Introduction¶
About python-iptables¶
Iptables is the tool that is used to manage netfilter, the standard packet filtering and manipulation framework under Linux. As the iptables manpage puts it:
Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined.
Each table contains a number of built-in chains and may also contain user- defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a target, which may be a jump to a user-defined chain in the same table.
Python-iptables
provides a pythonesque wrapper via python bindings to
iptables under Linux. Interoperability with iptables is achieved via using
the iptables C libraries (libiptc
, libxtables
, and the iptables
extensions), not calling the iptables binary and parsing its output. It is
meant primarily for dynamic and/or complex routers and firewalls, where rules
are often updated or changed, or Python programs wish to interface with the
Linux iptables framework..
If you are looking for ebtables
python bindings, check out
python-ebtables.
Python-iptables
supports Python 2.6, 2.7 and 3.4.
Compiling from source¶
First make sure you have iptables installed (most Linux distributions install
it by default). Python-iptables
needs the shared libraries libiptc.so
and libxtables.so
coming with iptables, they are installed in /lib
on
Ubuntu.
You can compile python-iptables
in the usual distutils way:
% cd python-iptables
% python setup.py build
If you like, python-iptables
can also be installed into a virtualenv
:
% mkvirtualenv python-iptables
% python setup.py install
If you install python-iptables
as a system package, make sure the
directory where distutils
installs shared libraries is in the dynamic
linker’s search path (it’s in /etc/ld.so.conf
or in one of the files in
the folder /etc/ld.co.conf.d
). Under Ubuntu distutils
by default
installs into /usr/local/lib
.
Now you can run the tests:
% sudo PATH=$PATH python setup.py test
WARNING: this test will manipulate iptables rules.
Don't do this on a production machine.
Would you like to continue? y/n y
[...]
The PATH=$PATH
part is necessary after sudo
if you have installed into
a virtualenv
, since sudo
will reset your environment to a system
setting otherwise..
Once everything is in place you can fire up python to check whether the package can be imported:
% sudo PATH=$PATH python
>>> import iptc
>>>
Of course you need to be root to be able to use iptables.
Using a custom iptables install¶
If you are stuck on a system with an old version of iptables
, you can
install a more up to date version to a custom location, and ask
python-iptables
to use libraries at that location.
To install iptables
to /tmp/iptables
:
% git clone git://git.netfilter.org/iptables && cd iptables
% ./autogen.sh
% ./configure --prefix=/tmp/iptables
% make
% make install
Make sure the dependencies iptables
needs are installed.
Now you can point python-iptables
to this install path via:
% sudo PATH=$PATH IPTABLES_LIBDIR=/tmp/iptables/lib XTABLES_LIBDIR=/tmp/iptables/lib/xtables python
>>> import iptc
>>>