Class: IpTables

Inherits:

Object

• Object
• IpTables

Defined in:

lib/resources/iptables.rb

Overview

Usage: describe iptables do

it { should have_rule('-P INPUT ACCEPT') }

end

The following serverspec sytax is not implemented: describe iptables do

it { should have_rule('-P INPUT ACCEPT').with_table('mangle').with_chain('INPUT') }

end Please use the new sytax: describe iptables(table:‘mangle’, chain: ‘input’) do

it { should have_rule('-P INPUT ACCEPT') }

end

Note: Docker containers normally do not have iptables installed

See Also:

• http://ipset.netfilter.org/iptables.man.html
• http://ipset.netfilter.org/iptables.man.html
• https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

Instance Method Summary

• #has_rule?(rule = nil, _table = nil, _chain = nil) ⇒ Boolean
• #initialize(params = {}) ⇒ IpTables constructor

  A new instance of IpTables.

• #retrieve_rules ⇒ Object
• #to_s ⇒ Object

Constructor Details

#initialize(params = {}) ⇒ IpTables

Returns a new instance of IpTables.

# File 'lib/resources/iptables.rb', line 27

def initialize(params = {})
  @table = params[:table] || nil
  @chain = params[:chain] || nil

  # we're done if we are on linux
  return if inspec.os.linux?

  # ensures, all calls are aborted for non-supported os
  @iptables_cache = []
  skip_resource 'The `iptables` resource is not supported on your OS yet.'
end

Instance Method Details

#has_rule?(rule = nil, _table = nil, _chain = nil) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/resources/iptables.rb', line 39

def has_rule?(rule = nil, _table = nil, _chain = nil)
  found = false
  retrieve_rules.each { |line|
    # checks if the rule is part of the ruleset
    # for now, we expect an excact match
    found = true if line.downcase == rule.downcase
  }
  found
end

#retrieve_rules ⇒ Object

# File 'lib/resources/iptables.rb', line 49

def retrieve_rules
  return @iptables_cache if defined?(@iptables_cache)

  # construct iptables command to read all rules
  @table.nil? ? table_cmd = '' : table_cmd = " -t #{@table} "
  @chain.nil? ? chain_cmd = '' : chain_cmd = " #{@chain}"
  cmd = inspec.command(format('iptables %s -S %s', table_cmd, chain_cmd).strip)
  return [] if cmd.exit_status.to_i != 0

  # split rules, returns array or rules
  @iptables_cache = cmd.stdout.chomp.split("\n")
end

#to_s ⇒ Object

# File 'lib/resources/iptables.rb', line 62

def to_s
  format('Iptables %s %s', @table.nil? ? '' : "table: #{@table}", @chain.nil? ? '' : "chain: #{@chain}").strip
end