IPTables::Mangle - Manage iptables rules with Perl / YAML
Given a config file, produces rules for iptables-restore.
Example YAML file, for ease of viewing:
filter: forward: { default: drop } foo: rules: - src: 9.9.9.9 - src: 10.10.10.10 action: drop input: # by default, do not allow any connections unless authorized # in the rules below default: drop # by default, if no "action" is given to a rule below, accept it default_rule_action: accept rules: # Accept all traffic on loopback interface - in-interface: lo # Don't disconnect existing connections during a rule change. - { match: state, state: 'ESTABLISHED,RELATED' } # Allow for pings (no more than 10 a second) - { protocol: icmp, icmp-type: 8, match: limit, limit: 10/sec } # Allow these IPs, no matter what - src: 123.123.123.123 # example of blocking an IP - { action: drop, src: 8.8.8.8 } # example of allowing ip to connect to port 25 (smtp) (one-line) - { protocol: tcp, dport: 25, src: 4.2.2.2 } # jump to rules defined in "foo" above - action: foo # if there are no more rules, reject the connection with icmp, don't just let it hang - action: reject action_options: reject-with: icmp-admin-prohibited
This module allows for the management of iptables rules with Perl / YAML.
The top hashref is the table for iptables, this can be either mangle, nat, or filter.
The hashref under the top hashref is the chain name. For system chains the default chainrule can be set by setting a default hashref in the chain.
$VAR1->{filter}{input} would be the input chain for the filter table.
Chainrules live in a 'rules' arrayref under the chain, $VAR1->{filter}{input}{rules}, for example.
Every rule in the chain is a hashref which builds a rule. By default, the jump in the rules, referenced as 'action' in a rule, is set to accept. The default action can be modified by changing 'default_rule_action' in the chain. Every key in the rule's hashref represents a parameter prefixed by two dashes, '--', in an iptables rule. Two things to note here are that 'action' in a rule really maps to 'jump' in iptables, and a special action_options key exists, which references a hashref, which appends options after the iptables jump. This is useful for things like setting '--reject-with' after a jump to reject.
Examples of a chain rule:
# by default, allow this ip
$VAR1->{filter}{input}{rules}[0] = { src => '10.10.10.10' } ;
# allow this ip on port 25 tcp, using accept default
$VAR1->{filter}{input}{rules}[1] = { protocol: 'tcp', dport: 25, src => '10.10.10.10' } ;
# make it explicit
$VAR1->{filter}{input}{rules}[2] = { protocol: 'tcp', dport: 25, src => '10.10.10.10', action => 'accept' } ;
# blacklist an ip
$VAR1->{filter}{input}{rules}[3] = { src => '10.10.10.10', action => 'drop' } ;
# reject with icmp message
$VAR1->{filter}{input}{rules}[-1] = { action => 'reject', action_options => { reject-with: 'icmp-admin-prohibited', }, };
Given a hashref, produces rules usable by iptables-restore.
Returns one string.
Copyright 2011, 2012 Ohio-Pennsylvania Software, LLC.
This library is free software. You can redistribute it and/or modify it under the same terms as Perl itself.
Michael J. Flickinger, <mjflick@gnu.org>
<mjflick@gnu.org>
To install IPTables::Mangle, copy and paste the appropriate command in to your terminal.
cpanm
cpanm IPTables::Mangle
CPAN shell
perl -MCPAN -e shell install IPTables::Mangle
For more information on module installation, please visit the detailed CPAN module installation guide.