-
- Distribution: Rex
- Module version: v1.7.0
- Source (raw)
- Browse (raw)
- Changes
- Homepage
- How to Contribute
- Repository (git clone)
- Issues (173)
- Testers (168 / 1 / 13)
- Kwalitee
- 48.19% Coverage
- License: apache_2_0
- 24 month
- Download (308.08Kb) 0
- MetaCPAN Explorer
- Permissions
- Subscribe to distribution
- This version
- Latest version
NAME
Rex::Commands::Iptables - Iptable Management Commands
DESCRIPTION
With this Module you can manage basic Iptables rules.
Version <= 1.0: All these functions will not be reported.
Only open_port and close_port are idempotent.
SYNOPSIS
use Rex::Commands::Iptables;
task "firewall", sub {
iptables_clear;
open_port 22;
open_port [22, 80] => {
dev => "eth0",
};
close_port 22 => {
dev => "eth0",
};
close_port "all";
redirect_port 80 => 10080;
redirect_port 80 => {
dev => "eth0",
to => 10080,
};
default_state_rule;
default_state_rule dev => "eth0";
is_nat_gateway;
iptables t => "nat",
A => "POSTROUTING",
o => "eth0",
j => "MASQUERADE";
# The 'iptables' function also accepts long options,
# however, options with dashes need to be quoted
iptables table => "nat",
accept => "POSTROUTING",
"out-interface" => "eth0",
jump => "MASQUERADE";
# Version of IP can be specified in the first argument
# of any function: -4 or -6 (defaults to -4)
iptables_clear -6;
open_port -6, [22, 80];
close_port -6, "all";
redirect_port -6, 80 => 10080;
default_state_rule -6;
iptables -6, "flush";
iptables -6,
t => "filter",
A => "INPUT",
i => "eth0",
m => "state",
state => "RELATED,ESTABLISHED",
j => "ACCEPT";
};EXPORTED FUNCTIONS
open_port($port, $option)
Open a port for inbound connections.
task "firewall", sub {
open_port 22;
open_port [22, 80];
open_port [22, 80],
dev => "eth1";
};
task "firewall", sub {
open_port 22,
dev => "eth1",
only_if => "test -f /etc/firewall.managed";
} ;close_port($port, $option)
Close a port for inbound connections.
task "firewall", sub {
close_port 22;
close_port [22, 80];
close_port [22, 80],
dev => "eth0",
only_if => "test -f /etc/firewall.managed";
};redirect_port($in_port, $option)
Redirect $in_port to another local port.
task "redirects", sub {
redirect_port 80 => 10080;
redirect_port 80 => {
to => 10080,
dev => "eth0",
};
};iptables(@params)
Write standard iptable comands.
Note that there is a short form for the iptables --flush option; when you pass the option of -F|"flush" as the only argument, the command iptables -F is run on the connected host. With the two argument form of flush shown in the examples below, the second argument is table you want to flush.
task "firewall", sub {
iptables t => "nat", A => "POSTROUTING", o => "eth0", j => "MASQUERADE";
iptables t => "filter", i => "eth0", m => "state", state => "RELATED,ESTABLISHED", j => "ACCEPT";
# automatically flushes all tables; equivalent to 'iptables -F'
iptables "flush";
iptables -F;
# flush only the "filter" table
iptables flush => "filter";
iptables -F => "filter";
};
# Note: options with dashes "-" need to be quoted to escape them from Perl
task "long_form_firewall", sub {
iptables table => "nat",
append => "POSTROUTING",
"out-interface" => "eth0",
jump => "MASQUERADE";
iptables table => "filter",
"in-interface" => "eth0",
match => "state",
state => "RELATED,ESTABLISHED",
jump => "ACCEPT";
};is_nat_gateway
This function creates a NAT gateway for the device the default route points to.
task "make-gateway", sub {
is_nat_gateway;
is_nat_gateway -6;
};default_state_rule(%option)
Set the default state rules for the given device.
task "firewall", sub {
default_state_rule(dev => "eth0");
};iptables_list
List all iptables rules.
task "list-iptables", sub {
print Dumper iptables_list;
print Dumper iptables_list -6;
};iptables_clear
Remove all iptables rules.
task "no-firewall", sub {
iptables_clear;
};
