def run():
# ensuring system allows forwarding. NOTE: probably not required for hardware unit as this is enabled by default.
IPTables.network_forwarding()
Log.notice('[startup] network forwarding set.')
# changing default action for IPv6 to block everything on all chains in main table
IPTables.block_ipv6()
Log.notice('[startup] IPv6 disabled.')
# loading IP Tables from file
IPTables().restore()
Log.notice('[startup] IPTables restored.')
reset_flask_key()
Log.notice('[startup] Webui/Flask key regenerated.')
# ensuring the default mac address of the wan interface is set. this should only change first time the system initializes
# setting the mac from None > interface mac. Once the flag has been set, it will not longer change modify default mac value
configure.set_default_mac_flag()
Log.debug('[startup] default mac flag check.')
create_database_tables()
Log.debug('[startup] database table maintenance.')
# exiting service manually due to LogHandler threads
os._exit(0)
def _snat_rules(action, form):
fields = SimpleNamespace(**form)
# TODO: make this code for snat (currently using dnat code as template)
if (action == 'remove'):
try:
# NOTE: validation needs to know the zone so it can ensure the position is valid
validate.del_nat_rule(fields)
except ValidationError as ve:
error = ve
else:
with IPTablesManager() as iptables:
iptables.delete_nat(fields)
elif (action == 'add'):
try:
validate.add_snat_rule(fields)
validate.ip_address(
ip_iter=[fields.orig_src_ip, fields.new_src_ip])
except ValidationError as ve:
error = ve
else:
with IPTablesManager() as iptables:
iptables.add_nat(fields)
else:
return INVALID_FORM
return error
def _dnat_rules(action, form):
error = None
fields = SimpleNamespace(**form)
if (action == 'remove'):
try:
# NOTE: validation needs to know the zone so it can ensure the position is valid
validate.del_nat_rule(fields)
except ValidationError as ve:
error = ve
else:
with IPTablesManager() as iptables:
iptables.delete_nat(fields)
configure.del_open_wan_protocol(fields)
elif (action == 'add'):
try:
# checking all required fields are present and some other basic rules are followed
# before validating values of standard fields.
validate.add_dnat_rule(fields)
if (fields.protocol in ['tcp', 'udp']):
validate.network_port(fields.dst_port)
validate.network_port(fields.host_port)
validate.ip_address(fields.host_ip)
if (fields.dst_ip != ''):
validate.ip_address(fields.dst_ip)
except ValidationError as ve:
error = ve
else:
with IPTablesManager() as iptables:
iptables.add_nat(fields)
configure.add_open_wan_protocol(fields)
else:
return INVALID_FORM
return error
def _ddos_inspect(self, packet):
# filter to make only icmp echo requests checked. This used to be done by the IP proxy, but after some
# optimizations it is much more suited here.
if (packet.protocol is PROTO.ICMP
and packet.icmp_type is not ICMP.ECHO):
return
ddos = self.ddos_tracker[packet.protocol]
with ddos.lock:
if not self._ddos_detected(ddos.tracker, packet): return
if (self._IPS.ids_mode):
Log.log(packet, IPS.LOGGED, engine=IPS.DDOS)
elif (self._IPS.ddos_prevention):
IPTablesManager.proxy_add_rule(packet.tracked_ip,
packet.timestamp,
table='raw',
chain='IPS')
Log.log(packet, IPS.FILTERED, engine=IPS.DDOS)
def _clear_ip_tables(self):
expired_hosts = System.ips_passively_blocked(
block_length=self.IPS.block_length)
if (not expired_hosts):
return
with IPTablesManager() as iptables:
for host, timestamp in expired_hosts:
iptables.proxy_del_rule(host,
timestamp,
table='raw',
chain='IPS')
# removing host from ips tracker/ suppression dictionary
self.IPS.fw_rules.pop(IPv4Address(host),
None) # should never return None
def configure_iptables():
progress('loading default iptables')
with IPTablesManager() as iptables:
iptables.apply_defaults(suppress=True)
def update_page(form):
# checking if button keys are present in form is easy first line validation to ensure valid form fields
if ('update_mgmt_access' in form):
try:
zone, service, action = form.get('update_mgmt_access').split(',')
except:
return INVALID_FORM
fields = SimpleNamespace(**{'zone': zone, 'service': service, 'action': action})
try:
validate.management_access(fields)
except ValidationError as ve:
return ve
else:
if (service in DISABLED_MANAGEMENT_SERVICES):
return f'{service.upper()} is disabled by the system and cannot be enabled at this time.'
with IPTablesManager() as ipt:
ipt.modify_management_access(fields)
configure.modify_management_access(fields)
return
# start/stop/restart services parsing.
valid_services = load_configuration('config')['services']
if ('restart_svc' in form):
service = form.get('restart_svc')
service = 'dnx-' + service.replace(' ', '-')
if (service not in valid_services):
return INVALID_FORM
system_action(module='webui', command='systemctl restart', args=service)
Services.restart(service)
elif ('start_svc' in form):
service = form.get('start_svc')
service = 'dnx-' + service.replace(' ', '-')
if (service not in valid_services):
return INVALID_FORM
system_action(module='webui', command='systemctl start', args=service)
elif ('stop_svc' in form):
service = form.get('stop_svc')
service = 'dnx-' + service.replace(' ', '-')
if (service not in valid_services):
return INVALID_FORM
system_action(module='webui', command='systemctl stop', args=service)
else:
return INVALID_FORM
def update_page(form):
# Matching logging update form and sending to configuration method.
if ('dnx_ddos_update' in form):
action = CFG.ADD if 'ddos' in form else CFG.DEL
ddos_limits = {}
for protocol in ['tcp', 'udp', 'icmp']:
form_limit = form.get(f'{protocol}_limit', None)
if (form_limit is None):
return INVALID_FORM
if (form_limit == ''): continue
limit = validate.convert_int(form_limit)
if (not limit):
return f'{protocol} limit must be an integer or left empty.'
if (not 5 <= limit <= 200):
return f'{protocol} limit must be in range 5-200.'
ddos_limits[protocol] = limit
configure.set_ips_ddos(action)
if (ddos_limits):
configure.set_ips_ddos_limits(ddos_limits)
elif ('dnx_portscan_update' in form):
enabled_settings = form.getlist('ps_settings', None)
try:
validate.portscan_settings(enabled_settings)
except ValidationError as ve:
return ve
else:
configure.set_ips_portscan(enabled_settings)
elif ('general_settings' in form):
ids_mode = True if 'ids_mode' in form else False
passive_block_length = form.get('passive_block_length', None)
if (not passive_block_length):
return INVALID_FORM
pb_length = validate.convert_int(passive_block_length)
try:
validate.ips_passive_block_length(pb_length)
except ValidationError as ve:
return ve
else:
configure.set_ips_general_settings(pb_length, ids_mode)
elif ('ips_wl_add' in form):
whitelist_ip = form.get('ips_wl_ip', None)
whitelist_name = form.get('ips_wl_name', None)
if (not whitelist_ip or not whitelist_name):
return INVALID_FORM
try:
validate.ip_address(whitelist_ip)
validate.standard(whitelist_name)
except ValidationError as ve:
return ve
else:
configure.update_ips_ip_whitelist(whitelist_ip,
whitelist_name,
action=CFG.ADD)
elif ('ips_wl_remove' in form):
whitelist_ip = form.get('ips_wl_ip', None)
if (not whitelist_ip):
return INVALID_FORM
try:
validate.ip_address(whitelist_ip)
except ValidationError as ve:
return ve
else:
configure.update_ips_ip_whitelist(whitelist_ip,
None,
action=CFG.DEL)
elif ('ips_wl_dns' in form):
action = CFG.ADD if 'dns_enabled' in form else CFG.DEL
configure.update_ips_dns_whitelist(action)
elif ('ips_pbl_remove' in form):
host_info = form.get('ips_pbl_remove', DATA.INVALID)
if (host_info is DATA.INVALID):
return INVALID_FORM
try:
host_ip, timestamp = host_info.split('/')
validate.ip_address(host_ip)
except:
return INVALID_FORM
if (validate.convert_int(timestamp) is DATA.INVALID):
return INVALID_FORM
else:
with IPTablesManager() as iptables:
iptables.remove_passive_block(host_ip, timestamp)
else:
return INVALID_FORM