1 Rex::Commands::Iptables(3)        User Contributed Perl Documentation        Rex::Commands::Iptables(3)
2
3
4
6 Rex::Commands::Iptables - Iptables Management Commands
7
9 With this Module you can manage basic Iptables rules.
10
11 Version <= 1.0: none of these functions are reported.
12
13 Only open_port and close_port are idempotent; the other functions are not, so re-running a task that calls them may apply their rules again.
14
16 use Rex::Commands::Iptables;
17
18 task "firewall", sub {
19 iptables_clear;
20
21 open_port 22;
22 open_port [22, 80] => {
23 dev => "eth0",
24 };
25
26 close_port 22 => {
27 dev => "eth0",
28 };
29 close_port "all";
30
31 redirect_port 80 => 10080;
32 redirect_port 80 => {
33 dev => "eth0",
34 to => 10080,
35 };
36
37 default_state_rule;
38 default_state_rule dev => "eth0";
39
40 is_nat_gateway;
41
42 iptables t => "nat",
43 A => "POSTROUTING",
44 o => "eth0",
45 j => "MASQUERADE";
46
47 # The 'iptables' function also accepts long options,
48 # however, options with dashes need to be quoted
49 iptables table => "nat",
50 append => "POSTROUTING",
51 "out-interface" => "eth0",
52 jump => "MASQUERADE";
53
54 # The IP version can be given as the first argument
55 # of any function: -4 or -6 (defaults to -4)
56 iptables_clear -6;
57
58 open_port -6, [22, 80];
59 close_port -6, "all";
60 redirect_port -6, 80 => 10080;
61 default_state_rule -6;
62
63 iptables -6, "flush";
64 iptables -6,
65 t => "filter",
66 A => "INPUT",
67 i => "eth0",
68 m => "state",
69 state => "RELATED,ESTABLISHED",
70 j => "ACCEPT";
71 };
72
74 open_port($port, $option)
75 Open a port for inbound connections.
76
77 task "firewall", sub {
78 open_port 22;
79 open_port [22, 80];
80 open_port [22, 80],
81 dev => "eth1";
82 };
83
84 task "firewall", sub {
85 open_port 22,
86 dev => "eth1",
87 only_if => "test -f /etc/firewall.managed";
88 } ;
89
90 close_port($port, $option)
91 Close a port for inbound connections.
92
93 task "firewall", sub {
94 close_port 22;
95 close_port [22, 80];
96 close_port [22, 80],
97 dev => "eth0",
98 only_if => "test -f /etc/firewall.managed";
99 };
100
101 redirect_port($in_port, $option)
102 Redirect $in_port to another local port.
103
104 task "redirects", sub {
105 redirect_port 80 => 10080;
106 redirect_port 80 => {
107 to => 10080,
108 dev => "eth0",
109 };
110 };
111
112 iptables(@params)
113 Write standard iptables commands.
114
115 Note that there is a short form for the iptables "--flush" option: when
116 you pass "-F" or "flush" as the only argument, the command
117 "iptables -F" is run on the connected host. With the two-argument form
118 of "flush" shown in the examples below, the second argument is the table
119 you want to flush.
120
121 task "firewall", sub {
122 iptables t => "nat", A => "POSTROUTING", o => "eth0", j => "MASQUERADE";
123 iptables t => "filter", i => "eth0", m => "state", state => "RELATED,ESTABLISHED", j => "ACCEPT";
124
125 # automatically flushes all tables; equivalent to 'iptables -F'
126 iptables "flush";
127 iptables -F;
128
129 # flush only the "filter" table
130 iptables flush => "filter";
131 iptables -F => "filter";
132 };
133
134 # Note: options with dashes "-" need to be quoted to escape them from Perl
135 task "long_form_firewall", sub {
136 iptables table => "nat",
137 append => "POSTROUTING",
138 "out-interface" => "eth0",
139 jump => "MASQUERADE";
140 iptables table => "filter",
141 "in-interface" => "eth0",
142 match => "state",
143 state => "RELATED,ESTABLISHED",
144 jump => "ACCEPT";
145 };
146
147 is_nat_gateway
148 This function creates a NAT gateway for the device the default route
149 points to.
150
151 task "make-gateway", sub {
152 is_nat_gateway;
153 is_nat_gateway -6;
154 };
155
156 default_state_rule(%option)
157 Set the default state rules for the given device.
158
159 task "firewall", sub {
160 default_state_rule(dev => "eth0");
161 };
162
163 iptables_list
164 List all iptables rules.
165
166 task "list-iptables", sub {
167 print Dumper iptables_list;
168 print Dumper iptables_list -6;
169 };
170
171 iptables_clear
172 Remove all iptables rules.
173
174 task "no-firewall", sub {
175 iptables_clear;
176 };
177
178
179
180perl v5.28.1 2017-03-01 Rex::Commands::Iptables(3)