2013-12-22 50 views
6

I'm trying to write a script with python-iptables to set up specific rules. I figured out how to write rules that allow everything or drop everything, but I need to work out how to write the rules for established connections.
How to write specific iptables rules using python-iptables

For example, I need to write the following iptables rules using python-iptables:

iptables -A INPUT -m state --state  RELATED,ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 

If anyone has first-hand knowledge of writing the above or similar rules, or knows a good resource, I'd greatly appreciate it. Thanks in advance!

Here is the finished product. I plan to add more rule options so users can allow http/s and other connections if they want to. Thanks for all the help.

import iptc

def dropAll():
    # default deny: drop anything arriving on an ethernet interface (eth0, eth1, ...)
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
    rule = iptc.Rule()
    rule.in_interface = "eth+"
    target = iptc.Target(rule, "DROP")
    rule.target = target
    chain.insert_rule(rule)

def allowLoopback():
    # iptables -A INPUT -i lo -j ACCEPT
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
    rule = iptc.Rule()
    rule.in_interface = "lo"
    target = iptc.Target(rule, "ACCEPT")
    rule.target = target
    chain.insert_rule(rule)

def allowEstablished():
    # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'INPUT')
    rule = iptc.Rule()
    match = rule.create_match('state')
    match.state = "RELATED,ESTABLISHED"
    rule.target = iptc.Target(rule, 'ACCEPT')
    chain.insert_rule(rule)

# insert_rule() prepends, so the last call ends up first in the chain:
# RELATED/ESTABLISHED, then loopback, then the catch-all DROP
dropAll()
allowLoopback()
allowEstablished()
+0

Okay guys, this is what I have working now. The third rule was the problem child, but everything works now. I plan to add several optional rules to allow http/s, ssh etc. as the user wishes. Thanks for your help. – h33th3n

+0

Does anyone have a clue how I might turn the above into a class for writing rules? Would I just turn the above into an object with each of the functions inside it? – h33th3n

Answers

4

I haven't tried python-iptables, but it looks like you need something like:

import iptc

rule = iptc.Rule()
match = rule.create_match('state')
match.state = 'RELATED,ESTABLISHED'
# the target belongs to the rule, not the match, and takes the rule as first argument
rule.target = iptc.Target(rule, 'ACCEPT')

chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.insert_rule(rule)

etc.

+1

I'll give this a try today and report back. Thanks for your help. – h33th3n
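Putting the question's two rules together with the approach from this answer, as an added example that is not part of the question or of either answer: each rule spec is rendered both to its `iptables` command line (handy for auditing, or for an `iptables -C` existence check) and to an `iptc.Rule`, and rules are appended only when an identical rule is not already in the chain, so re-running the script does not pile up duplicates. The `iptc` calls mirror those on this page; `Rule` equality via `==` is assumed from the python-iptables API, and applying the rules requires root.

```python
import subprocess

# Desired filter-table rules, top to bottom, mirroring the two iptables
# commands in the question (constructed spec, not part of the original post).
STATE_RULES = [
    {"chain": "INPUT",  "states": ["RELATED", "ESTABLISHED"],        "target": "ACCEPT"},
    {"chain": "OUTPUT", "states": ["NEW", "RELATED", "ESTABLISHED"], "target": "ACCEPT"},
]

def to_iptables_args(spec, action="-A"):
    """Render a spec as the equivalent iptables argv, e.g. to log what the
    script is about to change or to run an 'iptables -C' existence check."""
    return ["iptables", action, spec["chain"], "-m", "state",
            "--state", ",".join(spec["states"]), "-j", spec["target"]]

def to_iptc_rule(spec):
    """Build the python-iptables Rule for a spec (same calls as this answer)."""
    import iptc  # imported lazily: needs libiptc and root only when actually applying
    rule = iptc.Rule()
    match = rule.create_match("state")
    match.state = ",".join(spec["states"])
    rule.target = iptc.Target(rule, spec["target"])
    return rule

def apply_state_rules(specs=STATE_RULES):
    """Append each rule only if an identical one is not already in the chain.
    append_rule keeps the chain in the same order as the spec list, whereas
    insert_rule (used in the question's script) prepends and so reverses it.
    Returns the chains that actually received a new rule."""
    import iptc
    table = iptc.Table(iptc.Table.FILTER)
    added = []
    for spec in specs:
        chain = iptc.Chain(table, spec["chain"])
        rule = to_iptc_rule(spec)
        # assumption: iptc.Rule.__eq__ compares matches and target, so an
        # identical existing rule compares equal
        if any(rule == existing for existing in chain.rules):
            continue
        chain.append_rule(rule)
        added.append(spec["chain"])
    return added

def rule_present_cli(spec):
    """Same existence check via the CLI: 'iptables -C' exits 0 iff the rule exists."""
    proc = subprocess.run(to_iptables_args(spec, "-C"),
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0
```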

2

Try this

import subprocess

# equivalent of: iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
p = subprocess.Popen(["iptables", "-A", "INPUT", "-p", "tcp", "-m", "tcp", "--dport", "22", "-j", "ACCEPT"], stdout=subprocess.PIPE)
output, err = p.communicate()
print(output)
+1

I actually already have it working with subprocess, which may be the better approach. I just came across python-iptables and was hoping to implement the rules using the library. However, I wasn't using the "output, err = p.communicate()" line to print the output; I may add that to the code I already have working. – h33th3n

+1

h33th3n, did you end up using the Python library or just calling subprocess? How did your decision work out? –

0

I know this is old, but I finally got a working script and hope someone finds it useful.

import iptc

class pop_table:
    def __init__(self, table_name):
        self.table = iptc.Table(table_name)
        self.chains = dict()

        # wrap every existing chain of the table by name
        for i in self.table.chains:
            self.chains[i.name] = iptc.Chain(self.table, i.name)

        self.method = {'append': self.append,
                       'insert': self.insert}

    def append(self, chain, rule):
        tmp = self.chains[chain]
        tmp.append_rule(rule)

    def insert(self, chain, rule):
        tmp = self.chains[chain]
        tmp.insert_rule(rule)


class make_rule(iptc.Rule):
    def __init__(self):
        iptc.Rule.__init__(self)

        # rule keys from the rule dict are dispatched to these setters
        self.method = {'block': self.block,
                       'snat': self.snat,
                       'allow': self.allow,
                       'i_iface': self.i_iface,
                       'o_iface': self.o_iface,
                       'source': self.source,
                       'destination': self.destination}

    # block/allow need no parameter, but add_rule passes the dict value for
    # every key, so accept and ignore it instead of raising TypeError
    def block(self, _value=None):
        t = iptc.Target(self, 'REJECT')
        self.target = t

    def snat(self, snat_ip):
        t = iptc.Target(self, 'SNAT')
        t.to_source = snat_ip
        self.target = t

    def allow(self, _value=None):
        t = iptc.Target(self, 'ACCEPT')
        self.target = t

    def i_iface(self, iface):
        self.in_interface = iface

    def o_iface(self, iface):
        self.out_interface = iface

    def source(self, netaddr):
        self.src = netaddr

    def destination(self, netaddr):
        self.dst = netaddr

class phyawall:
    def __init__(self):
        self.list = []

    def add_rule(self, rule_dict):
        tbl = pop_table(rule_dict['tblchn']['table'])
        chn = rule_dict['tblchn']['chain']
        act = tbl.method[rule_dict['tblchn']['action']]
        tmp = make_rule()

        for i in rule_dict['rule']:
            tmp.method[i](rule_dict['rule'][i])
        act(chn, tmp)

#
#
# Testing :: below will go into main app
#

phyrule = dict()
phyrule['tblchn'] = dict()
phyrule['tblchn']['table'] = 'nat'
phyrule['tblchn']['chain'] = 'POSTROUTING'
phyrule['tblchn']['action'] = 'append'
phyrule['rule'] = dict()
phyrule['rule']['o_iface'] = 'ens3'
phyrule['rule']['snat'] = '10.1.2.250'
phyrule['rule']['source'] = '6.9.6.9'
phyrule['rule']['destination'] = '9.6.9.6'


a = phyawall()
a.add_rule(phyrule)