NAME

IPTables::Rule - Perl extension for holding iptables rule information in objects.

SYNOPSIS

  use IPTables::Rule;

  my $ipt_rule = new IPTables::Rule ;
  $ipt_rule->chain('INPUT');
  $ipt_rule->source('192.168.0.0/24');
  $ipt_rule->protocol('tcp');
  $ipt_rule->dport('22');
  $ipt_rule->target('ACCEPT');
  $ipt_rule->comment('accept ssh from lan');
  print $ipt_rule->generate;

DESCRIPTION

This package provides a way to build/store iptables rules in objects. It deals with ONLY individual rules; no attention it given to the overall structure of the ruleset (see IPTables::IPv4 or IPTables::IPv6 for that).

Once all your criteria has been set, you can call the generate method to convert the set criteria into an iptables command line string.

METHODS

Methods return a value for success, or undef for failure. Errors are availabe using the errstr method:

  $ipt_rule->chain('INPUT') or print $ipt_rule->errstr;

new

Create a new object to hold a rule.

ip4binary

When you call "generate", the returned output will prefix with the generic string 'iptables'. Use ip4binary method to change this to something more appropriate. For example, to use an absolute path:

  $ipt_rule->ip4binary('/usr/bin/iptables');

ip6binary

When you call "generate", the returned output will prefix with the generic string 'ip6tables'. Use ip4binary method to change this to something more appropriate. For example, to use an absolute path:

  $ipt_rule->ip6binary('/usr/bin/ip6tables');

iptaction

The default action for a new rule is append (-A). Use this method to change this to any other valid iptables action. See "Options/Commands" in iptables(8) for valid actions.

Syntax is to supply the capitalized short flag:

  $ipt_rule->iptaction('-I');   # Change iptables action to 'Insert'
  $ipt_rule->iptaction('-Z');   # Change iptables action to 'Zero Counters'

dump

Returns a hash-ref of the current rule details.

  my $hashref = $ipt_rule->dump();

ipversion

Defaults to IPv4 (ie, iptables). Valid options are '4' for IPv4/iptables, or '6' for IPv6/ip6tables.

  $ipt_rule->ipversion('6');

table

Set the table this rule applies to. By default, this is the 'filter' table. Valid options depend on the ipversion:

IPv4: filter, nat, mangle or raw

IPv6: filter, mangle or raw

chain

Set which chain (within "Table") this rule applies to. Can be either an inbuilt (eg, INPUT, FORWARD, OUTPUT etc) for a user-created chain.

Remember that IPTables::Rule ONLY deals with individual rules so it is unable to validate what you provide here (ie, that the chain already exists)

target

The chain or action this rule should 'Jump' (-j) to if it is matched.

  $ipt_rule->target('ACCEPT');

proto

Protocol to match against.

  $ipt_rule->proto('tcp');

in

The input interface to match. Opposite of "out".

  $ipt_rule->in('eth0');

out

The output interface to match. Opposite of "in".

  $ipt_rule->out('eth1');

source

Source address this rule is to match. Opposite of "destination". See "VALID INET ADDRESSES" for valid values.

  $ipt_rule->source('www.example.com');
  $ipt_rule->source('192.168.1.0/24');
  $ipt_rule->source('fe80::4dc1:e674:f5e4:a74f');

destination

Destination address this rule is to match. Opposite of "source". See "VALID INET ADDRESSES" for valid values.

  $ipt_rule->destination('www.example.com');
  $ipt_rule->destination('192.168.1.0/24');
  $ipt_rule->destination('fe80::4dc1:e674:f5e4:a74f');

dpt

Destination Port to match. Opposite of "spt". See "VALID INET PORTS" for valid values.

Protocol must be set to either 'tcp' or 'udp' for this to be valid at "Generate" time.

  $ipt_rule->dpt('http');
  $ipt_rule->dpt('http,https');
  $ipt_rule->dpt('20:21');

spt

Source Port to match. Opposite of "dpt". See "VALID INET PORTS" for valid values.

Protocol must be set to either 'tcp' or 'udp' for this to be valid at "Generate" time.

  $ipt_rule->spt('http');
  $ipt_rule->spt('http,https');
  $ipt_rule->spt('20:21');

mac

Source MAC Address to match against.

  $ipt_rule->mac('6c:f0:49:e8:64:2a');

state

Match the incoming packet against the state of the connection as tracked by the kernel connection tracking. Valid options are:

NEW
ESTABLISHED
RELATED
INVALID
UNTRACKED

  $ipt_rule->state('new');

limit

Set a rate-limit for how often this rule will match. Syntax is number/period where number is an integer for how often, and period is the time period to count against. Valid options for period are second, minute, hour and day.

  $ipt_rule->limit('3/second');
  $ipt_rule->limit('30/minute');        # average 1 every 2 seconds
  $ipt_rule->limit('24/day');           # average 1 per hour

icmp_type

Specify the ICMP type (and optionally sub-type) to match against. Protocol must be set to 'icmp' (or 'icmpv6' for IPv6) to use this method. For valid types, run iptables -m icmp --help

Type and sub-type can be passed either numerically or named. If specifying a sub-type, it must be separated with a forward slash ('/').

  $ipt_rule->icmp_type('echo-request');
  $ipt_rule->icmp_type('redirect/host-redirect');
  $ipt_rule->icmp_type('3');
  $ipt_rule->icmp_type('3/1');

logprefix

When you set "target" to the inbuilt LOG target, use this method to define what the log entries will be prefixed with.

  $ipt_rule->logprefix('[SSH PACKET] ');

comment

Add a comment to the rule to accompany it when viewing rules in iptables output

  $ipt_rule->comment('This rule allows SSH traffic');

generate

Returns the "compiled" rule in iptables command line syntax after performing some validation on the rule criteria.

  print $ipt_rule->generate();

VALID INET ADDRESSES

When passing addresses, valid input can be one of the following:

A Fully Qualified Domain Name (FQDN) (eg, www.example.com)
An IPv4 Address (eg, 192.168.1.1)
An IPv4 Address and CIDR (eg, 192.168.1.0/24)
An IPv4 Address Range (eg, 192.168.1.1-192.168.1.9)
An IPv6 Address (eg, fe80::4dc1:e674:f5e4:a74f)
An IPv6 Address and CIDR (eg, fe80::4dc1:e674:f5e4:a74f/10)
An IPv6 Address Range (eg, fe80::4dc1:e674:f5e4:0000-fe80::4dc1:e674:f5e4:ffff)

VALID INET PORTS

When specifying destination or source ports, valid input can be one of the following:

A numeric port (eg, 80)
A named port (eg, http)
A numeric port range, colon separated (eg, 20:21)
A named port range, colon separated (eg, ftp-data:ftp)
A list of comma separated numeric ports (eg, 25,110,143)
A list of comma separated named ports (eg, smtp,pop3,imap)

NOTE: When using named ports, iptables/ip6tables will attempt to resolve them using the file /etc/services so valid named ports must exist within this file.

HISTORY

0.03: Add 'ip6binary' method, and fix bug in output with src/dst ports.
0.02: Allow multiple states to be used (comma-delimed). Typo fixed in function call.
0.01: Original version; created by h2xs 1.23

AUTHOR

Phillip Smith, <fukawi2@gmail.com>

COPYRIGHT AND LICENSE

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.14.2 or, at your option, any later version of Perl 5 you may have available.

To install IPTables::Rule, copy and paste the appropriate command in to your terminal.

cpanm

cpanm IPTables::Rule

CPAN shell

perl -MCPAN -e shell
install IPTables::Rule

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)