1IPTables::Parse(3) User Contributed Perl Documentation IPTables::Parse(3)
2
3
4
6 IPTables::Parse - Perl extension for parsing iptables and ip6tables
7 policies
8
10 use IPTables::Parse;
11
12 my %opts = (
13 'use_ipv6' => 0, # can set to 1 to force ip6tables usage
14 'ipt_rules_file' => '', # optional file path from
15 # which to read iptables rules
16 'debug' => 0,
17 'verbose' => 0
18 );
19
20 my $ipt_obj = IPTables::Parse->new(%opts)
21 or die "[*] Could not acquire IPTables::Parse object";
22
23 my $rv = 0;
24
25 ### look for default DROP rules in the filter table INPUT chain
26 my ($ipt_hr, $rv) = $ipt_obj->default_drop('filter', 'INPUT');
27 if ($rv) {
28 if (defined $ipt_hr->{'all'}) {
29 print "The INPUT chain has a default DROP rule for all protocols.\n";
30 } else {
31 my $found = 0;
32 for my $proto (qw/tcp udp icmp/) {
33 if (defined $ipt_hr->{$proto}) {
34 print "The INPUT chain drops $proto by default.\n";
35 $found = 1;
36 }
37 }
38 unless ($found) {
39 print "The INPUT chain does not have any default DROP rule.\n";
40 }
41 }
42 } else {
43 print "[-] Could not parse $ipt_obj->{'_ipt_bin_name'} policy\n";
44 }
45
46 ### look for default LOG rules in the filter table INPUT chain
47 ($ipt_hr, $rv) = $ipt_obj->default_log('filter', 'INPUT');
48 if ($rv) {
49 if (defined $ipt_hr->{'all'}) {
50 print "The INPUT chain has a default LOG rule for all protocols.\n";
51 } else {
52 my $found = 0;
53 for my $proto (qw/tcp udp icmp/) {
54 if (defined $ipt_hr->{$proto}) {
55 print "The INPUT chain logs $proto by default.\n";
56 $found = 1;
57 }
58 }
59 unless ($found) {
60 print "The INPUT chain does not have any default LOG rule.\n";
61 }
62 }
63 } else {
64 print "[-] Could not parse $ipt_obj->{'_ipt_bin_name'} policy\n";
65 }
66
67 ### print all chains in the filter table
68 for my $chain (@{$ipt_obj->list_table_chains('filter')}) {
69 print $chain, "\n";
70 }
71
73 The "IPTables::Parse" package provides an interface to parse iptables
74 or ip6tables rules on Linux systems through the direct execution of
75 iptables/ip6tables commands, or from parsing a file that contains an
76 iptables/ip6tables policy listing. Note that the 'firewalld'
77 infrastructure on Fedora21 is also supported through execution of the
78 'firewall-cmd' binary. By default, the path to iptables is assumed to
79 be '/sbin/iptables', but if the firewall is 'firewalld', then the
80 '/usr/bin/firewall-cmd' is used. Both of these paths are configurable
81 via the keys mentioned below.
82
83 With this module, you can get the current policy applied to a
84 table/chain, look for a specific user-defined chain, check for a
85 default DROP policy, or determine whether or not a default LOG rule
86 exists. Also, you can get a listing of all rules in a chain with each
87 rule parsed into its own hash.
88
89 Note that if you initialize the IPTables::Parse object with the
90 'ipt_rules_file' key, then all parsing routines will open the specified
91 file for iptables rules data. So, you can create this file with a
92 command like 'iptables -t filter -nL -v > ipt.rules', and then
93 initialize the object with IPTables::Parse->new('ipt_rules_file' =>
94 'ipt.rules'). Further, if you are running on a system without iptables
95 installed, but you have an iptables policy written to the ipt.rules
96 file, then you can pass in 'skip_ipt_exec_check=>1' in order to analyze
97 the file without having IPTables::Parse check for the iptables binary.
98
99 In summary, in addition to the hash keys mentioned above, optional keys
100 that can be passed to new() include 'iptables' (set path to iptables
101 binary), 'firewall_cmd' (set path to 'firewall-cmd' binary for systems
102 with 'firewalld'), 'fwd_args' (set 'firewall-cmd' usage args; defaults
103 to '--direct --passthrough ipv4'), 'ipv6' (set IPv6 mode for
104 ip6tables), 'iptout' (set path to temporary stdout file, defaults to
105 /tmp/ipt.out.XXXXXX), 'iptout_pat' (set pattern for temporary stdout
106 file in the 'tmpdir' directory), 'ipterr' (set path to temporary stderr
107 file, defaults to /tmp/ipt.err.XXXXXX), 'iptout_err' (set pattern for
108 temporary stderr file in the 'tmpdir' directory), 'tmpdir' (set path to
109 temporary file handling directory), 'debug', 'verbose', and
110 'lockless_ipt_exec' (disable usage of the iptables '-w' argument that
111 acquires an exclusive lock on command execution).
112
114 The IPTables::Parse extension provides an object interface to the
115 following functions:
116
117 chain_policy($table, $chain)
118 This function returns the policy (e.g. 'DROP', 'ACCEPT', etc.) for
119 the specified table and chain:
120
121 print "INPUT policy: ",
122 $ipt_obj->chain_policy('filter', 'INPUT'), "\n";
123
124 chain_rules($table, $chain)
125 This function parses the specified chain and table and returns an
126 array reference for all rules in the chain. Each element in the
127 array reference is a hash with the following keys (that contain
128 values depending on the rule): "src", "dst", "protocol", "s_port",
129 "d_port", "target", "packets", "bytes", "intf_in", "intf_out",
130 "to_ip", "to_port", "state", "raw", and "extended". The "extended"
131 element contains the rule output past the protocol information, and
132 the "raw" element contains the complete rule itself as reported by
133 iptables or ip6tables. Here is an example of checking whether the
134 second rule in the INPUT chain (array index 1) allows traffic from
135 any IP to TCP port 80:
136
137 $rules_ar = $ipt_obj->chain_rules('filter', 'INPUT);
138
139 if ($rules_ar->[1]->{'src'} eq '0.0.0.0/0'
140 and $rules_ar->[1]->{'protocol'} eq 'tcp'
141 and $rules_ar->[1]->{'d_port'} eq '80'
142 and $rules_ar->[1]->{'target'} eq 'ACCEPT') {
143
144 print "traffic accepted to TCP port 80 from anywhere\n";
145 }
146
147 default_drop($table, $chain)
148 This function parses the running iptables or ip6tables policy in
149 order to determine if the specified chain contains a default DROP
150 rule. Two values are returned, a hash reference whose keys are the
151 protocols that are dropped by default (if a global ACCEPT rule has
152 not accepted matching packets first), along with a return value
153 that tells the caller if parsing the iptables or ip6tables policy
154 was successful. Note that if all protocols are dropped by default,
155 then the hash key 'all' will be defined.
156
157 ($ipt_hr, $rv) = $ipt_obj->default_drop('filter', 'INPUT');
158
159 default_log($table, $chain)
160 This function parses the running iptables or ip6tables policy in
161 order to determine if the specified chain contains a default LOG
162 rule. Two values are returned, a hash reference whose keys are the
163 protocols that are logged by default (if a global ACCEPT rule has
164 not accepted matching packets first), along with a return value
165 that tells the caller if parsing the iptables or ip6tables policy
166 was successful. Note that if all protocols are logged by default,
167 then the hash key 'all' will be defined. An example invocation is:
168
169 ($ipt_hr, $rv) = $ipt_obj->default_log('filter', 'INPUT');
170
171 list_table_chains($table)
172 This function parses the specified table for all chains that are
173 defined within the table. Data is returned as an array reference.
174 For example, if there are no user-defined chains in the 'filter'
175 table, then the returned array reference will contain the strings
176 'INPUT', 'FORWARD', and 'OUTPUT'.
177
178 for my $chain (@{$ipt_obj->list_table_chains('filter')}) {
179 print $chain, "\n";
180 }
181
183 Michael Rash, <mbr@cipherdyne.org>
184
186 The IPTables::Parse module is used by the IPTables::ChainMgr extension
187 in support of the psad and fwsnort projects to parse iptables or
188 ip6tables policies (see the psad(8), and fwsnort(8) man pages). As
189 always, the iptables(8) and ip6tables(8) man pages provide the best
190 information on command line execution and theory behind iptables and
191 ip6tables.
192
193 Although there is no mailing that is devoted specifically to the
194 IPTables::Parse extension, questions about the extension will be
195 answered on the following lists:
196
197 The psad mailing list: http://lists.sourceforge.net/lists/listinfo/psad-discuss
198 The fwsnort mailing list: http://lists.sourceforge.net/lists/listinfo/fwsnort-discuss
199
200 The latest version of the IPTables::Parse extension can be found on
201 CPAN and also here:
202
203 http://www.cipherdyne.org/modules/
204
205 Source control is provided by git:
206
207 https://github.com/mrash/IPTables-Parse.git
208
210 Thanks to the following people:
211
212 Franck Joncourt <franck.mail@dthconnex.com>
213 Stuart Schneider
214 Grant Ferley
215 Fabien Mazieres
216 Miloslav Trmač
217
219 The IPTables::Parse extension was written by Michael Rash
220 <mbr@cipherdyne.org> to support the psad and fwsnort projects. Please
221 send email to this address if there are any questions, comments, or bug
222 reports.
223
225 Version 1.6.1 (November, 2015)
226
228 Copyright (C) 2005-2015 Michael Rash. All rights reserved.
229
230 This module is free software. You can redistribute it and/or modify it
231 under the terms of the Artistic License 2.0. More information can be
232 found here: http://www.perl.com/perl/misc/Artistic.html
233
234 This program is distributed "as is" in the hope that it will be useful,
235 but without any warranty; without even the implied warranty of
236 merchantability or fitness for a particular purpose.
237
238
239
240perl v5.34.0 2022-01-21 IPTables::Parse(3)