About a python module (iptables)

John Hunter jdhunter at ace.bsd.uchicago.edu
Wed Nov 10 11:00:58 EST 2004


>>>>> "Douglas" == Douglas Soares de Andrade <dsa at unilestemg.br> writes:

    Douglas> Hi !  Is there a module to do the interaction between
    Douglas> python and iptables ? I want to make an app to interact
    Douglas> with iptables (new chain, erase chain, list chain,
    Douglas> generate rules and so on).

I've written one that I've used privately for years on standalone
machines as well as routers using NAT/etc.  It doesn't support all of
iptables, but it does the common stuff.  In debug mode, it only prints
out the rules to the logfile, but doesn't execute them.

Whether it is sophisticated enough for your app, I don't know.  It was
designed simply to set up the iptables config and then run, so there is
no support for erasing chains, etc.

I've uploaded a tarfile to
http://jdh.uchicago.edu/share/py_iptables.tar.gz which contains the
module code and some example scripts.

Here is a simple script to configure the firewall for a typical
standalone machine.

#!/usr/bin/env python
from IptablesRules import IptablesRules

# debug=False executes the commands - you must be superuser
ipt = IptablesRules(debug=True, verbose='moderate')

nameservers = ipt.get_nameservers()

# udpAccept and tcpAccept are dictionaries from ports to
# machines which have access to those ports
udpAccept = {"domain" : nameservers,}

# we've parsed /etc/services so you can specify ports by name or
# number.
tcpAccept  = {
    ('smtp', 'ntp', 'ssh', 'ftp', 'http', 'https') : 'all',
    ('postgres', ) : "128.135.0.0/16",   # limit to U of C
    ('all', ) : "128.135.90.217/32",     # my printer
    }

ipt.broadcast_policy(eth_iface="eth0", chain='DROP')
ipt.drop_nolog_ports(ports = ('auth', 'netbios-ns', 'microsoft-ds'), eth_iface="eth0")
ipt.implement_rules( udp_accept  = udpAccept,
                     icmp_accept = ( 0, 3, 5, 8, 11 ),
                     tcp_accept = tcpAccept,
                     eth_iface   = "eth0"
                     )
ipt.execute( logfile = '/var/tmp/iptables_rules' )

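As an added example (my own code, not Hunter's IptablesRules module from the tarball above), here is a small rule builder in the same spirit: a port-to-source mapping with names resolved via /etc/services becomes iptables commands, and debug mode only renders and logs them instead of running them. It assumes a constructed fallback service table for hosts without /etc/services and constructed sample addresses.

```python
#!/usr/bin/env python3
"""Toy rule builder: {ports: source} mappings -> iptables argv lists; in debug
mode the commands are rendered and logged, never executed (no root needed)."""
import shlex
import socket
import subprocess

# Constructed fallback table, consulted only when /etc/services lacks a name.
FALLBACK_SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80,
                     "https": 443, "postgres": 5432}

def port_number(port, proto="tcp"):
    """Accept a numeric port or a service name (like the /etc/services lookup)."""
    if str(port).isdigit():
        return int(port)
    try:
        return socket.getservbyname(port, proto)
    except OSError:
        return FALLBACK_SERVICES[port]       # KeyError for an unknown service

def accept_rules(accept, proto, iface="eth0"):
    """Expand {(port, ...): source} into INPUT-chain argv lists.  A port of
    'all' means any port, a source of 'all' means any address, and a list of
    sources (e.g. nameservers) yields one rule per source."""
    rules = []
    for ports, source in accept.items():
        sources = [source] if isinstance(source, str) else list(source)
        for port in ports:
            for src in sources:
                rule = ["iptables", "-A", "INPUT", "-i", iface, "-p", proto]
                if port != "all":
                    rule += ["--dport", str(port_number(port, proto))]
                if src != "all":
                    rule += ["-s", src]
                rules.append(rule + ["-j", "ACCEPT"])
    return rules

def execute(rules, debug=True, logfile=None):
    """Render each rule as a shell line, append the lines to logfile if given,
    and run the commands (root required) only when debug is False."""
    lines = [" ".join(shlex.quote(a) for a in rule) for rule in rules]
    if logfile:
        with open(logfile, "a") as fh:
            fh.write("\n".join(lines) + "\n")
    if not debug:
        for rule in rules:
            subprocess.run(rule, check=True)
    return lines

if __name__ == "__main__":
    tcp = {("ssh", "http", "https"): "all", ("postgres",): "128.135.0.0/16"}
    udp = {("domain",): ["192.0.2.53", "192.0.2.54"]}   # constructed nameservers
    print("\n".join(execute(accept_rules(tcp, "tcp") + accept_rules(udp, "udp"))))
```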