1IPTables::Parse(3)    User Contributed Perl Documentation   IPTables::Parse(3)
2
3
4

NAME

6       IPTables::Parse - Perl extension for parsing iptables and ip6tables
7       policies
8

SYNOPSIS

10         use IPTables::Parse;
11
12         my %opts = (
13             'use_ipv6' => 0,         # can set to 1 to force ip6tables usage
14             'ipt_rules_file' => '',  # optional file path from
15                                      # which to read iptables rules
16             'debug'    => 0,
17             'verbose'  => 0
18         );
19
20         my $ipt_obj = IPTables::Parse->new(%opts)
21             or die "[*] Could not acquire IPTables::Parse object";
22
23         my $rv = 0;
24
25         ### look for default DROP rules in the filter table INPUT chain
26         my ($ipt_hr, $rv) = $ipt_obj->default_drop('filter', 'INPUT');
27         if ($rv) {
28             if (defined $ipt_hr->{'all'}) {
29                 print "The INPUT chain has a default DROP rule for all protocols.\n";
30             } else {
31                 my $found = 0;
32                 for my $proto (qw/tcp udp icmp/) {
33                     if (defined $ipt_hr->{$proto}) {
34                         print "The INPUT chain drops $proto by default.\n";
35                         $found = 1;
36                     }
37                 }
38                 unless ($found) {
39                     print "The INPUT chain does not have any default DROP rule.\n";
40                 }
41             }
42         } else {
43             print "[-] Could not parse $ipt_obj->{'_ipt_bin_name'} policy\n";
44         }
45
46         ### look for default LOG rules in the filter table INPUT chain
47         ($ipt_hr, $rv) = $ipt_obj->default_log('filter', 'INPUT');
48         if ($rv) {
49             if (defined $ipt_hr->{'all'}) {
50                 print "The INPUT chain has a default LOG rule for all protocols.\n";
51             } else {
52                 my $found = 0;
53                 for my $proto (qw/tcp udp icmp/) {
54                     if (defined $ipt_hr->{$proto}) {
55                         print "The INPUT chain logs $proto by default.\n";
56                         $found = 1;
57                     }
58                 }
59                 unless ($found) {
60                     print "The INPUT chain does not have any default LOG rule.\n";
61                 }
62             }
63         } else {
64             print "[-] Could not parse $ipt_obj->{'_ipt_bin_name'} policy\n";
65         }
66
67         ### print all chains in the filter table
68         for my $chain (@{$ipt_obj->list_table_chains('filter')}) {
69             print $chain, "\n";
70         }
71

DESCRIPTION

73       The "IPTables::Parse" package provides an interface to parse iptables
74       or ip6tables rules on Linux systems through the direct execution of
75       iptables/ip6tables commands, or from parsing a file that contains an
76       iptables/ip6tables policy listing. Note that the 'firewalld'
77       infrastructure on Fedora21 is also supported through execution of the
78       'firewall-cmd' binary.  By default, the path to iptables is assumed to
79       be '/sbin/iptables', but if the firewall is 'firewalld', then the
80       '/usr/bin/firewall-cmd' is used. Both of these paths are configurable
81       via the keys mentioned below.
82
83       With this module, you can get the current policy applied to a
84       table/chain, look for a specific user-defined chain, check for a
85       default DROP policy, or determine whether or not a default LOG rule
86       exists. Also, you can get a listing of all rules in a chain with each
87       rule parsed into its own hash.
88
89       Note that if you initialize the IPTables::Parse object with the
90       'ipt_rules_file' key, then all parsing routines will open the specified
91       file for iptables rules data. So, you can create this file with a
92       command like 'iptables -t filter -nL -v > ipt.rules', and then
93       initialize the object with IPTables::Parse->new('ipt_rules_file' =>
94       'ipt.rules'). Further, if you are running on a system without iptables
95       installed, but you have an iptables policy written to the ipt.rules
96       file, then you can pass in 'skip_ipt_exec_check=>1' in order to analyze
97       the file without having IPTables::Parse check for the iptables binary.
98
99       In summary, in addition to the hash keys mentioned above, optional keys
100       that can be passed to new() include 'iptables' (set path to iptables
101       binary), 'firewall_cmd' (set path to 'firewall-cmd' binary for systems
102       with 'firewalld'), 'fwd_args' (set 'firewall-cmd' usage args; defaults
103       to '--direct --passthrough ipv4'), 'ipv6' (set IPv6 mode for
104       ip6tables), 'iptout' (set path to temporary stdout file, defaults to
105       /tmp/ipt.out.XXXXXX), 'iptout_pat' (set pattern for temporary stdout
106       file in the 'tmpdir' directory), 'ipterr' (set path to temporary stderr
107       file, defaults to /tmp/ipt.err.XXXXXX), 'iptout_err' (set pattern for
108       temporary stderr file in the 'tmpdir' directory), 'tmpdir' (set path to
109       temporary file handling directory), 'debug', 'verbose', and
110       'lockless_ipt_exec' (disable usage of the iptables '-w' argument that
111       acquires an exclusive lock on command execution).
112

FUNCTIONS

114       The IPTables::Parse extension provides an object interface to the
115       following functions:
116
117       chain_policy($table, $chain)
118           This function returns the policy (e.g. 'DROP', 'ACCEPT', etc.) for
119           the specified table and chain:
120
121             print "INPUT policy: ",
122                   $ipt_obj->chain_policy('filter', 'INPUT'), "\n";
123
124       chain_rules($table, $chain)
125           This function parses the specified chain and table and returns an
126           array reference for all rules in the chain.  Each element in the
127           array reference is a hash with the following keys (that contain
128           values depending on the rule): "src", "dst", "protocol", "s_port",
129           "d_port", "target", "packets", "bytes", "intf_in", "intf_out",
130           "to_ip", "to_port", "state", "raw", and "extended".  The "extended"
131           element contains the rule output past the protocol information, and
132           the "raw" element contains the complete rule itself as reported by
133           iptables or ip6tables.  Here is an example of checking whether the
134           second rule in the INPUT chain (array index 1) allows traffic from
135           any IP to TCP port 80:
136
137             $rules_ar = $ipt_obj->chain_rules('filter', 'INPUT);
138
139             if ($rules_ar->[1]->{'src'} eq '0.0.0.0/0'
140                     and $rules_ar->[1]->{'protocol'} eq 'tcp'
141                     and $rules_ar->[1]->{'d_port'}   eq '80'
142                     and $rules_ar->[1]->{'target'}   eq 'ACCEPT') {
143
144                 print "traffic accepted to TCP port 80 from anywhere\n";
145             }
146
147       default_drop($table, $chain)
148           This function parses the running iptables or ip6tables policy in
149           order to determine if the specified chain contains a default DROP
150           rule.  Two values are returned, a hash reference whose keys are the
151           protocols that are dropped by default (if a global ACCEPT rule has
152           not accepted matching packets first), along with a return value
153           that tells the caller if parsing the iptables or ip6tables policy
154           was successful.  Note that if all protocols are dropped by default,
155           then the hash key 'all' will be defined.
156
157             ($ipt_hr, $rv) = $ipt_obj->default_drop('filter', 'INPUT');
158
159       default_log($table, $chain)
160           This function parses the running iptables or ip6tables policy in
161           order to determine if the specified chain contains a default LOG
162           rule.  Two values are returned, a hash reference whose keys are the
163           protocols that are logged by default (if a global ACCEPT rule has
164           not accepted matching packets first), along with a return value
165           that tells the caller if parsing the iptables or ip6tables policy
166           was successful.  Note that if all protocols are logged by default,
167           then the hash key 'all' will be defined.  An example invocation is:
168
169             ($ipt_hr, $rv) = $ipt_obj->default_log('filter', 'INPUT');
170
171       list_table_chains($table)
172           This function parses the specified table for all chains that are
173           defined within the table. Data is returned as an array reference.
174           For example, if there are no user-defined chains in the 'filter'
175           table, then the returned array reference will contain the strings
176           'INPUT', 'FORWARD', and 'OUTPUT'.
177
178             for my $chain (@{$ipt_obj->list_table_chains('filter')}) {
179                 print $chain, "\n";
180             }
181

AUTHOR

183       Michael Rash, <mbr@cipherdyne.org>
184

SEE ALSO

186       The IPTables::Parse module is used by the IPTables::ChainMgr extension
187       in support of the psad and fwsnort projects to parse iptables or
188       ip6tables policies (see the psad(8), and fwsnort(8) man pages).  As
189       always, the iptables(8) and ip6tables(8) man pages provide the best
190       information on command line execution and theory behind iptables and
191       ip6tables.
192
193       Although there is no mailing that is devoted specifically to the
194       IPTables::Parse extension, questions about the extension will be
195       answered on the following lists:
196
197         The psad mailing list: http://lists.sourceforge.net/lists/listinfo/psad-discuss
198         The fwsnort mailing list: http://lists.sourceforge.net/lists/listinfo/fwsnort-discuss
199
200       The latest version of the IPTables::Parse extension can be found on
201       CPAN and also here:
202
203         http://www.cipherdyne.org/modules/
204
205       Source control is provided by git:
206
207         https://github.com/mrash/IPTables-Parse.git
208

CREDITS

210       Thanks to the following people:
211
212         Franck Joncourt <franck.mail@dthconnex.com>
213         Stuart Schneider
214         Grant Ferley
215         Fabien Mazieres
216         Miloslav Trmač
217

AUTHOR

219       The IPTables::Parse extension was written by Michael Rash
220       <mbr@cipherdyne.org> to support the psad and fwsnort projects.  Please
221       send email to this address if there are any questions, comments, or bug
222       reports.
223

VERSION

225       Version 1.6.1 (November, 2015)
226
228       Copyright (C) 2005-2015 Michael Rash.  All rights reserved.
229
230       This module is free software.  You can redistribute it and/or modify it
231       under the terms of the Artistic License 2.0.  More information can be
232       found here: http://www.perl.com/perl/misc/Artistic.html
233
234       This program is distributed "as is" in the hope that it will be useful,
235       but without any warranty; without even the implied warranty of
236       merchantability or fitness for a particular purpose.
237
238
239
240perl v5.32.1                      2021-01-27                IPTables::Parse(3)
Impressum