Merge pull request #1 from numbata/master

Added chain and tables rule definitions
commit 3e0ed9b5909aad73b25d5406411050c0c0cee7db 2 parents ea02590 + 0b4f154
@phlipper authored
Showing with 117 additions and 29 deletions.
  1. +57 −0 README.md
  2. +60 −29 rebuild-iptables.rb
57 README.md
@@ -25,6 +25,63 @@ The following platforms are supported by this cookbook, meaning that the recipes
Write `iptables` rule fragments and place them in `/etc/iptables.d`. Running this script will assemble them in order and reset the firewall rules.
+## Example
+
+For example, we have three rule-file:
+
+`/etc/iptables.d/vagrant`
+
+ # Vagrant boxes forwarding rules for public static ip
+
+ *filter
+ # Vagrand boxes forwarding ports
+ -A FORWARD -p tcp -d 192.168.5.10 --dport 80 -j ACCEPT
+ -A FORWARD -p tcp -d 192.168.5.10 --dport 22 -j ACCEPT
+
+ *nat
+ # Nat all traffic to vagrant boxes
+ -A PREROUTING -d 192.168.25.2 -p tcp -j DNAT --to-destination 192.168.5.10
+ -A POSTROUTING -j MASQUERADE
+ COMMIT
+
+`/etc/iptables.d/all_icmp`
+
+ # ICMP
+ -A FWR -p icmp -j ACCEP
+
+`/etc/iptables.d/all_estabilished`
+
+ # Any established connection is money
+ -A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+They are produce `/etc/iptables/general`
+
+ *filter
+ :INPUT ACCEPT [0,0]
+ :FORWARD ACCEPT [0,0]
+ :OUTPUT ACCEPT [0,0]
+ :FWR -
+ # Any established connection is money
+ -A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
+ # ICMP
+ -A FWR -p icmp -j ACCEPT
+ # Vagrant boxes forwarding rules for public static ip
+
+ # Vagrand boxes forwarding ports
+ -A FORWARD -p tcp -d 192.168.5.10 --dport 80 -j ACCEPT
+ -A FORWARD -p tcp -d 192.168.5.10 --dport 22 -j ACCEPT
+
+ COMMIT
+ *nat
+ :PREROUTING ACCEPT [0,0]
+ :POSTROUTING ACCEPT [0,0]
+ :OUTPUT ACCEPT [0,0]
+ # Nat all traffic to vagrant boxes
+ -A PREROUTING -d 192.168.25.2 -p tcp -j DNAT --to-destination 192.168.5.10
+ -A POSTROUTING -j MASQUERADE
+
+ COMMIT
+
## Contributing
89 rebuild-iptables.rb
@@ -23,33 +23,25 @@
# Installation
##############################################################################
-# Return the prefix
-def prefix
- File.read(File.join(TEMPLATE_PATH, "prefix")) rescue "*filter"
-end
-
-# Return the suffix
-def suffix
- File.read(File.join(TEMPLATE_PATH, "suffix")) rescue "COMMIT"
-end
-
-def snat
- File.read("/etc/iptables.snat") rescue ""
-end
-
# Read in a file, processing includes as required.
-def read_iptables(file)
- data = []
+def read_iptables(file, table = :filter)
file = File.join(TEMPLATE_PATH, file) unless File.dirname(file) =~ /iptables\.d/
rule = File.readlines(file).map{ |line| line.chomp }
rule.each do |line|
if line =~ /^\s*include\s+(\S+)$/
- data << read_iptables($1)
- else
- data << line
+ read_iptables($1, table)
+ elsif line =~ /^\s*\*([a-z]+)\s*$/
+ table = $1.to_sym
+ elsif line =~ /^\s*:([A-Z]+)(?:\s+([A-Z]+(?:\s*\[.*?\])))?$/
+ @data[table][chains][$1] = $2 || '-'
+ elsif line !~ /^\s*COMMIT\s*$/
+ #detect new chains
+ if chain = line.match(/\-[ADRILFZN]\s+([-a-zA-Z0-9_]+)\s/)
+ @data[table][:chains][chain[1]] ||= '-'
+ end
+ @data[table][:rules].push line
end
end
- data.join("\n")
end
# Write a file carefully.
@@ -75,22 +67,61 @@ def install_debian(data)
# Main routine
##############################################################################
-data = []
+@data = {
+ :filter => {
+ :chains => {
+ 'INPUT' => 'ACCEPT [0,0]',
+ 'FORWARD' => 'ACCEPT [0,0]',
+ 'OUTPUT' => 'ACCEPT [0,0]'
+ },
+ :rules => []
+ },
+ :mangle => {
+ :chains => {
+ 'PREROUTING' => 'ACCEPT [0,0]',
+ 'INPUT' => 'ACCEPT [0,0]',
+ 'FORWARD' => 'ACCEPT [0,0]',
+ 'OUTPUT' => 'ACCEPT [0,0]',
+ 'POSTROUTING' => 'ACCEPT [0,0]'
+ },
+ :rules => []
+ },
+ :nat => {
+ :chains => {
+ 'PREROUTING' => 'ACCEPT [0,0]',
+ 'POSTROUTING' => 'ACCEPT [0,0]',
+ 'OUTPUT' => 'ACCEPT [0,0]'
+ },
+ :rules => [],
+ }
+}
+
templates = Dir["#{TEMPLATE_PATH}/*"].sort.delete_if do |template|
- %w[prefix suffix].include?(File.basename(template))
+ %w[prefix suffix postfix].include?(File.basename(template))
end
-data << prefix
-templates.each { |template| data << read_iptables(template) }
-data << suffix
-data << snat
+templates.unshift 'prefix' if File.exists? "#{TEMPLATE_PATH}/prefix"
+templates.push 'suffix' if File.exists? "#{TEMPLATE_PATH}/suffix"
+templates.push 'postfix' if File.exists? "#{TEMPLATE_PATH}/postfix"
+
+templates.each { |template| read_iptables(template) }
-data = data.join("\n")
+iptables_rules = ""
+@data.each do |table, table_data|
+ if table_data[:rules].any?
+ iptables_rules << "*#{table.to_s}\n"
+ table_data[:chains].each do |chain, rule|
+ iptables_rules << ":#{chain} #{rule}\n"
+ end
+ iptables_rules << table_data[:rules].join("\n")
+ iptables_rules << "\nCOMMIT\n"
+ end
+end
if File.exists?("/etc/debian_version")
- install_debian(data)
+ install_debian(iptables_rules)
elsif File.exists?("/etc/redhat-release")
- install_redhat(data)
+ install_redhat(iptables_rules)
else
raise "#{$0}: cannot figure out whether this is Red Hat or Debian\n";
end
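Review bot: `@data[table][chains][$1]` on the policy-line branch of read_iptables (first hunk) uses a bare `chains`, which is neither a local nor a method in this script, so the first `:CHAIN POLICY` line in any fragment raises NameError; the chain-detection branch a few lines below spells it `:chains`, so the line should read `@data[table][:chains][$1] = $2 || '-'`. In the same method `table = $1.to_sym` accepts any `*name` header, but `@data` in the second hunk is seeded only for filter, mangle and nat, so a fragment beginning with `*raw` or `*security` fails with NoMethodError on nil; either seed those tables as well or add `@data[table] ||= { :chains => {}, :rules => [] }` right after the assignment. The seeded defaults also write policies as `ACCEPT [0,0]`, whereas the iptables-save/restore counter format I know is `[packets:bytes]` with a colon (e.g. `ACCEPT [0:0]`), so please confirm iptables-restore accepts the comma form before relying on the generated file. The new `templates.unshift`/`push` lines use `File.exists?`, a deprecated alias of `File.exist?` that Ruby 3.2 removed; the two pre-existing calls at the bottom share the issue.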