.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "Rex::Commands::Iptables 3pm"
.TH Rex::Commands::Iptables 3pm "2023-08-09" "perl v5.36.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
Rex::Commands::Iptables \- Iptable Management Commands
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
With this Module you can manage basic Iptables rules.
.PP
Version <= 1.0: All these functions will not be reported.
.PP
Only \fIopen_port\fR and \fIclose_port\fR are idempotent.
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& use Rex::Commands::Iptables;
\&
\& task "firewall", sub {
\&   iptables_clear;
\&
\&   open_port 22;
\&   open_port [22, 80] => {
\&     dev => "eth0",
\&   };
\&
\&   close_port 22 => {
\&     dev => "eth0",
\&   };
\&   close_port "all";
\&
\&   redirect_port 80 => 10080;
\&   redirect_port 80 => {
\&     dev => "eth0",
\&     to  => 10080,
\&   };
\&
\&   default_state_rule;
\&   default_state_rule dev => "eth0";
\&
\&   is_nat_gateway;
\&
\&   iptables t => "nat",
\&         A => "POSTROUTING",
\&         o => "eth0",
\&         j => "MASQUERADE";
\&
\&   # The \*(Aqiptables\*(Aq function also accepts long options,
\&   # however, options with dashes need to be quoted
\&   iptables table => "nat",
\&         accept          => "POSTROUTING",
\&         "out\-interface" => "eth0",
\&         jump            => "MASQUERADE";
\&
\&   # Version of IP can be specified in the first argument
\&   # of any function: \-4 or \-6 (defaults to \-4)
\&   iptables_clear \-6;
\&
\&   open_port \-6, [22, 80];
\&   close_port \-6, "all";
\&   redirect_port \-6, 80 => 10080;
\&   default_state_rule \-6;
\&
\&   iptables \-6, "flush";
\&   iptables \-6,
\&         t     => "filter",
\&         A     => "INPUT",
\&         i     => "eth0",
\&         m     => "state",
\&         state => "RELATED,ESTABLISHED",
\&         j     => "ACCEPT";
\& };
.Ve
.SH "EXPORTED FUNCTIONS"
.IX Header "EXPORTED FUNCTIONS"
.ie n .SS "open_port($port, $option)"
.el .SS "open_port($port, \f(CW$option\fP)"
.IX Subsection "open_port($port, $option)"
Open a port for inbound connections.
.PP
.Vb 6
\& task "firewall", sub {
\&   open_port 22;
\&   open_port [22, 80];
\&   open_port [22, 80],
\&     dev => "eth1";
\& };
\&
\& task "firewall", sub {
\&  open_port 22,
\&    dev    => "eth1",
\&    only_if => "test \-f /etc/firewall.managed";
\&} ;
.Ve
.ie n .SS "close_port($port, $option)"
.el .SS "close_port($port, \f(CW$option\fP)"
.IX Subsection "close_port($port, $option)"
Close a port for inbound connections.
.PP
.Vb 7
\& task "firewall", sub {
\&   close_port 22;
\&   close_port [22, 80];
\&   close_port [22, 80],
\&     dev    => "eth0",
\&     only_if => "test \-f /etc/firewall.managed";
\& };
.Ve
.ie n .SS "redirect_port($in_port, $option)"
.el .SS "redirect_port($in_port, \f(CW$option\fP)"
.IX Subsection "redirect_port($in_port, $option)"
Redirect \f(CW$in_port\fR to another local port.
.PP
.Vb 7
\& task "redirects", sub {
\&   redirect_port 80 => 10080;
\&   redirect_port 80 => {
\&     to  => 10080,
\&     dev => "eth0",
\&   };
\& };
.Ve
.SS "iptables(@params)"
.IX Subsection "iptables(@params)"
Write standard iptable comands.
.PP
Note that there is a short form for the iptables \f(CW\*(C`\-\-flush\*(C'\fR option; when you
pass the option of \f(CW\*(C`\-F|"flush"\*(C'\fR as the only argument, the command
\&\f(CW\*(C`iptables \-F\*(C'\fR is run on the connected host.  With the two argument form of
\&\f(CW\*(C`flush\*(C'\fR shown in the examples below, the second argument is table you want to
flush.
.PP
.Vb 3
\& task "firewall", sub {
\&   iptables t => "nat", A => "POSTROUTING", o => "eth0", j => "MASQUERADE";
\&   iptables t => "filter", i => "eth0", m => "state", state => "RELATED,ESTABLISHED", j => "ACCEPT";
\&
\&   # automatically flushes all tables; equivalent to \*(Aqiptables \-F\*(Aq
\&   iptables "flush";
\&   iptables \-F;
\&
\&   # flush only the "filter" table
\&   iptables flush => "filter";
\&   iptables \-F => "filter";
\& };
\&
\& # Note: options with dashes "\-" need to be quoted to escape them from Perl
\& task "long_form_firewall", sub {
\&   iptables table => "nat",
\&        append          => "POSTROUTING",
\&        "out\-interface" => "eth0",
\&        jump            => "MASQUERADE";
\&   iptables table => "filter",
\&        "in\-interface" => "eth0",
\&        match          => "state",
\&        state          => "RELATED,ESTABLISHED",
\&        jump           => "ACCEPT";
\& };
.Ve
.SS "is_nat_gateway"
.IX Subsection "is_nat_gateway"
This function creates a \s-1NAT\s0 gateway for the device the default route points to.
.PP
.Vb 4
\& task "make\-gateway", sub {
\&   is_nat_gateway;
\&   is_nat_gateway \-6;
\& };
.Ve
.SS "default_state_rule(%option)"
.IX Subsection "default_state_rule(%option)"
Set the default state rules for the given device.
.PP
.Vb 3
\& task "firewall", sub {
\&   default_state_rule(dev => "eth0");
\& };
.Ve
.SS "iptables_list"
.IX Subsection "iptables_list"
List all iptables rules.
.PP
.Vb 4
\& task "list\-iptables", sub {
\&   print Dumper iptables_list;
\&   print Dumper iptables_list \-6;
\& };
.Ve
.SS "iptables_clear"
.IX Subsection "iptables_clear"
Remove all iptables rules.
.PP
.Vb 3
\& task "no\-firewall", sub {
\&   iptables_clear;
\& };
.Ve