iptables 0.0.1

data/.gitignore

@@ -0,0 +1,3 @@
+Gemfile.lock
+*.gem
+.*.swp

data/.ruby-version

@@ -0,0 +1 @@
+ruby-1.8.7@ruby-iptables

data/.travis.yml

@@ -0,0 +1,12 @@
+language: ruby
+script: "bundle exec rspec spec --format documentation"
+rvm:
+  - 1.8.7
+  - 1.9.3
+  - 2.0.0
+  - ruby-head
+matrix:
+  allow_failures:
+    - rvm: ruby-head
+notifications:
+  email: false

data/Gemfile

@@ -0,0 +1,3 @@
+source :rubygems
+
+gemspec

data/README.md

@@ -0,0 +1,17 @@
+iptables gem
+------------
+
+This gem provides a library that is a higher-level abstration for iptables. It can be used for parsing `iptables-save` output and producing `iptables-restore` compatible output.
+
+Tools
+=====
+
+### iptables-decode
+
+This tool takes in the output of iptables-save and returns a hash in JSON. This is useful for debugging the parser. You can either run iptabes-save directly:
+
+    iptables-save | iptables-decode
+
+Or pipe from the persisted file:
+
+    cat /etc/iptables/rules.v4 | iptables-decode

data/bin/iptables-decode

@@ -0,0 +1,18 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'json'
+require 'pp'
+begin
+  require 'iptables'
+rescue LoadError => e
+  begin
+    require 'bundler/setup'
+    Bundler.require :default
+  rescue LoadError
+    raise e
+  end
+end
+
+#pp Iptables.decode(STDIN.read)
+jj Iptables.decode(STDIN.read)

data/iptables.gemspec

@@ -0,0 +1,21 @@
+# -*- encoding: utf-8 -*-
+Gem::Specification.new do |s|
+  # Metadata
+  s.name        = "iptables"
+  s.version     = "0.0.1"
+  s.authors     = ["Ken Barber"]
+  s.email       = ["ken@bob.sh"]
+  s.homepage    = "https://github.com/kbarber/ruby-iptables"
+  s.summary     = "iptables-save encoder/decoder"
+
+  # Manifest
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*_spec.rb`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  # Dependencies
+  s.required_ruby_version = '>= 1.8.7'
+  s.add_runtime_dependency "json"
+  s.add_development_dependency "rspec"
+end

data/lib/iptables.rb

@@ -0,0 +1,327 @@
+# This class encodes and decodes iptables style -save and -restore formats
+#
+# @version 1.0.0
+class Iptables
+
+  VERSION = '1.0.0'
+
+  # Takes the output for iptables-save returning a hash
+  #
+  # @example Decode iptables-save output
+  #   Iptables.decode(`iptables-save`)
+  # @param text [String] the raw output of iptables-save
+  # @param opts [Hash] options for the decoder
+  # @option opts [Bool] :debug If true, turns on debugging output
+  # @option opts [String] :iptables_compatibilty version of iptables to be
+  #   compatible with. Since some versions differ wildly, this might be
+  #   necessary.
+  # @return [Hash] returns a hash containing the parsed rules
+  # @see Iptables::Decoder
+  def self.decode(text, opts = {})
+    decoder = Decoder.new(opts)
+    decoder.decode(text)
+  end
+
+  # This is the internal Decoder class used by methods in the main class.
+  class Decoder
+    # @!attribute r opts
+    #   @return [Hash] Options hash set on initialization
+    attr_reader :opts
+
+    # Initialize the decoder object
+    #
+    # @param opts [Hash] a hash of options
+    # @option opts [Bool] :debug If true, turns on debugging output
+    # @option opts [String] :iptables_compatibilty version of iptables to be
+    #   compatible with. Since some versions differ wildly, this might be
+    #   necessary.
+    def initialize(opts = {})
+      @opts = {
+        :debug => false,
+        :iptables_compatibility => nil,
+      }.merge(opts)
+    end
+
+    # Decodes iptables-save input into a normalized hash
+    #
+    # @param text [String] the raw output of iptables-save
+    # @return [Hash] returns a hash containing the parsed rules
+    # @raise [Iptables::IptablesException] raised on a known exception
+    def decode(text)
+      {
+        :metadata => {
+          :ruby_iptables_version => VERSION,
+          :iptables_compatibility => opts[:iptables_compatibility],
+        },
+        :result => parse_iptables_save(text),
+      }
+    end
+
+    # Takes raw iptables-save input, returns a data hash
+    #
+    # @api private
+    # @param text [String] the raw output of iptables-save
+    # @return [Hash] returns a hash containing the parsed rules
+    # @raise [Iptables::NoTable] raised if a rule is passed without a prior
+    #   table declaration
+    def parse_iptables_save(text)
+      # Set the table to nil to begin with so we can detect append lines with no
+      # prior table decleration.
+      table = nil
+
+      # Input line number for debugging later
+      original_line_number = 0
+
+      # Hash for storing the final result
+      hash = {}
+
+      text.each_line do |line|
+
+        # If we find a table declaration, change table
+        if line =~ /^\*([a-z]+)$/
+          table = $1
+          debug("Found table [#{table}] on line [#{original_line_number}]")
+        end
+
+        # If we find an append line, parse it
+        if line =~ /^-A (\S+)/
+          raise NoTable, "Found an append line [#{line}] on line [#{input_line}], but no table yet" if table.nil?
+
+          chain = $1
+          line_hash = parse_append_line(line)
+
+          line_hash[:source] = {
+            :original_line => line,
+            :original_line_number => original_line_number,
+          }
+
+          hash[table] ||= {}
+          hash[table][chain] ||= {}
+          hash[table][chain][:rules] ||= []
+          hash[table][chain][:rules] << line_hash
+        end
+
+        original_line_number += 1
+      end
+
+      hash
+    end
+
+    # Parses an append line return a hash
+    #
+    # @api private
+    # @param text [String] a single iptables-save append line
+    # @return [Hash] a hash containing data for the parsed rule
+    def parse_append_line(line)
+      ss = shellsplit(line)
+      sh = switch_hash(ss)
+      rh = rule(sh)
+      {
+        :shell_split => ss,
+        :swtch_hash => sh,
+        :rule => rh,
+      }
+    end
+
+    # Takes a switch_hash and returns the rule as a hash
+    #
+    # @api private
+    # @param switch_hash [Hash] a semi-parsed hash of the rule append line
+    # @return [Hash] a parsed rule in hash format
+    def rule(switch_hash)
+      h = {
+        :chain => nil,
+        :parameters => {},
+        :target => nil,
+        :matches => [],
+        :target_options => {},
+      }
+
+      # States
+      match = false
+      match_current = {}
+      target = false
+
+      switch_hash.each do |sh|
+        sw = sh[:switch]
+        if sw == "A"
+          h[:chain] = sh[:values].first
+          next
+        end
+
+        # Outside of match and target, these letters are the basic parameters
+        if !match and !target and ["p", "s", "d", "i", "o", "f"].include? sw
+          h[:parameters]["#{sh[:negate]? '!' : ''}#{sw}"] = sh[:values]
+          next
+        end
+
+        # If option is 'm' then we are in a match
+        if sw == 'm'
+          if match and !match_current.empty?
+            # We were already in a match, stow it
+            h[:matches] << match_current
+            match_current = {}
+          end
+
+          # Clear the current match
+          match_current = {}
+          match_current[:name] = sh[:values].first
+
+          # Reset states
+          match = true
+          target = false
+
+          next
+        end
+
+        # If option is 'j' then its a target, and anything else is a target_option
+        if sw == "j"
+          if match and !match_current.empty?
+            # We were already in a match, stow it
+            h[:matches] << match_current
+            match_current = {}
+          end
+
+          h[:target] = sh[:values].first
+
+          # Reset states
+          target = true
+          match = false
+
+          next
+        end
+
+        if match
+          match_current[:options] ||= {}
+          match_current[:options]["#{sh[:negate]? '!' : ''}#{sw}"] = sh[:values]
+
+          next
+        end
+
+        if target
+          h[:target_options]["#{sh[:negate]? '!' : ''}#{sw}"] = sh[:values]
+          next
+        end
+      end
+
+      # Stow away any incomplete matches
+      if match and !match_current.empty?
+        h[:matches] << match_current
+      end
+
+      h
+    end
+
+    # Takes an argument array, and returns swtiches and values. It returns a hash
+    # with switches on the LHS, and values on the right. Values appear as arrays.
+    #
+    # For switches without values, the RHS will just be the boolean `true`.
+    #
+    # @api private
+    # @param split [Array] a list of arguments and values split in a shell-safe
+    #   way
+    # @return [Hash] a semi-parsed hash of arguments, values and negation status
+    # @raise [Iptables::UnparseableSplit] raised when the split cannot be parsed
+    #   into the correct format, usually because the input format is incorrect.
+    def switch_hash(split)
+      result = []
+
+      current = nil
+
+      debug("processing #{split.inspect}")
+
+      split.each do |p|
+        debug "p: #{p}"
+        debug "pre current: #{current.inspect}" if current
+        if p =~ /^--?(.+)/
+          if current and !current.empty?
+            if (current[:negate] and current[:switch]) or !current[:negate]
+              result << current
+              current = {}
+            end
+          else
+            current = {}
+          end
+          current[:switch] = $1
+        elsif p == '!'
+          if current and !current.empty?
+            unless current[:switch] \
+              and iptables_backwards_negates.include? current[:switch]
+              result << current
+              current = {}
+            end
+          end
+          current[:negate] = true
+        else
+          raise UnparseableSplit, "Found a value without corresponding arg" unless current
+          current[:values] ||= []
+          current[:values] << p
+        end
+        debug "post current: #{current.inspect}" if current
+        debug "result: #{result.inspect}"
+      end
+      result << current
+
+      result
+    end
+
+    # Break rule line into pices like a shell.
+    #
+    # The code itself is taken from Ruby core, and supplanted here to work with
+    # older rubies.
+    #
+    # @api private
+    # @param line [String] a list of shell arguments and values
+    # @return [Array] an array of shell arguments and values split in a shell
+    #   safe way.
+    # @see http://svn.ruby-lang.org/repos/ruby/trunk/lib/shellwords.rb Original
+    #   code
+    # @raise [ArgumentError] raised on unmatched double quote
+    def shellsplit(line)
+      words = []
+      field = ''
+      line.scan(/\G\s*(?>([^\s\\\'\"]+)|'([^\']*)'|"((?:[^\"\\]|\\.)*)"|(\\.?)|(\S))(\s|\z)?/m) do
+        |word, sq, dq, esc, garbage, sep|
+        raise ArgumentError, "Unmatched double quote: #{line.inspect}" if garbage
+        field << (word || sq || (dq || esc).gsub(/\\(.)/, '\\1'))
+        if sep
+          words << field
+          field = ''
+        end
+      end
+      words
+    end
+
+    def iptables_backwards_negates
+      if opts[:iptables_compatibility] == '1.3.5'
+        %w{p s d i o ctorigsrc ctorigdst ctreplsrc ctrepldst espspi length sports dports ports mss}
+      else
+        []
+      end
+    end
+
+    # Prints debug output to STDOUT if debug switch is true
+    #
+    # @api private
+    # @param text [String] text to output for debugging
+    def debug(text)
+      puts "D, #{text}" if @opts[:debug]
+    end
+  end
+
+  # Base class for iptables parser exceptions
+  class IptablesException < Exception
+  end
+
+  # Indicates a line was parsed but no prior table was declared
+  class NoTable < IptablesException
+  end
+
+  # Raised if the line cannot be parsed
+  class UnparseableLine < IptablesException
+  end
+
+  # Raised if the split cannot be parsed
+  class UnparseableSplit < IptablesException
+  end
+end

data/sample_data/complex-iptables-135

@@ -0,0 +1,219 @@
+# Generated by iptables-save v1.3.5 on Thu Feb 28 11:52:00 2013
+*mangle
+:PREROUTING ACCEPT [1242:75017]
+:INPUT ACCEPT [1242:75017]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [3189:276703]
+:POSTROUTING ACCEPT [3189:276703]
+-A INPUT -s 1.1.1.1 -p tcp -j ECN --ecn-tcp-remove 
+-A INPUT -s 1.1.1.1 -p tcp -j LOG --log-level 6 
+-A INPUT -s 1.1.1.1 -p tcp -j LOG --log-prefix "foo" 
+-A INPUT -s 1.1.1.1 -p tcp -j LOG --log-tcp-sequence 
+-A INPUT -s 1.1.1.1 -p tcp -j LOG --log-tcp-options 
+-A INPUT -s 1.1.1.1 -p tcp -j LOG --log-ip-options 
+-A INPUT -s 1.1.1.1 -p tcp -j LOG --log-uid 
+-A INPUT -s 1.1.1.1 -p tcp -j MARK --set-mark 0x2 
+COMMIT
+# Completed on Thu Feb 28 11:52:00 2013
+# Generated by iptables-save v1.3.5 on Thu Feb 28 11:52:00 2013
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [21292:2298439]
+:RH-Firewall-1-INPUT - [0:0]
+:foo - [0:0]
+-A INPUT -j RH-Firewall-1-INPUT 
+-A INPUT -p tcp 
+-A INPUT -p ! tcp 
+-A INPUT -s 1.1.1.0/255.255.255.0 
+-A INPUT -s ! 1.1.1.0/255.255.255.0 
+-A INPUT -s ! 1.1.1.1 
+-A INPUT -s 1.1.1.1 
+-A INPUT -d 1.1.1.1 
+-A INPUT -d 1.1.1.0/255.255.255.0 
+-A INPUT -d ! 1.1.1.0/255.255.255.0 
+-A INPUT -d ! 1.1.1.1 
+-A INPUT -s 1.1.1.1 -g foo 
+-A INPUT -s 1.1.1.1 -j foo 
+-A INPUT -i eth1 
+-A INPUT -i ! eth1 
+-A INPUT -f 
+-A INPUT ! -f 
+-A INPUT -s 1.1.1.1 -d 1.1.1.1 -p tcp -g foo 
+-A INPUT -s 1.1.1.1 -d ! 1.1.1.1 -p tcp -g foo 
+-A INPUT -s 1.1.1.1 -d ! 1.1.1.1 -i ! eth1:1 -p tcp -g foo 
+-A INPUT -s 1.1.1.1 -d ! 1.1.1.1 -i ! eth1 -p tcp -g foo 
+-A INPUT -s ! 1.1.1.1 -d 1.1.1.1 -i eth1 -p tcp -j foo 
+-A INPUT -s ! 1.1.1.1 -d 1.1.1.1 -i eth1 -p tcp -f -j foo 
+-A INPUT -s ! 1.1.1.1 -d 1.1.1.1 -i eth1 -p tcp ! -f -j foo 
+-A INPUT -m addrtype --src-type UNSPEC 
+-A INPUT -m addrtype --dst-type UNSPEC 
+-A INPUT -m addrtype --dst-type UNICAST 
+-A INPUT -m addrtype --src-type BROADCAST --dst-type UNICAST 
+-A INPUT -m comment --comment "123 foo bar #$#%" 
+-A INPUT -m connlimit --connlimit-above 10 --connlimit-mask 32 
+-A INPUT -m connlimit ! --connlimit-above 10 --connlimit-mask 32 
+-A INPUT -m connlimit ! --connlimit-above 10 --connlimit-mask 1 
+-A INPUT -m connmark --mark 0x18/0xc 
+-A INPUT -m connmark --mark 0x18 
+-A INPUT -m conntrack --ctstate NEW 
+-A INPUT -m conntrack --ctproto 1 
+-A INPUT -m conntrack --ctorigsrc ! 1.1.1.0/24 
+-A INPUT -m conntrack --ctorigsrc 1.1.1.0/24 
+-A INPUT -m conntrack --ctorigdst 1.1.1.0/24 
+-A INPUT -m conntrack --ctorigdst ! 1.1.1.0/24 
+-A INPUT -m conntrack --ctreplsrc 1.1.1.0/24 
+-A INPUT -m conntrack --ctreplsrc ! 1.1.1.0/24 
+-A INPUT -m conntrack --ctrepldst 1.1.1.0/24 
+-A INPUT -m conntrack --ctrepldst ! 1.1.1.0/24 
+-A INPUT -m conntrack --ctstatus NONE 
+-A INPUT -m conntrack --ctstatus EXPECTED 
+-A INPUT -m conntrack --ctexpire 1234 
+-A INPUT -m conntrack --ctexpire 1234 
+-A INPUT -m dscp --dscp 0x0a 
+-A INPUT -m dscp --dscp 0x01 
+-A INPUT -m dscp --dscp 0x00 
+-A INPUT -p esp -m esp --espspi 1 
+-A INPUT -p esp -m esp --espspi 1 
+-A INPUT -p esp -m esp --espspi ! 1 
+-A INPUT -p esp -m esp --espspi ! 1 
+-A INPUT -p dccp -m dccp 
+-A INPUT -p dccp -m dccp --sport 100 
+-A INPUT -p dccp -m dccp --sport 100:200 
+-A INPUT -p dccp -m dccp ! --sport 100:200 
+-A INPUT -p dccp -m dccp --dport 100 
+-A INPUT -p dccp -m dccp --dport 100:200 
+-A INPUT -p dccp -m dccp ! --dport 100:200 
+-A INPUT -p dccp -m dccp ! --dport 100 
+-A INPUT -p dccp -m dccp --dccp-type REQUEST
+-A INPUT -p dccp -m dccp --dccp-type REQUEST,RESPONSE
+-A INPUT -p dccp -m dccp --dccp-type ! REQUEST,RESPONSE
+-A INPUT -p dccp -m dccp --dccp-option 4 
+-A INPUT -p dccp -m dccp --dccp-option 4 
+-A INPUT -m helper --helper "foo" 
+-A INPUT -p icmp -m icmp --icmp-type 0 
+-A INPUT -p icmp -m icmp ! --icmp-type 0 
+-A INPUT -m iprange --src-range 1.1.1.1-2.2.2.2 
+-A INPUT -m iprange ! --src-range 1.1.1.1-2.2.2.2 
+-A INPUT -m iprange --dst-range 1.1.1.1-2.2.2.2 
+-A INPUT -m iprange ! --dst-range 1.1.1.1-2.2.2.2 
+-A INPUT -m length --length 100 
+-A INPUT -m length --length 100:200 
+-A INPUT -m length --length ! 100:200 
+-A INPUT -m limit --limit 30/sec 
+-A INPUT -m limit --limit 30/min 
+-A INPUT -m limit --limit 30/min --limit-burst 60 
+-A INPUT -m mac --mac-source 00:AA:00:AA:00:AA 
+-A INPUT -m mac ! --mac-source 00:AA:00:AA:00:AA 
+-A INPUT -m mark --mark 0x4 
+-A INPUT -m mark --mark 0x4/0x5 
+-A INPUT -p udp -m multiport --sports 45 
+-A INPUT -p udp -m multiport --sports ! 45 
+-A INPUT -p udp -m multiport --dports 45 
+-A INPUT -p udp -m multiport --dports 45:46 
+-A INPUT -p udp -m multiport --dports 45:46,68 
+-A INPUT -p udp -m multiport --dports ! 45:46,68 
+-A INPUT -p udp -m multiport --ports 4,5,6:10 
+-A INPUT -p udp -m multiport --ports ! 4,5,6:10 
+-A INPUT -p udp -m owner --uid-owner root 
+-A INPUT -p udp -m owner --uid-owner root 
+-A INPUT -p udp -m owner --gid-owner wheel 
+-A INPUT -p udp -m owner --gid-owner wheel 
+-A INPUT -p tcp -m physdev  --physdev-in eth0 
+-A INPUT -p tcp -m physdev  --physdev-in eth0:1 
+-A INPUT -p tcp -m physdev  ! --physdev-in eth0 
+-A INPUT -p tcp -m physdev  --physdev-out eth0 
+-A INPUT -p tcp -m physdev  --physdev-is-in 
+-A INPUT -p tcp -m physdev  ! --physdev-is-in 
+-A INPUT -p tcp -m physdev  --physdev-is-out 
+-A INPUT -p tcp -m physdev  ! --physdev-is-out 
+-A INPUT -p tcp -m physdev  --physdev-is-bridged 
+-A INPUT -p tcp -m physdev  ! --physdev-is-bridged 
+-A INPUT -p tcp -m pkttype --pkt-type unicast 
+-A INPUT -p tcp -m pkttype --pkt-type multicast 
+-A INPUT -p tcp -m policy --dir in --pol ipsec 
+-A INPUT -p tcp -m policy --dir out --pol ipsec 
+-A INPUT -p tcp -m policy --dir in --pol none 
+-A INPUT -p tcp -m policy --dir in --pol ipsec --strict --reqid 4 
+-A INPUT -p tcp -m policy --dir in --pol ipsec --spi 0x5 
+-A INPUT -p tcp -m policy --dir in --pol ipsec --proto ah 
+-A INPUT -p tcp -m policy --dir in --pol ipsec --mode transport 
+-A INPUT -p tcp -m policy --dir in --pol ipsec --mode tunnel 
+-A INPUT -p tcp -m policy --dir in --pol ipsec --mode tunnel --tunnel-src 1.1.1.0/24 
+-A INPUT -p tcp -m policy --dir in --pol ipsec --mode tunnel --tunnel-dst 1.1.1.0/24 
+-A INPUT -p tcp -m policy --dir in --pol ipsec --strict --mode tunnel --next --reqid 5 
+-A INPUT -p tcp -m realm --realm 0x7b 
+-A INPUT -p tcp -m realm --realm 0x7b/0x22 
+-A INPUT -p tcp -m realm ! --realm 0x7b/0x22 
+-A INPUT -p tcp -m recent --set --name foo --rsource 
+-A INPUT -p tcp -m recent ! --set --name foo --rsource 
+-A INPUT -p tcp -m recent --rcheck --name foo --rsource 
+-A INPUT -p tcp -m recent ! --rcheck --name foo --rsource 
+-A INPUT -p tcp -m recent --update --name foo --rsource 
+-A INPUT -p tcp -m recent ! --update --name foo --rsource 
+-A INPUT -p tcp -m recent --remove --name foo --rsource 
+-A INPUT -p tcp -m recent ! --remove --name foo --rsource 
+-A INPUT -p tcp -m recent --update --seconds 500 --name foo --rsource 
+-A INPUT -p tcp -m recent --update --rttl --name foo --rsource 
+-A INPUT -p sctp -m sctp --sport 12 
+-A INPUT -p sctp -m sctp --sport 12:45 
+-A INPUT -p sctp -m sctp ! --sport 12:45 
+-A INPUT -p sctp -m sctp --dport 34 
+-A INPUT -p sctp -m sctp --dport 34:56 
+-A INPUT -p sctp -m sctp ! --dport 34:56 
+-A INPUT -p sctp -m sctp --chunk-types all DATA 
+-A INPUT -p sctp -m sctp ! --chunk-types all DATA 
+-A INPUT -p sctp -m sctp ! --chunk-types all DATA:U 
+-A INPUT -p sctp -m sctp --chunk-types all DATA:U 
+-A INPUT -p tcp -m state --state INVALID 
+-A INPUT -p tcp -m state --state INVALID,ESTABLISHED 
+-A INPUT -p tcp -m statistic --mode nth --every 1 
+-A INPUT -p tcp -m statistic --mode random --probability 1.000000 
+-A INPUT -p tcp -m statistic --mode nth --every 56 
+-A INPUT -p tcp -m statistic --mode nth --every 56 --packet 4 
+-A INPUT -p tcp -m string --string "foo bar baz" --algo bm --to 65535 
+-A INPUT -p tcp -m string --string "foo bar baz" --algo bm --from 100 --to 65535 
+-A INPUT -p tcp -m string --string "foo bar baz" --algo bm --to 200 
+-A INPUT -p tcp -m tcp --sport 123 
+-A INPUT -p tcp -m tcp --sport 123:400 
+-A INPUT -p tcp -m tcp ! --sport 123:400 
+-A INPUT -p tcp -m tcp --dport 123:400 
+-A INPUT -p tcp -m tcp ! --dport 123:400 
+-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK FIN 
+-A INPUT -p tcp -m tcp ! --tcp-flags SYN,ACK FIN 
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN 
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN 
+-A INPUT -p tcp -m tcp ! --tcp-option 4 
+-A INPUT -p tcp -m tcp --tcp-option 4 
+-A INPUT -p tcp -m tcpmss --mss 1024:2048 
+-A INPUT -p tcp -m tcpmss --mss 1024 
+-A INPUT -p tcp -m tcpmss --mss ! 1024 
+-A INPUT -m tos --tos Maximize-Reliability 
+-A INPUT -m ttl --ttl-eq 100 
+-A INPUT -m ttl --ttl-gt 100 
+-A INPUT -m ttl --ttl-lt 100 
+-A INPUT -p udp -m udp --sport 1024 
+-A INPUT -p udp -m udp --sport 1024:2049 
+-A INPUT -p udp -m udp ! --sport 1024:2049 
+-A INPUT -p udp -m udp --dport 1024:2049 
+-A INPUT -p udp -m udp ! --dport 1024:2049 
+-A INPUT -s 1.1.1.1 -p tcp -j CONNMARK --set-mark 0x1/0x2 
+-A INPUT -s 1.1.1.1 -p tcp -j CONNMARK --save-mark --mask 0x17
+-A FORWARD -j RH-Firewall-1-INPUT 
+-A OUTPUT -o eth1 
+-A OUTPUT -o ! eth1 
+-A OUTPUT -p tcp -m physdev  --physdev-out eth0 
+-A OUTPUT -p tcp -m physdev  ! --physdev-out eth0 
+-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
+-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT 
+-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
+-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
+-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
+-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT 
+-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT 
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT 
+-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
+-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
+COMMIT
+# Completed on Thu Feb 28 11:52:00 2013