Iptables-gem is a Ruby API for parsing, generating, and comparing Linux iptables rules. It is configured using JSON and oriented toward use within configuration-management software such as http://www.opscode.com/chef/.
- Ruby: 1.8
- Likely also works on 1.9, but testing is giving me fits so I am ignoring it for now
The following platforms and versions are tested:
- Ubuntu 10.04, 12.04
- CentOS 6.4, Red Hat 6.4
Install this gem and require iptables. In the examples below,
/path/to/json/ refers to the directory containing JSON policy files.
See [Generate.md](the firewall generation documentation) for information
on setting these up. There are also example configuration files in
examples/policy/*.json.
You will first need to create JSON firewall configuration files. See the
Generating a Firewall section below for details. Once this is done,
you can generate a firewall like so:
config = IPTables::Configuration.new
config.parse_files('/path/to/json/')
policy_fw = config.converge_firewall
puts policy_fw.as_array
You can determine whether a proposed/policy firewall and the currently-applied firewall are identical:
config = IPTables::Configuration.new
config.parse_files('/path/to/json/')
policy_fw = config.converge_firewall
active_fw = IPTables::Tables.new(%x/iptables-save/)
comparison = IPTables::TablesComparison.new(active_fw, policy_fw)
comparison.equal?
Alternately, you can compare firewalls using only iptables-save output:
active_fw = IPTables::Tables.new(%x/iptables-save/)
other_fw = IPTables::Tables.new(File.readlines('/path/to/another/saved/firewall'))
comparison = IPTables::TablesComparison.new(active_fw, policy_fw)
comparison.equal?
If two firewalls are the same except for embedded firewall comments, you can ignore comments:
comparison.ignore_comments
comparison.equal?
If you want to see exactly how two firewalls differ:
comparison.as_array
If you want to see debug messages, turn on logging:
require 'logger'
$log = Logger.new(STDOUT)
$log.level = Logger::DEBUG
config = IPTables::Configuration.new
config.parse_files('/path/to/json/')
policy_fw = config.converge_firewall
An explanation of generating a firewall can be found within
[Generate.md](the firewall generation documentation). An example set of
configuration files to create a basic working firewall can be found in
examples/policy/*.json.
The bin directory contains a Nagios helper script written in Ruby to
compare the running firewall against a "policy" firewall. To try it from
within the gem source directory (that is, without first installing the
gem), first copy examples/policy to a temporary location and edit the
policy files to taste. Then change to the bin directory and run:
./check_firewall.rb -l=/path/to/iptables/gem/lib/ -v -c=/path/to/policy/
The above example includes debugging information which makes it unsuitable for use with Nagios. For "live" use with Nagios, you would want to install this gem and run:
check_firewall.rb -c=/path/to/policy/
To run unit tests:
- change to iptables directory
- run
rake - examine coverage reports in directory
coverage
Changes/Features I would like to see:
- Is ipv6 even working?
- Write policy in YAML or JSON
- Deprecate
requires_primitive: these should be ignored if there is no matching interpolation - Deprecate
interpolated: these should be properly handled inside any kind of rule - Deprecate
commentandulog? These seem like they ought to be macros. uloghas-p tcpbut this seems awkward; is it even useful?- Do other stuff like ebtables too? Not sure it's in scope here. Certainly the gem name would need to be reconsidered.
- Generate better error messages when we encounter failures parsing configurations.
- Move development/testing/coverage environment to Ruby 1.9
- Author:: Kurt Yoder kyoder@loc.gov
See LICENSE file for project license information.