def stop_service(service):
    """
    (Service) -> None

    Tear down the per-service firewall state: remove the rule that jumps
    to the ``fm_<name>`` chain for packets matching the ``Portequals``
    condition on ``service.port``, then delete the chain itself.
    """
    chain_name = "fm_" + service.name

    jump = services_conf.Rule()
    jump.action = chain_name
    jump.condition = services_conf.Condition(
        {"type": u"Portequals", "value": service.port}
    )

    # The jump is removed before the chain -- presumably so the chain is no
    # longer referenced when it is deleted.
    delete_rule(jump, "iptables")
    iptables.delete_chain(chain_name)
def start_service(service):
    """
    (Service) -> None

    Create the per-service chain ``fm_<name>`` (replacing any chain of that
    name left over from an earlier run), add a jump to it from INPUT for
    packets matching the ``Portequals`` condition on ``service.port``, and
    fill the chain with the service's own rules when it defines any.
    """
    chain_name = u"fm_" + service.name

    # Always start from an empty chain.
    iptables.delete_chain(chain_name)
    iptables.add_chain(chain_name)

    jump = services_conf.Rule()
    jump.action = chain_name
    jump.condition = services_conf.Condition(
        {"type": u"Portequals", "value": service.port}
    )
    # TODO: if service is called init or final, add at start or end
    add_rule(jump, "iptables", "INPUT", service.transport)

    # A service doesn't really need rules.
    for rule in getattr(service, 'rules', ()):
        add_rule(rule, "iptables", chain_name, service.transport)
def delete_iptables_rules():
    """Remove the nfqueue rules (queue 2), the rules in ``RULES`` and the
    ``fq_INPUT``/``fq_OUTPUT``/``fq_FORWARD`` chains."""
    iptables.delete_nfqueue_rules(2)
    iptables.delete_rules(RULES)
    # Rules go first so the chains are unreferenced by the time they are dropped.
    for chain_name in ("fq_INPUT", "fq_OUTPUT", "fq_FORWARD"):
        iptables.delete_chain(chain_name)
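    def iptables_apply(self):
        """
        Create the ``nat``-table iptables chains and rules that implement the
        redirection described by this endpoint.

        Three per-endpoint chains are created and linked from the
        ``ipfloater-OUTPUT``, ``ipfloater-PREROUTING`` and
        ``ipfloater-POSTROUTING`` chains:

        * ``ipfl-rule-<id>-OUTPUT`` and ``ipfl-rule-<id>-PREROUTING`` share one
          DNAT rule: traffic to ``public_ip`` (and ``public_port`` when ports
          are in use) is rewritten to ``private_ip`` (and ``private_port``).
        * ``ipfl-rule-<id>-POSTROUTING`` holds the matching SNAT rule for
          traffic coming from ``private_ip``.

        If a chain with one of those names already exists it is unlinked and
        deleted first when ``OVERWRITE_RULES`` is set; otherwise a warning is
        logged and the call fails without touching the table.

        Changes are staged with ``autocommit`` disabled and applied with a
        single ``table.commit()`` at the end, so the rule set is intended to
        change atomically or not at all.

        Returns:
            tuple[bool, str]: ``(True, "")`` on success. On failure
            ``(False, msg)`` where ``msg`` is the logged "already exists"
            warning, or the text of the exception that aborted the operation.

        # NAT loopback fix (the original note ends here): in POSTROUTING, if the
        # source is the LAN and the destination is ...
        # iptables -t nat -A ipfl-rule-0-POSTROUTING -s 10.3.0.5/24 -d 10.3.0.5/32 -p tcp --dport 22 -j SNAT --to-source 10.0.0.69
        """
        result, msg = True, ""
        table = iptc.Table(iptc.Table.NAT)
        table.refresh()
        # Stage every change and commit once at the end.
        table.autocommit = False

        try:
            # Make sure none of the per-endpoint chain names is already taken.
            for hook in ("OUTPUT", "PREROUTING", "POSTROUTING"):
                chain_name = "ipfl-rule-%s-%s" % (self.id, hook)
                if not iptables.chain_exists(table, chain_name):
                    continue
                if OVERWRITE_RULES:
                    iptables.unlink_chains(table, "ipfloater-%s" % hook, chain_name)
                    iptables.delete_chain(table, chain_name)
                else:
                    msg = _LOGGER.log("chain %s already exists" % chain_name, logging.WARNING)
                    raise Exception(msg)

            # OUTPUT rules: DNAT traffic addressed to the public IP (and port)
            # towards the private IP (and port).
            chain_out = table.create_chain("ipfl-rule-%s-OUTPUT" % self.id)
            rule_out = iptc.Rule()
            if self.private_port != 0:
                # NOTE(review): the guard tests private_port but the match uses
                # public_port, and the POSTROUTING rule below does the reverse.
                # This is only consistent when both ports are zero or both are
                # non-zero -- kept as-is, confirm against the endpoint model.
                rule_out.protocol = "tcp"
                match = iptc.Match(rule_out, "tcp")
                match.dport = str(self.public_port)
                rule_out.add_match(match)
            rule_out.dst = "%s/32" % self.public_ip
            rule_out.target = rule_out.create_target("DNAT")
            if self.public_port == 0:
                rule_out.target.to_destination = self.private_ip
            else:
                rule_out.target.to_destination = "%s:%d" % (self.private_ip, self.private_port)
            chain_out.append_rule(rule_out)
            iptables.link_chains(table, "ipfloater-OUTPUT", "ipfl-rule-%s-OUTPUT" % self.id)

            # PREROUTING rules: the same DNAT rule, for traffic arriving from outside.
            chain_pre = table.create_chain("ipfl-rule-%s-PREROUTING" % self.id)
            chain_pre.append_rule(rule_out)
            iptables.link_chains(table, "ipfloater-PREROUTING", "ipfl-rule-%s-PREROUTING" % self.id)

            # POSTROUTING rules: SNAT traffic leaving the private IP (and port)
            # so it carries the public IP (and port).
            chain_post = table.create_chain("ipfl-rule-%s-POSTROUTING" % self.id)
            rule_post = iptc.Rule()
            if self.public_port != 0:
                rule_post.protocol = "tcp"
                match = iptc.Match(rule_post, "tcp")
                match.dport = str(self.private_port)
                rule_post.add_match(match)
            rule_post.src = "%s/32" % self.private_ip
            rule_post.target = rule_post.create_target("SNAT")
            if self.public_port == 0:
                rule_post.target.to_source = self.public_ip
            else:
                rule_post.target.to_source = "%s:%d" % (self.public_ip, self.public_port)
            chain_post.append_rule(rule_post)
            iptables.link_chains(table, "ipfloater-POSTROUTING", "ipfl-rule-%s-POSTROUTING" % self.id)

            table.commit()
            table.autocommit = True
        except Exception as exc:
            # Report the failure to the caller instead of propagating it. Only
            # Exception is caught: the bare `except:` this replaces also
            # swallowed KeyboardInterrupt/SystemExit. Nothing staged in this
            # call was committed; `table` is local, so its autocommit state
            # is not observable by callers.
            result = False
            if not msg:
                msg = str(exc)

        return result, msg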
def delete_iptables_rules():
    """Remove the rules in ``RULES``, the nfqueue rules (queue 2) and the
    ``scramble_INPUT``/``scramble_OUTPUT``/``scramble_FORWARD`` chains."""
    iptables.delete_rules(RULES)
    iptables.delete_nfqueue_rules(2)
    # Chains are dropped only after the rules that may reference them.
    for hook in ("INPUT", "OUTPUT", "FORWARD"):
        iptables.delete_chain("scramble_" + hook)
def delete_iptables_rules():
    """Remove the rules in ``RULES`` and then the ``fp_PREROUTING`` and
    ``fp_OUTPUT`` chains."""
    iptables.delete_rules(RULES)
    for chain_name in ("fp_PREROUTING", "fp_OUTPUT"):
        iptables.delete_chain(chain_name)
def delete_iptables_rules():
    """Undo the module's iptables setup: drop the rules in ``RULES`` first,
    then the ``fp_PREROUTING`` and ``fp_OUTPUT`` chains."""
    chains_to_drop = ("fp_PREROUTING", "fp_OUTPUT")
    iptables.delete_rules(RULES)
    for hook_chain in chains_to_drop:
        iptables.delete_chain(hook_chain)