Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/paurkedal/iplogic
A DSL for generating iptables firewall scripts.
dsl firewall iptables ocaml
Last synced: 21 days ago
- Host: GitHub
- URL: https://github.com/paurkedal/iplogic
- Owner: paurkedal
- License: gpl-3.0
- Created: 2013-06-09T08:44:41.000Z (over 11 years ago)
- Default Branch: master
- Last Pushed: 2018-09-27T19:04:57.000Z (over 6 years ago)
- Last Synced: 2025-01-15T07:42:16.722Z (26 days ago)
- Topics: dsl, firewall, iptables, ocaml
- Language: OCaml
- Size: 99.6 KB
- Stars: 7
- Watchers: 7
- Forks: 1
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Changelog: CHANGES.md
- License: COPYING
README
# iplogic - Firewall Script Generator
## Synopsis
This generates `iptables` shell scripts from a domain specific language
which

- provides variable definitions and control structures at the
  outer level while staying close to the `iptables` command in the
  details.
- supports IP numbers, networks, and unions of networks as first-class objects
  which can be manipulated by set-operators.
- allows literal host names which will be resolved at
  compile-time, so that the final script is independent of DNS lookups.

Please note that the project is at an early stage. It is wise to inspect
the generated scripts before using them.

## Installation

This package can be installed with [opam](http://opam.ocaml.org/),

```
opam repo add paurkedal https://github.com/paurkedal/opam-repo-paurkedal.git
opam install iplogic
```

It provides two programs `iplogic`, which compiles scripts into shell code,
and `iplogic-depend`, which generates dependencies to include in makefiles.

## Example

```
# Define some commonly used conditions for convenience. These are better
# put in a separate file and included.
con tcp is -p "tcp"
con udp is -p "udp"

# Some IP numbers and network ranges.
val my_work_computers is 192.0.2.42, 192.0.2.100
val my_isp_range is 203.0.113.0/24
val ssh_clients is my_work_computers, my_isp_range

# Accept incoming http and selected ssh connections, as well as
# connections from eth1.
chain INPUT policy drop
    if -m "state" --state "RELATED,ESTABLISHED" accept
    if -p "icmp" accept
    if -i "lo" accept
    if -i "eth0"
        if -s ssh_clients tcp --dport 22 accept
        if --dport 80 accept
        continue
    if -i "eth1" -s 192.168.10.0/24 accept
    continue
```