How to write specific iptables rules with python-iptables
I'm trying to write a script with python-iptables that sets up certain rules. I know how to set rules to allow all and deny all, but I need to know how to write rules that allow established connections. For example, I need to write the following rules using python-iptables:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
If anyone has first-hand knowledge, or knows a good resource on writing the above or similar rules, I'd be very grateful. Thanks in advance.
Here's the finished product. I plan to add more rule options so that users can allow connections such as http/s as needed. Thanks for all the help.
import iptc

def dropAll():
    # Default deny: drop everything arriving on any eth* interface
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
    rule = iptc.Rule()
    rule.in_interface = "eth+"
    target = iptc.Target(rule, "DROP")
    rule.target = target
    chain.insert_rule(rule)

def allowLoopback():
    # Local traffic on lo is always accepted
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
    rule = iptc.Rule()
    rule.in_interface = "lo"
    target = iptc.Target(rule, "ACCEPT")
    rule.target = target
    chain.insert_rule(rule)

def allowEstablished():
    # Equivalent of: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'INPUT')
    rule = iptc.Rule()
    match = rule.create_match('state')
    match.state = "RELATED,ESTABLISHED"
    rule.target = iptc.Target(rule, 'ACCEPT')
    chain.insert_rule(rule)

# insert_rule() puts each rule at the top of the chain, so after these three
# calls the INPUT chain reads: RELATED,ESTABLISHED accept, lo accept, eth+ drop
dropAll()
allowLoopback()
allowEstablished()
Try this
import subprocess

# Argument list (no shell), so nothing needs quoting
p = subprocess.Popen(["iptables", "-A", "INPUT", "-p", "tcp", "-m", "tcp", "--dport", "22", "-j", "ACCEPT"], stdout=subprocess.PIPE)
output, err = p.communicate()
print(output.decode())
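As an added example that is not code from the question or from any of the answers, the following combines the two approaches on this page: it describes the question's two stateful rules once, renders each either as an iptables argument list for subprocess or as an iptc.Rule for python-iptables, and checks with `iptables -C` (or iptc rule equality) before adding, so rerunning the script does not append the same rule twice. The StateRule class, apply_rule and apply_rule_iptc names are assumptions of this example; applying the rules needs root and iptables/libiptc on the host.

```python
import subprocess
from dataclasses import dataclass

try:
    import iptc  # python-iptables; optional, so the argv path works without libiptc
except ImportError:
    iptc = None

@dataclass
class StateRule:
    """One '-m state --state ... -j TARGET' filter rule, like the two in the question."""
    chain: str      # "INPUT" or "OUTPUT"
    states: tuple   # e.g. ("RELATED", "ESTABLISHED")
    target: str = "ACCEPT"

    def argv(self, action="-A"):
        # Argument list, never a shell string: nothing to quote, nothing to inject.
        return ["iptables", action, self.chain, "-m", "state",
                "--state", ",".join(self.states), "-j", self.target]

    def to_iptc(self):
        # The same rule as an iptc.Rule (requires python-iptables; root to apply).
        rule = iptc.Rule()
        match = rule.create_match("state")
        match.state = ",".join(self.states)
        rule.target = iptc.Target(rule, self.target)
        return rule

def apply_rule(rule, run=subprocess.run):
    """CLI path. Returns True if the rule was added, False if it already existed.
    'iptables -C' exits 0 when an identical rule is present, so reruns of the
    script do not stack duplicates. 'run' is injectable for offline tests."""
    if run(rule.argv("-C"), capture_output=True).returncode == 0:
        return False
    run(rule.argv("-A"), check=True)  # raise on failure instead of ignoring it
    return True

def apply_rule_iptc(rule):
    """python-iptables path; uses iptc.Rule equality to skip an existing rule."""
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), rule.chain)
    new = rule.to_iptc()
    if any(existing == new for existing in chain.rules):
        return False
    chain.append_rule(new)
    return True

# Constructed from the two commands in the question
RULES = [StateRule("INPUT", ("RELATED", "ESTABLISHED")),
         StateRule("OUTPUT", ("NEW", "RELATED", "ESTABLISHED"))]
```

Run `apply_rule(r)` (or `apply_rule_iptc(r)`) for each entry in RULES as root; on a machine without iptables, `r.argv()` alone shows the exact command that would be executed.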
I haven't tried python-iptables, but it looks like you need something like the following:
import iptc

rule = iptc.Rule()
match = rule.create_match('state')
match.state = 'RELATED,ESTABLISHED'
rule.target = iptc.Target(rule, 'ACCEPT')   # the target belongs to the rule, not the match
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.insert_rule(rule)
and so on.
I know this is an old thread, but I finally got a working script and hope someone finds it useful:
import iptc

class pop_table:
    def __init__(self, table_name):
        # Look up every chain of the table once, keyed by name
        self.table = iptc.Table(table_name)
        self.chains = dict()
        for i in self.table.chains:
            self.chains[i.name] = iptc.Chain(self.table, i.name)
        self.method = {'append': self.append,
                       'insert': self.insert}

    def append(self, chain, rule):
        tmp = self.chains[chain]
        tmp.append_rule(rule)

    def insert(self, chain, rule):
        tmp = self.chains[chain]
        tmp.insert_rule(rule)

class make_rule(iptc.Rule):
    def __init__(self):
        iptc.Rule.__init__(self)
        # Maps the keys of a rule dict to the setter that handles them
        self.method = {'block': self.block,
                       'snat': self.snat,
                       'allow': self.allow,
                       'i_iface': self.i_iface,
                       'o_iface': self.o_iface,
                       'source': self.source,
                       'destination': self.destination}

    def block(self, _=None):
        # add_rule() always passes the dict value, so accept and ignore it
        t = iptc.Target(self, 'REJECT')
        self.target = t

    def snat(self, snat_ip):
        t = iptc.Target(self, 'SNAT')
        t.to_source = snat_ip
        self.target = t

    def allow(self, _=None):
        # add_rule() always passes the dict value, so accept and ignore it
        t = iptc.Target(self, 'ACCEPT')
        self.target = t

    def i_iface(self, iface):
        self.in_interface = iface

    def o_iface(self, iface):
        self.out_interface = iface

    def source(self, netaddr):
        self.src = netaddr

    def destination(self, netaddr):
        self.dst = netaddr

class phyawall:
    def __init__(self):
        self.list = []

    def add_rule(self, rule_dict):
        tbl = pop_table(rule_dict['tblchn']['table'])
        chn = rule_dict['tblchn']['chain']
        act = tbl.method[rule_dict['tblchn']['action']]
        tmp = make_rule()
        for i in rule_dict['rule']:
            tmp.method[i](rule_dict['rule'][i])
        act(chn, tmp)

#
#
# Testing :: below will go into main app
#
phyrule = dict()
phyrule['tblchn'] = dict()
phyrule['tblchn']['table'] = 'nat'
phyrule['tblchn']['chain'] = 'POSTROUTING'
phyrule['tblchn']['action'] = 'append'
phyrule['rule'] = dict()
phyrule['rule']['o_iface'] = 'ens3'
phyrule['rule']['snat'] = '10.1.2.250'
phyrule['rule']['source'] = '6.9.6.9'
phyrule['rule']['destination'] = '9.6.9.6'
a = phyawall()
a.add_rule(phyrule)
I'll give it a shot today and then report back. Thanks for your help.
Actually, I already have it working using subprocess, which may be the better approach. I just came across python-iptables and wanted to implement the rules with that library. I didn't use the "output, err = p.communicate()" print-output line, though; I may add that to the code I already have working.
h33th3n, did you end up using the Python library, or just calling subprocess? What ultimately drove your decision?
OK guys, here's what I'm doing now. The third rule was the problem child, but everything works now. I plan to add several optional rules to allow http/s, ssh, etc. if the user wants them. Thanks for your help.
Does anyone know how I could turn the above into a class for writing rules? Could I turn the above into an object that contains each function?