Added chain and tables rule definitions #1

Merged
merged 3 commits into from

2 participants

@numbata

No description provided.

@numbata

After the table name, the list of all chains and their default rules needs to be output:
:POSTROUTING, :FORWARD, :FWD, etc.

@phlipper
Owner

@numbata thank you so much, this is great! I have endorsed you on Coderwall and I will update the README with your contribution. Thanks!

@phlipper phlipper merged commit 3e0ed9b into phlipper:master
Commits on Aug 31, 2012
  1. @numbata

    Added: tables rule support

    numbata committed
Commits on Sep 3, 2012
  1. @numbata

    Chain definitions

    numbata committed
Commits on Sep 12, 2012
  1. @numbata

    Update README.md

    numbata committed
    example ruleset
Showing with 117 additions and 29 deletions.
  1. +57 −0 README.md
  2. +60 −29 rebuild-iptables.rb
57 README.md
@@ -25,6 +25,63 @@ The following platforms are supported by this cookbook, meaning that the recipes
Write `iptables` rule fragments and place them in `/etc/iptables.d`. Running this script will assemble them in order and reset the firewall rules.
+## Example
+
+For example, we have three rule-file:
+
+`/etc/iptables.d/vagrant`
+
+ # Vagrant boxes forwarding rules for public static ip
+
+ *filter
+ # Vagrand boxes forwarding ports
+ -A FORWARD -p tcp -d 192.168.5.10 --dport 80 -j ACCEPT
+ -A FORWARD -p tcp -d 192.168.5.10 --dport 22 -j ACCEPT
+
+ *nat
+ # Nat all traffic to vagrant boxes
+ -A PREROUTING -d 192.168.25.2 -p tcp -j DNAT --to-destination 192.168.5.10
+ -A POSTROUTING -j MASQUERADE
+ COMMIT
+
+`/etc/iptables.d/all_icmp`
+
+ # ICMP
+ -A FWR -p icmp -j ACCEP
+
+`/etc/iptables.d/all_estabilished`
+
+ # Any established connection is money
+ -A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+They are produce `/etc/iptables/general`
+
+ *filter
+ :INPUT ACCEPT [0,0]
+ :FORWARD ACCEPT [0,0]
+ :OUTPUT ACCEPT [0,0]
+ :FWR -
+ # Any established connection is money
+ -A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
+ # ICMP
+ -A FWR -p icmp -j ACCEPT
+ # Vagrant boxes forwarding rules for public static ip
+
+ # Vagrand boxes forwarding ports
+ -A FORWARD -p tcp -d 192.168.5.10 --dport 80 -j ACCEPT
+ -A FORWARD -p tcp -d 192.168.5.10 --dport 22 -j ACCEPT
+
+ COMMIT
+ *nat
+ :PREROUTING ACCEPT [0,0]
+ :POSTROUTING ACCEPT [0,0]
+ :OUTPUT ACCEPT [0,0]
+ # Nat all traffic to vagrant boxes
+ -A PREROUTING -d 192.168.25.2 -p tcp -j DNAT --to-destination 192.168.5.10
+ -A POSTROUTING -j MASQUERADE
+
+ COMMIT
+
## Contributing
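Review bot: the `/etc/iptables.d/all_icmp` fragment has a typo in its jump target, `-A FWR -p icmp -j ACCEP`, which `iptables-restore` will reject, while the assembled `/etc/iptables/general` shown below it has `-j ACCEPT`; fix the fragment so the two agree. Also, nothing in the example jumps into the `FWR` chain (there is no `-A FORWARD -j FWR` or `-A INPUT -j FWR`), so the established/ICMP rules shown would never be evaluated; add the dispatch rule or say that it is expected to come from another fragment. Wording: "three rule-file" should be "three rule files", "They are produce" should be "They produce", "estabilished" should be "established", "Vagrand" should be "Vagrant". Finally, `-A POSTROUTING -j MASQUERADE` with no `-s` or `-o` restriction masquerades every forwarded packet, so consider narrowing it to the vagrant subnet or the outbound interface in the example.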
89 rebuild-iptables.rb
@@ -23,33 +23,25 @@
# Installation
##############################################################################
-# Return the prefix
-def prefix
- File.read(File.join(TEMPLATE_PATH, "prefix")) rescue "*filter"
-end
-
-# Return the suffix
-def suffix
- File.read(File.join(TEMPLATE_PATH, "suffix")) rescue "COMMIT"
-end
-
-def snat
- File.read("/etc/iptables.snat") rescue ""
-end
-
# Read in a file, processing includes as required.
-def read_iptables(file)
- data = []
+def read_iptables(file, table = :filter)
file = File.join(TEMPLATE_PATH, file) unless File.dirname(file) =~ /iptables\.d/
rule = File.readlines(file).map{ |line| line.chomp }
rule.each do |line|
if line =~ /^\s*include\s+(\S+)$/
- data << read_iptables($1)
- else
- data << line
+ read_iptables($1, table)
+ elsif line =~ /^\s*\*([a-z]+)\s*$/
+ table = $1.to_sym
+ elsif line =~ /^\s*:([A-Z]+)(?:\s+([A-Z]+(?:\s*\[.*?\])))?$/
+ @data[table][chains][$1] = $2 || '-'
+ elsif line !~ /^\s*COMMIT\s*$/
+ #detect new chains
+ if chain = line.match(/\-[ADRILFZN]\s+([-a-zA-Z0-9_]+)\s/)
+ @data[table][:chains][chain[1]] ||= '-'
+ end
+ @data[table][:rules].push line
end
end
- data.join("\n")
end
# Write a file carefully.
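Review bot: in `@data[table][chains][$1] = $2 || '-'` the key is the bare identifier `chains`, not the symbol `:chains` used two lines later, so the first `:CHAIN` line in any fragment raises NameError; it should read `@data[table][:chains][$1]`. The chain regex `/^\s*:([A-Z]+)(?:\s+([A-Z]+(?:\s*\[.*?\])))?$/` also accepts only uppercase names and requires a `[pkts,bytes]` counter after the policy, so `:FWR -` (the form iptables-save emits for user chains, and the form the README output shows) and `:INPUT DROP` without counters fall through to the last branch and are pushed as rules; allow the same `[-a-zA-Z0-9_]+` name class used by the `-A` detection and make the counter optional. Two smaller points: the `\-[ADRILFZN]\s+([-a-zA-Z0-9_]+)\s` detection requires trailing whitespace, so a bare `-N FWR` or `-F FWR` at end of line is not recorded as a chain, and `@data[table]` is nil for any table that is not pre-declared (`*raw`, `*security`), which surfaces as a NoMethodError rather than a clear "unknown table" error.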
@@ -75,22 +67,61 @@ def install_debian(data)
# Main routine
##############################################################################
-data = []
+@data = {
+ :filter => {
+ :chains => {
+ 'INPUT' => 'ACCEPT [0,0]',
+ 'FORWARD' => 'ACCEPT [0,0]',
+ 'OUTPUT' => 'ACCEPT [0,0]'
+ },
+ :rules => []
+ },
+ :mangle => {
+ :chains => {
+ 'PREROUTING' => 'ACCEPT [0,0]',
+ 'INPUT' => 'ACCEPT [0,0]',
+ 'FORWARD' => 'ACCEPT [0,0]',
+ 'OUTPUT' => 'ACCEPT [0,0]',
+ 'POSTROUTING' => 'ACCEPT [0,0]'
+ },
+ :rules => []
+ },
+ :nat => {
+ :chains => {
+ 'PREROUTING' => 'ACCEPT [0,0]',
+ 'POSTROUTING' => 'ACCEPT [0,0]',
+ 'OUTPUT' => 'ACCEPT [0,0]'
+ },
+ :rules => [],
+ }
+}
+
templates = Dir["#{TEMPLATE_PATH}/*"].sort.delete_if do |template|
- %w[prefix suffix].include?(File.basename(template))
+ %w[prefix suffix postfix].include?(File.basename(template))
end
-data << prefix
-templates.each { |template| data << read_iptables(template) }
-data << suffix
-data << snat
+templates.unshift 'prefix' if File.exists? "#{TEMPLATE_PATH}/prefix"
+templates.push 'suffix' if File.exists? "#{TEMPLATE_PATH}/suffix"
+templates.push 'postfix' if File.exists? "#{TEMPLATE_PATH}/postfix"
+
+templates.each { |template| read_iptables(template) }
-data = data.join("\n")
+iptables_rules = ""
+@data.each do |table, table_data|
+ if table_data[:rules].any?
+ iptables_rules << "*#{table.to_s}\n"
+ table_data[:chains].each do |chain, rule|
+ iptables_rules << ":#{chain} #{rule}\n"
+ end
+ iptables_rules << table_data[:rules].join("\n")
+ iptables_rules << "\nCOMMIT\n"
+ end
+end
if File.exists?("/etc/debian_version")
- install_debian(data)
+ install_debian(iptables_rules)
elsif File.exists?("/etc/redhat-release")
- install_redhat(data)
+ install_redhat(iptables_rules)
else
raise "#{$0}: cannot figure out whether this is Red Hat or Debian\n";
end
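Review bot: the emitter only writes a table when `table_data[:rules].any?`, so a fragment that contains nothing but a policy change, e.g. `*filter` followed by `:INPUT DROP [0,0]`, is silently dropped and the default policy stays ACCEPT; emit a table whenever one of its chains was declared or changed, not only when it has rules. The hunk also removes the `snat` helper that appended `/etc/iptables.snat`, replacing it with an optional `postfix` template, without a README note; call that out as a breaking change so existing installs do not lose their SNAT rules on the next rebuild. Minor: the new `File.exists?` calls use the spelling later Ruby versions drop in favour of `File.exist?`.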