Firewall and netfilter

v0.1.3

iptables, nftables, conntrack, and traffic-control inspection plus narrow operator actions for incident response (block IP, unblock IP, flush chain). Rule edits are not persisted across iptables service reload — use IaC for permanent rules.

Pack ID

firewall

Vendor

emisar

linux

Actions

Required binaries: iptables. Actions that call a missing binary fail at run time — install these on the host before relying on the pack.

Install

emisar pack install validates the pack and verifies its content hash before copying it into /etc/emisar/packs. The --hash below pins the install to the exact bytes on this page — a tampered copy is rejected. After install, reload the runner; it re-reads the catalog and advertises every action.

content hash: sha256:e2fc202015e73e8bbc7c98898b3ff75cb56221dc5d5dd155fe3d90793698c190

on the runner host

sudo emisar pack install firewall \
  --hash sha256:e2fc202015e73e8bbc7c98898b3ff75cb56221dc5d5dd155fe3d90793698c190 \
  --dest /etc/emisar/packs

# Reload so the runner re-reads the catalog:
sudo systemctl reload emisar

Actions 11 total

View on GitHub

fw.conntrack_count exec low

conntrack count
fw.conntrack_list exec low

conntrack -L (capped)
fw.ip_rule_show exec low

ip rule show
fw.iptables_block_ip exec high

iptables -I INPUT -s <ip> -j DROP
fw.iptables_filter exec low

iptables -L -nv (filter table)
fw.iptables_flush_chain exec critical

iptables -F <chain>
fw.iptables_mangle exec low

iptables -L -nv (mangle table)
fw.iptables_nat exec low

iptables -L -nv (nat table)
fw.iptables_unblock_ip exec high

iptables -D INPUT -s <ip> -j DROP
fw.nft_list_ruleset exec low

nft list ruleset
fw.tc_qdisc_show exec low

tc -s qdisc show

← Back to registry

Pack reference Publish your own →