
Difference between revisions of "Quantum-iptables-manager"

(import cleanup)
Line 1: Line 1:
__NOTOC__
 
 
* '''Git Branch''': https://github.com/locaweb/quantum
 
* '''Git Branch''': https://github.com/locaweb/quantum
  
 
= Handling Iptables Manager =
 
= Handling Iptables Manager =
 
<<[[TableOfContents]]()>>
 
  
 
== Abstract ==
 
== Abstract ==
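Review bot: `<<[[TableOfContents]]()>>` is MoinMoin macro syntax, not MediaWiki, so removing it belongs in this cleanup; if a table of contents is still wanted on the new wiki, `__TOC__` is the MediaWiki equivalent, and `__NOTOC__` at the top of the page suppresses it.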
Line 17: Line 14:
 
Setting up the module
 
Setting up the module
  
<pre><nowiki>#!highlight python
+
<pre><nowiki>
 
from quantum.plugins.agent.linux import iptables_manager
 
from quantum.plugins.agent.linux import iptables_manager
 
iptables = iptables_manager.IptablesManager()
 
iptables = iptables_manager.IptablesManager()
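Review bot: dropping the MoinMoin `#!highlight python` directive from the `<pre><nowiki>` block is correct, since MediaWiki would otherwise print it as the first line of the example; if syntax colouring is wanted, the `<pre><nowiki>` / `</nowiki></pre>` pair can be replaced with `<syntaxhighlight lang="python">` / `</syntaxhighlight>` from MediaWiki's SyntaxHighlight extension rather than a bare `<pre>`.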
Line 26: Line 23:
 
Adding a filter chain
 
Adding a filter chain
  
<pre><nowiki>#!highlight python
+
<pre><nowiki>
 
iptables.ipv4['filter'].add_chain('iptables-ipv4-filter')
 
iptables.ipv4['filter'].add_chain('iptables-ipv4-filter')
 
</nowiki></pre>
 
</nowiki></pre>
Line 40: Line 37:
 
Removing rule from a filter chain
 
Removing rule from a filter chain
  
<pre><nowiki>#!highlight python
+
<pre><nowiki>
 
iptables.ipv4['filter'].remove_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')
 
iptables.ipv4['filter'].remove_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')
 
</nowiki></pre>
 
</nowiki></pre>
Line 47: Line 44:
 
Empty a chain
 
Empty a chain
  
<pre><nowiki>#!highlight python
+
<pre><nowiki>
 
iptables.ipv4['filter'].empty_chain('iptables-ipv4-filter')
 
iptables.ipv4['filter'].empty_chain('iptables-ipv4-filter')
 
</nowiki></pre>
 
</nowiki></pre>
Line 54: Line 51:
 
Removing a filter chain
 
Removing a filter chain
  
<pre><nowiki>#!highlight python
+
<pre><nowiki>
 
iptables.ipv4['filter'].remove_chain('iptables-ipv4-filter')
 
iptables.ipv4['filter'].remove_chain('iptables-ipv4-filter')
 
</nowiki></pre>
 
</nowiki></pre>
Line 61: Line 58:
 
Adding a nat chain
 
Adding a nat chain
  
<pre><nowiki>#!highlight python
+
<pre><nowiki>
 
iptables.ipv4['filter'].add_chain('iptables-ipv4-nat')
 
iptables.ipv4['filter'].add_chain('iptables-ipv4-nat')
 
</nowiki></pre>
 
</nowiki></pre>
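Review bot: the unchanged line `iptables.ipv4['filter'].add_chain('iptables-ipv4-nat')` creates the chain in the filter table, yet the next section adds a PREROUTING rule under `iptables.ipv4['nat']` that jumps to `iptables-ipv4-nat`; iptables chains are per table, so that jump targets a chain that does not exist in nat. This should read `iptables.ipv4['nat'].add_chain('iptables-ipv4-nat')`.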
Line 68: Line 65:
 
Adding rule to a nat chain
 
Adding rule to a nat chain
  
<pre><nowiki>#!highlight python
+
<pre><nowiki>
 
iptables.ipv4['nat'].add_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)
 
iptables.ipv4['nat'].add_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)
 
iptables.ipv4['nat'].add_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80')
 
iptables.ipv4['nat'].add_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80')
Line 76: Line 73:
 
Removing rule from a nat chain
 
Removing rule from a nat chain
  
<pre><nowiki>#!highlight python
+
<pre><nowiki>
 
iptables.ipv4['nat'].remove_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80')
 
iptables.ipv4['nat'].remove_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80')
 
iptables.ipv4['nat'].remove_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)
 
iptables.ipv4['nat'].remove_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)
Line 84: Line 81:
 
Empty a chain
 
Empty a chain
  
<pre><nowiki>#!highlight python
+
<pre><nowiki>
 
iptables.ipv4['filter'].empty_chain('iptables-ipv4-nat')
 
iptables.ipv4['filter'].empty_chain('iptables-ipv4-nat')
 
</nowiki></pre>
 
</nowiki></pre>
Line 91: Line 88:
 
Removing a filter chain
 
Removing a filter chain
  
<pre><nowiki>#!highlight python
+
<pre><nowiki>
 
iptables.ipv4['filter'].remove_chain('iptables-ipv4-nat')
 
iptables.ipv4['filter'].remove_chain('iptables-ipv4-nat')
 
</nowiki></pre>
 
</nowiki></pre>
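Review bot: same table mix-up as in the add_chain section: `iptables.ipv4['filter'].remove_chain('iptables-ipv4-nat')` here, and `iptables.ipv4['filter'].empty_chain('iptables-ipv4-nat')` in the preceding hunk, operate on the filter table although the chain and its rules live in nat; both should go through `iptables.ipv4['nat']`. The heading "Removing a filter chain" above this block also describes the nat chain and should say so.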
Line 98: Line 95:
 
Applying iptables rules
 
Applying iptables rules
  
<pre><nowiki>#!highlight python
+
<pre><nowiki>
 
iptables.apply()
 
iptables.apply()
 
</nowiki></pre>
 
</nowiki></pre>
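Review bot: the cleanup misses one block: "Adding rule to a filter chain" does not appear in this diff, and the rendered revision below still begins that example with a literal `#!highlight python` line, so that `<pre><nowiki>` block needs the same edit.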

Revision as of 22:07, 16 February 2013

Handling Iptables Manager

Abstract

The idea behind this blueprint is to create a Python iptables module that implements a generic iptables abstraction; this will be useful for every plugin based on iptables.

Summary

This module works with IPv4 and IPv6 and supports both stateless and stateful firewalls.

Proposed Quantum Module Operations

Setting up the module

from quantum.plugins.agent.linux import iptables_manager
iptables = iptables_manager.IptablesManager()

You can use an alternate configuration file by instantiating IptablesManager with config_file='path'.

Adding a filter chain

iptables.ipv4['filter'].add_chain('iptables-ipv4-filter')


Adding rule to a filter chain

iptables.ipv4['filter'].add_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')


Removing rule from a filter chain

iptables.ipv4['filter'].remove_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')


Empty a chain

iptables.ipv4['filter'].empty_chain('iptables-ipv4-filter')


Removing a filter chain

iptables.ipv4['filter'].remove_chain('iptables-ipv4-filter')


Adding a nat chain

iptables.ipv4['nat'].add_chain('iptables-ipv4-nat')


Adding rule to a nat chain

iptables.ipv4['nat'].add_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)
iptables.ipv4['nat'].add_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80')


Removing rule from a nat chain

iptables.ipv4['nat'].remove_rule('iptables-ipv4-nat', '-i eth0 -p tcp -d 192.168.0.3 --dport 8080 -j REDIRECT --to-port 80')
iptables.ipv4['nat'].remove_rule('PREROUTING', '-d 192.168.0.3 -j iptables-ipv4-nat', wrap=False)


Empty a chain

iptables.ipv4['nat'].empty_chain('iptables-ipv4-nat')


Removing a nat chain

iptables.ipv4['nat'].remove_chain('iptables-ipv4-nat')


Applying iptables rules

iptables.apply()
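The whole sequence above (filter chain with a DROP rule, nat chain reached from PREROUTING, then teardown and apply) run against a constructed in-memory stand-in. This is an added example, not quantum's iptables_manager or any locaweb code; the `Table`, `Manager`, `dangling_jumps` and `render` names are assumptions, and `apply()` here renders iptables-restore text instead of calling iptables, refusing a ruleset whose `-j` target is a chain not defined in the same table (the mistake of creating the nat chain in the filter table).

```python
# Constructed stand-in for the table/chain/rule abstraction described above; it is
# NOT quantum's iptables_manager. It only records operations in memory and renders
# them in iptables-restore format, so a ruleset can be checked offline.
import re

BUILTIN_CHAINS = {'filter': ('INPUT', 'FORWARD', 'OUTPUT'), 'nat': ('PREROUTING', 'POSTROUTING')}
BUILTIN_TARGETS = {'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'REDIRECT', 'DNAT', 'SNAT', 'MASQUERADE'}


class Table(object):
    def __init__(self, name):
        self.name = name
        self.chains = {c: [] for c in BUILTIN_CHAINS[name]}  # chain name -> rules

    def add_chain(self, name):
        self.chains.setdefault(name, [])

    def remove_chain(self, name):
        del self.chains[name]

    def add_rule(self, chain, rule, wrap=True):  # wrap kept for API shape only
        self.chains[chain].append(rule)

    def remove_rule(self, chain, rule, wrap=True):
        self.chains[chain].remove(rule)

    def empty_chain(self, chain):
        self.chains[chain] = []

    def dangling_jumps(self):
        """(chain, target) pairs whose -j target is neither a builtin target nor a
        chain defined in *this* table; iptables-restore would reject such a rule."""
        known = BUILTIN_TARGETS | set(self.chains)
        return [(c, m.group(1)) for c, rules in self.chains.items()
                for m in (re.search(r'-j (\S+)', r) for r in rules)
                if m and m.group(1) not in known]

    def render(self):
        out = ['*' + self.name] + [':%s - [0:0]' % c for c in self.chains]
        out += ['-A %s %s' % (c, r) for c, rs in self.chains.items() for r in rs]
        return '\n'.join(out + ['COMMIT'])


class Manager(object):
    def __init__(self):
        self.ipv4 = {'filter': Table('filter'), 'nat': Table('nat')}

    def apply(self):
        """Render both tables, refusing a ruleset that jumps to an undefined chain."""
        problems = [j for t in self.ipv4.values() for j in t.dangling_jumps()]
        if problems:
            raise ValueError('jump to undefined chain: %r' % problems)
        return '\n'.join(t.render() for t in self.ipv4.values())
```

Feeding the rendered text to a real `iptables-restore --test` is the natural next check before touching a live host.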