IPTables configuration
Module for processing output of the iptables-save and ip6tables-save commands. Parsers included are:
IPTables - command iptables-save
IP6Tables - command ip6tables-save
IPTabPermanent - file /etc/sysconfig/iptables
IP6TabPermanent - file /etc/sysconfig/ip6tables
Sample input data looks like:
# Generated by iptables-save v1.4.7 on Tue Aug 16 10:18:43 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [769:196899]
:REJECT-LOG - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A REJECT-LOG -p tcp -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Tue Aug 16 10:18:43 2016
# Generated by iptables-save v1.4.7 on Tue Aug 16 10:18:43 2016
*mangle
:PREROUTING ACCEPT [451:22060]
:INPUT ACCEPT [451:22060]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [594:47151]
:POSTROUTING ACCEPT [594:47151]
COMMIT
# Completed on Tue Aug 16 10:18:43 2016
# Generated by iptables-save v1.4.7 on Tue Aug 16 10:18:43 2016
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [3:450]
:OUTPUT ACCEPT [3:450]
COMMIT
# Completed on Tue Aug 16 10:18:43 2016
Each table dump starts with a "# Generated by ..." comment line, followed by the table declaration *<table-name>, for example *filter. Each chain specification starts with a ":" sign. A chain specification looks like

:<chain-name> <chain-policy> [<packet-counter>:<byte-counter>]

The chain-name may be, for example, INPUT. Each iptables rule starts with a "-" sign.
Examples
>>> ipt.rules[0] == {'target': 'ACCEPT', 'chain': 'INPUT', 'rule': '-m state --state RELATED,ESTABLISHED -j ACCEPT', 'table': 'filter', 'target_options': None, 'target_action': 'jump', 'constraints': '-m state --state RELATED,ESTABLISHED'}
True
>>> ipt.get_chain('INPUT')[1] == {'target': 'ACCEPT', 'chain': 'INPUT', 'rule': '-s 192.168.0.0/24 -j ACCEPT', 'table': 'filter', 'target_options': None, 'target_action': 'jump', 'constraints': '-s 192.168.0.0/24'}
True
>>> ipt.table_chains('mangle') == {'FORWARD': [], 'INPUT': [], 'POSTROUTING': [], 'PREROUTING': [], 'OUTPUT': []}
True
>>> ipt.get_table('nat')[-1] == {'policy': 'ACCEPT', 'table': 'nat', 'byte_counter': 450, 'name': 'OUTPUT', 'packet_counter': 3}
True
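As an added illustration of the format described above (this is not code from the insights project), the following stand-alone parser turns iptables-save text into chain and rule dicts of the same shape as the examples, then lists the INPUT rules that ACCEPT traffic without any -s source restriction, which is the first thing to check when auditing a saved ruleset. The sample text is the page's own filter table; the regexes and the `unrestricted_accepts` helper are my own simplification (they recognise -j/-g but not the --jump/--goto long forms).

```python
import re

# Sample input: the filter table from the page's own iptables-save example.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [769:196899]
:REJECT-LOG - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A REJECT-LOG -p tcp -j REJECT --reject-with tcp-reset
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")     # :NAME POLICY [pkts:bytes]
RULE_RE = re.compile(r"^-A (\S+) (.*)$")                      # -A CHAIN <rule body>
TARGET_RE = re.compile(r"^(.*?)\s*-([jg]) (\S+)(?: (.*))?$")  # constraints -j TARGET [opts]

def parse_iptables_save(text):
    """Parse iptables-save text into (chains, rules), shaped like the page's dicts."""
    chains, rules, table = [], [], None
    for line in text.splitlines():
        if not line or line[0] == "#" or line == "COMMIT":
            continue                      # comments and COMMIT carry no rule data
        if line[0] == "*":
            table = line[1:]              # '*filter' opens a new table
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pkts, byts = m.groups()
            chains.append({"table": table, "name": name, "policy": policy,
                           "packet_counter": int(pkts), "byte_counter": int(byts)})
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                      # anything else is ignored by this simplified parser
        chain, rule = m.groups()
        t = TARGET_RE.match(rule)         # split "<constraints> -j TARGET <options>"
        constraints, flag, target, opts = t.groups() if t else (rule, None, None, None)
        rules.append({"table": table, "chain": chain, "rule": rule, "target": target,
                      "target_action": {"j": "jump", "g": "goto", None: None}[flag],
                      "target_options": opts, "constraints": constraints or None})
    return chains, rules

def unrestricted_accepts(rules, chain="INPUT"):
    """Rule bodies in `chain` that ACCEPT without a -s source restriction (audit view)."""
    return [r["rule"] for r in rules
            if r["chain"] == chain and r["target"] == "ACCEPT"
            and "-s " not in (r["constraints"] or "")]
```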
- class insights.parsers.iptables.IP6TabPermanent(context)
Bases: IPTablesConfiguration
Process ip6tables configuration saved in the file /etc/sysconfig/ip6tables. The configuration in this file is loaded by the ip6tables service when the system boots. New configuration is saved by using the service ip6tables save command. This configuration file is not available on a system with the firewalld service. See the insights.parsers.iptables.IPTablesConfiguration base class for additional information.
- class insights.parsers.iptables.IP6Tables(context, extra_bad_lines=None)
Bases: CommandParser, IPTablesConfiguration
Process output of the ip6tables-save command. See the insights.parsers.iptables.IPTablesConfiguration base class for additional information.
- class insights.parsers.iptables.IPTabPermanent(context)
Bases: IPTablesConfiguration
Process iptables configuration saved in the file /etc/sysconfig/iptables. The configuration in this file is loaded by the iptables service when the system boots. New configuration is saved by using the service iptables save command. This configuration file is not available on a system with the firewalld service. See the insights.parsers.iptables.IPTablesConfiguration base class for additional information.
- class insights.parsers.iptables.IPTables(context, extra_bad_lines=None)
Bases: CommandParser, IPTablesConfiguration
Process output of the iptables-save command. See the insights.parsers.iptables.IPTablesConfiguration base class for additional information.
- class insights.parsers.iptables.IPTablesConfiguration(context)
Bases: Parser
A general class for parsing iptables configuration in the iptables-save-like format.
- get_chain(name, table='filter')
Get the list of rules for a particular chain. Chain order is kept intact.
- Parameters:
name (str) -- chain name, e.g. ``
table (str) -- table name, defaults to filter
- Returns:
rules
- Return type:
list
- get_rule(s)
Get the list of rules that contain the given string.
- Parameters:
s (str) -- string to look for in iptables rules
- Returns:
rules containing the given string
- Return type:
list