NAME
Rex::Commands::Iptables - Iptable Management Commands
DESCRIPTION
With this Module you can manage basic Iptables rules.
In versions <= 1.0, none of these functions are reported.
Only open_port and close_port are idempotent.
SYNOPSIS
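task "firewall", sub {
    # Remove all existing iptables rules before building the new set.
    iptables_clear;

    # Open ports for inbound connections: a single port, a list of ports,
    # or a list of ports limited to one interface via the option hashref.
    open_port 22;
    open_port [22, 80] => {
        dev => "eth0",
    };

    # Close ports for inbound connections. NOTE(review): "all" presumably
    # closes every port — confirm against the module.
    close_port 22 => {
        dev => "eth0",
    };
    close_port "all";

    # Redirect a local port to another local port, optionally on one interface.
    redirect_port 80 => 10080;
    redirect_port 80 => {
        dev => "eth0",
        to  => 10080,
    };

    # Default state rules, globally or for the given device.
    default_state_rule;
    default_state_rule dev => "eth0";

    # Make this host a NAT gateway on the device the default route points to.
    is_nat_gateway;

    # Raw iptables call using short option names.
    iptables t => "nat", A => "POSTROUTING", o => "eth0", j => "MASQUERADE";

    # The 'iptables' function also accepts long options,
    # however, options with dashes need to be quoted.
    # FIX: the original example passed 'accept' here; iptables has no
    # --accept option — the long form of -A is --append, as used in the
    # long-form example under iptables(@params) below.
    iptables table => "nat", append => "POSTROUTING", "out-interface" => "eth0", jump => "MASQUERADE";

    # Version of IP can be specified in the first argument
    # of any function: -4 or -6 (defaults to -4)
    iptables_clear -6;
    open_port -6, [22, 80];
    close_port -6, "all";
    redirect_port -6, 80 => 10080;
    default_state_rule -6;
    iptables -6, "flush";
    iptables -6,
        t     => "filter",
        A     => "INPUT",
        i     => "eth0",
        m     => "state",
        state => "RELATED,ESTABLISHED",
        j     => "ACCEPT";
};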
EXPORTED FUNCTIONS
open_port($port, $option)
Open a port for inbound connections.
task "firewall", sub {
    # A single port, a list of ports, or a list of ports limited to one
    # interface ("dev") are all accepted.
    open_port 22;
    open_port [22, 80];
    open_port [22, 80],
        dev => "eth1";
};
task "firewall", sub {
    # only_if => "cmd": NOTE(review): presumably the rule is applied only
    # when this command succeeds on the managed host — confirm against the
    # Rex documentation of only_if.
    open_port 22,
        dev     => "eth1",
        only_if => "test -f /etc/firewall.managed";
};
close_port($port, $option)
Close a port for inbound connections.
task "firewall", sub {
    # Same argument shapes as open_port: one port, a list, or a list with
    # options ("dev" names the interface, only_if guards the change).
    close_port 22;
    close_port [22, 80];
    close_port [22, 80],
        dev     => "eth0",
        only_if => "test -f /etc/firewall.managed";
};
redirect_port($in_port, $option)
Redirect $in_port to another local port.
task "redirects", sub {
    # Scalar second argument: the local port to redirect to.
    redirect_port 80 => 10080;

    # Hashref second argument: "to" is the target port, "dev" names the
    # interface the redirect applies to.
    redirect_port 80 => {
        to  => 10080,
        dev => "eth0",
    };
};
iptables(@params)
Write standard iptables commands.
Note that there is a short form for the iptables --flush
option: when you pass -F or "flush"
as the only argument, the command iptables -F
is run on the connected host. With the two-argument form of flush
shown in the examples below, the second argument is the table you want to flush.
task "firewall", sub {
    # Short options: each key is an iptables option letter.
    iptables t => "nat", A => "POSTROUTING", o => "eth0", j => "MASQUERADE";

    # NOTE(review): unlike the SYNOPSIS version of this rule, no chain
    # command (A => "INPUT") is given; iptables itself requires one, so
    # confirm whether the module supplies a default before relying on this.
    iptables t => "filter", i => "eth0", m => "state", state => "RELATED,ESTABLISHED", j => "ACCEPT";

    # Short form: runs 'iptables -F' on the connected host.
    # NOTE(review): the original comment said this "flushes all tables";
    # plain iptables -F without -t only flushes the chains of the filter table.
    iptables "flush";
    iptables -F;

    # flush only the "filter" table
    iptables flush => "filter";
    iptables -F => "filter";
};
# Note: options with dashes "-" need to be quoted to escape them from Perl
task "long_form_firewall", sub {
    # Long options: each key is the iptables --long-option name without dashes.
    iptables
        table           => "nat",
        append          => "POSTROUTING",
        "out-interface" => "eth0",
        jump            => "MASQUERADE";

    # NOTE(review): as in the short-form example, this rule names no chain
    # command (append => "INPUT"); confirm whether the module supplies one.
    iptables
        table          => "filter",
        "in-interface" => "eth0",
        match          => "state",
        state          => "RELATED,ESTABLISHED",
        jump           => "ACCEPT";
};
is_nat_gateway
This function creates a NAT gateway for the device the default route points to.
task "make-gateway", sub {
    # IPv4 gateway (the default), then the IPv6 equivalent.
    is_nat_gateway;
    is_nat_gateway -6;
};
default_state_rule(%option)
Set the default state rules for the given device.
task "firewall", sub {
    # Default state rules for eth0 only.
    default_state_rule(
        dev => "eth0"
    );
};
iptables_list
List all iptables rules.
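task "list-iptables", sub {
    # Dumper (from Data::Dumper, which the Rexfile must load) returns the
    # dump as a string and does not print it; the original example called it
    # in void context, so nothing was shown.
    print Dumper( iptables_list );
    print Dumper( iptables_list(-6) );
};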
iptables_clear
Remove all iptables rules.
task "no-firewall", sub {
    # Remove all iptables rules; per the DESCRIPTION only open_port and
    # close_port are idempotent, so this call is not tracked that way.
    iptables_clear;
};