{"id":15679612,"url":"https://github.com/adamcooke/riptables","last_synced_at":"2025-10-14T09:31:34.303Z","repository":{"id":23592490,"uuid":"26961050","full_name":"adamcooke/riptables","owner":"adamcooke","description":"A Ruby DSL for generating iptables configuration","archived":true,"fork":false,"pushed_at":"2015-08-13T13:33:52.000Z","size":172,"stargazers_count":12,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-08-03T01:32:55.987Z","etag":null,"topics":["devops","dsl","firewall","firewall-configuration","iptables","ipv4","ipv6","linux","ruby"],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adamcooke.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-11-21T13:26:45.000Z","updated_at":"2024-11-27T16:18:03.000Z","dependencies_parsed_at":"2022-08-22T02:50:36.397Z","dependency_job_id":null,"html_url":"https://github.com/adamcooke/riptables","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/adamcooke/riptables","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adamcooke%2Friptables","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adamcooke%2Friptables/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adamcooke%2Friptables/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adamcooke%2Friptables/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adamcooke","download_url":"https://codeload.github.
com/adamcooke/riptables/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adamcooke%2Friptables/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279018630,"owners_count":26086404,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-14T02:00:06.444Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","dsl","firewall","firewall-configuration","iptables","ipv4","ipv6","linux","ruby"],"created_at":"2024-10-03T16:33:38.334Z","updated_at":"2025-10-14T09:31:34.004Z","avatar_url":"https://github.com/adamcooke.png","language":"Ruby","readme":"# Riptables\n\nRiptables (pronounced ri-pee-tables) is a Ruby DSL for generating configuration\nfor IP tables. 
The following design goals were employed for development:\n\n* Must support IPv4 and IPv6 rules.\n* Must allow a single file to contain configuration for multiple environments\n  based on a given `role` and `zone`.\n* Must support any type of table or chain.\n* Must support any rule or action without limitation.\n* Must include a command line tool for exporting configuration.\n* Should have a configuration syntax that is simple to understand.\n* Should be well documented.\n\n## `FirewallFile` Syntax\n\nRiptables works with a `FirewallFile`, which contains the complete configuration for\nall servers to which this configuration will be distributed. In this example, we're\njust going to configure a single rule to drop everything except SSH.\n\n```ruby\n# Using the `table` method we define a new table. In this case, we'll be\n# configuring a simple firewall.\ntable :filter do\n\n  # Set some default actions for the three main chains in the filter table.\n  # The action you enter will simply be passed to iptables. If it is a symbol\n  # it will be uppercased; otherwise it will be passed through untouched.\n  default_action :input,    :drop\n  default_action :forward,  :accept\n  default_action :output,   :accept\n\n  # In its most basic form, you can add rules by simply calling the name of the\n  # chain and a description.\n  input \"Allow SSH\" do\n    # Set the conditions for the rule you want to apply. This is passed unfettered\n    # to iptables so you can write anything you would normally before the -j flag.\n    rule \"-p tcp --dport 22\"\n    # Set the action to take if the rule is matched. If this is a symbol it will\n    # be uppercased automatically. 
If it's a string, it will be passed straight\n    # through after a -j flag.\n    action :accept\n  end\n\nend\n```\n\n### Permutations\n\nIf you have rules which are always similar to other rules (for example a set of\nIP ranges which must all be permitted) you can use permutations.\n\n```ruby\ninput \"Allow web access\" do\n  rule \"-p tcp --dport {{port}}\"\n  action :accept\n  permutation \"Insecure\", :port =\u003e \"80\"\n  permutation \"Secure\",   :port =\u003e \"443\"\nend\n```\n\nEach permutation will be applied as its own rule using the base rule as a template.\nUsing variable interpolation, you can insert any variable you wish in each\npermutation. An optional `:v =\u003e 4` option on a permutation restricts it to the\nIPv4 firewall; set it to 6 to apply the permutation to the IPv6 firewall only.\n\n### Zones \u0026 Roles\n\nIf you have different types of servers and want to apply different rules based\non what and where a machine is, you can do so. You can either limit whole rules\nor just permutations within a rule.\n\n```ruby\n# Any rules which are defined within this role block will only be included when\n# you generate an iptables config for the `vpn` role.\nrole :vpn do\n\n  input \"Allow management access\" do\n    rule \"-s {{ip}}\"\n    action :accept\n    permutation \"Allow Internal\",   :ip =\u003e '10.0.0.0/16',           :v =\u003e 4\n    permutation \"Allow IPv6\",       :ip =\u003e '2a00:67a0:a:123::/64',  :v =\u003e 6\n\n    # Any permutations within this block will only be included when you generate\n    # an iptables config for any `eu-east` zone or for 'us-west-4'.\n    zone /eu\\-east\\-(\\d+)/, \"us-west-4\" do\n      permutation \"aTech Media\",    :ip =\u003e \"185.22.208.0/25\",     :v =\u003e 4\n    end\n  end\n\nend\n```\n\n### IPv4 vs. IPv6\n\nBy default, any rule you configure will apply to both your IPv4 firewall and your\nIPv6 firewall. 
However, you can define rules or permutations that apply to only one or\nthe other.\n\n```ruby\ninput \"Block nasty IPv6 person\" do\n  rule \"-s 2a00:67a0:abc::1234/128\"\n  action :drop\n  # Add the `version` option to restrict this rule to the IPv6 firewall only.\n  # You can also use `4` for the IPv4 firewall.\n  version 6\nend\n```\n\nAs shown in the previous example, you can pass the `:v` option to permutations\nto restrict which firewall they belong to. Default rules always apply to\nboth firewalls and cannot currently differ by IP version.\n\nWhen using the `:ip` option on a permutation, riptables will automatically detect\nv4 or v6 addresses and will add the permutation to the appropriate firewall.\n\n```ruby\npermutation \"Allow IPv4\",   :ip =\u003e '10.0.0.0/16'\npermutation \"Allow IPv6\",   :ip =\u003e '2a00:67a0::/32'\n```\n\n### Host Groups\n\nYou can configure groups of IP addresses which can be used to automatically create\npermutations.\n\n```ruby\n# Create a host group containing all the hosts you want. You don't need to specify\n# both IPv4 and v6 addresses.\nhost_group :web_servers do\n  host 'web01', 4 =\u003e \"123.123.123.101\", 6 =\u003e \"2a00:67a0:b:1::101\"\n  host 'web02', 4 =\u003e \"123.123.123.102\", 6 =\u003e \"2a00:67a0:b:1::102\"\n  host 'web03', 4 =\u003e \"123.123.123.103\", 6 =\u003e \"2a00:67a0:b:1::103\"\nend\n\n# Create a rule with a permutation whose :ip option is a symbol naming the\n# host group you want to allow. This will then add a rule for each host in the\n# host group.\ntable :filter do\n  forward \"Allow traffic to web servers\" do\n    rule \"-p tcp --dport {{port}} -d {{ip}}\"\n    # The action to take when a permutation matches.\n    action :accept\n    permutation \"Insecure\", :port =\u003e 80, :ip =\u003e :web_servers\n    permutation \"Secure\", :port =\u003e 443, :ip =\u003e :web_servers\n  end\nend\n```\n\n## Command Line\n\nThe `riptables` command is used to generate your iptables-save files. 
These can\nthen be used with `iptables-restore`.\n\n### Installing\n\n* Ensure you have Ruby 2.0 or higher installed.\n* Ensure you have RubyGems installed.\n\n```text\ngem install riptables\n```\n\n### Usage\n\n```text\n$ riptables\n```\n\nThe following options are supported and can be combined:\n\n* `-4` - return the IPv4 configuration (default)\n* `-6` - return the IPv6 configuration\n* `-f [PATH]` - path to your FirewallFile (defaults to ./FirewallFile)\n* `--zone [ZONE]` - set the zone to export configuration for\n* `--role [ROLE]` - set the role to export configuration for\n* `--color` - return a [colorized output](http://s.adamcooke.io/14/Vmzd2.png) (useful for debugging)\n* `--no-timestamp` - do not include the timestamp in the generated output\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadamcooke%2Friptables","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadamcooke%2Friptables","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadamcooke%2Friptables/lists"}