Iptables Operations

The iptables modules handles iptables rules

Facts used in these operations: iptables.Ip6tablesChains, iptables.Ip6tablesRules, iptables.IptablesChains, iptables.IptablesRules.

iptables.chain

Add/remove/update iptables chains.

iptables.chain(chain: str, present=True, table="filter", policy: str | None=None, version=4, **kwargs)

  • chain: the name of the chain

  • present: whether the chain should exist

  • table: the iptables table this chain should belong to

  • policy: the policy this table should have

  • version: whether to target iptables or ip6tables

Policy:

These can only be applied to system chains (FORWARD, INPUT, OUTPUT, etc).

Note:

This operation also inherits all global arguments.

iptables.rule

Add/remove iptables rules.

iptables.rule(
    chain: str, jump: str, present: bool=True, table: str="filter", append: bool=True,
    version: int=4, protocol: str | None=None, not_protocol: str | None=None,
    source: str | None=None, not_source: str | None=None, destination: str | None=None,
    not_destination: str | None=None, in_interface: str | None=None,
    not_in_interface: str | None=None, out_interface: str | None=None,
    not_out_interface: str | None=None, to_destination: str | None=None,
    to_source: str | None=None, to_ports: int | str | None=None, log_prefix: str | None=None,
    destination_port: int | None=None, source_port: int | None=None, extras: str="", **kwargs,
)

  • chain: the chain this rule should live in

  • jump: the target of the rule

  • table: the iptables table this rule should belong to

  • append: whether to append or insert the rule (if not present)

  • version: whether to target iptables or ip6tables

Iptables args:

  • protocol/not_protocol: filter by protocol (tcp or udp)

  • source/not_source: filter by source IPs

  • destination/not_destination: filter by destination IPs

  • in_interface/not_in_interface: filter by incoming interface

  • out_interface/not_out_interface: filter by outgoing interface

  • to_destination: where to route to when jump=DNAT

  • to_source: where to route to when jump=SNAT

  • to_ports: where to route to when jump=REDIRECT

  • log_prefix: prefix for the log of this rule when jump=LOG

Extras:

  • extras: a place to define iptables extension arguments (eg –limit, –physdev)

  • destination_port: destination port (requires protocol)

  • source_port: source port (requires protocol)

Examples:

iptables.rule(
    name="Block SSH traffic",
    chain="INPUT",
    jump="DROP",
    destination_port=22,
)

iptables.rule(
    name="NAT traffic on from 8.8.8.8:53 to 8.8.4.4:8080",
    chain="PREROUTING",
    jump="DNAT",
    table="nat",
    source="8.8.8.8",
    destination_port=53,
    to_destination="8.8.4.4:8080",
)
Note:

This operation also inherits all global arguments.