Revision as of 22:19, 29 May 2012

• Git Branch: https://github.com/locaweb/quantum

Handling Iptables Manager

<<TableOfContents()>>

Abstract

The idea behind this blueprint is create a python iptables module implementing a generic iptables abstraction, this will be useful for every plugin based on iptables.

Summary

This module works with ipv4 and ipv6, supporting use of stateless or stateful firewalls.

Proposed Quantum Module Operations

Setting up the module

#! 
from quantum.plugins.agent.linux import iptables_manager
iptables = iptables_manager.IptablesManager()

You can use an alternate configuration file calling the IptablesManager using the config_file='path'

Adding a filter chain

#!highlight python
iptables.ipv4['filter'].add_chain('iptables-ipv4-filter')

Adding rule to a filter chain

#!highlight python
iptables.ipv4['filter'].add_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')

Removing rule from a filter chain

#!highlight python
iptables.ipv4['filter'].remove_rule('iptables-ipv4-filter', '-s 192.168.0.3 -j DROP')

Empty a chain

#!highlight python
iptables.ipv4['filter'].empty_chain('iptables-ipv4-filter')

Removing a filter chain

#!highlight python
iptables.ipv4['filter'].remove_chain('iptables-ipv4-filter')

Adding a nat chain

#!highlight python
iptables.ipv4['filter'].add_chain('iptables-ipv4-nat')

Adding rule to a nat chain

#!highlight python
iptables.ipv4['nat'].add_rule('iptables-ipv4-nat', ' -A PREROUTING -i eth0 -p udp --dport 8080 -j REDIRECT --to-port 80')

Removing rule from a nat chain

#!highlight python
iptables.ipv4['nat'].remove_rule('iptables-ipv4-nat', ' -A PREROUTING -i eth0 -p udp --dport 8080 -j REDIRECT --to-port 80')

Empty a chain

#!highlight python
iptables.ipv4['filter'].empty_chain('iptables-ipv4-nat')

Removing a filter chain

#!highlight python
iptables.ipv4['filter'].remove_chain('iptables-ipv4-nat')