【Question title】: How to write specific iptables rules using python-iptables
【Posted】: 2014-01-11 03:03:55
【Question description】:

I'm trying to write a script with python-iptables to set up certain rules. I've figured out how to set rules that allow all and deny all, but I need to work out how to write the rule that allows established connections.

For example, I need to write the following rules with python-iptables:

iptables -A INPUT  -m state --state     RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

If anyone has first-hand knowledge or knows a good resource for writing the above or similar rules, I'd appreciate it. Thanks in advance!

Here is the finished product. I plan to add more rule options so the user can allow connections such as http/s as needed. Thanks for all the help.

import iptc

# Note: insert_rule() puts the rule at the TOP of the chain, so the final
# order is the reverse of the call order below: state match first, then
# loopback, then the catch-all drop on eth+.

def dropAll():
    # Drop everything arriving on any interface whose name starts with "eth"
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
    rule = iptc.Rule()
    rule.in_interface = "eth+"
    target = iptc.Target(rule, "DROP")
    rule.target = target
    chain.insert_rule(rule)

def allowLoopback():
    # Accept all traffic on the loopback interface
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
    rule = iptc.Rule()
    rule.in_interface = "lo"
    target = iptc.Target(rule, "ACCEPT")
    rule.target = target
    chain.insert_rule(rule)

def allowEstablished():
    # Equivalent of: iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'INPUT')
    rule = iptc.Rule()
    match = rule.create_match('state')
    match.state = "RELATED,ESTABLISHED"
    rule.target = iptc.Target(rule, 'ACCEPT')
    chain.insert_rule(rule)

dropAll()
allowLoopback()
allowEstablished()

【Question discussion】:

  • OK guys, this is what I have working now. The third rule was the problem child, but everything works now. I plan to add several optional rules to allow http/s, ssh, etc. if the user wants them. Thanks for your help.
  • Does anyone know how I could turn the above into a class for writing rules? Could I turn the above into an object containing each function?

Tags: python iptables
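The two rules from the question, built with python-iptables, as an added example (my code, not the asker's or the library's). The helper names, the spec dictionaries and the validation lists are my own; the iptc calls are the same ones the question already uses. Because iptc needs root and libiptc, it is imported only inside the function that applies the rules, so the spec-to-argv rendering can be run and reviewed on any machine first:

```python
"""Build the INPUT/OUTPUT state rules from the question with python-iptables.

Assumptions (not from the original post): spec dicts, validate_spec and
to_iptables_argv are constructed helpers; iptc.Rule equality is used to
detect an already-present rule, as python-iptables implements it.
"""

# Constructed specs mirroring the two iptables commands in the question
STATE_RULES = [
    {"chain": "INPUT",  "states": ("RELATED", "ESTABLISHED")},
    {"chain": "OUTPUT", "states": ("NEW", "RELATED", "ESTABLISHED")},
]

# Values accepted by the iptables "state" match and the filter table's built-in chains
VALID_STATES = {"NEW", "RELATED", "ESTABLISHED", "INVALID", "UNTRACKED"}
VALID_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}


def validate_spec(spec):
    """Refuse anything that is not a plain state rule on a filter chain."""
    if spec["chain"] not in VALID_CHAINS:
        raise ValueError("unexpected chain %r" % (spec["chain"],))
    unknown = set(spec["states"]) - VALID_STATES
    if unknown:
        raise ValueError("unknown connection states: %s" % sorted(unknown))
    return spec


def is_valid_spec(spec):
    """Boolean form of validate_spec for callers that do not want exceptions."""
    try:
        validate_spec(spec)
        return True
    except ValueError:
        return False


def to_iptables_argv(spec):
    """Render a spec as the equivalent iptables command line, for review or logging."""
    validate_spec(spec)
    return ["iptables", "-A", spec["chain"], "-m", "state",
            "--state", ",".join(spec["states"]), "-j", "ACCEPT"]


def to_iptc_rule(spec, iptc):
    """Build the python-iptables Rule for a spec (iptc module passed in to allow lazy import)."""
    validate_spec(spec)
    rule = iptc.Rule()
    match = rule.create_match("state")
    match.state = ",".join(spec["states"])
    rule.target = iptc.Target(rule, "ACCEPT")
    return rule


def apply_state_rules(specs=STATE_RULES):
    """Append each rule once to its filter chain; returns the argv of rules actually added."""
    import iptc  # requires root and libiptc, so only imported here
    table = iptc.Table(iptc.Table.FILTER)
    added = []
    for spec in specs:
        chain = iptc.Chain(table, spec["chain"])
        rule = to_iptc_rule(spec, iptc)
        # Assumption: iptc.Rule compares matches and target, so this skips duplicates
        if rule in chain.rules:
            continue
        chain.append_rule(rule)  # append keeps the order in which rules are defined
        added.append(to_iptables_argv(spec))
    return added


if __name__ == "__main__":
    for s in STATE_RULES:
        print(" ".join(to_iptables_argv(s)))
    apply_state_rules()
```

append_rule is used instead of the question's insert_rule so that the order of the spec list is the order in the chain; with insert_rule every call prepends, and the last call ends up evaluated first. Checking chain.rules before appending keeps the script idempotent when it is run more than once, which matters because a duplicated ACCEPT rule is harmless but a duplicated ordering mistake is not.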


【Solution 1】:

Try this:

import subprocess

# Call the iptables binary directly with an argument list (no shell involved),
# appending an ACCEPT rule for TCP port 22 to the INPUT chain, then read its output.
p = subprocess.Popen(["iptables", "-A", "INPUT", "-p", "tcp", "-m", "tcp", "--dport", "22", "-j", "ACCEPT"],
                     stdout=subprocess.PIPE)
output, err = p.communicate()
print(output)

【Discussion】:

  • I actually already have this working using subprocess, and that may well be the better way anyway. I just came across python-iptables and wanted to use that library to implement the rules. However, I wasn't using the "output, err = p.communicate()" and "print output" lines; I may add them to my already working code.
  • h33th3n, did you end up using the python library, or just calling subprocess? What ultimately drove your decision?
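The subprocess route from this answer, written the way I would deploy it, as an added example (my code, not the answerer's). It assumes the real iptables binary and its -C (check) option, which exits 0 when an identical rule already exists; the FakeIptables class is a constructed stand-in so the logic can be exercised without root:

```python
"""Append an 'allow TCP port' rule via the iptables binary, once, with validated input.

Assumptions (not from the answer): allow_tcp_port and FakeIptables are my
helpers; the injectable runner defaults to the real iptables command.
"""
import subprocess


def _run_iptables(args):
    """Default runner: argv list, no shell, returns the exit status only."""
    return subprocess.run(["iptables"] + args,
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def allow_tcp_port(port, chain="INPUT", run=_run_iptables):
    """Append an ACCEPT rule for TCP <port> to <chain> unless it already exists.

    Returns True when the rule was appended, False when it was already present.
    """
    port = int(port)  # anything that is not a plain integer is rejected here
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if chain not in ("INPUT", "OUTPUT", "FORWARD"):
        raise ValueError("unexpected chain: %r" % (chain,))
    spec = [chain, "-p", "tcp", "-m", "tcp", "--dport", str(port), "-j", "ACCEPT"]
    if run(["-C"] + spec) == 0:
        return False  # identical rule already in the chain
    status = run(["-A"] + spec)
    if status != 0:
        raise RuntimeError("iptables -A failed with exit status %d" % status)
    return True


class FakeIptables:
    """Constructed in-memory stand-in for the binary: models -C and -A on a rule list."""

    def __init__(self):
        self.rules = []

    def __call__(self, args):
        op, spec = args[0], args[1:]
        if op == "-C":
            return 0 if spec in self.rules else 1
        if op == "-A":
            self.rules.append(spec)
            return 0
        return 2  # unknown operation, like a usage error from iptables


if __name__ == "__main__":
    fake = FakeIptables()
    print(allow_tcp_port(22, run=fake))   # True: appended
    print(allow_tcp_port(22, run=fake))   # False: already there
    print(fake.rules)
```

The points worth copying are the argv list without shell=True, the range check on the port before it reaches the command line, and the -C probe so that re-running the script does not stack identical rules in the chain.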
【Solution 2】:

I haven't tried python-iptables, but it looks like you need something along these lines:

import iptc

rule = iptc.Rule()
match = rule.create_match('state')
match.state = 'RELATED,ESTABLISHED'
rule.target = iptc.Target(rule, 'ACCEPT')   # the target belongs to the rule, not the match

chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.insert_rule(rule)

and so on.

【Discussion】:

  • I'll give it a try today and report back to you all. Thanks for your help.
【Solution 3】:

I know this is old, but I finally got a working script; hopefully someone will find it useful.

import iptc

class pop_table:
    """Wraps one table and exposes its chains plus append/insert by name."""
    def __init__(self, table_name):
        self.table = iptc.Table(table_name)
        self.chains = dict()

        for i in self.table.chains:
            self.chains[i.name] = iptc.Chain(self.table, i.name)

        self.method = {'append': self.append,
                       'insert': self.insert}

    def append(self, chain, rule):
        tmp = self.chains[chain]
        tmp.append_rule(rule)

    def insert(self, chain, rule):
        tmp = self.chains[chain]
        tmp.insert_rule(rule)


class make_rule(iptc.Rule):
    """A Rule whose fields are set by name through the method dictionary."""
    def __init__(self):
        iptc.Rule.__init__(self)

        self.method={'block': self.block,
                     'snat': self.snat,
                     'allow': self.allow,
                     'i_iface': self.i_iface,
                     'o_iface': self.o_iface,
                     'source': self.source,
                     'destination': self.destination}

    # block/allow take (and ignore) one argument so they can be driven from the
    # rule dict in add_rule, which always passes the dict value
    def block(self, _=None):
        t = iptc.Target(self, 'REJECT')
        self.target = t

    def snat(self, snat_ip):
        t = iptc.Target(self, 'SNAT')
        t.to_source = snat_ip
        self.target = t

    def allow(self, _=None):
        t = iptc.Target(self, 'ACCEPT')
        self.target = t

    def i_iface(self, iface):
        self.in_interface = iface

    def o_iface(self, iface):
        self.out_interface = iface

    def source(self, netaddr):
        self.src = netaddr

    def destination(self, netaddr):
        self.dst = netaddr

class phyawall:
    def __init__(self):
        self.list = []

    def add_rule(self, rule_dict):
        # rule_dict['tblchn'] selects table, chain and append/insert;
        # rule_dict['rule'] maps make_rule method names to their arguments
        tbl = pop_table(rule_dict['tblchn']['table'])
        chn = rule_dict['tblchn']['chain']
        act = tbl.method[rule_dict['tblchn']['action']]
        tmp = make_rule()

        for i in rule_dict['rule']:
            tmp.method[i](rule_dict['rule'][i])
        act(chn, tmp)

#
#
# Testing :: below will go into main app
#

phyrule = dict()
phyrule['tblchn'] = dict()
phyrule['tblchn']['table'] = 'nat'
phyrule['tblchn']['chain'] = 'POSTROUTING'
phyrule['tblchn']['action'] = 'append'
phyrule['rule'] = dict()
phyrule['rule']['o_iface'] = 'ens3'
phyrule['rule']['snat'] = '10.1.2.250'
phyrule['rule']['source'] = '6.9.6.9'
phyrule['rule']['destination'] = '9.6.9.6'


a = phyawall()
a.add_rule(phyrule)

【Discussion】:
