def __add_nat_rules(self, chain: str, subnet: str):
    """Append the NAT rules for *subnet* to user chain *chain* in the ``nat`` table.

    Multicast (224.0.0.0/24) and limited-broadcast (255.255.255.255/32)
    traffic from the subnet is RETURNed untouched; everything else that
    leaves the subnet is masqueraded -- TCP and UDP with the source port
    pinned to 1024-65535, any other protocol with a plain MASQUERADE.
    ``-A`` appends, so the two RETURN exemptions are matched first.
    *chain* and *subnet* are interpolated unquoted into the command;
    ``shell`` is defined elsewhere in the file, so only pass values the
    caller generates itself.
    """
    prefix = f"sudo iptables -t nat -A {chain} -s {subnet}"
    masquerade = "MASQUERADE --to-ports 1024-65535"
    rules = (
        f"{prefix} -d 224.0.0.0/24 -j RETURN",
        f"{prefix} -d 255.255.255.255/32 -j RETURN",
        f"{prefix} ! -d {subnet} -p tcp -j {masquerade}",
        f"{prefix} ! -d {subnet} -p udp -j {masquerade}",
        f"{prefix} ! -d {subnet} -j MASQUERADE",
    )
    for rule in rules:
        shell(rule)
def __add_forward_rules(self, chain: str, subnet: str):
    """Append the forwarding filter rules for the bridge to *chain*.

    Rules are appended (``-A``) and iptables matches first-hit, so the
    order below is the policy: traffic that stays on the bridge is
    accepted; traffic routed into *subnet* is accepted only when conntrack
    marks it RELATED/ESTABLISHED and is otherwise rejected; traffic from
    *subnet* entering via the bridge is accepted and anything else that
    enters via the bridge (i.e. with a source outside *subnet*) is rejected.
    All rejections answer with icmp-port-unreachable.
    """
    bridge = self.br.name
    append = f"sudo iptables -A {chain}"
    established = "-m conntrack --ctstate RELATED,ESTABLISHED"
    reject = "REJECT --reject-with icmp-port-unreachable"
    # FW cross: bridge-to-bridge traffic.
    shell(f"{append} -i {bridge} -o {bridge} -j ACCEPT")
    # FW in: only replies / related flows may reach the subnet.
    shell(f"{append} -d {subnet} -o {bridge} {established} -j ACCEPT")
    shell(f"{append} -o {bridge} -j {reject}")
    # FW out: the subnet may initiate; other sources on the bridge are rejected.
    shell(f"{append} -s {subnet} -i {bridge} -j ACCEPT")
    shell(f"{append} -i {bridge} -j {reject}")
def __add_output_rules(self, chain: str):
    """Append rules to *chain* accepting host output to the bridge on
    destination port 53 (DNS) and 68 (DHCP client), each for UDP and TCP.

    Four rules are appended in the order udp/53, tcp/53, udp/68, tcp/68.
    """
    bridge = self.br.name
    accept_out = f"sudo iptables -A {chain} -o {bridge}"
    # NOTE(review): DHCP runs over UDP; the tcp/68 rule looks redundant -- confirm before removing.
    for port in (53, 68):
        for proto in ("udp", "tcp"):
            shell(f"{accept_out} -p {proto} -m {proto} --dport {port} -j ACCEPT")
def __add_direct_forward_rules(self, chain: str):
    """Append rules to *chain* that permit only bridge-to-bridge forwarding.

    Traffic entering and leaving on the bridge is accepted; anything else
    routed out to or in from the bridge is rejected with
    icmp-port-unreachable. Appended in the order accept, reject-out, reject-in.
    """
    bridge = self.br.name
    append = f"sudo iptables -A {chain}"
    reject = "REJECT --reject-with icmp-port-unreachable"
    shell(f"{append} -i {bridge} -o {bridge} -j ACCEPT")
    for direction in ("-o", "-i"):
        shell(f"{append} {direction} {bridge} -j {reject}")
def __delete_chain(self, chain: str, parent: str, table: str = "filter"):
    """Remove user chain *chain* from *table*.

    Flushes the chain, deletes the ``-j chain`` jump from *parent*, then
    deletes the chain itself -- in that order, because ``-X`` fails on a
    chain that is still referenced or non-empty. Counterpart of
    ``__create_chain``.
    """
    iptables = f"sudo iptables -t {table}"
    steps = (f"-F {chain}", f"-D {parent} -j {chain}", f"-X {chain}")
    for step in steps:
        shell(f"{iptables} {step}")
def __create_chain(self, chain: str, parent: str, table: str = "filter"):
    """Create user chain *chain* in *table* and append a jump to it from *parent*.

    ``-N`` fails if the chain already exists; whether a stale chain aborts
    or is silently reused depends on how ``shell`` treats a non-zero exit,
    which is not visible here.
    """
    iptables = f"sudo iptables -t {table}"
    shell(f"{iptables} -N {chain}")
    shell(f"{iptables} -A {parent} -j {chain}")
def create_with_cloud_localds(self, user_data: UserData, network_config: NetworkConfig):
    """Build the seed image at ``self.path`` with ``cloud-localds``.

    *user_data* supplies the user-data file and *network_config* the
    network-config file (passed via ``-N``). The paths are interpolated
    unquoted, so they must not contain shell metacharacters. Returns
    ``self`` so calls can be chained.
    """
    seed, user, network = self.path, user_data.path, network_config.path
    shell(f"cloud-localds {seed} {user} -N {network}")
    return self
def __resize(self, size: int):
    """Resize the disk image at ``self.path`` to *size* GiB with ``qemu-img``
    (the ``G`` suffix is qemu-img's binary gigabyte). Runs without sudo,
    unlike the network helpers in this file.
    """
    new_size = f"{size}G"
    shell(f"qemu-img resize {self.path} {new_size}")
def __add_no_output_rules(self, chain: str):
    """Append one rule to *chain* rejecting all host output to the bridge
    with icmp-port-unreachable (the "no output" counterpart of
    ``__add_output_rules``).
    """
    bridge = self.br.name
    reject = "REJECT --reject-with icmp-port-unreachable"
    shell(f"sudo iptables -A {chain} -o {bridge} -j {reject}")
def __create(self):
    """Create the Linux bridge device named ``self.name`` (``ip link add``)."""
    bridge = self.name
    shell(f"sudo ip link add {bridge} type bridge")
def __up(self):
    """Bring the bridge device ``self.name`` up (``ip link set ... up``)."""
    bridge = self.name
    shell(f"sudo ip link set {bridge} up")
def __set_ip(self, ip):
    """Assign *ip* to the bridge device ``self.name`` with ``ip addr add``.

    *ip* is passed through verbatim after ``dev <name>``, so it is
    presumably an address with prefix length (e.g. ``a.b.c.d/24``) --
    confirm against the caller. It is not quoted; only pass values the
    code generates itself.
    """
    bridge = self.name
    shell(f"sudo ip addr add dev {bridge} {ip}")
def __delete(self):
    """Delete the bridge device ``self.name`` (``ip link del``)."""
    bridge = self.name
    shell(f"sudo ip link del {bridge}")