xtables

package module
v1.0.5-rc.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 19, 2024 License: Apache-2.0 Imports: 4 Imported by: 2

README

Go Reference Go License Go Report Card Platform

English | 简体中文

What is go-xtables?

Concepts

Capabilities

Go-xtables(production-ready) is a wrapper for the iptables, ebtables, and arptables utils. It provides full features, extensions and abstractions from Netfilter, making it very convenient to use.

Check out the iptables godoc and ebtables godoc to learn about the 70+ match capabilities, 50+ target capabilities, and 10+ option capabilities.

Matches:

  • ✅ MatchTypeAddrType
  • ✅ MatchTypeAH
  • ✅ MatchTypeBPF
  • ✅ MatchTypeCGroup
  • ✅ MatchTypeCluster
  • ✅ MatchTypeComment
  • ✅ MatchTypeConnBytes
  • ✅ MatchTypeConnLabel
  • ✅ MatchTypeConnLimit
  • ✅ MatchTypeConnMark
  • ✅ MatchTypeConnTrack
  • ✅ MatchTypeCPU
  • ✅ MatchTypeDCCP
  • ✅ MatchTypeDestination
  • ✅ MatchTypeDevGroup
  • ✅ MatchTypeDSCP
  • ✅ MatchTypeDst
  • ✅ MatchTypeECN
  • ✅ MatchTypeESP
  • ✅ MatchTypeEUI64
  • ✅ MatchTypeFrag
  • ✅ MatchTypeHashLimit
  • ✅ MatchTypeHBH
  • ✅ MatchTypeHelper
  • ✅ MatchTypeHL
  • ✅ MatchTypeICMP
  • ✅ MatchTypeInInterface
  • ✅ MatchTypeIPRange
  • ✅ MatchTypeIPv4
  • ✅ MatchTypeIPv6
  • ✅ MatchTypeIPv6Header
  • ✅ MatchTypeIPVS
  • ✅ MatchTypeLength
  • ✅ MatchTypeLimit
  • ✅ MatchTypeMAC
  • ✅ MatchTypeMark
  • ✅ MatchTypeMH
  • ✅ MatchTypeMultiPort
  • ✅ MatchTypeNFAcct
  • ✅ MatchTypeOSF
  • ✅ MatchTypeOutInterface
  • ✅ MatchTypeOwner
  • ✅ MatchTypePhysDev
  • ✅ MatchTypePktType
  • ✅ MatchTypePolicy
  • ✅ MatchTypeProtocol
  • ✅ MatchTypeQuota
  • ✅ MatchTypeRateEst
  • ✅ MatchTypeRealm
  • ✅ MatchTypeRecent
  • ✅ MatchTypeRPFilter
  • ✅ MatchTypeRT
  • ✅ MatchTypeSCTP
  • ✅ MatchTypeSet
  • ✅ MatchTypeSocket
  • ✅ MatchTypeSource
  • ✅ MatchTypeSRH
  • ✅ MatchTypeState
  • ✅ MatchTypeStatistic
  • ✅ MatchTypeString
  • ✅ MatchTypeTCP
  • ✅ MatchTypeTCPMSS
  • ✅ MatchTypeTime
  • ✅ MatchTypeTOS
  • ✅ MatchTypeTTL
  • ✅ MatchTypeU32
  • ✅ MatchTypeUDP

Targets:

  • ✅ TargetTypeAccept
  • ✅ TargetTypeDrop
  • ✅ TargetTypeReturn
  • ✅ TargetTypeJumpChain
  • ✅ TargetTypeGotoChain
  • ✅ TargetTypeAudit
  • ✅ TargetTypeCheckSum
  • ✅ TargetTypeClassify
  • ✅ TargetTypeClusterIP
  • ✅ TargetTypeConnMark
  • ✅ TargetTypeConnSecMark
  • ✅ TargetTypeCT
  • ✅ TargetTypeDNAT
  • ✅ TargetTypeDNPT
  • ✅ TargetTypeDSCP
  • ✅ TargetTypeECN
  • ✅ TargetTypeHL
  • ✅ TargetTypeHMark
  • ✅ TargetTypeIdleTimer
  • ✅ TargetTypeLED
  • ✅ TargetTypeLog
  • ✅ TargetTypeMark
  • ✅ TargetTypeMasquerade
  • ✅ TargetTypeMirror
  • ✅ TargetTypeNetmap
  • ✅ TargetTypeNFLog
  • ✅ TargetTypeNFQueue
  • ✅ TargetTypeNoTrack
  • ✅ TargetTypeRateEst
  • ✅ TargetTypeRedirect
  • ✅ TargetTypeReject
  • ✅ TargetTypeSame
  • ✅ TargetTypeSecMark
  • ✅ TargetTypeSet
  • ✅ TargetTypeSNAT
  • ✅ TargetTypeSNPT
  • ✅ TargetTypeSYNProxy
  • ✅ TargetTypeTCPMSS
  • ✅ TargetTypeTCPOptStrip
  • ✅ TargetTypeTEE
  • ✅ TargetTypeTOS
  • ✅ TargetTypeTProxy
  • ✅ TargetTypeTrace
  • ✅ TargetTypeTTL
  • ✅ TargetTypeULog

Features

  • Multiple tables(iptables, ebtables, arptables) to support.
  • Full featured matches, options, watchers and other extensions.
  • Addtional search.
  • Chainable pattern.
  • Dryrun commands to writer.
  • Log control(inner log, logrus etc.).

Usage

Getting Started

Only accep ssh, http and https ports for incoming traffic
package main

import (
	"log"

	"github.com/singchia/go-xtables/iptables"
	"github.com/singchia/go-xtables/pkg/network"
)

func main() {
	ipt := iptables.NewIPTables().Table(iptables.TableTypeFilter).Chain(iptables.ChainTypeINPUT).MatchProtocol(false, network.ProtocolTCP)

	// allow ssh, http and https
	err := ipt.MatchMultiPort(iptables.WithMatchMultiPortDstPorts(false, 22, 80, 443)).TargetAccept().Insert()
	if err != nil {
		log.Fatal(err)
	}
	// drop others
	err = iptables.NewIPTables().Table(iptables.TableTypeFilter).Chain(iptables.ChainTypeINPUT).Policy(iptables.TargetTypeDrop)
	if err != nil {
		log.Fatal(err)
	}
}

Simple Use

Drop all incoming traffic on specific port
iptables.NewIPTables().
	Table(iptables.TableTypeFilter).
	Chain(iptables.ChainTypeINPUT).
	MatchProtocol(false, network.ProtocolTCP).
	MatchTCP(iptables.WithMatchTCPDstPort(false, 2432)).
	TargetDrop().
	Append()
Accept all incoming traffic from a specific source IP address
iptables.NewIPTables().
	Table(iptables.TableTypeFilter).
	Chain(iptables.ChainTypeINPUT).
	MatchSource(false, "192.168.1.100").
	TargetAccept().
	Append()

rules, err := iptables.NewIPTables().
	Table(iptables.TableTypeFilter).
	Chain(iptables.ChainTypeINPUT).
	MatchSource(false, "192.168.1.100").
	TargetAccept().
	FindRules()
Delete all rules from all tables
iptables.NewIPTables().Flush()
Allow a maximum of 10 connections per minute to enter port 80
iptables.NewIPTables().
	Table(iptables.TableTypeFilter).
	Chain(iptables.ChainTypeINPUT).
	MatchProtocol(false, network.ProtocolTCP).
	MatchTCP(iptables.WithMatchTCPDstPort(false, 80)).
	MatchLimit(iptables.WithMatchLimit(xtables.Rate{10, xtables.Minute})).
	TargetAccept().
	Append()
Mirror traffic to the gateway
iptables.NewIPTables().
	Table(iptables.TableTypeMangle).
	Chain(iptables.ChainTypePREROUTING).
	MatchProtocol(false, network.ProtocolTCP).
	MatchTCP(iptables.WithMatchTCPDstPort(false, 2432)).
	TargetTEE(net.ParseIP("192.168.1.1")).
	Insert()
Deny access from a specific MAC address.

This example uses ebtables. Please note that this rule applies to the linux-bridge, so make sure that the network interface is being hosted by the bridge.

ebtables.NewEBTables().
	Table(ebtables.TableTypeFilter).
	Chain(ebtables.ChainTypeINPUT).
	MatchSource(false, "00:11:22:33:44:55").
	TargetDrop().
	Append()

Real-world scenario

Anti DDOS attack
custom := "SYN_FLOOD"
ipt := iptables.NewIPTables().Table(iptables.TableTypeFilter)
ipt.NewChain(custom)
ipt.Chain(iptables.ChainTypeINPUT).
	MatchProtocol(false, network.ProtocolTCP).
	MatchTCP(iptables.WithMatchTCPSYN(false)).
	TargetJumpChain(custom).
	Append()

userDefined := iptables.ChainTypeUserDefined
userDefined.SetName(custom)
rate := xtables.Rate{1, xtables.Second}
ipt.Chain(userDefined).
	MatchLimit(
		iptables.WithMatchLimit(rate),
		iptables.WithMatchLimitBurst(3)).
	TargetReturn().
	Append()
ipt.Chain(userDefined).
	TargetDrop().
	Append()
Disable PING
iptables.NewIPTables().
	Table(iptables.TableTypeFilter).
	Chain(iptables.ChainTypeINPUT).
	MatchProtocol(false, network.ProtocolICMP).
	MatchICMP(false, network.ICMPType(network.EchoRequest)).
	TargetDrop().
	Append()
Traffic outbound only except ssh port
ipt := iptables.NewIPTables().Table(iptables.TableTypeFilter)
ipt.Chain(iptables.ChainTypeINPUT).
	MatchInInterface(false, "lo").
	TargetAccept().
	Append()
ipt.Chain(iptables.ChainTypeINPUT).
	MatchState(iptables.ESTABLISHED | iptables.RELATED).
	TargetAccept().
	Append()
ipt.Chain(iptables.ChainTypeINPUT).
	MatchProtocol(false, network.ProtocolTCP).
	MatchTCP(iptables.WithMatchTCPDstPort(false, 22)).
	TargetAccept().
	Append()
ipt.Chain(iptables.ChainTypeINPUT).Policy(iptables.TargetTypeDrop)
ipt.Chain(iptables.ChainTypeFORWARD).Policy(iptables.TargetTypeDrop)
ipt.Chain(iptables.ChainTypeOUTPUT).Policy(iptables.TargetTypeAccept)

Note

Compatibility

Starting from Linux kernel version 4.18, nftables became part of the kernel and gradually replaced iptables. Therefore, distributions using Linux 4.18 and higher versions typically use nftables instead of iptables. Since nftables is not fully compatible with iptables, if you still want to continue using go-xtables, it is best to switch to iptables to continue using it when using these distributions.

The following distributions need to pay attention to compatibility:

  • Debian 10(Buster) and higher versions
  • Ubuntu 18.04(Bionic Beaver) and higher versions.
  • Centos 8 and higher versions.
  • Fedora 18 and higher versions.
  • OpenSUSE Leap 15.2 and higher versions.
  • Arch Linux

Contributing

If you find any bug, please submit the issue, and we will respond in a short time.

If you want to contribute new features or help solve project problems, please feel free to submit a PR:

  • Maintain consistent code style
  • Submit one feature at a time
  • Include unit tests with the code you submit

Who is using

License

Released under the Apache License 2.0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrUnsupportedAddress       = errors.New("unsupported address")
	ErrIllegalAddress           = errors.New("illegal address")
	ErrChainRequired            = errors.New("chain required")
	ErrCommandRequired          = errors.New("command required")
	ErrRulenumMustNot0          = errors.New("rulenum mustn't be 0")
	ErrChainLineTooShort        = errors.New("chain line too short")
	ErrChainAttrsNotRecognized  = errors.New("chain attrs not recognized")
	ErrArgs                     = errors.New("wrong args")
	ErrTargetNotFound           = errors.New("target not found")
	ErrMatchParams              = errors.New("illegal match params")
	ErrWatcherParams            = errors.New("illegal watcher params")
	ErrTargetParams             = errors.New("illegal target params")
	ErrAtLeastOneOptionRequired = errors.New("at least one option required")
	ErrTargetParseFailed        = errors.New("target parse failed")
	ErrIllegalTargetType        = errors.New("illegal target type")
	ErrArgsWithoutMAC           = errors.New("args without mac address")
)
View Source 
var (
	Weekdays = map[string]Weekday{
		"Mon": Monday,
		"Tue": Tuesday,
		"Wed": Wednesday,
		"Thu": Thursday,
		"Fri": Friday,
		"Sat": Saturday,
		"Sun": Sunday,
	}
)

Functions

func ErrAndStdErr 

func ErrAndStdErr(err error, stderr []byte) error

Types

type CommandError 

type CommandError struct {
	Err     error
	Message string
}

func (*CommandError) Error 

func (ce *CommandError) Error() string

func (*CommandError) IsRuleNotExistError 

func (ce *CommandError) IsRuleNotExistError() bool

type Date 

type Date struct {
	*Yeartime
	*Daytime
}

func ParseDate 

func ParseDate(date string) (*Date, error)

func (*Date) String 

func (date *Date) String() string

type Daytime 

type Daytime struct {
	Hour   int8
	Minute int8
	Second int8
	// contains filtered or unexported fields
}

func ParseDaytime 

func ParseDaytime(daytime string) (*Daytime, error)

func (*Daytime) String 

func (dt *Daytime) String() string

type Direction 

type Direction int
const (
	In Direction = 1 << iota
	Out
)

func (Direction) String 

func (dir Direction) String() string

type LogLevel 

type LogLevel int8
const (
	LogLevelEMERG   LogLevel = 0 /* system is unusable */
	LogLevelALERT   LogLevel = 1 /* action must be taken immediately */
	LogLevelCRIT    LogLevel = 2 /* critical conditions */
	LogLevelERR     LogLevel = 3 /* error conditions */
	LogLevelWARNING LogLevel = 4 /* warning conditions */
	LogLevelNOTICE  LogLevel = 5 /* normal but significant condition */
	LogLevelINFO    LogLevel = 6 /* informational */
	LogLevelDEBUG   LogLevel = 7 /* debug-level messages */
)

type Monthday 

type Monthday int32

func (Monthday) String 

func (monthday Monthday) String() string

type Operator 

type Operator uint32
const (
	OperatorNull Operator = iota
	OperatorEQ            // ==
	OperatorNE            // !=
	OperatorLT            // <
	OperatorGT            // >
	OperatorINC           // +
	OperatorDEC           // -
	OperatorSET           // =
	OperatorXSET          // ^=
	OperatorAND           // &
	OperatorOR            // |
	OperatorXOR           // ^|
)

func (Operator) String 

func (operator Operator) String() string

type Rate 

type Rate struct {
	Rate int
	Unit Unit
}

func (Rate) String 

func (rate Rate) String() string

type RateFloat 

type RateFloat struct {
	Rate float64
	Unit Unit
}

func (RateFloat) Sting 

func (rateFloat RateFloat) Sting() string

type Unit 

type Unit int

time related 

const (
	Microsecond Unit
	Millisecond
	Second
	Minute
	Hour
	Day
	BPS  // bytes per second
	KBPS // kilo bytes per second
	MBPS // million bytes per second
)

type Weekday 

type Weekday int8
const (
	Monday Weekday = 1 << iota
	Tuesday
	Wednesday
	Thursday
	Friday
	Saturday
	Sunday
)

func (Weekday) String 

func (weekday Weekday) String() string

type Yeartime 

type Yeartime struct {
	Year  int16
	Month int8
	Day   int8
	// contains filtered or unexported fields
}

func ParseYeartime 

func ParseYeartime(yeartime string) (*Yeartime, error)

func (*Yeartime) String 

func (yt *Yeartime) String() string

Source Files

View all Source files

Directories

Path Synopsis
test command
examples
allow_dports_accept command
allow_multiports_accept command
* Apache License 2.0 * * Copyright (c) 2022, Austin Zhai * All rights reserved.
 * Apache License 2.0 * * Copyright (c) 2022, Austin Zhai * All rights reserved.
internal
sandbox
xutil
test command
pkg
cmd
constraint
iproute2
log
* Apache License 2.0 * * Copyright (c) 2022, Austin Zhai * All rights reserved.
 * Apache License 2.0 * * Copyright (c) 2022, Austin Zhai * All rights reserved.
network
* Apache License 2.0 * * Copyright (c) 2022, Austin Zhai * All rights reserved.
 * Apache License 2.0 * * Copyright (c) 2022, Austin Zhai * All rights reserved.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.