Difference between revisions of "Quantum-iptables-manager"
m (Fungi moved page Dlink Router Support Phone Number 1(888) 990-8801 to Quantum-iptables-manager without leaving a redirect: Undoing vandalism) |
|||
| (11 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| − | |||
* '''Git Branch''': https://github.com/locaweb/quantum | * '''Git Branch''': https://github.com/locaweb/quantum | ||
= Handling Iptables Manager = | = Handling Iptables Manager = | ||
| − | |||
| − | |||
== Abstract == | == Abstract == | ||
| Line 14: | Line 11: | ||
= Proposed Quantum Module Operations = | = Proposed Quantum Module Operations = | ||
| + | |||
| + | Setting up the module | ||
| + | |||
| + | <pre><nowiki> | ||
| + | from quantum.plugins.agent.linux import iptables_manager | ||
| + | iptables = iptables_manager.IptablesManager() | ||
| + | </nowiki></pre> | ||
| + | |||
| + | You can use an alternate configuration file calling the [[IptablesManager]] using the config_file='path' | ||
Adding a filter chain | Adding a filter chain | ||
| + | |||
| + | <pre><nowiki> | ||
| + | iptables.ipv4['filter'].add_chain('iptables-ipv4-filter') | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | Adding rule to a filter chain | ||
<pre><nowiki>#!highlight python | <pre><nowiki>#!highlight python | ||
| − | from | + | iptables.ipv4['filter'].add_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP') |
| − | iptables = | + | </nowiki></pre> |
| − | iptables.ipv4['filter']. | + | |
| + | |||
| + | Removing rule from a filter chain | ||
| + | |||
| + | <pre><nowiki> | ||
| + | iptables.ipv4['filter'].remove_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP') | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | Empty a chain | ||
| + | |||
| + | <pre><nowiki> | ||
| + | iptables.ipv4['filter'].empty_chain('iptables-ipv4-filter') | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | Removing a filter chain | ||
| + | |||
| + | <pre><nowiki> | ||
| + | iptables.ipv4['filter'].remove_chain('iptables-ipv4-filter') | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | Adding a nat chain | ||
| + | |||
| + | <pre><nowiki> | ||
| + | iptables.ipv4['filter'].add_chain('iptables-ipv4-nat') | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | Adding rule to a nat chain | ||
| + | |||
| + | <pre><nowiki> | ||
| + | iptables.ipv4['nat'].add_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False) | ||
| + | iptables.ipv4['nat'].add_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80') | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | Removing rule from a nat chain | ||
| + | |||
| + | <pre><nowiki> | ||
| + | iptables.ipv4['nat'].remove_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80') | ||
| + | iptables.ipv4['nat'].remove_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False) | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | Empty a chain | ||
| + | |||
| + | <pre><nowiki> | ||
| + | iptables.ipv4['filter'].empty_chain('iptables-ipv4-nat') | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | Removing a filter chain | ||
| + | |||
| + | <pre><nowiki> | ||
| + | iptables.ipv4['filter'].remove_chain('iptables-ipv4-nat') | ||
| + | </nowiki></pre> | ||
| + | |||
| + | |||
| + | Applying iptables rules | ||
| + | |||
| + | <pre><nowiki> | ||
| + | iptables.apply() | ||
</nowiki></pre> | </nowiki></pre> | ||
Latest revision as of 13:23, 29 July 2016
- Git Branch: https://github.com/locaweb/quantum
Handling Iptables Manager
Abstract
The idea behind this blueprint is create a python iptables module implementing a generic iptables abstraction, this will be useful for every plugin based on iptables.
Summary
This module works with ipv4 and ipv6, supporting use of stateless or stateful firewalls.
Proposed Quantum Module Operations
Setting up the module
from quantum.plugins.agent.linux import iptables_manager iptables = iptables_manager.IptablesManager()
You can use an alternate configuration file calling the IptablesManager using the config_file='path'
Adding a filter chain
iptables.ipv4['filter'].add_chain('iptables-ipv4-filter')
Adding rule to a filter chain
#!highlight python
iptables.ipv4['filter'].add_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')
Removing rule from a filter chain
iptables.ipv4['filter'].remove_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')
Empty a chain
iptables.ipv4['filter'].empty_chain('iptables-ipv4-filter')
Removing a filter chain
iptables.ipv4['filter'].remove_chain('iptables-ipv4-filter')
Adding a nat chain
iptables.ipv4['filter'].add_chain('iptables-ipv4-nat')
Adding rule to a nat chain
iptables.ipv4['nat'].add_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)
iptables.ipv4['nat'].add_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80')
Removing rule from a nat chain
iptables.ipv4['nat'].remove_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80')
iptables.ipv4['nat'].remove_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)
Empty a chain
iptables.ipv4['filter'].empty_chain('iptables-ipv4-nat')
Removing a filter chain
iptables.ipv4['filter'].remove_chain('iptables-ipv4-nat')
Applying iptables rules
iptables.apply()
