tessl/pypi-python-iptables
Python bindings for iptables providing programmatic control over Linux netfilter rules
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-python-iptables@1.2.0index.mddocs/
Python-iptables
Python-iptables provides Python bindings for iptables, the standard packet filtering and manipulation framework under Linux. It offers a pythonesque wrapper that interfaces directly with the iptables C libraries (libiptc, libxtables, and extensions) rather than parsing command-line output, making it suitable for dynamic and complex routing and firewall applications where rules are frequently updated.
Package Information
- Package Name: python-iptables
- Package Type: pypi
- Language: Python
- Installation:
pip install python-iptables
Core Imports
import iptcCommon patterns for working with tables, chains, and rules:
from iptc import Table, Chain, Rule, Match, Target, Policy, IPTCError
from iptc import Table6, Rule6, is_table_available, is_table6_available
from iptc.errors import XTablesErrorHigh-level interface:
import iptc.easy as easyBasic Usage
import iptc
# Create a table and chain
table = iptc.Table(iptc.Table.FILTER)
chain = iptc.Chain(table, "INPUT")
# Create a rule to accept SSH traffic
rule = iptc.Rule()
rule.protocol = "tcp"
rule.src = "192.168.1.0/24"
# Add TCP match for SSH port
match = rule.create_match("tcp")
match.dport = "22"
# Set target to ACCEPT
rule.target = rule.create_target("ACCEPT")
# Insert rule into chain
chain.insert_rule(rule)High-level interface example:
import iptc.easy as easy
# Add rule using dictionary syntax
rule_dict = {
'protocol': 'tcp',
'src': '192.168.1.0/24',
'tcp': {'dport': '22'},
'target': 'ACCEPT'
}
easy.add_rule('filter', 'INPUT', rule_dict)
# Dump existing rules
rules = easy.dump_chain('filter', 'INPUT')
print(rules)Architecture
Python-iptables uses a layered architecture that mirrors the iptables C library structure:
- Tables: Container for chains (filter, nat, mangle, raw, security)
- Chains: Container for rules (INPUT, OUTPUT, FORWARD, custom chains)
- Rules: Individual packet filtering/manipulation instructions
- Matches: Conditions for packet matching (tcp, udp, state, etc.)
- Targets: Actions to take on matched packets (ACCEPT, DROP, MASQUERADE, etc.)
The library provides both a low-level object-oriented interface that closely matches the underlying C API and a high-level dictionary-based interface for simplified operations.
Capabilities
IPv4 Table and Chain Management
Core functionality for managing iptables tables and chains, including creation, deletion, policy setting, and rule management. Provides the foundation for all iptables operations.
class Table:
FILTER: str
NAT: str
MANGLE: str
RAW: str
SECURITY: str
def __init__(self, name: str, autocommit: bool = None): ...
def commit(self) -> None: ...
def refresh(self) -> None: ...
def create_chain(self, chain: str) -> 'Chain': ...
def delete_chain(self, chain: str) -> None: ...
class Chain:
def __init__(self, table: Table, name: str): ...
def insert_rule(self, rule: 'Rule', position: int = 0) -> None: ...
def append_rule(self, rule: 'Rule') -> None: ...
def delete_rule(self, rule: 'Rule') -> None: ...
def flush(self) -> None: ...
def set_policy(self, policy: str, counters: tuple = None) -> None: ...
def is_table_available(name: str) -> bool: ...Rule Creation and Management
Comprehensive rule creation, matching, and targeting system supporting all iptables match and target extensions. Enables precise packet filtering and manipulation.
class Rule:
def __init__(self, entry=None, chain=None): ...
def create_match(self, name: str, revision: int = None) -> 'Match': ...
def create_target(self, name: str, revision: int = None, goto: bool = False) -> 'Target': ...
def add_match(self, match: 'Match') -> None: ...
class Match:
def __init__(self, rule: Rule, name: str = None, match=None, revision: int = None): ...
class Target:
def __init__(self, rule: Rule, name: str = None, target=None, revision: int = None, goto: bool = None): ...IPv6 Support
Full IPv6 support with dedicated classes for handling IPv6 addresses, prefixes, and protocol-specific matching. Provides the same interface as IPv4 with IPv6-specific handling.
class Table6(Table):
def __init__(self, name: str, autocommit: bool = None): ...
class Rule6(Rule):
def __init__(self, entry=None, chain=None): ...
def is_table6_available(name: str) -> bool: ...High-Level Interface
Simplified dictionary-based interface for common iptables operations. Provides functions for table, chain, and rule management without requiring object instantiation.
def add_rule(table: str, chain: str, rule_d: dict, position: int = 0, ipv6: bool = False) -> None: ...
def delete_rule(table: str, chain: str, rule_d: dict, ipv6: bool = False, raise_exc: bool = True) -> None: ...
def dump_chain(table: str, chain: str, ipv6: bool = False) -> list: ...
def flush_table(table: str, ipv6: bool = False, raise_exc: bool = True) -> None: ...
def add_chain(table: str, chain: str, ipv6: bool = False, raise_exc: bool = True) -> bool: ...
def delete_chain(table: str, chain: str, ipv6: bool = False, flush: bool = False, raise_exc: bool = True) -> None: ...Types
class Policy:
ACCEPT: str
DROP: str
QUEUE: str
RETURN: str
class IPTCError(Exception):
"""Exception for low-level libiptc errors"""
class XTablesError(Exception):
"""Exception for xtables extension errors"""