filter}{input}{rules}[1] = { protocol: 'tcp', dport: 25, src => '' } ;

# make it explicit

$VAR1->{filter}{input}{rules}[2] = { protocol: 'tcp', dport: 25, src => '', action => 'accept' } ;

# blacklist an ip

$VAR1->{filter}{input}{rules}[3] = { src => '', action => 'drop' } ;

# reject with icmp message

$VAR1->{filter}{input}{rules}[-1] = { action => 'reject', action_options => { reject-with: 'icmp-admin-prohibited', }, };



Given a hashref, produces rules usable by iptables-restore.

Returns one string.


Bizowie <>


Copyright (C) 2013 Bizowie

This library is free software. You can redistribute it and/or modify it under the same terms as Perl itself.