
REST APIs for 24.2.20 and 24.2.10

Custom Iptables Rules

This Public Stable API allows you to leverage preexisting iptables rules on Linux workloads and add them as rules to rulesets.

You can use the rules API to create custom iptables rules in situations where your Linux workloads have preexisting iptables rules configured that you would like to keep in addition to the rules you create using Illumio Core.

If you configured iptables on Linux workloads before using Illumio Core, the VEN takes control of iptables when you pair a workload in order to enact policy, and it disables any preexisting iptables rules. To keep those rules, you can use the Rules API to include your own iptables rule configurations in a ruleset.

Custom Iptables Rules

These terms clarify the relationship between your iptables rules and Illumio Core rules:

  • iptables: Linux host configuration before the VEN is installed

  • Rules: Configurations in the PCE that define the allowed communication between two or more workloads or other entities (IP lists, labels representing multiple workloads, and label groups)

  • Custom iptables rules: PCE rules that leverage your iptables rule configurations that get programmed on your workloads by the VEN and managed by the PCE

How Custom iptables Rules Work

Custom iptables rules in the PCE consist of a list of predefined iptables statements and the entities that receive the rule definitions. Each rule can have a list of iptables configurations, which allows you to group a sequence of rules for a specific function. Custom iptables rules are programmed after the iptables rules that the PCE generates, and only once they have been provisioned.

Before custom iptables rules are sent to the VEN, they are checked for any unsupported tokens (such as names of firewall chains already in use by Illumio, matching against IP sets, and semicolons). The rule cannot be saved or provisioned if an unsupported token is included.

If the VEN fails to apply a custom iptables rule because of a missing package or an incorrectly formatted rule:

  • The error is reported to the PCE and logged as two audit events: “Firewall config failure” (fw_config_failure) and “Failed to apply policy changes” (policy_deploy_failed).

  • The error is displayed in the VEN health status.

  • The new policy is not used, and the last known successful policy is used instead.

For policy distribution and enforcement, the VEN creates a custom chain that contains the rules for each table or chain in iptables. Each custom chain is appended to the end of its corresponding chain in the correct table. When the VEN requests policy, the PCE sends the iptables command along with the position at which the chain should be placed.

For security reasons, custom iptables rules only support rules in the mangle, nat, and filter tables.

The following table describes the permitted actions for each iptables table:

Table Name   Chain Names                                       Custom Rules
raw          prerouting, output                                No
mangle       prerouting, input, output, forward, postrouting   Yes
nat          prerouting, output, postrouting                   Yes
filter       input, output, forward                            Yes
security     input, output, forward                            No
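As an added example (not Illumio's own code or API), the following pre-flight check applies the two constraints this page describes before a statement is submitted: the table and chain must be one of the permitted combinations from the table above, and the rule text must not contain the unsupported tokens named earlier (semicolons, IP set matching, chain names already used by Illumio). The page does not list the Illumio chain names, so ILLUMIO_CHAIN_NAMES is a constructed placeholder, and the function names are assumptions.

```python
import re
from typing import List

# Tables and built-in chains that accept custom rules, taken from the page's table.
# Chain names are compared case-insensitively (iptables itself uses upper case).
PERMITTED_CHAINS = {
    "mangle": {"prerouting", "input", "output", "forward", "postrouting"},
    "nat": {"prerouting", "output", "postrouting"},
    "filter": {"input", "output", "forward"},
}
# Tables listed on the page that never accept custom rules.
REJECTED_TABLES = {"raw", "security"}

# Placeholder: names of firewall chains the VEN itself manages. The page does
# not list them, so this set is a constructed stand-in for the real list.
ILLUMIO_CHAIN_NAMES = {"ILLUMIO_PLACEHOLDER_CHAIN"}

# IP set matching in iptables syntax ("-m set" module or "--match-set" option).
IPSET_MATCH = re.compile(r"(?:^|\s)(?:-m\s+set|--match-set)(?:\s|$)")


def check_custom_rule(table_name: str, chain_name: str, parameters: str) -> List[str]:
    """Return the reasons a statement would be rejected (empty list if it passes)."""
    problems = []
    table = table_name.lower()
    chain = chain_name.lower()

    # 1. Table/chain must be a permitted combination from the page's table.
    if table in REJECTED_TABLES:
        problems.append(f"table '{table}' does not accept custom rules")
    elif table not in PERMITTED_CHAINS:
        problems.append(f"unknown table '{table}'")
    elif chain not in PERMITTED_CHAINS[table]:
        problems.append(f"chain '{chain}' is not a built-in chain of table '{table}'")

    # 2. Rule text must not contain tokens the PCE refuses to save or provision.
    if ";" in parameters:
        problems.append("semicolon is an unsupported token")
    if IPSET_MATCH.search(parameters):
        problems.append("matching against IP sets is unsupported")
    for tok in parameters.split():
        if tok in ILLUMIO_CHAIN_NAMES:
            problems.append(f"'{tok}' is a chain already in use by Illumio")
    return problems
```

Run the check over every statement of a rule before the POST; a non-empty result means the PCE would reject the rule at save or provision time anyway.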

Create a Custom iptables Rule.

This method allows you to create a rule that can contain custom iptables.


POST [api_version][rule_set_href]/sec_rules