NAME
    ipmangle - Manage iptables rules with YAML files

SYNOPSIS
    usage: ipmangle --config=[file] [ test | commit | dump | out=[file] ]

    --config=[file]   takes a YAML file
    --dump            prints processed iptables rules to stdout
    --commit          commits rules
    --test            tests rules
    out=[file]        dumps iptables rules to file
CONFIGURATION FILE
    The configuration file is a YAML data structure interpreted by the IPTables::Mangle module.

EXAMPLE FILE
    filter:
      forward: { default: drop }
      foo:
        rules:
          - src: 9.9.9.9
          - src: 10.10.10.10
            action: drop
      input:
        # by default, do not allow any connections unless authorized
        # in the rules below
        default: drop
        # by default, if no "action" is given to a rule below, accept it
        default_rule_action: accept
        rules:
          # Accept all traffic on loopback interface
          - in-interface: lo
          # Don't disconnect existing connections during a rule change.
          - { match: state, state: 'ESTABLISHED,RELATED' }
          # Allow for pings (no more than 10 a second)
          - { protocol: icmp, icmp-type: 8, match: limit, limit: 10/sec }
          # Allow these IPs, no matter what
          - src: 123.123.123.123
          # example of blocking an IP
          - { action: drop, src: 8.8.8.8 }
          # example of allowing an IP to connect to port 25 (smtp) (one-line)
          - { protocol: tcp, dport: 25, src: 4.2.2.2 }
          # jump to rules defined in "foo" above
          - action: foo
          # if there are no more rules, reject the connection with icmp, don't just let it hang
          - action: reject
            action_options:
              reject-with: icmp-admin-prohibited
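    The following is an added example, not part of this man page and not the IPTables::Mangle module's own code. It is a small Python re-implementation of the mapping the example file implies, written to show how each YAML key becomes an iptables argument: "default" becomes a chain policy, a chain name that is not a built-in becomes a user chain, a missing "action" falls back to "default_rule_action", "action" naming another chain becomes a jump, and "action_options" become target options. The config is embedded as a Python dict so the script runs without a YAML library (yaml.safe_load() on the file above would produce the same structure). The option spellings, the argument ordering, and the fallback to "accept" for a chain that has no "default_rule_action" are assumptions of this example; the real module's "dump" output may differ.

```python
"""Render an ipmangle-style YAML structure into iptables command lines.

Added example, not IPTables::Mangle's code. Option spellings, argument
ordering and the "accept" fallback are assumptions of this example.
"""

# Constructed input: the man page's example file as a Python dict.
CONFIG = {
    "filter": {
        "forward": {"default": "drop"},
        "foo": {
            "rules": [
                {"src": "9.9.9.9"},
                {"src": "10.10.10.10", "action": "drop"},
            ]
        },
        "input": {
            "default": "drop",
            "default_rule_action": "accept",
            "rules": [
                {"in-interface": "lo"},
                {"match": "state", "state": "ESTABLISHED,RELATED"},
                {"protocol": "icmp", "icmp-type": 8, "match": "limit", "limit": "10/sec"},
                {"src": "123.123.123.123"},
                {"action": "drop", "src": "8.8.8.8"},
                {"protocol": "tcp", "dport": 25, "src": "4.2.2.2"},
                {"action": "foo"},
                {"action": "reject",
                 "action_options": {"reject-with": "icmp-admin-prohibited"}},
            ],
        },
    }
}

BUILTIN_CHAINS = {"input": "INPUT", "output": "OUTPUT", "forward": "FORWARD"}
# Only ACCEPT and DROP are valid chain policies in iptables.
POLICY_TARGETS = {"accept": "ACCEPT", "drop": "DROP"}
BUILTIN_TARGETS = {"accept": "ACCEPT", "drop": "DROP", "reject": "REJECT"}

# Keys that steer rule generation rather than becoming match options.
CONTROL_KEYS = {"action", "action_options"}

# iptables needs "-p icmp" before "--icmp-type" and "-m state" before
# "--state", so these keys are emitted first, in this order (an assumption
# of this example); every other key follows in config order as "--key value".
KEY_ORDER = ["in-interface", "out-interface", "protocol", "match", "src", "dst"]
SHORT = {"in-interface": "-i", "out-interface": "-o", "protocol": "-p",
         "match": "-m", "src": "-s", "dst": "-d"}


def chain_name(name):
    """Built-in chains are upper-cased; anything else is a user chain."""
    return BUILTIN_CHAINS.get(name, name)


def target_for(action, chains):
    """Map a rule action to a target; an unknown name must be a defined chain."""
    if action in BUILTIN_TARGETS:
        return BUILTIN_TARGETS[action]
    if action in chains:
        return action
    raise ValueError(f"rule action {action!r} is neither a target nor a defined chain")


def render_rule(table, chain, rule, chain_cfg, chains):
    """Turn one YAML rule into a single 'iptables -A ...' command line."""
    args = ["iptables", "-t", table, "-A", chain_name(chain)]
    ordered = [k for k in KEY_ORDER if k in rule]
    ordered += [k for k in rule if k not in KEY_ORDER and k not in CONTROL_KEYS]
    for key in ordered:
        args += [SHORT.get(key, "--" + key), str(rule[key])]
    # No explicit action: use the chain's default_rule_action, else accept
    # (the "else accept" fallback is an assumption of this example).
    action = rule.get("action", chain_cfg.get("default_rule_action", "accept"))
    args += ["-j", target_for(action, chains)]
    for opt, val in rule.get("action_options", {}).items():
        args += ["--" + opt, str(val)]
    return " ".join(args)


def render(config):
    """Return the full list of iptables commands for a config structure."""
    lines = []
    for table, chains in config.items():
        # Policies and user chains first, so that later jumps resolve.
        for chain, cfg in chains.items():
            if chain in BUILTIN_CHAINS:
                policy = cfg.get("default", "accept")
                if policy not in POLICY_TARGETS:
                    raise ValueError(f"chain {chain!r}: policy must be accept or drop")
                lines.append(f"iptables -t {table} -P {chain_name(chain)} {POLICY_TARGETS[policy]}")
            else:
                lines.append(f"iptables -t {table} -N {chain}")
        for chain, cfg in chains.items():
            for rule in cfg.get("rules", []):
                lines.append(render_rule(table, chain, rule, cfg, chains))
    return lines


if __name__ == "__main__":
    print("\n".join(render(CONFIG)))
```

    Running the script prints the policy and chain-creation lines first and then one "-A" line per rule, with the final INPUT rule rendered as "-j REJECT --reject-with icmp-admin-prohibited". A jump to a chain name that the file does not define is rejected before anything is emitted, which is the check a "test" mode would want to make before "commit" touches the running firewall.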
COPYRIGHT
    Copyright 2011, 2012 Ohio-Pennsylvania Software, LLC.

LICENSE
    This library is free software. You can redistribute it and/or modify it under the same terms as Perl itself.

AUTHOR
    Michael J. Flickinger, <mjflick@gnu.org>