
programmatic access to Linux iptables

Project description

linuxnet-iptables

linuxnet-iptables provides programmatic access to the Linux iptables(8) (or ip6tables(8)) command. Using linuxnet-iptables one can view existing chains/rules, create new ones, or delete existing ones. The package documentation is available here.

For the following examples, Python3 (3.6 or later) is required.

>>> from linuxnet.iptables import IptablesPacketFilterTable
>>> table = IptablesPacketFilterTable('filter')
>>> table.read_system_config()
>>> input_chain = table.get_chain('INPUT')
>>> for rule in input_chain:
...    print(' '.join(rule.to_iptables_args()))
...
-j prod_bad_traffic
-m state --state RELATED,ESTABLISHED -j ACCEPT
-j prod_ingress
-j prod_INPUT_ldrop
>>>
>>> print(input_chain.get_packet_count())
183506560
>>>

The above code requires root access (more precisely, the CAP_NET_ADMIN capability) in order to invoke the iptables command. If you are uncomfortable running it as root, you can capture the iptables output as root and then process it with linuxnet-iptables as an unprivileged user. Note that the -xnv options must be specified: -x prints exact (unabbreviated) counters, -n prints numeric addresses and ports instead of resolved names, and -v adds the packet/byte counters and interface columns that the parser expects:

# iptables -xnv -L > /tmp/iptables.output
#

Then, as a regular user:

>>> with open("/tmp/iptables.output") as f:
...    output = f.read()
...
>>> from linuxnet.iptables import IptablesPacketFilterTable
>>> table = IptablesPacketFilterTable('filter')
>>> table.init_from_output(output)
True
>>> input_chain = table.get_chain('INPUT')
>>> for rule in input_chain:
...     print(' '.join(rule.to_iptables_args()))
...
-j prod_bad_traffic
-m state --state RELATED,ESTABLISHED -j ACCEPT
-j prod_ingress
-j prod_INPUT_ldrop
>>>
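To make the -xnv requirement of the offline path above concrete, here is an added example that is not part of linuxnet-iptables: a stand-alone parser for `iptables -xnv -L` output that builds chain and rule objects and refuses a listing captured without -x (abbreviated counters such as 183M), -n (names such as anywhere) or -v (no counter columns). The names parse_iptables_output, Chain, Rule, packet_count and format_problem are this example's own and not the library's API; the meaning given to packet_count (the sum of the per-rule packet counters) is an assumption; and SAMPLE_XNV is a constructed listing modelled on the INPUT chain shown above.

```python
"""Added example (not linuxnet-iptables code): parse `iptables -xnv -L` output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CHAIN_RE = re.compile(r'^Chain (\S+) \((.*)\)$')
POLICY_RE = re.compile(r'^policy (\S+) (\d+) packets, (\d+) bytes$')
OPT_VALUES = {'--', '-f', '!f'}   # what iptables prints in the "opt" column

# Constructed sample listing, modelled on the INPUT chain shown on this page.
SAMPLE_XNV = """\
Chain INPUT (policy DROP 12 packets, 840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
183506560 9876543210 prod_bad_traffic  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    4200     310000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       7        420 prod_ingress  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       3        180 prod_INPUT_ldrop  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain acceptall (0 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

class FormatError(ValueError):
    """The listing was not produced with `iptables -xnv -L`."""

@dataclass
class Rule:
    packets: int
    bytes: int
    target: str          # '' when the rule has no -j target
    protocol: str
    in_iface: str
    out_iface: str
    source: str
    destination: str
    match_text: str      # trailing match/target options, e.g. "state RELATED,ESTABLISHED"

@dataclass
class Chain:
    name: str
    policy: Optional[str]   # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)

    def packet_count(self) -> int:
        # Assumed meaning for this example: the sum of the per-rule packet counters.
        return sum(r.packets for r in self.rules)

def _parse_rule(line: str) -> Rule:
    # Column layout: pkts bytes [target] prot opt in out source destination [options...]
    tokens = line.split()
    if len(tokens) < 8 or not (tokens[0].isdigit() and tokens[1].isdigit()):
        # Without -x, large counters are abbreviated ("183M"), which breaks arithmetic.
        raise FormatError(f'counters are not exact integers (capture with -x): {line!r}')
    # A rule without -j prints an empty target column that whitespace splitting drops; locate "opt".
    if len(tokens) > 8 and tokens[4] in OPT_VALUES:
        target, body = tokens[2], tokens[3:]
    elif tokens[3] in OPT_VALUES:
        target, body = '', tokens[2:]
    else:
        raise FormatError(f'cannot locate the opt column: {line!r}')
    prot, _opt, in_if, out_if, src, dst = body[:6]
    if 'anywhere' in (src, dst) or 'any' in (in_if, out_if):
        # Without -n, iptables resolves addresses and interfaces to names.
        raise FormatError(f'names instead of numeric values (capture with -n): {line!r}')
    return Rule(int(tokens[0]), int(tokens[1]), target, prot, in_if, out_if,
                src, dst, ' '.join(body[6:]))

def parse_iptables_output(output: str) -> Dict[str, Chain]:
    """Return {chain name: Chain} for a listing captured with `iptables -xnv -L`."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, info = m.groups()
            pm = POLICY_RE.match(info)
            current = Chain(name, pm.group(1) if pm else None)
            chains[name] = current
            continue
        first = line.split()[0]
        if first == 'target':
            raise FormatError('no pkts/bytes columns (capture with -v)')
        if first == 'pkts':
            continue                      # column header line
        if current is None:
            raise FormatError(f'rule before any chain header: {line!r}')
        current.rules.append(_parse_rule(line))
    return chains

def format_problem(output: str) -> Optional[str]:
    """Describe why a listing is unusable, or return None if it parses cleanly."""
    try:
        parse_iptables_output(output)
    except FormatError as exc:
        return str(exc)
    return None
```

Running format_problem over a saved listing before handing it to the library catches the common mistake of capturing with plain `iptables -L` or `iptables -L -n`: the abbreviated counters and resolved names such flags produce look plausible to a human but are not what a parser written for -xnv output expects.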

Modifications to the chains are also supported, as shown in the following examples (from here on, root permissions are assumed).

Creating a new chain:

>>> from linuxnet.iptables import ChainRule, Targets
>>> newchain = table.create_chain('acceptall')
>>> newchain.append_rule(ChainRule(target=Targets.ACCEPT))
>>>
# iptables -nv -L acceptall
Chain acceptall (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
#

Modifying the new chain to only accept TCP packets:

>>> newchain.flush()        # remove the existing rule
>>> from linuxnet.iptables import PacketMatch
>>> match_tcp = PacketMatch().protocol().equals('tcp')
>>> rule = ChainRule(match=match_tcp, target=Targets.ACCEPT)
>>> newchain.append_rule(rule)
>>> newchain.append_rule(ChainRule(target=Targets.DROP))
>>>
# iptables -L acceptall -nv
Chain acceptall (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
#

Deleting the new chain (iptables(8) refuses to delete a chain that is still referenced by a jump from another chain, so any such references must be removed first; acceptall above shows 0 references):

>>> table.delete_chain(newchain)
>>>

Installation

Python3 is required.

Available Makefile targets can be listed by invoking make with no arguments.

make install will install the package.

make test runs the unit tests.

Download files

Source Distribution

linuxnet_iptables-7.4.4.tar.gz (108.3 kB view details)

Uploaded Source

Built Distribution

linuxnet_iptables-7.4.4-py3-none-any.whl (114.5 kB view details)

Uploaded Python 3

File details

Details for the file linuxnet_iptables-7.4.4.tar.gz.

File metadata

  • Download URL: linuxnet_iptables-7.4.4.tar.gz
  • Upload date:
  • Size: 108.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.4.0 pkginfo/1.9.5 requests/2.27.1 requests-toolbelt/0.10.1 tqdm/4.52.0 CPython/3.10.14

File hashes

Hashes for linuxnet_iptables-7.4.4.tar.gz
Algorithm Hash digest
SHA256 9a59ad21f35b17130a838d311185cad73afcf1853e4290948764b43e17898a17
MD5 49d88b584c8e0e8076c472de5d0b1b86
BLAKE2b-256 b4e067f2e72d2a6b16981d2077e2a2e7b845a1718e0ad908020eb28f234b0ee6


File details

Details for the file linuxnet_iptables-7.4.4-py3-none-any.whl.

File metadata

  • Download URL: linuxnet_iptables-7.4.4-py3-none-any.whl
  • Upload date:
  • Size: 114.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.4.0 pkginfo/1.9.5 requests/2.27.1 requests-toolbelt/0.10.1 tqdm/4.52.0 CPython/3.10.14

File hashes

Hashes for linuxnet_iptables-7.4.4-py3-none-any.whl
Algorithm Hash digest
SHA256 4143fe5f8e0598b3f9b1a63cf9d40f01551aa708df0439c945e53682817b6189
MD5 29136198aece9edace895d3a1d35630e
BLAKE2b-256 191dec73a87f4293c80dcea53d1039a2c7f0cac6cc592b95dceeebfad9a7c286
