NAME
IPTables::Mangle
SYNOPSIS
Given a config file, produces rules for iptables-restore.
Example YAML file, for ease of viewing:
    filter:
      forward: { default: drop }
      foo:
        rules:
          - src: 9.9.9.9
          - src: 10.10.10.10
            action: drop
      input:
        # by default, do not allow any connections unless authorized
        # in the rules below
        default: drop
        # by default, if no "action" is given to a rule below, accept it
        default_rule_action: accept
        rules:
          # Accept all traffic on loopback interface
          - in-interface: lo
          # Don't disconnect existing connections during a rule change.
          - { match: state, state: 'ESTABLISHED,RELATED' }
          # Allow for pings (no more than 10 a second)
          - { protocol: icmp, icmp-type: 8, match: limit, limit: 10/sec }
          # Allow these IPs, no matter what
          - src: 123.123.123.123
          # example of blocking an IP
          - { action: drop, src: 8.8.8.8 }
          # example of allowing ip to connect to port 25 (smtp) (one-line)
          - { protocol: tcp, dport: 25, src: 4.2.2.2 }
          # jump to rules defined in "foo" above
          - action: foo
          # if there are no more rules, reject the connection with icmp, don't just let it hang
          - action: reject
            action_options:
              reject-with: icmp-admin-prohibited
TABLES
The top-level hashref is the iptables table; its keys can be mangle, nat, or filter.
CHAINS
The hashref under the table is keyed by chain name. For system chains, the chain's default policy can be set with a 'default' key in the chain's hashref.
$VAR1->{filter}{input} would be the input chain for the filter table.
CHAIN RULES
Chain rules live in a 'rules' arrayref under the chain, $VAR1->{filter}{input}{rules}, for example.
Every element of that arrayref is a hashref which builds one rule. By default, the jump of a rule, referenced as 'action' in the rule, is set to accept. The default action can be changed by setting 'default_rule_action' in the chain. Every other key in the rule's hashref becomes a parameter prefixed by two dashes, '--', in the iptables rule. Two things to note here: 'action' in a rule really maps to 'jump' in iptables, and a special 'action_options' key exists, which references a hashref whose entries are appended after the iptables jump. This is useful for things like setting '--reject-with' after a jump to reject.
Examples of a chain rule:
    # by default, allow this ip
    $VAR1->{filter}{input}{rules}[0] = { src => '10.10.10.10' };
    # allow this ip on port 25 tcp, using accept default
    $VAR1->{filter}{input}{rules}[1] = { protocol => 'tcp', dport => 25, src => '10.10.10.10' };
    # make it explicit
    $VAR1->{filter}{input}{rules}[2] = { protocol => 'tcp', dport => 25, src => '10.10.10.10', action => 'accept' };
    # blacklist an ip
    $VAR1->{filter}{input}{rules}[3] = { src => '10.10.10.10', action => 'drop' };
    # append a final rule: reject with icmp message (keys with dashes must be quoted in Perl)
    push @{ $VAR1->{filter}{input}{rules} },
        { action => 'reject', action_options => { 'reject-with' => 'icmp-admin-prohibited' } };
METHODS
process_config
Given a hashref, produces rules usable by iptables-restore.
Returns one string.
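To make the CHAIN RULES mapping concrete, here is an added, independent re-implementation of the translation in Python; it is not the module's own code and its output format is what iptables-restore expects, not necessarily byte-for-byte what process_config returns. Assumptions: built-in chain and target names are upper-cased while user chains keep their spelling, system chains without a 'default' get policy ACCEPT, and 'protocol'/'match' are emitted before the options they enable (Perl hashes are unordered, so the module has to handle this somehow too).

```python
BUILTIN = {"accept", "drop", "reject", "return", "input", "output", "forward",
           "prerouting", "postrouting"}  # assumed: upper-cased; user chains kept as written
FIRST = {"protocol": 0, "match": 1}  # emit before the extension options they enable

def target(name):
    return name.upper() if name.lower() in BUILTIN else name

def render_rule(chain, rule, default_action):
    """Every key -> --key value; 'action' -> -j (default_rule_action if absent);
    'action_options' are appended after the jump, e.g. --reject-with."""
    parts = ["-A", target(chain)]
    for key, value in sorted(rule.items(), key=lambda kv: FIRST.get(kv[0], 2)):
        if key not in ("action", "action_options"):
            parts += [f"--{key}", str(value)]
    parts += ["-j", target(rule.get("action", default_action))]
    for key, value in rule.get("action_options", {}).items():
        parts += [f"--{key}", str(value)]
    return " ".join(parts)

def render_table(name, chains):
    """iptables-restore block: chain declarations (policy from 'default', ACCEPT
    assumed for system chains without one, '-' for user chains), rules, COMMIT."""
    out = [f"*{name}"]
    for chain, spec in chains.items():
        policy = spec.get("default", "accept" if chain.lower() in BUILTIN else None)
        out.append(f":{target(chain)} {policy.upper() if policy else '-'} [0:0]")
    for chain, spec in chains.items():
        for rule in spec.get("rules", []):
            out.append(render_rule(chain, rule, spec.get("default_rule_action", "accept")))
    return "\n".join(out + ["COMMIT"]) + "\n"

def process_config(config):
    return "".join(render_table(table, chains) for table, chains in config.items())
CONFIG = {"filter": {  # the SYNOPSIS example as a Python dict (constructed)
    "forward": {"default": "drop"},
    "foo": {"rules": [{"src": "9.9.9.9"}, {"src": "10.10.10.10", "action": "drop"}]},
    "input": {"default": "drop", "default_rule_action": "accept", "rules": [
        {"in-interface": "lo"},
        {"match": "state", "state": "ESTABLISHED,RELATED"},
        {"protocol": "icmp", "icmp-type": 8, "match": "limit", "limit": "10/sec"},
        {"src": "123.123.123.123"},
        {"action": "drop", "src": "8.8.8.8"},
        {"protocol": "tcp", "dport": 25, "src": "4.2.2.2"},
        {"action": "foo"},
        {"action": "reject", "action_options": {"reject-with": "icmp-admin-prohibited"}},
    ]},
}}

if __name__ == "__main__":
    print(process_config(CONFIG), end="")
```

Piping the printed block into `iptables-restore --test` is a cheap way to validate a generated ruleset before loading it.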
COPYRIGHT
Copyright 2011, 2012 Ohio-Pennsylvania Software, LLC.
LICENSE
This library is free software. You can redistribute it and/or modify it under the same terms as Perl itself.