NAME

IPTables::Mangle - Manage iptables rules with Perl / YAML

SYNOPSIS

Given a config file, produces rules for iptables-restore.

Example YAML file, for ease of viewing:

   filter:
       forward: { default: drop }
       foo:
           rules:
              - src: 9.9.9.9
              - src: 10.10.10.10
                action: drop
       input:
           # by default, do not allow any connections unless authorized
           # in the rules below
           default: drop

           # by default, if no "action" is given to a rule below, accept it
           default_rule_action: accept

           rules:
               # Accept all traffic on loopback interface
               - in-interface: lo

               # Don't disconnect existing connections during a rule change.
               - { match: state, state: 'ESTABLISHED,RELATED' }

               # Allow for pings (no more than 10 a second)
               - { protocol: icmp, icmp-type: 8, match: limit, limit: 10/sec }

               # Allow these IPs, no matter what
               - src: 123.123.123.123

               # example of blocking an IP
               - { action: drop, src: 8.8.8.8 }

               # example of allowing ip to connect to port 25 (smtp) (one-line)
               - { protocol: tcp, dport: 25, src: 4.2.2.2 }

               # jump to rules defined in "foo" above
               - action: foo

               # if there are no more rules, reject the connection with icmp, don't just let it hang
               - action: reject
                 action_options:
                     reject-with: icmp-admin-prohibited

DESCRIPTION

This module allows for the management of iptables rules with Perl / YAML.

TABLES

The keys of the top-level hashref are the iptables tables; each can be mangle, nat, or filter.

CHAINS

Each key under a table is a chain name, and its value is a hashref describing that chain. For system (built-in) chains, the chain's default policy is set with a 'default' entry in that hashref.

$VAR1->{filter}{input} would be the input chain for the filter table.

CHAIN RULES

Chain rules live in a 'rules' arrayref under the chain, for example $VAR1->{filter}{input}{rules}.

Every element of the 'rules' arrayref is a hashref from which one iptables rule is built. Each key in that hashref becomes a parameter prefixed with two dashes, '--', in the iptables rule. The jump target, referenced as 'action' in a rule, defaults to accept; this default can be changed with 'default_rule_action' in the chain. Two things to note: 'action' in a rule really maps to 'jump' in iptables, and the special 'action_options' key references a hashref whose entries are appended after the iptables jump. This is useful for options such as '--reject-with' following a jump to reject.

Examples of a chain rule:

   # by default, allow this ip
   $VAR1->{filter}{input}{rules}[0] = { src => '10.10.10.10' };

   # allow this ip on port 25 tcp, using the accept default
   $VAR1->{filter}{input}{rules}[1] = { protocol => 'tcp', dport => 25, src => '10.10.10.10' };

   # make it explicit
   $VAR1->{filter}{input}{rules}[2] = { protocol => 'tcp', dport => 25, src => '10.10.10.10', action => 'accept' };

   # blacklist an ip
   $VAR1->{filter}{input}{rules}[3] = { src => '10.10.10.10', action => 'drop' };

   # as the last rule, reject with an icmp message (assigning to [-1] would overwrite rule [3])
   $VAR1->{filter}{input}{rules}[4] = { action => 'reject', action_options => { 'reject-with' => 'icmp-admin-prohibited' } };
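As an added illustration (not the module's own code; the exact text IPTables::Mangle emits is not shown on this page), the following stand-alone Perl renders the hashref layout described above into iptables-restore format. The helpers chain_name, option_order and render_table are hypothetical, and the upper-casing of built-in chains and targets plus the placement of -p/-m before their module options are assumptions made here:

```perl
# Added illustration (not IPTables::Mangle's own code): render the documented hashref
# layout as iptables-restore text, applying the key conventions described above.
use strict; use warnings;

# Built-in chains/targets are upper-cased; a jump to a user-defined chain keeps its name.
sub chain_name {
    my ($name, $chains) = @_;
    return $name if exists $chains->{$name} and not defined $chains->{$name}{default};
    return uc($name);
}

# Assumption: emit -p / -m before the options those modules add (--state, --icmp-type).
sub option_order {
    my %rank = (protocol => 0, match => 1);
    return sort { ($rank{$a} // 2) <=> ($rank{$b} // 2) || $a cmp $b } @_;
}

sub render_table {
    my ($table, $chains) = @_;
    my @out = ("*$table");
    for my $chain (sort keys %$chains) {    # chain declarations first
        my $policy = $chains->{$chain}{default};      # 'default' -> chain policy
        push @out, sprintf(':%s %s [0:0]', chain_name($chain, $chains),
            defined($policy) ? uc($policy) : '-');
    }
    for my $chain (sort keys %$chains) {    # then the rules, in list order
        for my $rule (@{ $chains->{$chain}{rules} // [] }) {
            my %r    = %$rule;
            my $jump = delete($r{action}) // $chains->{$chain}{default_rule_action} // 'accept';
            my $opts = delete($r{action_options}) // {};   # appended after the jump
            push @out, join(' ', '-A', chain_name($chain, $chains),
                (map { ("--$_", $r{$_}) } option_order(keys %r)),
                '-j', chain_name($jump, $chains),
                (map { ("--$_", $opts->{$_}) } sort keys %$opts));
        }
    }
    return join("\n", @out, 'COMMIT') . "\n";
}

# Constructed config in the SYNOPSIS layout; prints an iptables-restore script.
my $config = { filter => {
    forward => { default => 'drop' },
    foo     => { rules => [ { src => '9.9.9.9' }, { src => '10.10.10.10', action => 'drop' } ] },
    input   => { default => 'drop', default_rule_action => 'accept', rules => [
        { 'in-interface' => 'lo' }, { match => 'state', state => 'ESTABLISHED,RELATED' },
        { protocol => 'icmp', 'icmp-type' => 8, match => 'limit', limit => '10/sec' },
        { action => 'foo' },
        { action => 'reject', action_options => { 'reject-with' => 'icmp-admin-prohibited' } },
    ] } } };
print render_table($_, $config->{$_}) for sort keys %$config;
```

The output declares ':foo - [0:0]', ':FORWARD DROP [0:0]' and ':INPUT DROP [0:0]' before any '-A' line, ending with 'COMMIT', so it can be checked with 'iptables-restore --test' before being applied.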

METHODS

process_config

Given a hashref, produces rules usable by iptables-restore.

Returns one string.

AUTHORS

Bizowie <http://bizowie.com>

COPYRIGHT AND LICENSE

Copyright (C) 2013 Bizowie

This library is free software. You can redistribute it and/or modify it under the same terms as Perl itself.