IPTables configuration

Module for processing output of the iptables-save and ip6tables-save commands. Parsers included are:

IPTables - command iptables-save

IP6Tables - command ip6tables-save

IPTabPermanent - file /etc/sysconfig/iptables

IP6TabPermanent - file /etc/sysconfig/ip6tables

Sample input data looks like:

# Generated by iptables-save v1.4.7 on Tue Aug 16 10:18:43 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [769:196899]
:REJECT-LOG - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A REJECT-LOG -p tcp -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Tue Aug 16 10:18:43 2016
# Generated by iptables-save v1.4.7 on Tue Aug 16 10:18:43 2016
*mangle
:PREROUTING ACCEPT [451:22060]
:INPUT ACCEPT [451:22060]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [594:47151]
:POSTROUTING ACCEPT [594:47151]
COMMIT
# Completed on Tue Aug 16 10:18:43 2016
# Generated by iptables-save v1.4.7 on Tue Aug 16 10:18:43 2016
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [3:450]
:OUTPUT ACCEPT [3:450]
COMMIT
# Completed on Tue Aug 16 10:18:43 2016
  • Each table of iptables starts with a # Generated by ... line.

  • Each table starts with *<table-name>, for example *filter.

  • Each chain specification starts with a : sign.

  • A chain specification looks like :<chain-name> <chain-policy> [<packet-counter>:<byte-counter>]. Built-in chains carry a policy such as ACCEPT; a user-defined chain (REJECT-LOG in the sample) has no policy and shows - in its place.

  • The chain-name may be for example INPUT.

  • Each iptables rule starts with a - sign; in iptables-save output this is -A <chain-name> followed by the match constraints and the -j (or -g) target.

Examples

>>> ipt.rules[0] == {'target': 'ACCEPT', 'chain': 'INPUT', 'rule': '-m state --state RELATED,ESTABLISHED -j ACCEPT', 'table': 'filter', 'target_options': None, 'target_action': 'jump', 'constraints': '-m state --state RELATED,ESTABLISHED'}
True
>>> ipt.get_chain('INPUT')[1] == {'target': 'ACCEPT', 'chain': 'INPUT', 'rule': '-s 192.168.0.0/24 -j ACCEPT', 'table': 'filter', 'target_options': None, 'target_action': 'jump', 'constraints': '-s 192.168.0.0/24'}
True
>>> ipt.table_chains('mangle') == {'FORWARD': [], 'INPUT': [], 'POSTROUTING': [], 'PREROUTING': [], 'OUTPUT': []}
True
>>> ipt.get_table('nat')[-1] == {'policy': 'ACCEPT', 'table': 'nat', 'byte_counter': 450, 'name': 'OUTPUT', 'packet_counter': 3}
True
class insights.parsers.iptables.IP6TabPermanent(context)[source]

Bases: IPTablesConfiguration

Process ip6tables configuration saved in file /etc/sysconfig/ip6tables.

The configuration in this file is loaded by the ip6tables service when the system boots. New configuration is saved by using the service ip6tables save command. This configuration file is not present on a system that uses the firewalld service instead of the ip6tables service.

See the insights.parsers.iptables.IPTablesConfiguration base class for additional information.

class insights.parsers.iptables.IP6Tables(context, extra_bad_lines=None)[source]

Bases: CommandParser, IPTablesConfiguration

Process output of the ip6tables-save command.

See the insights.parsers.iptables.IPTablesConfiguration base class for additional information.

class insights.parsers.iptables.IPTabPermanent(context)[source]

Bases: IPTablesConfiguration

Process iptables configuration saved in file /etc/sysconfig/iptables.

The configuration in this file is loaded by the iptables service when the system boots. New configuration is saved by using the service iptables save command. This configuration file is not present on a system that uses the firewalld service instead of the iptables service.

See the insights.parsers.iptables.IPTablesConfiguration base class for additional information.

class insights.parsers.iptables.IPTables(context, extra_bad_lines=None)[source]

Bases: CommandParser, IPTablesConfiguration

Process output of the iptables-save command.

See the insights.parsers.iptables.IPTablesConfiguration base class for additional information.

class insights.parsers.iptables.IPTablesConfiguration(context)[source]

Bases: Parser

A general class for parsing iptables configuration in the iptables-save-like format.

get_chain(name, table='filter')[source]

Get the list of rules for a particular chain. Chain order is kept intact.

Parameters:
  • name (str) -- chain name, e.g. INPUT

  • table (str) -- table name, defaults to filter

Returns:

rules

Return type:

list

get_rule(s)[source]

Get the list of rules that contain the given string.

Parameters:

s (str) -- string to look for in iptables rules

Returns:

rules containing given string

Return type:

list

get_table(name='filter')[source]

Get the list of chains for a particular table.

Parameters:

name (str) -- table name, defaults to filter

Returns:

chains

Return type:

list

parse_content(content)[source]

Parse iptables-save-like content into the tables, chains and rules returned by the accessors of this class. The subclasses above inherit it and only supply the content (command output or saved-rules file).

table_chains(table='filter')[source]

Get a dict where the keys are all the chains for the given table and each value is the list of rules defined for that chain, in order (an empty list for a chain with no rules).

Parameters:

table (str) -- table name, defaults to filter

Returns:

chains mapped to their defined rules

Return type:

dict