Quantum-iptables-manager


 * Git Branch: https://github.com/locaweb/quantum

= Handling Iptables Manager =

Abstract
The idea behind this blueprint is to create a Python iptables module implementing a generic iptables abstraction; this will be useful for every plugin based on iptables.

Summary
This module works with IPv4 and IPv6 and supports stateless or stateful firewalls.

= Proposed Quantum Module Operations =

Setting up the module

from quantum.plugins.agent.linux import iptables_manager
iptables = iptables_manager.IptablesManager()

You can use an alternate configuration file by calling IptablesManager with config_file='path'.

Adding a filter chain

iptables.ipv4['filter'].add_chain('iptables-ipv4-filter')

Adding rule to a filter chain

iptables.ipv4['filter'].add_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')

Removing rule from a filter chain

iptables.ipv4['filter'].remove_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')

Empty a chain

iptables.ipv4['filter'].empty_chain('iptables-ipv4-filter')

Removing a filter chain

iptables.ipv4['filter'].remove_chain('iptables-ipv4-filter')

Adding a nat chain

iptables.ipv4['nat'].add_chain('iptables-ipv4-nat')

Adding rule to a nat chain (PREROUTING is a built-in chain, not one created by the module, so the jump into the managed chain is added with wrap=False)

iptables.ipv4['nat'].add_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)
iptables.ipv4['nat'].add_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-ports 80')

Removing rule from a nat chain

iptables.ipv4['nat'].remove_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-ports 80')
iptables.ipv4['nat'].remove_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)

Empty a nat chain

iptables.ipv4['nat'].empty_chain('iptables-ipv4-nat')

Removing a nat chain

iptables.ipv4['nat'].remove_chain('iptables-ipv4-nat')

Applying iptables rules

The calls above only record changes on the table objects; nothing reaches the system until apply() is called.

iptables.apply()
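As an added illustration of the abstraction these operations describe (not the Quantum module itself, whose code this page does not show), the following stand-in keeps the same call shape and, instead of executing iptables, renders each table into iptables-restore input so the effect of every operation can be inspected offline. The quantum- chain prefix, the built-in chain lists, the hook from FORWARD into the managed filter chain (which the page omits and without which that chain never sees a packet), the ESTABLISHED,RELATED rule and the dry-run dict returned by apply() are assumptions of this example.

```python
# Stand-in for the abstraction on this page (added example, not Quantum code):
# renders iptables-restore input instead of calling iptables directly.

CHAIN_PREFIX = "quantum-"  # assumed prefix for chains the manager owns
BUILTIN = {                # assumed built-in chains declared per table
    "filter": ["INPUT", "FORWARD", "OUTPUT"],
    "nat": ["PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"],
}


def _jumps_to(rule, chain):
    toks = rule.split()
    return any(t == "-j" and toks[i + 1] == chain for i, t in enumerate(toks[:-1]))


class IptablesTable:
    """One table (filter or nat) of one address family."""

    def __init__(self, name):
        self.name = name
        self.chains = []   # managed chains, stored without the prefix
        self.rules = []    # (chain, rule_text, wrap) in insertion order

    def add_chain(self, name):
        if name not in self.chains:
            self.chains.append(name)

    def remove_chain(self, name):
        """Drop the chain, its rules, and every rule that jumps into it."""
        if name in self.chains:
            self.chains.remove(name)
        self.rules = [r for r in self.rules
                      if r[0] != name and not _jumps_to(r[1], name)]

    def add_rule(self, chain, rule, wrap=True):
        # wrap=True: 'chain' is ours and gets the prefix when rendered;
        # wrap=False: a kernel built-in such as PREROUTING or FORWARD.
        if wrap and chain not in self.chains:
            raise ValueError("unknown chain: %r" % chain)
        if (chain, rule, wrap) not in self.rules:   # adding twice is a no-op
            self.rules.append((chain, rule, wrap))

    def remove_rule(self, chain, rule, wrap=True):
        if (chain, rule, wrap) in self.rules:       # absent rule: not an error
            self.rules.remove((chain, rule, wrap))

    def empty_chain(self, chain):
        self.rules = [r for r in self.rules if r[0] != chain]

    def render(self):
        """This table as an iptables-restore stanza (list of lines)."""
        lines = ["*" + self.name]
        lines += [":%s ACCEPT [0:0]" % c for c in BUILTIN[self.name]]
        lines += [":%s%s - [0:0]" % (CHAIN_PREFIX, c) for c in self.chains]
        for chain, rule, wrap in self.rules:
            toks = rule.split()
            for i, t in enumerate(toks[:-1]):   # jumps into our chains get the prefix too
                if t == "-j" and toks[i + 1] in self.chains:
                    toks[i + 1] = CHAIN_PREFIX + toks[i + 1]
            target = CHAIN_PREFIX + chain if wrap else chain
            lines.append("-A %s %s" % (target, " ".join(toks)))
        return lines + ["COMMIT"]


class IptablesManager:
    def __init__(self, execute=None):
        self.ipv4 = {t: IptablesTable(t) for t in BUILTIN}
        self.ipv6 = {"filter": IptablesTable("filter")}
        self._execute = execute   # None = dry run: apply() only returns the text

    def render(self, family):
        tables = self.ipv4 if family == 4 else self.ipv6
        return "\n".join(l for t in tables.values() for l in t.render()) + "\n"

    def apply(self):
        """One iptables-restore per family; returns what was (or would be) fed to it."""
        out = {}
        for binary, family in (("iptables-restore", 4), ("ip6tables-restore", 6)):
            out[binary] = self.render(family)
            if self._execute is not None:
                self._execute(binary, out[binary])
        return out


def build_example_rules():
    """The call sequence from this page, plus the FORWARD hook the page leaves
    out: a managed chain that nothing jumps to never sees a packet."""
    mgr = IptablesManager()
    filt, nat = mgr.ipv4["filter"], mgr.ipv4["nat"]
    filt.add_chain("iptables-ipv4-filter")
    filt.add_rule("iptables-ipv4-filter",          # stateful: established first
                  "-m state --state ESTABLISHED,RELATED -j ACCEPT")
    filt.add_rule("iptables-ipv4-filter", "-s 192.168.0.3 -j DROP")
    filt.add_rule("FORWARD", "-j iptables-ipv4-filter", wrap=False)
    nat.add_chain("iptables-ipv4-nat")
    nat.add_rule("PREROUTING", "-d 192.168.0.3 -j iptables-ipv4-nat", wrap=False)
    nat.add_rule("iptables-ipv4-nat", "-i eth0 -p tcp -d 192.168.0.3 "
                 "--dport 8080 -j REDIRECT --to-ports 80")
    return mgr
```

Passing execute=lambda binary, text: subprocess.run([binary], input=text, text=True, check=True) to IptablesManager makes apply() feed the rendered ruleset to iptables-restore and ip6tables-restore (root required). Restoring a whole table at once is the point of collecting rules and applying them in one step: each table is swapped under a single COMMIT, so a failure cannot leave the firewall with half of the new rules and half of the old ones, which issuing one iptables command per rule can.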