
iptables Operations

The iptables module handles iptables chains and rules.

Facts used in these operations: iptables.Ip6tablesChains, iptables.Ip6tablesRules, iptables.IptablesChains, iptables.IptablesRules.

iptables.chain

Add/remove/update iptables chains.

iptables.chain(
         chain: 'str',
         present=True,
         table='filter',
         policy: 'str | None' = None,
         version=4,
         **kwargs,
    )
  • chain: the name of the chain
  • present: whether the chain should exist
  • table: the iptables table this chain should belong to
  • policy: the policy this table should have
  • version: whether to target iptables or ip6tables

Policy: a policy can only be set on the built-in system chains (INPUT, OUTPUT, FORWARD, etc.), not on user-defined chains.

Global arguments

This operation also inherits all global arguments.

iptables.rule

Add/remove iptables rules.

iptables.rule(
         chain: 'str',
         jump: 'str',
         present: 'bool' = True,
         table: 'str' = 'filter',
         append: 'bool' = True,
         version: 'int' = 4,
         protocol: 'str | None' = None,
         not_protocol: 'str | None' = None,
         source: 'str | None' = None,
         not_source: 'str | None' = None,
         destination: 'str | None' = None,
         not_destination: 'str | None' = None,
         in_interface: 'str | None' = None,
         not_in_interface: 'str | None' = None,
         out_interface: 'str | None' = None,
         not_out_interface: 'str | None' = None,
         to_destination: 'str | None' = None,
         to_source: 'str | None' = None,
         to_ports: 'int | str | None' = None,
         log_prefix: 'str | None' = None,
         destination_port: 'int | None' = None,
         source_port: 'int | None' = None,
         extras: 'str' = '',
         **kwargs,
    )
  • chain: the chain this rule should live in
  • jump: the target of the rule
  • table: the iptables table this rule should belong to
  • append: whether to append or insert the rule (if not present)
  • version: whether to target iptables or ip6tables

Iptables args:

  • protocol/not_protocol: filter by protocol (tcp or udp)
  • source/not_source: filter by source IPs
  • destination/not_destination: filter by destination IPs
  • in_interface/not_in_interface: filter by incoming interface
  • out_interface/not_out_interface: filter by outgoing interface
  • to_destination: where to route to when jump=DNAT
  • to_source: where to route to when jump=SNAT
  • to_ports: where to route to when jump=REDIRECT
  • log_prefix: prefix for the log of this rule when jump=LOG

Extras:

  • extras: a place to define iptables extension arguments (eg --limit, --physdev)
  • destination_port: destination port (requires protocol)
  • source_port: source port (requires protocol)

Examples:

from pyinfra.operations import iptables

# destination_port requires a protocol (see "Extras" above), so the
# protocol must be given alongside the port match.
iptables.rule(
    name="Block SSH traffic",
    chain="INPUT",
    jump="DROP",
    protocol="tcp",
    destination_port=22,
)

# DNAT lives in the nat table and only takes effect in PREROUTING;
# to_destination is the rewritten destination when jump=DNAT.
iptables.rule(
    name="NAT traffic from 8.8.8.8:53 to 8.8.4.4:8080",
    chain="PREROUTING",
    jump="DNAT",
    table="nat",
    protocol="udp",
    source="8.8.8.8",
    destination_port=53,
    to_destination="8.8.4.4:8080",
)
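To make the argument set concrete, here is an added illustration (not pyinfra's own implementation) of how the documented arguments map onto an iptables/ip6tables command line, including the two documented constraints: destination_port/source_port require protocol, and to_destination/to_source/to_ports/log_prefix each belong to a specific jump target. The build_rule function and the exact argument-to-flag mapping are assumptions made for this example.

```python
# Added example: render iptables.rule-style arguments as an iptables command.
# This is an illustration of the documented argument semantics, not pyinfra's
# own code; the argument-to-flag mapping is an assumption for this example.
import shlex

# Match arguments and their iptables flags; each has a not_<name> negated form.
MATCH_FLAGS = {
    "protocol": "-p",
    "source": "-s",
    "destination": "-d",
    "in_interface": "-i",
    "out_interface": "-o",
}
# Target-specific arguments and the only jump target each is valid for.
TARGET_FLAGS = {
    "to_destination": ("DNAT", "--to-destination"),
    "to_source": ("SNAT", "--to-source"),
    "to_ports": ("REDIRECT", "--to-ports"),
    "log_prefix": ("LOG", "--log-prefix"),
}


def build_rule(chain, jump, present=True, table="filter", append=True,
               version=4, extras="", **args):
    binary = "iptables" if version == 4 else "ip6tables"
    # A present rule is appended (-A) or inserted at the top (-I); an absent one is deleted (-D).
    action = ("-A" if append else "-I") if present else "-D"
    parts = [binary, "-t", table, action, chain]
    # Port matches are only meaningful once a protocol is selected (documented requirement).
    if (args.get("destination_port") or args.get("source_port")) and not args.get("protocol"):
        raise ValueError("destination_port/source_port require protocol")
    for key, flag in MATCH_FLAGS.items():
        if args.get(key) is not None:
            parts += [flag, str(args[key])]
        if args.get(f"not_{key}") is not None:
            parts += ["!", flag, str(args[f"not_{key}"])]  # iptables negation syntax
    if args.get("destination_port") is not None:
        parts += ["--dport", str(args["destination_port"])]
    if args.get("source_port") is not None:
        parts += ["--sport", str(args["source_port"])]
    if extras:
        parts += extras.split()  # extension arguments such as --limit or --physdev
    parts += ["-j", jump]
    for key, (target, flag) in TARGET_FLAGS.items():
        if args.get(key) is not None:
            if jump != target:
                raise ValueError(f"{key} only applies when jump={target}")
            parts += [flag, shlex.quote(str(args[key]))]
    return " ".join(parts)
```

Running build_rule with the two documented examples reproduces the equivalent iptables invocations; omitting protocol while passing destination_port, or passing to_destination with a jump other than DNAT, raises ValueError instead of producing an invalid rule.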

Global arguments

This operation also inherits all global arguments.