IPTables::Rule - Perl extension for holding iptables rule information in objects.
use IPTables::Rule; my $ipt_rule = new IPTables::Rule ; $ipt_rule->chain('INPUT'); $ipt_rule->source('192.168.0.0/24'); $ipt_rule->protocol('tcp'); $ipt_rule->dport('22'); $ipt_rule->target('ACCEPT'); $ipt_rule->comment('accept ssh from lan'); print $ipt_rule->generate;
This package provides a way to build/store iptables rules in objects. It deals with ONLY individual rules; no attention it given to the overall structure of the ruleset (see IPTables::IPv4 or IPTables::IPv6 for that).
Once all your criteria has been set, you can call the generate method to convert the set criteria into an iptables command line string.
generate
Methods return a value for success, or undef for failure. Errors are availabe using the errstr method:
errstr
$ipt_rule->chain('INPUT') or print $ipt_rule->errstr;
Create a new object to hold a rule.
When you call "generate", the returned output will prefix with the generic string 'iptables'. Use ip4binary method to change this to something more appropriate. For example, to use an absolute path:
ip4binary
$ipt_rule->ip4binary('/usr/bin/iptables');
When you call "generate", the returned output will prefix with the generic string 'ip6tables'. Use ip4binary method to change this to something more appropriate. For example, to use an absolute path:
$ipt_rule->ip6binary('/usr/bin/ip6tables');
The default action for a new rule is append (-A). Use this method to change this to any other valid iptables action. See "Options/Commands" in iptables(8) for valid actions.
Syntax is to supply the capitalized short flag:
$ipt_rule->iptaction('-I'); # Change iptables action to 'Insert' $ipt_rule->iptaction('-Z'); # Change iptables action to 'Zero Counters'
Returns a hash-ref of the current rule details.
my $hashref = $ipt_rule->dump();
Defaults to IPv4 (ie, iptables). Valid options are '4' for IPv4/iptables, or '6' for IPv6/ip6tables.
$ipt_rule->ipversion('6');
Set the table this rule applies to. By default, this is the 'filter' table. Valid options depend on the ipversion:
IPv4: filter, nat, mangle or raw
IPv6: filter, mangle or raw
Set which chain (within "Table") this rule applies to. Can be either an inbuilt (eg, INPUT, FORWARD, OUTPUT etc) for a user-created chain.
Remember that IPTables::Rule ONLY deals with individual rules so it is unable to validate what you provide here (ie, that the chain already exists)
The chain or action this rule should 'Jump' (-j) to if it is matched.
$ipt_rule->target('ACCEPT');
Protocol to match against.
$ipt_rule->proto('tcp');
The input interface to match. Opposite of "out".
$ipt_rule->in('eth0');
The output interface to match. Opposite of "in".
$ipt_rule->out('eth1');
Source address this rule is to match. Opposite of "destination". See "VALID INET ADDRESSES" for valid values.
$ipt_rule->source('www.example.com'); $ipt_rule->source('192.168.1.0/24'); $ipt_rule->source('fe80::4dc1:e674:f5e4:a74f');
Destination address this rule is to match. Opposite of "source". See "VALID INET ADDRESSES" for valid values.
$ipt_rule->destination('www.example.com'); $ipt_rule->destination('192.168.1.0/24'); $ipt_rule->destination('fe80::4dc1:e674:f5e4:a74f');
Destination Port to match. Opposite of "spt". See "VALID INET PORTS" for valid values.
Protocol must be set to either 'tcp' or 'udp' for this to be valid at "Generate" time.
$ipt_rule->dpt('http'); $ipt_rule->dpt('http,https'); $ipt_rule->dpt('20:21');
Source Port to match. Opposite of "dpt". See "VALID INET PORTS" for valid values.
$ipt_rule->spt('http'); $ipt_rule->spt('http,https'); $ipt_rule->spt('20:21');
Source MAC Address to match against.
$ipt_rule->mac('6c:f0:49:e8:64:2a');
Match the incoming packet against the state of the connection as tracked by the kernel connection tracking. Valid options are:
NEW
ESTABLISHED
RELATED
INVALID
UNTRACKED
$ipt_rule->state('new');
Set a rate-limit for how often this rule will match. Syntax is number/period where number is an integer for how often, and period is the time period to count against. Valid options for period are second, minute, hour and day.
number
period
second
minute
hour
day
$ipt_rule->limit('3/second'); $ipt_rule->limit('30/minute'); # average 1 every 2 seconds $ipt_rule->limit('24/day'); # average 1 per hour
Specify the ICMP type (and optionally sub-type) to match against. Protocol must be set to 'icmp' (or 'icmpv6' for IPv6) to use this method. For valid types, run iptables -m icmp --help
iptables -m icmp --help
Type and sub-type can be passed either numerically or named. If specifying a sub-type, it must be separated with a forward slash ('/').
$ipt_rule->icmp_type('echo-request'); $ipt_rule->icmp_type('redirect/host-redirect'); $ipt_rule->icmp_type('3'); $ipt_rule->icmp_type('3/1');
When you set "target" to the inbuilt LOG target, use this method to define what the log entries will be prefixed with.
$ipt_rule->logprefix('[SSH PACKET] ');
Add a comment to the rule to accompany it when viewing rules in iptables output
$ipt_rule->comment('This rule allows SSH traffic');
Returns the "compiled" rule in iptables command line syntax after performing some validation on the rule criteria.
print $ipt_rule->generate();
When passing addresses, valid input can be one of the following:
A Fully Qualified Domain Name (FQDN) (eg, www.example.com)
www.example.com
An IPv4 Address (eg, 192.168.1.1)
192.168.1.1
An IPv4 Address and CIDR (eg, 192.168.1.0/24)
192.168.1.0/24
An IPv4 Address Range (eg, 192.168.1.1-192.168.1.9)
192.168.1.1-192.168.1.9
An IPv6 Address (eg, fe80::4dc1:e674:f5e4:a74f)
fe80::4dc1:e674:f5e4:a74f
An IPv6 Address and CIDR (eg, fe80::4dc1:e674:f5e4:a74f/10)
fe80::4dc1:e674:f5e4:a74f/10
An IPv6 Address Range (eg, fe80::4dc1:e674:f5e4:0000-fe80::4dc1:e674:f5e4:ffff)
fe80::4dc1:e674:f5e4:0000-fe80::4dc1:e674:f5e4:ffff
When specifying destination or source ports, valid input can be one of the following:
A numeric port (eg, 80)
A named port (eg, http)
A numeric port range, colon separated (eg, 20:21)
A named port range, colon separated (eg, ftp-data:ftp)
A list of comma separated numeric ports (eg, 25,110,143)
A list of comma separated named ports (eg, smtp,pop3,imap)
NOTE: When using named ports, iptables/ip6tables will attempt to resolve them using the file /etc/services so valid named ports must exist within this file.
Add 'ip6binary' method, and fix bug in output with src/dst ports.
Allow multiple states to be used (comma-delimed). Typo fixed in function call.
Original version; created by h2xs 1.23
iptables
Phillip Smith, <fukawi2@gmail.com>
Copyright (C) 2011-2016 by Phillip Smith
This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.14.2 or, at your option, any later version of Perl 5 you may have available.
To install IPTables::Rule, copy and paste the appropriate command in to your terminal.
cpanm
cpanm IPTables::Rule
CPAN shell
perl -MCPAN -e shell install IPTables::Rule
For more information on module installation, please visit the detailed CPAN module installation guide.