pyinfra 3.x
Iptables Operations¶
The iptables modules handles iptables rules
Facts used in these operations: iptables.Ip6tablesChains, iptables.Ip6tablesRules, iptables.IptablesChains, iptables.IptablesRules.
iptables.chain¶
Add/remove/update iptables chains.
iptables.chain(chain: str, present=True, table="filter", policy: str | None=None, version=4, **kwargs)
chain**: the name of the chain present**: whether the chain should exist table**: the iptables table this chain should belong to policy**: the policy this table should have version**: whether to target iptables or ip6tables
cy: These can only be applied to system chains (FORWARD, INPUT, OUTPUT, etc). Note:
This operation also inherits all global arguments.
iptables.rule¶
Add/remove iptables rules.
iptables.rule(
chain: str, jump: str, present: bool=True, table: str="filter", append: bool=True,
version: int=4, protocol: str | None=None, not_protocol: str | None=None,
source: str | None=None, not_source: str | None=None, destination: str | None=None,
not_destination: str | None=None, in_interface: str | None=None,
not_in_interface: str | None=None, out_interface: str | None=None,
not_out_interface: str | None=None, to_destination: str | None=None,
to_source: str | None=None, to_ports: int | str | None=None, log_prefix: str | None=None,
destination_port: int | None=None, source_port: int | None=None, extras: str="", **kwargs,
)
chain**: the chain this rule should live in jump**: the target of the rule table**: the iptables table this rule should belong to append**: whether to append or insert the rule (if not present) version**: whether to target iptables or ip6tables
bles args:
protocol/not_protocol**: filter by protocol (tcp or udp) source/not_source**: filter by source IPs destination/not_destination**: filter by destination IPs in_interface/not_in_interface**: filter by incoming interface out_interface/not_out_interface**: filter by outgoing interface to_destination**: where to route to when jump=DNAT to_source**: where to route to when jump=SNAT to_ports**: where to route to when jump=REDIRECT log_prefix**: prefix for the log of this rule when jump=LOG
as:
extras**: a place to define iptables extension arguments (eg –limit, –physdev) destination_port**: destination port (requires protocol) source_port**: source port (requires protocol)
amples:**
ode:: python
- iptables.rule(
name=”Block SSH traffic”, chain=”INPUT”, jump=”DROP”, destination_port=22,
)
- iptables.rule(
name=”NAT traffic on from 8.8.8.8:53 to 8.8.4.4:8080”, chain=”PREROUTING”, jump=”DNAT”, table=”nat”, source=”8.8.8.8”, destination_port=53, to_destination=”8.8.4.4:8080”,
) Note:
This operation also inherits all global arguments.