Custom Iptables Rules Reference
This topic covers parameters, properties, and examples for iptable rules.
Query Parameters
| Parameter | Description | Type | Required |
|---|---|---|---|
| name | Ruleset name (must be unique) | String | Yes |
| scopes | Scope for the ruleset: a list of scopes, each of which is a list of labels containing at least one application, environment, and/or location label | Array | Yes |
| external_data_set | External data set identifier | String | No |
| external_data_reference | External data reference identifier | String | No |
| enabled | Whether the ruleset is enabled | Boolean | Yes |
| rules | Standard (non-iptables) rules | String | Yes |
| ip_tables_rules | Rules that use iptables (see the following table for properties) | String | Yes |
Custom iptables_rules Properties
| Property | Description | Type | Required |
|---|---|---|---|
| enabled | Whether the rule is currently enabled | Enum | Yes |
| ip_version | Whether IPv4 or IPv6 is used | String | Yes |
| description | Description of the rule | String | No |
| actors | Entities that receive the ruleset | String | Yes |
| statements | Rules for iptables, each consisting of three elements: table_name, chain_name, and parameters | String | Yes |
Examples
Request Body
In this example, a ruleset named test_ipt_rs contains two iptables rules.
Note
Each iptables rule can contain multiple statements.
```json
{
  "name": "test_ipt_rs",
  "enabled": true,
  "scopes": [
    [
      { "label": { "href": "/orgs/1/labels/24" } },
      { "label": { "href": "/orgs/1/labels/27" } },
      { "label": { "href": "/orgs/1/labels/21" } }
    ]
  ],
  "ip_tables_rules": [
    {
      "enabled": true,
      "actors": [ { "label": { "href": "/orgs/1/labels/11" } } ],
      "statements": [
        {
          "table_name": "mangle",
          "chain_name": "PREROUTING",
          "parameters": "-i eth0 -p tcp --dport 2222 -j MARK --set-mark 2222"
        },
        {
          "table_name": "nat",
          "chain_name": "PREROUTING",
          "parameters": "-i eth0 -p tcp -m mark --mark 2222 -j REDIRECT --to-port 3333"
        },
        {
          "table_name": "filter",
          "chain_name": "INPUT",
          "parameters": "-i eth0 -p tcp -m mark --mark 2222 -j ACCEPT"
        }
      ],
      "ip_version": "4"
    },
    {
      "enabled": true,
      "actors": [ { "actors": "ams" } ],
      "statements": [
        {
          "table_name": "nat",
          "chain_name": "POSTROUTING",
          "parameters": "-o eth1 -s 192.0.2.10 ! -d 198.51.100.0/24 -j MASQUERADE"
        }
      ],
      "ip_version": "4"
    }
  ]
}
```
Create Custom iptables Rule
```bash
curl -i -X POST https://pce.my-company.com:8443/api/v2/orgs/2/sec_policy/draft/rule_sets \
  -H "Content-Type:application/json" \
  -u $KEY:$TOKEN \
  -d '{"name":"test_ipt_rs","enabled":true,"scopes":[[{"label":{"href":"/orgs/1/labels/24"}},{"label":{"href":"/orgs/1/labels/27"}},{"label":{"href":"/orgs/1/labels/21"}}],[{"label":{"href":"/orgs/1/labels/15"}},{"label":{"href":"/orgs/1/labels/16"}},{"label":{"href":"/orgs/1/labels/17"}}]],"ip_tables_rules":[{"enabled":true,"actors":[{"label":{"href":"/orgs/1/labels/11"}}],"statements":[{"table_name":"mangle","chain_name":"PREROUTING","parameters":"-i eth0 -p tcp --dport 2222 -j MARK --set-mark 2222"},{"table_name":"nat","chain_name":"PREROUTING","parameters":"-i eth0 -p tcp -m mark --mark 2222 -j REDIRECT --to-port 3333"},{"table_name":"filter","chain_name":"INPUT","parameters":"-i eth0 -p tcp -m mark --mark 2222 -j ACCEPT"}],"ip_version":"4"},{"enabled":true,"actors":[{"actors":"ams"}],"statements":[{"table_name":"nat","chain_name":"POSTROUTING","parameters":"-o eth1 -s 10.0.0.2 ! -d 172.17.0.0/16 -j MASQUERADE"}],"ip_version":"4"}]}'
```
Response Body
| Property | Description | Type |
|---|---|---|
| href | Identifier for the resource | String |
Response
```json
{
  "href": "/orgs/1/sec_policy/draft/rule_sets/17",
  "created_at": "2023-02-24T23:19:01.020Z",
  "updated_at": "2023-02-24T23:19:01.020Z",
  "deleted_at": null,
  "created_by": { "href": "/users/1" },
  "updated_by": { "href": "/users/1" },
  "deleted_by": null,
  "name": "test_ipt_rs",
  "description": null,
  "enabled": true,
  "scopes": [
    [
      { "label": { "href": "/orgs/1/labels/24" } },
      { "label": { "href": "/orgs/1/labels/27" } },
      { "label": { "href": "/orgs/1/labels/21" } }
    ],
    [
      { "label": { "href": "/orgs/1/labels/15" } },
      { "label": { "href": "/orgs/1/labels/16" } },
      { "label": { "href": "/orgs/1/labels/17" } }
    ]
  ],
  "rules": [],
  "ip_tables_rules": [
    {
      "href": "/orgs/1/sec_policy/draft/rule_sets/17/ip_tables_rules/20",
      "created_at": "2023-02-24T23:19:01.280Z",
      "updated_at": "2023-02-24T23:19:01.280Z",
      "deleted_at": null,
      "created_by": { "href": "/users/1" },
      "updated_by": { "href": "/users/1" },
      "deleted_by": null,
      "description": null,
      "enabled": true,
      "actors": [ { "actors": "ams" } ],
      "ip_version": "4",
      "statements": [
        {
          "table_name": "nat",
          "chain_name": "POSTROUTING",
          "parameters": "-o eth1 -s 192.0.2.0 ! -d 198.51.100.0/24 -j MASQUERADE"
        }
      ]
    },
    {
      "href": "/orgs/1/sec_policy/draft/rule_sets/17/ip_tables_rules/18",
      "created_at": "2023-02-24T23:19:01.229Z",
      "updated_at": "2023-02-24T23:19:01.229Z",
      "deleted_at": null,
      "created_by": { "href": "/users/1" },
      "updated_by": { "href": "/users/1" },
      "deleted_by": null,
      "description": null,
      "enabled": true,
      "actors": [
        {
          "label": {
            "href": "/orgs/1/labels/11",
            "key": "loc",
            "value": "test"
          }
        }
      ],
      "ip_version": "4",
      "statements": [
        {
          "table_name": "filter",
          "chain_name": "INPUT",
          "parameters": "-i eth0 -p tcp -m mark --mark 2222 -j ACCEPT"
        },
        {
          "table_name": "nat",
          "chain_name": "PREROUTING",
          "parameters": "-i eth0 -p tcp -m mark --mark 2222 -j REDIRECT --to-port 3333"
        },
        {
          "table_name": "mangle",
          "chain_name": "PREROUTING",
          "parameters": "-i eth0 -p tcp --dport 2222 -j MARK --set-mark 2222"
        }
      ]
    }
  ]
}
```
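A pre-flight check for a request body like the one above, as an added example rather than PCE code: it verifies the required fields from the tables, rejects table/chain pairs that iptables would not accept, flags a `!` negation glued to its neighbour (a malformed `parameters` string still posts as an opaque string), and renders each statement as the `iptables -t TABLE -A CHAIN ...` command it maps to so the effective policy can be reviewed. The sample ruleset embedded in it is constructed for the demonstration; the chain table is the standard netfilter layout, an assumption not stated on this page.

```python
"""Validate a custom iptables ruleset body before POSTing it to the PCE.
Added example, not the PCE's own code: it checks the fields from the tables
above and renders each statement as the iptables command it maps to."""
import re

# Built-in chains valid in each iptables table (standard netfilter layout).
VALID_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
}
# A '!' glued to a neighbouring token ("192.0.2.10! -d") is a malformed
# negation; iptables expects it as its own token ("-s 192.0.2.10 ! -d").
GLUED_NEGATION = re.compile(r"\S!(\s|$)|(^|\s)!\S")

def validate_ruleset(body):
    """Return (errors, rendered_commands); an empty error list means it passed."""
    errors, rendered = [], []
    for key in ("name", "enabled", "scopes", "ip_tables_rules"):
        if key not in body:
            errors.append(f"missing required field {key!r}")
    for i, rule in enumerate(body.get("ip_tables_rules", [])):
        where = f"ip_tables_rules[{i}]"
        if rule.get("ip_version") not in ("4", "6"):
            errors.append(f"{where}: ip_version must be '4' or '6'")
        binary = "ip6tables" if rule.get("ip_version") == "6" else "iptables"
        for j, st in enumerate(rule.get("statements", [])):
            loc = f"{where}.statements[{j}]"
            table, chain = st.get("table_name"), st.get("chain_name")
            params = st.get("parameters", "")
            if table not in VALID_CHAINS:
                errors.append(f"{loc}: unknown table {table!r}")
            elif chain not in VALID_CHAINS[table]:
                errors.append(f"{loc}: chain {chain!r} is not valid in table {table!r}")
            if GLUED_NEGATION.search(params):
                errors.append(f"{loc}: '!' must be a separate token in {params!r}")
            rendered.append(f"{binary} -t {table} -A {chain} {params}")
    return errors, rendered

# Constructed sample modelled on the request body above (not the page's JSON).
SAMPLE = {"name": "test_ipt_rs", "enabled": True, "scopes": [[{"label": {"href": "/orgs/1/labels/24"}}]],
          "ip_tables_rules": [{"enabled": True, "ip_version": "4", "actors": [{"actors": "ams"}],
                               "statements": [
    {"table_name": "mangle", "chain_name": "PREROUTING",
     "parameters": "-i eth0 -p tcp --dport 2222 -j MARK --set-mark 2222"},
    {"table_name": "nat", "chain_name": "POSTROUTING",
     "parameters": "-o eth1 -s 192.0.2.10! -d 198.51.100.0/24 -j MASQUERADE"}]}]}

if __name__ == "__main__":
    errs, cmds = validate_ruleset(SAMPLE)
    print("\n".join(cmds + (errs or ["no errors"])))
```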