The iptables module handles iptables rules and chains.


Add/remove/update iptables chains.

iptables.chain(name, present=True, table='filter', policy=None, version=4)
  • name: the name of the chain

  • present: whether the chain should exist

  • table: the iptables table this chain should belong to

  • policy: the default policy this chain should have

  • version: whether to target iptables or ip6tables


Policies can only be applied to system chains (FORWARD, INPUT, OUTPUT, etc).


Add/remove iptables rules.

iptables.rule(
    chain, jump, present=True, table='filter', append=True, version=4, protocol=None,
    not_protocol=None, source=None, not_source=None, destination=None, not_destination=None,
    in_interface=None, not_in_interface=None, out_interface=None, not_out_interface=None,
    to_destination=None, to_source=None, to_ports=None, log_prefix=None,
    destination_port=None, source_port=None, extras=''
)
  • chain: the chain this rule should live in

  • jump: the target of the rule

  • present: whether the rule should exist

  • table: the iptables table this rule should belong to

  • append: whether to append or insert the rule (if not present)

  • version: whether to target iptables or ip6tables

Iptables args:

  • protocol/not_protocol: filter by protocol (tcp or udp)

  • source/not_source: filter by source IPs

  • destination/not_destination: filter by destination IPs

  • in_interface/not_in_interface: filter by incoming interface

  • out_interface/not_out_interface: filter by outgoing interface

  • to_destination: where to route to when jump=DNAT

  • to_source: where to route to when jump=SNAT

  • to_ports: where to route to when jump=REDIRECT

  • log_prefix: prefix for the log of this rule when jump=LOG


  • extras: a place to define iptables extension arguments (eg --limit, --physdev)

  • destination_port: destination port (requires protocol)

  • source_port: source port (requires protocol)


# Block SSH traffic
    iptables.rule(
        'INPUT', 'DROP',
        protocol='tcp', destination_port=22,
    )

# NAT traffic on from to
    iptables.rule(
        'PREROUTING', 'DNAT', table='nat',
        source='', destination_port=53,
    )
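Added example, not pyinfra's own code: a helper that renders the iptables/ip6tables argv implied by the documented rule arguments, so the effect of the `not_*` arguments, `extras`, `append`/`present` and the jump-specific options is visible before anything is applied to a host. The mapping it implements is an assumption modelled on the parameters above, and the addresses used in the test are constructed.

```python
import shlex

def render_rule(chain, jump, present=True, table='filter', append=True, version=4,
                protocol=None, not_protocol=None, source=None, not_source=None,
                destination=None, not_destination=None, in_interface=None,
                not_in_interface=None, out_interface=None, not_out_interface=None,
                to_destination=None, to_source=None, to_ports=None, log_prefix=None,
                destination_port=None, source_port=None, extras=''):
    """Return the iptables/ip6tables argv implied by the documented arguments.

    Assumed mapping, not pyinfra's own implementation: every not_* argument
    becomes a negated match ("! -s ..."), match options and `extras` precede
    -j, and target options (--to-destination etc.) follow the jump.
    """
    if (destination_port is not None or source_port is not None) and not protocol:
        raise ValueError('destination_port/source_port require protocol')
    binary = 'iptables' if version == 4 else 'ip6tables'
    # -A appends, -I inserts at the top of the chain, -D deletes (present=False).
    action = '-D' if not present else ('-A' if append else '-I')
    argv = [binary, '-t', table, action, chain]
    matches = [
        ('-p', protocol, not_protocol),
        ('-s', source, not_source),
        ('-d', destination, not_destination),
        ('-i', in_interface, not_in_interface),
        ('-o', out_interface, not_out_interface),
    ]
    for flag, value, negated in matches:
        if value is not None:
            argv += [flag, str(value)]
        if negated is not None:
            argv += ['!', flag, str(negated)]
    if destination_port is not None:
        argv += ['--dport', str(destination_port)]
    if source_port is not None:
        argv += ['--sport', str(source_port)]
    # Extension matches (-m limit --limit 5/min, -m physdev ...) pass through verbatim.
    argv += shlex.split(extras)
    argv += ['-j', jump]
    # Target options are only emitted for the jump they belong to.
    if jump == 'DNAT' and to_destination:
        argv += ['--to-destination', str(to_destination)]
    if jump == 'SNAT' and to_source:
        argv += ['--to-source', str(to_source)]
    if jump == 'REDIRECT' and to_ports:
        argv += ['--to-ports', str(to_ports)]
    if jump == 'LOG' and log_prefix:
        argv += ['--log-prefix', str(log_prefix)]
    return argv
```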