iptablesmanage

package module
v0.0.0-...-4d71715 Latest
Published: Jan 19, 2020 License: GPL-3.0 Imports: 11 Imported by: 0

README

This repository provides programs to simplify managing iptables rules.

iptables-manage

iptables-manage reads a list of CIDRs from a file and updates the iptables rules so that exactly those networks are allowed to reach the given ports: it adds rules for CIDRs in the file that have none, and removes rules for CIDRs that are in the rules but no longer in the file.

It can run in two modes:

  1. One-off, in which it syncs the rules once and exits
  2. As a daemon, in which it watches the CIDR file and re-syncs the rules each time the file changes.

I use the daemon to dynamically whitelist IPs, such as with sshrecordips.
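The sync step described above, written out in Go against text input as an added example (this is not code from the iptablesmanage repository): it parses a list in an assumed one-CIDR-per-line format, picks the managed rules out of `iptables -S INPUT` output, and computes the add and delete sets for the given ports. The list format, the exact rule shape treated as managed, and the function names are assumptions for illustration; the sample list and rule dump are constructed.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// rule is one managed allow: a source CIDR and a TCP destination port. The
// CIDR is kept as masked text ("10.1.2.0/24", never "10.1.2.3/24"), which is
// what `iptables -S` prints, so list entries and live rules compare as strings.
type rule struct {
	source string
	port   int
}

// parseCIDRList reads the assumed list format, one CIDR per line (a single
// host is written /32 or /128). A bad entry fails the whole run rather than
// quietly shrinking the whitelist to whatever did parse.
func parseCIDRList(text string) ([]string, error) {
	var cidrs []string
	for _, f := range strings.Fields(text) {
		_, ipnet, err := net.ParseCIDR(f)
		if err != nil {
			return nil, fmt.Errorf("cidr list: %v", err)
		}
		cidrs = append(cidrs, ipnet.String()) // masked form
	}
	return cidrs, nil
}

// Only rules of exactly the shape this tool creates count as managed. The
// policy line, negated ("!") or extra matches and other targets never match
// the pattern, so the sync never deletes them.
var ruleRe = regexp.MustCompile(`^-A INPUT -s (\S+) -p tcp -m tcp --dport (\d+) -j ACCEPT$`)

// parseRules extracts the managed rules from `iptables -S INPUT` output.
func parseRules(text string) []rule {
	var rules []rule
	for _, line := range strings.Split(text, "\n") {
		m := ruleRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		_, ipnet, err := net.ParseCIDR(m[1])
		port, _ := strconv.Atoi(m[2]) // \d+ guarantees digits
		if err == nil {
			rules = append(rules, rule{ipnet.String(), port})
		}
	}
	return rules
}

// plan is the Sync step for the managed ports only: delete rules whose
// source is not listed, add listed sources that have no rule yet, and leave
// rules on other ports alone. Output order is fixed so repeated runs match.
func plan(current []rule, cidrs []string, ports []int) (add, del []rule) {
	managed, wanted, have := map[int]bool{}, map[rule]bool{}, map[rule]bool{}
	for _, p := range ports {
		managed[p] = true
		for _, c := range cidrs {
			wanted[rule{c, p}] = true
		}
	}
	for _, r := range current {
		if managed[r.port] && !wanted[r] {
			del = append(del, r)
		}
		have[r] = true
	}
	for _, p := range ports {
		for _, c := range cidrs {
			if r := (rule{c, p}); !have[r] {
				add = append(add, r)
				have[r] = true // a CIDR listed twice is added once
			}
		}
	}
	return add, del
}

// Constructed sample: a whitelist and `iptables -S INPUT` output from a host
// that still allows 192.0.2.9, which has since been dropped from the list.
const sampleCIDRFile = "203.0.113.0/24\n198.51.100.7/32\n2001:db8::/48\n"
const sampleIPTablesS = `-P INPUT DROP
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.9/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.9/32 -p tcp -m tcp --dport 22 -j ACCEPT`

func main() {
	cidrs, _ := parseCIDRList(sampleCIDRFile) // constant sample, cannot fail
	add, del := plan(parseRules(sampleIPTablesS), cidrs, []int{80, 443})
	fmt.Println("delete:", del, "add:", add)
}
```

To apply the plan, run each entry of the add set as `iptables -A INPUT -s <cidr> -p tcp --dport <port> -j ACCEPT` and each entry of the delete set with `-D` and the identical match spec; a `-D` whose spec differs from what `-S` shows does not match and leaves the stale allow in place. Sources containing a colon are IPv6 and must go to `ip6tables`, which is easy to forget on a dual-stack host. Two caveats worth checking before trusting this on a real host: the whitelist only works if the chain policy is DROP, as in the sample, or the default-deny rule comes before the appended rules, because `-A` appends after an explicit trailing DROP and the new allow never matches; and an empty list is a valid list that removes every managed rule, so keep an out-of-band way in and have whatever writes the file write a temporary file and rename it, so a daemon reacting to file changes never reads a half-written list.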

dnsrule

dnsrule resolves a hostname and ensures that the resulting IPs are allowed access to the given ports. It removes rules for any IPs that are allowed access to those ports but that the hostname no longer resolves to.

I run this from cron on hosts where I want to allow only access from a dynamic IP host.
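The resolution step of dnsrule, as an added example that is not the project's own code: the resolver is injected so the function runs offline against a constructed answer table, each resolved address becomes a single-host CIDR (/32 or /128) suitable for the same sync that the CIDR list feeds, duplicates and non-routable answers are dropped, and a failed lookup or an answer with no usable address is returned as an error rather than an empty list. That last point is the caveat a practitioner wants here: a sync that removes IPs not associated with the hostname would turn an empty answer into "allow nobody" on those ports. The function name, the lookupFunc type and the fakeDNS table are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// lookupFunc abstracts the resolver so the logic runs offline; in production
// pass net.LookupIP.
type lookupFunc func(host string) ([]net.IP, error)

// hostCIDRs resolves host and returns the single-host CIDRs to allow, sorted
// and deduplicated. It fails closed: a lookup error or an answer with no
// usable address is returned as an error, never as an empty list, because a
// sync that removes unlisted IPs would turn an empty list into "allow nobody".
func hostCIDRs(lookup lookupFunc, host string) ([]string, error) {
	ips, err := lookup(host)
	if err != nil {
		return nil, fmt.Errorf("lookup %s: %w", host, err)
	}
	seen := map[string]bool{}
	var cidrs []string
	for _, ip := range ips {
		if !ip.IsGlobalUnicast() { // unspecified, loopback, link-local, multicast
			continue
		}
		bits := 128
		if ip.To4() != nil {
			bits = 32
		}
		c := fmt.Sprintf("%s/%d", ip, bits)
		if !seen[c] {
			seen[c] = true
			cidrs = append(cidrs, c)
		}
	}
	if len(cidrs) == 0 {
		return nil, fmt.Errorf("lookup %s: no usable address, keeping current rules", host)
	}
	sort.Strings(cidrs)
	return cidrs, nil
}

// fakeDNS is a constructed answer table standing in for real DNS: a
// dual-stack dynamic host with a duplicate answer, and a record that exists
// but resolves to nothing usable. Unknown names get NXDOMAIN.
var fakeDNS = map[string][]net.IP{
	"home.example.net":  {net.ParseIP("198.51.100.7"), net.ParseIP("2001:db8::7"), net.ParseIP("198.51.100.7")},
	"empty.example.net": {net.ParseIP("0.0.0.0")},
}

func fakeLookup(host string) ([]net.IP, error) {
	ips, ok := fakeDNS[host]
	if !ok {
		return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
	}
	return ips, nil
}

func main() {
	for _, h := range []string{"home.example.net", "empty.example.net", "gone.example.net"} {
		cidrs, err := hostCIDRs(fakeLookup, h)
		fmt.Printf("%s: %v (err: %v)\n", h, cidrs, err)
	}
}
```

The trust model is worth stating plainly when running something like this from cron: whoever can change the DNS record controls the firewall, so the record should live at a provider you control and be queried through a resolver you trust. The whitelist also lags an address change by up to the cron interval plus the record's TTL in the resolver cache, which bounds how quickly a new dynamic IP gets in and how long the old one stays allowed.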

Rationale

Why? I keep my httpd firewalled from all hosts except those I whitelist.

I want to work on a list of IPs (adding and removing to that list as necessary) and then sync the rules. Doing this with iptables alone is tedious, so I use iptables-manage.

I expect there are existing tools to do this kind of thing, but given it is really only one command (iptables -A), I prefer to write something simple myself.

Documentation

Overview

Package iptablesmanage provides functionality to interact with iptables rules. You can use it to sync rules with CIDR list files.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Allow

func Allow(
	verbose bool,
	networks []*net.IPNet,
	ports []int,
) error

Allow ensures that every network is allowed on every port, adding a rule for each network/port pair that is not yet allowed.

func ApplyUpdatesFromCIDRFile

func ApplyUpdatesFromCIDRFile(
	cidrFile string,
	verbose bool,
	ports []int,
) error

ApplyUpdatesFromCIDRFile ensures the iptables rules match what is in the CIDR file.

func CSVToPorts

func CSVToPorts(s string) ([]int, error)

CSVToPorts takes a comma separated string such as "80,443" and returns the ports.

func Sync

func Sync(
	verbose bool,
	networks []*net.IPNet,
	ports []int,
) error

Sync takes the list of networks that should be allowed and makes the iptables rules match it.

Rules for CIDRs not in the list are removed, and rules are added for CIDRs in the list that have none.

Types

type IPTablesRule

type IPTablesRule struct {
	// Source CIDR.
	Source *net.IPNet

	// Destination port.
	DestPort int

	// Line number.
	Line int
}

IPTablesRule holds an iptables rule.

func (IPTablesRule) String

func (i IPTablesRule) String() string

Directories

Path  Synopsis
cidrlist  Package cidrlist interacts with a CIDR list suitable for the iptables-manage program.
cmd
  dnsrule  This program synchronizes a whitelist based firewall with IPs found from resolving a DNS record.
