iptable library allows you to quick and easy parse and manipulate iptables records via PHP. As a main feature it parse raw iptable dump and build full objected tree with chains and rules. It moves almost all functionality which give you iptables.
Not all patches are implemented - for my purposes there was no need to do that - but it should be enough for most use cases.
The simpliest way to install iptables is by the composer.
composer require plugowski/iptables
Of course you can also download that repository and load all classes from src into your project (don't forget to load all required files).
Parsing raw iptables dump build chains tree connected to one of five default tables in iptables
.
use plugowski\iptables\IptablesService;
use plugowski\iptables\Table\Table;
use plugowski\iptables\Table\TableFactory;
$iptables = new IptablesService();
$table = (new TableFactory())->build(Table::TABLE_MANGLE);
$table->setRaw(shell_exec('iptables -nL --line-numbers -t ' . Table::TABLE_MANGLE));
$result = $iptables->parseIptablesChains($table);
As result of above code you should get Table
object with Chain
collection:
$chains = $iptables->getChainsList();
Each Table
got Chains
and each Chain
got Rules
with properties which describes all selected options.
Using iptables class you can simply find specified chain and get list of all rules in it.
Some examples you can check directly in tests. But for quick review I also put it here.
Let's get that iptables settings and we want edit first record - set source to 127.0.0.1
:
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 MAC 00:00:00:00:11:22
I assume that we already have parsed table under $result
var, so the easiest way to do that is:
$newRule = new Rule('ACCEPT', 'tcp', '127.0.0.1');
$cmd = $result->getChainByName('INPUT')->replaceRule($newRule, 1);
First rule in object has been changed and in result we got command in $cmd
:
iptables -R INPUT 1 -t mangle --proto tcp --source 127.0.0.1 --jump ACCEPT
Command class allows you to generate plain shell commands to manage iptables (only return as strings without execute!).
// To create shell comand like that:
// iptables -A INPUT -t mangle --match mac --mac-source 11:22:33:aa:bb:cc --jump RETURN
$command = new Command(Table::TABLE_MANGLE);
$cmd = $command->setMatch('mac', ['source' => '11:22:33:aa:bb:cc'])
->setJump('RETURN')
->append('INPUT');
Please make sure that you first set all options (setters like setMatch()
, setProtocol()
etc.), and after that call action method, because that methods return
strings so it is imposibble to chaining.