LibIPTables provides a simple C API for iptables
1. Include the header file:
#include <libiptables/iptables.h>
2. Get a connection to iptables:
ipt_connection *c = ipt_connect(NULL); /* returns NULL on error - check it before use and consult ipt_geterror() */
3. Add/remove rules:
ipt_add_rule_str( c, 1, IPT_TABLE_NAT, "-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1" );
ipt_delete_match( c, IPT_TABLE_NAT, "-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1", NULL );
(ipt_delete_match() takes four arguments; the last is an ipt_rule_opt pointer and must be NULL when the rule is given as a string.) Both calls return the number of rules added/deleted; a return of 0 means nothing changed, so consult ipt_geterror() to tell an error from a no-op.
4. Close the connection:
ipt_close(c);
The above adds a rule and then deletes that same rule from iptables; the rule is in effect between the add and delete calls. Modifying iptables requires appropriate privileges (root or CAP_NET_ADMIN), so always check the return values of these calls and consult ipt_geterror() on failure rather than assuming the rule was applied.
ipt_connect: connect to iptables
ipt_connection *ipt_connect(ipt_connection *c);
c should be NULL, unless this is being called to re-connect
returns NULL on error; call ipt_geterror() to find out which error occurred
may set one of the following errors:
IPT_EMALLOC
IPT_EGET
IPT_ECONN_PIPE
ipt_flush: flushes the connection's buffer. This is not the same as flushing iptables (iptables -F); it does not delete any rules.
void ipt_flush(ipt_connection* c);
c should be a pointer to an ipt_connection created with ipt_connect()
may set one of the following errors:
IPT_EPIPE_Rw
ipt_close: closes the connection to iptables; ipt_flush() is called before closing. c should not be used afterwards, other than to re-connect by passing it to ipt_connect().
void ipt_close(ipt_connection* c);
c should be a pointer to an ipt_connection created with ipt_connect()
may set one of the following errors:
IPT_EPIPE_Rw
ipt_geterror: get the last error code from libiptables
int ipt_geterror(void); returns the last error
ipt_list_write: write all current rules to f
int ipt_list_write(ipt_connection *c, FILE *f);
c should be a pointer to an ipt_connection created with ipt_connect()
f is a pointer to an open file handle to write to (stdout/stderr also work)
if f is NULL the rules are sent to iptables instead of being written to a file
returns the number of rules written
ipt_list_write_type: write all current rules from table type to f
int ipt_list_write_type(ipt_connection *c, ipt_table_t type, FILE *f);
c should be a pointer to an ipt_connection created with ipt_connect()
type is the table whose rules are written (see ipt_table_t)
f is a pointer to an open file handle to write to (stdout/stderr also work)
if f is NULL the rules are sent to iptables instead of being written to a file
returns the number of rules written
ipt_list_print: prints all current rules to stdout
int ipt_list_print(ipt_connection *c);
c should be a pointer to an ipt_connection created with ipt_connect()
returns the number of rules written
ipt_delete_all: delete all current rules from every table. Use with care: this removes the host's packet-filtering rules as well as nat/mangle rules, and the page does not say whether chain policies are changed, so confirm the default policies (and that you can restore the rules, e.g. via ipt_list_write()) before calling it.
void ipt_delete_all(ipt_connection *c);
c should be a pointer to an ipt_connection created with ipt_connect()
may set one of the following errors:
IPT_ECONN_NULL
ipt_delete_type: delete all current rules from table type
void ipt_delete_type(ipt_connection *c, ipt_table_t type);
c should be a pointer to an ipt_connection created with ipt_connect()
may set one of the following errors:
IPT_ECONN_NULL
IPT_ETYPE
ipt_delete_id: delete rule of id from table type
int ipt_delete_id(ipt_connection *c, ipt_table_t type, int id);
c should be a pointer to an ipt_connection created with ipt_connect()
type is the table to delete from
id identifies the rule to delete within that table (the page does not define how ids are assigned - presumably the rule's position as reported by ipt_list_*; confirm against the header)
returns the number of rules deleted
may set one of the following errors:
IPT_ECONN_NULL
IPT_ETYPE
ipt_delete_match: delete all rules that match rule from table type
int ipt_delete_match(ipt_connection *c, ipt_table_t type, char* rule, ipt_rule_opt *r);
c should be a pointer to an ipt_connection created with ipt_connect()
type is the table to delete rules from
rule is a rule in string format, or NULL
r is a rule in ipt_rule_opt format, or NULL
Only one of rule or r needs to be set; the other should be NULL. (The page does not say what happens if both are set or both are NULL - treat that as unsupported.)
returns the number of rules deleted
may set one of the following errors:
IPT_ECONN_NULL
IPT_ETYPE
ipt_add_rule: add rule to iptables
int ipt_add_rule(ipt_connection *c, ipt_table_t type, ...);
c should be a pointer to an ipt_connection created with ipt_connect()
type is the table the rule should be added to
This should be followed by option/value pairs terminated by IPT_OPT_END. The terminator is mandatory: the function has no other way to know where the argument list ends, so omitting IPT_OPT_END reads past the supplied arguments (undefined behaviour). eg:
ipt_add_rule( c,            // connection
    IPT_TABLE_NAT,          // add to the nat table
    IPT_OPT_APPEND,         // option
    "PREROUTING",           // value
    IPT_OPT_DEST,           // option
    "1.2.3.4",              // value
    IPT_OPT_PRTCL,          // option
    "tcp",                  // value
    IPT_OPT_DSTPT,          // option
    "80",                   // value
    IPT_OPT_JUMP,           // option
    "DNAT",                 // value
    IPT_OPT_TODEST,         // option
    "192.168.1.1",          // value
    IPT_OPT_END             // end of rule options
);
returns the number of rules added
may set one of the following errors:
IPT_EPIPE_Rw
IPT_ETYPE
IPT_EMALLOC
ipt_add_rule_str: add rules to iptables
int ipt_add_rule_str(ipt_connection *c, int num, ...);
c should be a pointer to an ipt_connection created with ipt_connect()
num is the number of rules to add, and must match the number of table/rule pairs actually supplied - a num larger than the argument count reads past the supplied arguments (undefined behaviour)
This should be followed by num table/rule pairs. Rule strings are in iptables command-line syntax and are handed to iptables as written, so do not build them from untrusted input (user- or network-supplied addresses, ports, chain names) without validating each value first. eg:
ipt_add_rule_str( c,        // connection
    1,                      // add 1 rule
    IPT_TABLE_NAT,          // add to the nat table
    "-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1" // the rule to add
);
returns the number of rules added
may set one of the following errors:
IPT_EPIPE_Rw
IPT_ETYPE
ipt_add_rule_file: add rules to iptables from a file
int ipt_add_rule_file(ipt_connection *c, char* file);
c should be a pointer to an ipt_connection created with ipt_connect()
file is the path/filename of a file containing the rules to be added; the file should be in the format created by iptables-save or ipt_list_write()
The file's contents are applied to iptables as-is, so it must be writable only by trusted users (e.g. root-owned, not world- or group-writable): anyone who can edit the file can rewrite the firewall.
returns the number of rules added
may set one of the following errors:
IPT_EPIPE_Rw
IPT_EFILE
ipt_connection holds a connection for interfacing with iptables
ipt_rule_opt holds a single iptables rule in option/value format
ipt_rule holds a single iptables rule
ipt_rule_list holds a number of ipt_rule objects
ipt_table_t table types for rules as follows: IPT_TABLE_NAT IPT_TABLE_MANGLE IPT_TABLE_FILTER
ipt_error_t error types used by libiptables as follows: IPT_ERROR_NONE // no error IPT_ECONN_PIPE // connection error IPT_ESYS // system error IPT_EPIPE_Rw // read/write error IPT_ECONN_NULL // connection is null IPT_EGET // error fetching rules IPT_EMALLOC // malloc failed IPT_ETYPE // invalid table type IPT_EOPT // invalid option IPT_EFILE // could not open file IPT_ERULE // invalid rule
ipt_opt_t option types for rules, as per cli iptables interface: IPT_OPT_APPEND // -A IPT_OPT_DELETE // -D IPT_OPT_REPLCE // -R IPT_OPT_INSERT // -I IPT_OPT_POLICY // -P IPT_OPT_NEWCHN // -N --new-chain IPT_OPT_DELCHN // -X --delete-chain IPT_OPT_FLUSH // -F --flush IPT_OPT_LIST // -L --list IPT_OPT_NUM // -n IPT_OPT_ZERO // -Z --zero IPT_OPT_MATCH // -m --match IPT_OPT_SRC // -s --source --src IPT_OPT_SRC_INV // --source ! IPT_OPT_DEST // -d --destination --dst IPT_OPT_DEST_INV // --destination ! IPT_OPT_PRTCL // -p --protocol IPT_OPT_PRTCL_INV // --protocol ! IPT_OPT_INIF // -i --in-interface IPT_OPT_INIF_INV // --in-interface ! IPT_OPT_OUTIF // -o --out-interface IPT_OPT_OUTIF_INV // --out-interface ! IPT_OPT_FRGMNT // -f --fragment IPT_OPT_FRGMNT_INV // --fragment ! IPT_OPT_JUMP // -j IPT_OPT_TCP_FLG // --tcp-flags IPT_OPT_TCP_FLG_INV // --tcp-flags ! IPT_OPT_TCP_OPT // --tcp-option IPT_OPT_TCP_OPT_INV // --tcp-option ! IPT_OPT_TCP_SYN // --syn IPT_OPT_TCP_SYN_INV // ! --syn IPT_OPT_SRCPT // --source-port --sport IPT_OPT_SRCPT_INV // --source-port ! IPT_OPT_DSTPT // --destination-port --dport IPT_OPT_DSTPT_INV // --destination-port ! IPT_OPT_TODEST // --to --to-destination IPT_OPT_TOPORT // --to-port IPT_OPT_ICMPT // --icmp-type IPT_OPT_ICMPT_INV // --icmp-type ! IPT_OPT_MACSRC // --mac-source IPT_OPT_MACSRC_INV // --mac-source ! IPT_OPT_STATE // --state IPT_OPT_STATE_INV // ! --state IPT_OPT_LIMIT // --limit IPT_OPT_LIMITB // --limit-burst IPT_OPT_UID // --uid-owner userid IPT_OPT_GID // --gid-owner groupid IPT_OPT_PID // --pid-owner processid IPT_OPT_SID // --sid-owner sessionid IPT_OPT_LOGLVL // --log-level IPT_OPT_LOGPFX // --log-prefix IPT_OPT_REJWTH // --reject-with IPT_OPT_END // end of options