iptables 0.0.1

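--- /dev/null
+++ b/[PATH NOT SHOWN]
@@ -0,0 +1,3 @@
+ Gemfile.lock
+ *.gem
+ .*.swp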
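--- /dev/null
+++ b/[PATH NOT SHOWN]
@@ -0,0 +1 @@
+ ruby-1.8.7@ruby-iptables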
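--- /dev/null
+++ b/[PATH NOT SHOWN]
@@ -0,0 +1,12 @@
+ language: ruby
+ script: "bundle exec rspec spec --format documentation"
+ rvm:
+ - 1.8.7
+ - 1.9.3
+ - 2.0.0
+ - ruby-head
+ matrix:
+ allow_failures:
+ - rvm: ruby-head
+ notifications:
+ email: false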
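--- /dev/null
+++ b/data/Gemfile
@@ -0,0 +1,3 @@
+ source :rubygems
+
+ gemspec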
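Review bot: `source :rubygems` on the first line is the deprecated symbol form; Bundler warns that it is insecure because it does not pin an explicit URL and older versions resolved it to a plain-http endpoint. Replacing it with `source "https://rubygems.org"` names the source explicitly and keeps gem downloads on TLS.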
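--- /dev/null
+++ b/[PATH NOT SHOWN]
@@ -0,0 +1,17 @@
+ iptables gem
+ ------------
+
+ This gem provides a library that is a higher-level abstration for iptables. It can be used for parsing `iptables-save` output and producing `iptables-restore` compatible output.
+
+ Tools
+ =====
+
+ ### iptables-decode
+
+ This tool takes in the output of iptables-save and returns a hash in JSON. This is useful for debugging the parser. You can either run iptabes-save directly:
+
+ iptables-save | iptables-decode
+
+ Or pipe from the persisted file:
+
+ cat /etc/iptables/rules.v4 | iptables-decode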
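--- /dev/null
+++ b/[PATH NOT SHOWN]
@@ -0,0 +1,18 @@
+ #!/usr/bin/env ruby
+
+ require 'rubygems'
+ require 'json'
+ require 'pp'
+ begin
+ require 'iptables'
+ rescue LoadError => e
+ begin
+ require 'bundler/setup'
+ Bundler.require :default
+ rescue LoadError
+ raise e
+ end
+ end
+
+ #pp Iptables.decode(STDIN.read)
+ jj Iptables.decode(STDIN.read)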
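Review bot: `require 'pp'` is kept only for the commented-out `#pp Iptables.decode(STDIN.read)` line below it; dead code and the dependency it needed should be removed together, leaving `jj` from 'json' as the sole output path. The nested begin/rescue that falls back to Bundler is sensible for a development checkout but reads as a puzzle without a comment; `# Not installed as a gem: fall back to the Bundler-managed checkout` above the inner `begin` would explain why the original LoadError is kept and re-raised.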
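--- /dev/null
+++ b/[PATH NOT SHOWN]
@@ -0,0 +1,21 @@
+ # -*- encoding: utf-8 -*-
+ Gem::Specification.new do |s|
+ # Metadata
+ s.name = "iptables"
+ s.version = "0.0.1"
+ s.authors = ["Ken Barber"]
+ s.email = ["ken@bob.sh"]
+ s.homepage = "https://github.com/kbarber/ruby-iptables"
+ s.summary = "iptables-save encoder/decoder"
+
+ # Manifest
+ s.files = `git ls-files`.split("\n")
+ s.test_files = `git ls-files -- {test,spec,features}/*_spec.rb`.split("\n")
+ s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+ s.require_paths = ["lib"]
+
+ # Dependencies
+ s.required_ruby_version = '>= 1.8.7'
+ s.add_runtime_dependency "json"
+ s.add_development_dependency "rspec"
+ end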
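Review bot: `s.version = "0.0.1"` disagrees with `VERSION = '1.0.0'` declared in the library in the same commit, so the `:ruby_iptables_version` metadata that `decode` emits will report 1.0.0 for a 0.0.1 gem; derive one from the other or align the two constants. The three `git ls-files` shell-outs under `# Manifest` make the gem buildable only from a git checkout, which is conventional but deserves a one-line comment such as `# Manifest is derived from the git index; build from a clean checkout`. Neither `json` nor `rspec` carries a version constraint, which leaves the 1.8.7 build in the rvm matrix exposed to whichever latest release happens to install.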
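--- /dev/null
+++ b/[PATH NOT SHOWN]
@@ -0,0 +1,327 @@
+ # This class encodes and decodes iptables style -save and -restore formats
+ #
+ # @version 1.0.0
+ class Iptables
+
+ VERSION = '1.0.0'
+
+ # Takes the output for iptables-save returning a hash
+ #
+ # @example Decode iptables-save output
+ # Iptables.decode(`iptables-save`)
+ # @param text [String] the raw output of iptables-save
+ # @param opts [Hash] options for the decoder
+ # @option opts [Bool] :debug If true, turns on debugging output
+ # @option opts [String] :iptables_compatibilty version of iptables to be
+ # compatible with. Since some versions differ wildly, this might be
+ # necessary.
+ # @return [Hash] returns a hash containing the parsed rules
+ # @see Iptables::Decoder
+ def self.decode(text, opts = {})
+ decoder = Decoder.new(opts)
+ decoder.decode(text)
+ end
+
+ # This is the internal Decoder class used by methods in the main class.
+ class Decoder
+ # @!attribute r opts
+ # @return [Hash] Options hash set on initialization
+ attr_reader :opts
+
+ # Initialize the decoder object
+ #
+ # @param opts [Hash] a hash of options
+ # @option opts [Bool] :debug If true, turns on debugging output
+ # @option opts [String] :iptables_compatibilty version of iptables to be
+ # compatible with. Since some versions differ wildly, this might be
+ # necessary.
+ def initialize(opts = {})
+ @opts = {
+ :debug => false,
+ :iptables_compatibility => nil,
+ }.merge(opts)
+ end
+
+ # Decodes iptables-save input into a normalized hash
+ #
+ # @param text [String] the raw output of iptables-save
+ # @return [Hash] returns a hash containing the parsed rules
+ # @raise [Iptables::IptablesException] raised on a known exception
+ def decode(text)
+ {
+ :metadata => {
+ :ruby_iptables_version => VERSION,
+ :iptables_compatibility => opts[:iptables_compatibility],
+ },
+ :result => parse_iptables_save(text),
+ }
+ end
+
+ # Takes raw iptables-save input, returns a data hash
+ #
+ # @api private
+ # @param text [String] the raw output of iptables-save
+ # @return [Hash] returns a hash containing the parsed rules
+ # @raise [Iptables::NoTable] raised if a rule is passed without a prior
+ # table declaration
+ def parse_iptables_save(text)
+ # Set the table to nil to begin with so we can detect append lines with no
+ # prior table decleration.
+ table = nil
+
+ # Input line number for debugging later
+ original_line_number = 0
+
+ # Hash for storing the final result
+ hash = {}
+
+ text.each_line do |line|
+
+ # If we find a table declaration, change table
+ if line =~ /^\*([a-z]+)$/
+ table = $1
+ debug("Found table [#{table}] on line [#{original_line_number}]")
+ end
+
+ # If we find an append line, parse it
+ if line =~ /^-A (\S+)/
+ raise NoTable, "Found an append line [#{line}] on line [#{input_line}], but no table yet" if table.nil?
+
+ chain = $1
+ line_hash = parse_append_line(line)
+
+ line_hash[:source] = {
+ :original_line => line,
+ :original_line_number => original_line_number,
+ }
+
+ hash[table] ||= {}
+ hash[table][chain] ||= {}
+ hash[table][chain][:rules] ||= []
+ hash[table][chain][:rules] << line_hash
+ end
+
+ original_line_number += 1
+ end
+
+ hash
+ end
+
+ # Parses an append line return a hash
+ #
+ # @api private
+ # @param text [String] a single iptables-save append line
+ # @return [Hash] a hash containing data for the parsed rule
+ def parse_append_line(line)
+ ss = shellsplit(line)
+ sh = switch_hash(ss)
+ rh = rule(sh)
+ {
+ :shell_split => ss,
+ :swtch_hash => sh,
+ :rule => rh,
+ }
+ end
+
+ # Takes a switch_hash and returns the rule as a hash
+ #
+ # @api private
+ # @param switch_hash [Hash] a semi-parsed hash of the rule append line
+ # @return [Hash] a parsed rule in hash format
+ def rule(switch_hash)
+ h = {
+ :chain => nil,
+ :parameters => {},
+ :target => nil,
+ :matches => [],
+ :target_options => {},
+ }
+
+ # States
+ match = false
+ match_current = {}
+ target = false
+
+ switch_hash.each do |sh|
+ sw = sh[:switch]
+ if sw == "A"
+ h[:chain] = sh[:values].first
+ next
+ end
+
+ # Outside of match and target, these letters are the basic parameters
+ if !match and !target and ["p", "s", "d", "i", "o", "f"].include? sw
+ h[:parameters]["#{sh[:negate]? '!' : ''}#{sw}"] = sh[:values]
+ next
+ end
+
+ # If option is 'm' then we are in a match
+ if sw == 'm'
+ if match and !match_current.empty?
+ # We were already in a match, stow it
+ h[:matches] << match_current
+ match_current = {}
+ end
+
+ # Clear the current match
+ match_current = {}
+ match_current[:name] = sh[:values].first
+
+ # Reset states
+ match = true
+ target = false
+
+ next
+ end
+
+ # If option is 'j' then its a target, and anything else is a target_option
+ if sw == "j"
+ if match and !match_current.empty?
+ # We were already in a match, stow it
+ h[:matches] << match_current
+ match_current = {}
+ end
+
+ h[:target] = sh[:values].first
+
+ # Reset states
+ target = true
+ match = false
+
+ next
+ end
+
+ if match
+ match_current[:options] ||= {}
+ match_current[:options]["#{sh[:negate]? '!' : ''}#{sw}"] = sh[:values]
+
+ next
+ end
+
+ if target
+ h[:target_options]["#{sh[:negate]? '!' : ''}#{sw}"] = sh[:values]
+ next
+ end
+ end
+
+ # Stow away any incomplete matches
+ if match and !match_current.empty?
+ h[:matches] << match_current
+ end
+
+ h
+ end
+
+ # Takes an argument array, and returns swtiches and values. It returns a hash
+ # with switches on the LHS, and values on the right. Values appear as arrays.
+ #
+ # For switches without values, the RHS will just be the boolean `true`.
+ #
+ # @api private
+ # @param split [Array] a list of arguments and values split in a shell-safe
+ # way
+ # @return [Hash] a semi-parsed hash of arguments, values and negation status
+ # @raise [Iptables::UnparseableSplit] raised when the split cannot be parsed
+ # into the correct format, usually because the input format is incorrect.
+ def switch_hash(split)
+ result = []
+
+ current = nil
+
+ debug("processing #{split.inspect}")
+
+ split.each do |p|
+ debug "p: #{p}"
+ debug "pre current: #{current.inspect}" if current
+ if p =~ /^--?(.+)/
+ if current and !current.empty?
+ if (current[:negate] and current[:switch]) or !current[:negate]
+ result << current
+ current = {}
+ end
+ else
+ current = {}
+ end
+ current[:switch] = $1
+ elsif p == '!'
+ if current and !current.empty?
+ unless current[:switch] \
+ and iptables_backwards_negates.include? current[:switch]
+ result << current
+ current = {}
+ end
+ end
+ current[:negate] = true
+ else
+ raise UnparseableSplit, "Found a value without corresponding arg" unless current
+ current[:values] ||= []
+ current[:values] << p
+ end
+ debug "post current: #{current.inspect}" if current
+ debug "result: #{result.inspect}"
+ end
+ result << current
+
+ result
+ end
+
+ # Break rule line into pices like a shell.
+ #
+ # The code itself is taken from Ruby core, and supplanted here to work with
+ # older rubies.
+ #
+ # @api private
+ # @param line [String] a list of shell arguments and values
+ # @return [Array] an array of shell arguments and values split in a shell
+ # safe way.
+ # @see http://svn.ruby-lang.org/repos/ruby/trunk/lib/shellwords.rb Original
+ # code
+ # @raise [ArgumentError] raised on unmatched double quote
+ def shellsplit(line)
+ words = []
+ field = ''
+ line.scan(/\G\s*(?>([^\s\\\'\"]+)|'([^\']*)'|"((?:[^\"\\]|\\.)*)"|(\\.?)|(\S))(\s|\z)?/m) do
+ |word, sq, dq, esc, garbage, sep|
+ raise ArgumentError, "Unmatched double quote: #{line.inspect}" if garbage
+ field << (word || sq || (dq || esc).gsub(/\\(.)/, '\\1'))
+ if sep
+ words << field
+ field = ''
+ end
+ end
+ words
+ end
+
+ def iptables_backwards_negates
+ if opts[:iptables_compatibility] == '1.3.5'
+ %w{p s d i o ctorigsrc ctorigdst ctreplsrc ctrepldst espspi length sports dports ports mss}
+ else
+ []
+ end
+ end
+
+ # Prints debug output to STDOUT if debug switch is true
+ #
+ # @api private
+ # @param text [String] text to output for debugging
+ def debug(text)
+ puts "D, #{text}" if @opts[:debug]
+ end
+ end
+
+ # Base class for iptables parser exceptions
+ class IptablesException < Exception
+ end
+
+ # Indicates a line was parsed but no prior table was declared
+ class NoTable < IptablesException
+ end
+
+ # Raised if the line cannot be parsed
+ class UnparseableLine < IptablesException
+ end
+
+ # Raised if the split cannot be parsed
+ class UnparseableSplit < IptablesException
+ end
+ end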
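Review bot: `input_line` in the `raise NoTable, "Found an append line [#{line}] on line [#{input_line}], ..."` message inside `parse_iptables_save` is never defined, so an append line seen before any `*table` line raises NameError instead of the documented NoTable; it should read `original_line_number` (which is 0-based, since the counter starts at 0 and is incremented after each line). The exception hierarchy is rooted at `Exception` in `class IptablesException < Exception`, which a bare `rescue` in a caller will not catch; `class IptablesException < StandardError` is the conventional base for library errors. In `rule`, a switch that is outside a match or target and not in the `["p", "s", "d", "i", "o", "f"]` list — `-g`, which the fixture in this commit uses on several lines — falls through every branch and is dropped from the result without any indication; raising `UnparseableLine` (defined but never used) or recording it under `:parameters` would make the loss visible. `debug` prints to STDOUT with `puts`, the same stream the decode tool uses for its JSON, so `$stderr.puts "D, #{text}" if @opts[:debug]` keeps diagnostics from corrupting the output. `iptables_backwards_negates` is the only method without a doc comment; a short `# Switches whose '!' negation follows the switch name in 1.3.5-era iptables-save output; empty unless :iptables_compatibility is '1.3.5'` would match the rest of the file.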
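--- /dev/null
+++ b/[PATH NOT SHOWN]
@@ -0,0 +1,219 @@
+ # Generated by iptables-save v1.3.5 on Thu Feb 28 11:52:00 2013
+ *mangle
+ :PREROUTING ACCEPT [1242:75017]
+ :INPUT ACCEPT [1242:75017]
+ :FORWARD ACCEPT [0:0]
+ :OUTPUT ACCEPT [3189:276703]
+ :POSTROUTING ACCEPT [3189:276703]
+ -A INPUT -s 1.1.1.1 -p tcp -j ECN --ecn-tcp-remove
+ -A INPUT -s 1.1.1.1 -p tcp -j LOG --log-level 6
+ -A INPUT -s 1.1.1.1 -p tcp -j LOG --log-prefix "foo"
+ -A INPUT -s 1.1.1.1 -p tcp -j LOG --log-tcp-sequence
+ -A INPUT -s 1.1.1.1 -p tcp -j LOG --log-tcp-options
+ -A INPUT -s 1.1.1.1 -p tcp -j LOG --log-ip-options
+ -A INPUT -s 1.1.1.1 -p tcp -j LOG --log-uid
+ -A INPUT -s 1.1.1.1 -p tcp -j MARK --set-mark 0x2
+ COMMIT
+ # Completed on Thu Feb 28 11:52:00 2013
+ # Generated by iptables-save v1.3.5 on Thu Feb 28 11:52:00 2013
+ *filter
+ :INPUT ACCEPT [0:0]
+ :FORWARD ACCEPT [0:0]
+ :OUTPUT ACCEPT [21292:2298439]
+ :RH-Firewall-1-INPUT - [0:0]
+ :foo - [0:0]
+ -A INPUT -j RH-Firewall-1-INPUT
+ -A INPUT -p tcp
+ -A INPUT -p ! tcp
+ -A INPUT -s 1.1.1.0/255.255.255.0
+ -A INPUT -s ! 1.1.1.0/255.255.255.0
+ -A INPUT -s ! 1.1.1.1
+ -A INPUT -s 1.1.1.1
+ -A INPUT -d 1.1.1.1
+ -A INPUT -d 1.1.1.0/255.255.255.0
+ -A INPUT -d ! 1.1.1.0/255.255.255.0
+ -A INPUT -d ! 1.1.1.1
+ -A INPUT -s 1.1.1.1 -g foo
+ -A INPUT -s 1.1.1.1 -j foo
+ -A INPUT -i eth1
+ -A INPUT -i ! eth1
+ -A INPUT -f
+ -A INPUT ! -f
+ -A INPUT -s 1.1.1.1 -d 1.1.1.1 -p tcp -g foo
+ -A INPUT -s 1.1.1.1 -d ! 1.1.1.1 -p tcp -g foo
+ -A INPUT -s 1.1.1.1 -d ! 1.1.1.1 -i ! eth1:1 -p tcp -g foo
+ -A INPUT -s 1.1.1.1 -d ! 1.1.1.1 -i ! eth1 -p tcp -g foo
+ -A INPUT -s ! 1.1.1.1 -d 1.1.1.1 -i eth1 -p tcp -j foo
+ -A INPUT -s ! 1.1.1.1 -d 1.1.1.1 -i eth1 -p tcp -f -j foo
+ -A INPUT -s ! 1.1.1.1 -d 1.1.1.1 -i eth1 -p tcp ! -f -j foo
+ -A INPUT -m addrtype --src-type UNSPEC
+ -A INPUT -m addrtype --dst-type UNSPEC
+ -A INPUT -m addrtype --dst-type UNICAST
+ -A INPUT -m addrtype --src-type BROADCAST --dst-type UNICAST
+ -A INPUT -m comment --comment "123 foo bar #$#%"
+ -A INPUT -m connlimit --connlimit-above 10 --connlimit-mask 32
+ -A INPUT -m connlimit ! --connlimit-above 10 --connlimit-mask 32
+ -A INPUT -m connlimit ! --connlimit-above 10 --connlimit-mask 1
+ -A INPUT -m connmark --mark 0x18/0xc
+ -A INPUT -m connmark --mark 0x18
+ -A INPUT -m conntrack --ctstate NEW
+ -A INPUT -m conntrack --ctproto 1
+ -A INPUT -m conntrack --ctorigsrc ! 1.1.1.0/24
+ -A INPUT -m conntrack --ctorigsrc 1.1.1.0/24
+ -A INPUT -m conntrack --ctorigdst 1.1.1.0/24
+ -A INPUT -m conntrack --ctorigdst ! 1.1.1.0/24
+ -A INPUT -m conntrack --ctreplsrc 1.1.1.0/24
+ -A INPUT -m conntrack --ctreplsrc ! 1.1.1.0/24
+ -A INPUT -m conntrack --ctrepldst 1.1.1.0/24
+ -A INPUT -m conntrack --ctrepldst ! 1.1.1.0/24
+ -A INPUT -m conntrack --ctstatus NONE
+ -A INPUT -m conntrack --ctstatus EXPECTED
+ -A INPUT -m conntrack --ctexpire 1234
+ -A INPUT -m conntrack --ctexpire 1234
+ -A INPUT -m dscp --dscp 0x0a
+ -A INPUT -m dscp --dscp 0x01
+ -A INPUT -m dscp --dscp 0x00
+ -A INPUT -p esp -m esp --espspi 1
+ -A INPUT -p esp -m esp --espspi 1
+ -A INPUT -p esp -m esp --espspi ! 1
+ -A INPUT -p esp -m esp --espspi ! 1
+ -A INPUT -p dccp -m dccp
+ -A INPUT -p dccp -m dccp --sport 100
+ -A INPUT -p dccp -m dccp --sport 100:200
+ -A INPUT -p dccp -m dccp ! --sport 100:200
+ -A INPUT -p dccp -m dccp --dport 100
+ -A INPUT -p dccp -m dccp --dport 100:200
+ -A INPUT -p dccp -m dccp ! --dport 100:200
+ -A INPUT -p dccp -m dccp ! --dport 100
+ -A INPUT -p dccp -m dccp --dccp-type REQUEST
+ -A INPUT -p dccp -m dccp --dccp-type REQUEST,RESPONSE
+ -A INPUT -p dccp -m dccp --dccp-type ! REQUEST,RESPONSE
+ -A INPUT -p dccp -m dccp --dccp-option 4
+ -A INPUT -p dccp -m dccp --dccp-option 4
+ -A INPUT -m helper --helper "foo"
+ -A INPUT -p icmp -m icmp --icmp-type 0
+ -A INPUT -p icmp -m icmp ! --icmp-type 0
+ -A INPUT -m iprange --src-range 1.1.1.1-2.2.2.2
+ -A INPUT -m iprange ! --src-range 1.1.1.1-2.2.2.2
+ -A INPUT -m iprange --dst-range 1.1.1.1-2.2.2.2
+ -A INPUT -m iprange ! --dst-range 1.1.1.1-2.2.2.2
+ -A INPUT -m length --length 100
+ -A INPUT -m length --length 100:200
+ -A INPUT -m length --length ! 100:200
+ -A INPUT -m limit --limit 30/sec
+ -A INPUT -m limit --limit 30/min
+ -A INPUT -m limit --limit 30/min --limit-burst 60
+ -A INPUT -m mac --mac-source 00:AA:00:AA:00:AA
+ -A INPUT -m mac ! --mac-source 00:AA:00:AA:00:AA
+ -A INPUT -m mark --mark 0x4
+ -A INPUT -m mark --mark 0x4/0x5
+ -A INPUT -p udp -m multiport --sports 45
+ -A INPUT -p udp -m multiport --sports ! 45
+ -A INPUT -p udp -m multiport --dports 45
+ -A INPUT -p udp -m multiport --dports 45:46
+ -A INPUT -p udp -m multiport --dports 45:46,68
+ -A INPUT -p udp -m multiport --dports ! 45:46,68
+ -A INPUT -p udp -m multiport --ports 4,5,6:10
+ -A INPUT -p udp -m multiport --ports ! 4,5,6:10
+ -A INPUT -p udp -m owner --uid-owner root
+ -A INPUT -p udp -m owner --uid-owner root
+ -A INPUT -p udp -m owner --gid-owner wheel
+ -A INPUT -p udp -m owner --gid-owner wheel
+ -A INPUT -p tcp -m physdev --physdev-in eth0
+ -A INPUT -p tcp -m physdev --physdev-in eth0:1
+ -A INPUT -p tcp -m physdev ! --physdev-in eth0
+ -A INPUT -p tcp -m physdev --physdev-out eth0
+ -A INPUT -p tcp -m physdev --physdev-is-in
+ -A INPUT -p tcp -m physdev ! --physdev-is-in
+ -A INPUT -p tcp -m physdev --physdev-is-out
+ -A INPUT -p tcp -m physdev ! --physdev-is-out
+ -A INPUT -p tcp -m physdev --physdev-is-bridged
+ -A INPUT -p tcp -m physdev ! --physdev-is-bridged
+ -A INPUT -p tcp -m pkttype --pkt-type unicast
+ -A INPUT -p tcp -m pkttype --pkt-type multicast
+ -A INPUT -p tcp -m policy --dir in --pol ipsec
+ -A INPUT -p tcp -m policy --dir out --pol ipsec
+ -A INPUT -p tcp -m policy --dir in --pol none
+ -A INPUT -p tcp -m policy --dir in --pol ipsec --strict --reqid 4
+ -A INPUT -p tcp -m policy --dir in --pol ipsec --spi 0x5
+ -A INPUT -p tcp -m policy --dir in --pol ipsec --proto ah
+ -A INPUT -p tcp -m policy --dir in --pol ipsec --mode transport
+ -A INPUT -p tcp -m policy --dir in --pol ipsec --mode tunnel
+ -A INPUT -p tcp -m policy --dir in --pol ipsec --mode tunnel --tunnel-src 1.1.1.0/24
+ -A INPUT -p tcp -m policy --dir in --pol ipsec --mode tunnel --tunnel-dst 1.1.1.0/24
+ -A INPUT -p tcp -m policy --dir in --pol ipsec --strict --mode tunnel --next --reqid 5
+ -A INPUT -p tcp -m realm --realm 0x7b
+ -A INPUT -p tcp -m realm --realm 0x7b/0x22
+ -A INPUT -p tcp -m realm ! --realm 0x7b/0x22
+ -A INPUT -p tcp -m recent --set --name foo --rsource
+ -A INPUT -p tcp -m recent ! --set --name foo --rsource
+ -A INPUT -p tcp -m recent --rcheck --name foo --rsource
+ -A INPUT -p tcp -m recent ! --rcheck --name foo --rsource
+ -A INPUT -p tcp -m recent --update --name foo --rsource
+ -A INPUT -p tcp -m recent ! --update --name foo --rsource
+ -A INPUT -p tcp -m recent --remove --name foo --rsource
+ -A INPUT -p tcp -m recent ! --remove --name foo --rsource
+ -A INPUT -p tcp -m recent --update --seconds 500 --name foo --rsource
+ -A INPUT -p tcp -m recent --update --rttl --name foo --rsource
+ -A INPUT -p sctp -m sctp --sport 12
+ -A INPUT -p sctp -m sctp --sport 12:45
+ -A INPUT -p sctp -m sctp ! --sport 12:45
+ -A INPUT -p sctp -m sctp --dport 34
+ -A INPUT -p sctp -m sctp --dport 34:56
+ -A INPUT -p sctp -m sctp ! --dport 34:56
+ -A INPUT -p sctp -m sctp --chunk-types all DATA
+ -A INPUT -p sctp -m sctp ! --chunk-types all DATA
+ -A INPUT -p sctp -m sctp ! --chunk-types all DATA:U
+ -A INPUT -p sctp -m sctp --chunk-types all DATA:U
+ -A INPUT -p tcp -m state --state INVALID
+ -A INPUT -p tcp -m state --state INVALID,ESTABLISHED
+ -A INPUT -p tcp -m statistic --mode nth --every 1
+ -A INPUT -p tcp -m statistic --mode random --probability 1.000000
+ -A INPUT -p tcp -m statistic --mode nth --every 56
+ -A INPUT -p tcp -m statistic --mode nth --every 56 --packet 4
+ -A INPUT -p tcp -m string --string "foo bar baz" --algo bm --to 65535
+ -A INPUT -p tcp -m string --string "foo bar baz" --algo bm --from 100 --to 65535
+ -A INPUT -p tcp -m string --string "foo bar baz" --algo bm --to 200
+ -A INPUT -p tcp -m tcp --sport 123
+ -A INPUT -p tcp -m tcp --sport 123:400
+ -A INPUT -p tcp -m tcp ! --sport 123:400
+ -A INPUT -p tcp -m tcp --dport 123:400
+ -A INPUT -p tcp -m tcp ! --dport 123:400
+ -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK FIN
+ -A INPUT -p tcp -m tcp ! --tcp-flags SYN,ACK FIN
+ -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
+ -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN
+ -A INPUT -p tcp -m tcp ! --tcp-option 4
+ -A INPUT -p tcp -m tcp --tcp-option 4
+ -A INPUT -p tcp -m tcpmss --mss 1024:2048
+ -A INPUT -p tcp -m tcpmss --mss 1024
+ -A INPUT -p tcp -m tcpmss --mss ! 1024
+ -A INPUT -m tos --tos Maximize-Reliability
+ -A INPUT -m ttl --ttl-eq 100
+ -A INPUT -m ttl --ttl-gt 100
+ -A INPUT -m ttl --ttl-lt 100
+ -A INPUT -p udp -m udp --sport 1024
+ -A INPUT -p udp -m udp --sport 1024:2049
+ -A INPUT -p udp -m udp ! --sport 1024:2049
+ -A INPUT -p udp -m udp --dport 1024:2049
+ -A INPUT -p udp -m udp ! --dport 1024:2049
+ -A INPUT -s 1.1.1.1 -p tcp -j CONNMARK --set-mark 0x1/0x2
+ -A INPUT -s 1.1.1.1 -p tcp -j CONNMARK --save-mark --mask 0x17
+ -A FORWARD -j RH-Firewall-1-INPUT
+ -A OUTPUT -o eth1
+ -A OUTPUT -o ! eth1
+ -A OUTPUT -p tcp -m physdev --physdev-out eth0
+ -A OUTPUT -p tcp -m physdev ! --physdev-out eth0
+ -A RH-Firewall-1-INPUT -i lo -j ACCEPT
+ -A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
+ -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
+ -A RH-Firewall-1-INPUT -p esp -j ACCEPT
+ -A RH-Firewall-1-INPUT -p ah -j ACCEPT
+ -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
+ -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
+ -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
+ -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+ -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+ -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
+ COMMIT
+ # Completed on Thu Feb 28 11:52:00 2013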