Difference between revisions of "Quantum-iptables-manager"
Revision as of 22:07, 16 February 2013
- Git Branch: https://github.com/locaweb/quantum
Handling Iptables Manager
Abstract
The idea behind this blueprint is to create a Python iptables module implementing a generic iptables abstraction; this will be useful for every plugin based on iptables.
Summary
This module works with IPv4 and IPv6, and supports both stateless and stateful firewalls.
Proposed Quantum Module Operations
Setting up the module
from quantum.plugins.agent.linux import iptables_manager
iptables = iptables_manager.IptablesManager()
To use an alternate configuration file, pass config_file='path' when creating the IptablesManager.
Adding a filter chain
iptables.ipv4['filter'].add_chain('iptables-ipv4-filter')
Adding rule to a filter chain
iptables.ipv4['filter'].add_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')
Removing rule from a filter chain
iptables.ipv4['filter'].remove_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')
Empty a chain
iptables.ipv4['filter'].empty_chain('iptables-ipv4-filter')
Removing a filter chain
iptables.ipv4['filter'].remove_chain('iptables-ipv4-filter')
Adding a nat chain
iptables.ipv4['nat'].add_chain('iptables-ipv4-nat')
Adding rule to a nat chain
iptables.ipv4['nat'].add_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)
iptables.ipv4['nat'].add_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80')
Removing rule from a nat chain
iptables.ipv4['nat'].remove_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80')
iptables.ipv4['nat'].remove_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)
Empty a chain
iptables.ipv4['nat'].empty_chain('iptables-ipv4-nat')
Removing a nat chain
iptables.ipv4['nat'].remove_chain('iptables-ipv4-nat')
Applying iptables rules
iptables.apply()
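The whole sequence above (set up, chains, rules, apply) can be traced with the following in-memory model of the described interface. This is example code added for this page, not the Quantum module itself; it assumes that wrap=True names a chain the manager created with add_chain and that wrap=False names a built-in chain, and that apply() emits the ruleset in iptables-restore format.

```python
# Added example, not the Quantum project's code: an in-memory model of the
# IptablesManager interface described above, so the call sequence can be traced
# without root. Assumption: wrap=True names a chain the manager created with
# add_chain (declared and flushed by apply); wrap=False names a built-in chain.
BUILTIN = {"filter": ("INPUT", "FORWARD", "OUTPUT"),
           "nat": ("PREROUTING", "INPUT", "OUTPUT", "POSTROUTING")}

class IptablesTable:
    def __init__(self, name):
        self.name = name
        self.chains = []   # managed chains, in creation order
        self.rules = []    # (chain, rule, wrap) in insertion order

    def add_chain(self, name):
        if name not in self.chains:
            self.chains.append(name)

    def add_rule(self, chain, rule, wrap=True):
        # Reject chains this table does not own or know, so a filter/nat
        # table mix-up surfaces here rather than when apply() loads the ruleset.
        known = self.chains if wrap else BUILTIN[self.name]
        if chain not in known:
            raise ValueError("unknown chain %r in table %s" % (chain, self.name))
        if (chain, rule, wrap) not in self.rules:  # idempotent add
            self.rules.append((chain, rule, wrap))

    def remove_rule(self, chain, rule, wrap=True):
        self.rules.remove((chain, rule, wrap))

    def empty_chain(self, name):
        self.rules = [r for r in self.rules if not (r[0] == name and r[2])]

    def remove_chain(self, name):
        self.empty_chain(name)
        self.chains.remove(name)

    def render(self):
        # iptables-restore input for this table: declarations, rules, COMMIT.
        lines = ["*%s" % self.name] + [":%s - [0:0]" % c for c in self.chains]
        lines += ["-A %s %s" % (c, r) for c, r, _ in self.rules]
        return "\n".join(lines + ["COMMIT"])

class IptablesManager:
    def __init__(self):
        self.ipv4 = {t: IptablesTable(t) for t in BUILTIN}

    def apply(self):
        # The real manager pipes this into iptables-restore in one shot;
        # returning the text lets the ruleset be reviewed before loading.
        return "\n".join(self.ipv4[t].render() for t in ("filter", "nat"))
```

Running the page's nat sequence against this model shows the PREROUTING jump and the REDIRECT rule landing under a single *nat block, and tearing both down in reverse order leaves the table empty again.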