Beispiel #1
0
def block_rules():
    nattable = Table('nat')
    filtable = Table('filter')

    filtable.set_policy('INPUT', 'ACCEPT')

    nattable.flush_chain('POSTROUTING')
    filtable.flush_chain('FORWARD')
    filtable.flush_chain('OUTPUT')
    filtable.flush_chain('INPUT')
    #nattable.delete_chain()

    rulessh = Rule(protocol='tcp',
                   matches=[Match('tcp', '--dport 22')],
                   jump='ACCEPT')
    filtable.append_rule('INPUT', rulessh)

    rulecs = Rule(in_interface='wlan0',
                  out_interface='eth0',
                  protocol='udp',
                  matches=[Match('udp', '--dport 32100')],
                  jump='ACCEPT')
    filtable.append_rule('FORWARD', rulecs)

    rulefreturn = Rule(in_interface='eth0',
                       out_interface='wlan0',
                       jump='ACCEPT',
                       matches=[Match('state', '--state RELATED,ESTABLISHED')])
    filtable.append_rule('FORWARD', rulefreturn)

    rule0 = Rule(jump='ACCEPT',
                 matches=[Match('state', '--state RELATED,ESTABLISHED')])
    filtable.append_rule('INPUT', rule0)

    rule1 = Rule(out_interface='eth0', jump='MASQUERADE')
    nattable.append_rule('POSTROUTING', rule1)

    rule2 = Rule(out_interface='wlan0', jump='ACCEPT')
    filtable.append_rule('OUTPUT', rule2)

    rule3 = Rule(out_interface='eth0', jump='ACCEPT')
    filtable.append_rule('OUTPUT', rule3)

    rule4 = Rule(in_interface='wlan0', jump='ACCEPT')
    filtable.append_rule('INPUT', rule4)

    rule5 = Rule(in_interface='lo', jump='ACCEPT')
    filtable.append_rule('INPUT', rule5)

    rule6 = Rule(out_interface='lo', jump='ACCEPT')
    filtable.append_rule('OUTPUT', rule6)

    filtable.set_policy('FORWARD', 'DROP')
    filtable.set_policy('INPUT', 'DROP')
    filtable.set_policy('OUTPUT', 'DROP')
Beispiel #2
0
    def __init__(self, *args, **kwargs):
        # Files for processing.
        self.pidfile = kwargs["pidfile"]
        self.portknocker_logfile = "/var/log/portknocker_daemon.log"
        self.iptables_logfile = "/dev/shm/iptables.log"
        self.dumpfile = os.path.dirname(
            os.path.realpath(__file__)) + os.sep + "portknocker.dmp"

        # Logger parameters for daemon.
        self.logger = logging.getLogger(__name__)
        self.logger.setLevel(logging.INFO)
        self.fh = logging.FileHandler(self.portknocker_logfile)
        self.fh.setLevel(logging.INFO)
        self.formatstr = '%(asctime)s - %(levelname)s - %(message)s'
        self.formatter = logging.Formatter(self.formatstr)
        self.fh.setFormatter(self.formatter)
        self.logger.addHandler(self.fh)

        # Netfilter table for setting rules.
        self.table = Table("filter")

        # Reserved ports {"in_int:port":"src_ip"}.
        self.ports = dict()

        # Clean for start, stop and restart daemon.
        self.clean()
Beispiel #3
0
def unblock_outgoing_packets(proto,
                             ipsrc=None,
                             portsrc=None,
                             ipdst=None,
                             portdst=None):
    """
    Unblocks outgoing packets coming from the kernel using iptables command.
    """
    matches = []
    if portsrc:
        matches.append(Match('tcp', '--sport ' + str(portsrc)))
    if portdst:
        matches.append(Match('tcp', '--dport ' + str(portdst)))
    rule = Rule(
        #in_interface=interface,
        protocol=proto,
        source=ipsrc,
        destination=ipdst,
        matches=matches,
        jump='DROP')

    table = Table('filter')
    try:
        table.delete_rule('OUTPUT', rule)
    except IptablesError:
        print("Unknown rule !", proto, ipsrc, portsrc, ipdst, portdst)
Beispiel #4
0
def rule_manager():
    filtable = Table('filter')
    firewalliot.block_rules()
    db.create_all()
    db.session.query(AuthConns).delete()
    db.session.commit()
    open('/var/log/firewall', 'w').close()
    while True:
        for row in db.session.query(AuthConns):
            if int(row.sessiontime) <= int(time.time()):
                try:
                    rule0 = Rule(
                        jump='ACCEPT',
                        protocol='udp',
                        matches=[Match('udp', '--dst ' + str(row.ip_addr))])
                    filtable.delete_rule('FORWARD', rule0)
                except IptablesError as e:
                    pass
                db.session.delete(
                    AuthConns.query.filter(AuthConns.id == row.id).first())
            elif not row.fw_status:
                rule0 = Rule(
                    jump='ACCEPT',
                    protocol='udp',
                    matches=[Match('udp', '--dst ' + str(row.ip_addr))])
                filtable.prepend_rule('FORWARD', rule0)
                cwfwrule = AuthConns.query.filter_by(id=row.id).first()
                cwferule.fw_status = True
            elif not row.ip_port:
                log_lookup()
                manage_logging()
            else:
                pass
        db.session.commit()
        time.sleep(15)
Beispiel #5
0
def block_icmp_port_unreachable():
    """
    Blocks ICMP port unreachable packets sent by the kernel when a UDP port is hit without any service listening.
    """
    match = Match('icmp', '--icmp-type port-unreachable')
    rule = Rule(protocol="icmp", matches=[match], jump='DROP')
    Table('filter').append_rule('OUTPUT', rule)
Beispiel #6
0
def replace_redirect(port, port_real):
    """Sets up an iptables rule to redirect traffic."""
    table = Table('nat')

    def add_rule(chain, source, to):
        """Adds a rule to the given table."""
        rule = Rule(protocol='tcp')
        if chain == 'PREROUTING':
            interface = outbound_network_interface()
            rule.in_interface = interface
        else:
            rule.out_interface = 'lo'
            interface = 'lo'
        rule.matches = [Match('tcp', '--dport {0}'.format(source))]
        rule.jump = Target('REDIRECT', '--to-port {0}'.format(to))
        table.prepend_rule(chain, rule)
        log.debug('Added a redirect for %s to %s on %s.', source, to,
                  interface)

    def clean_chain(chain, port_pairs):
        """Removes all but the first rules matching the given port pairs."""
        for rule in table.list_rules(chain):
            log.debug('Processing rule: %s', rule)
            if rule.protocol != 'tcp':
                log.debug('Skipping.. its not a tcp rule.')
                continue
            for match in rule.matches:
                dport = match.options().get('dport', [None])[0]
                if dport != str(port_real):
                    log.debug('Rule is not for a port we care about: %s',
                              dport)
                    continue
                if not rule.jump:
                    log.debug('Rule has no target defined.')
                    continue
                jump_port = rule.jump.options().get('to-ports', [None])[0]
                pair = (int(dport), int(jump_port))
                if pair in port_pairs:
                    log.debug('Keeping the first instance of the pair: %s',
                              pair)
                    port_pairs.remove(pair)
                    continue
                log.debug('Removing the rule.')
                table.delete_rule(chain, rule)

    # Redirect rules
    add_rule('PREROUTING', port_real, port)
    add_rule('OUTPUT', port_real, port)

    # Generate a list of port pairs we want to keep through the chains.
    port_pairs = [(port_real, port)]
    clean_chain('PREROUTING', set(port_pairs))
    clean_chain('OUTPUT', set(port_pairs))

    # Success
    log.debug('Done setting up iptables.')
Beispiel #7
0
def unblock_icmp_port_unreachable():
    """
    Remove the rule that blocks ICMP port unreachable.
    """

    match = Match('icmp', '--icmp-type port-unreachable')
    rule = Rule(protocol="icmp", matches=[match], jump='DROP')
    try:
        Table('filter').delete_rule('OUTPUT', rule)
    except IptablesError:
        print("Try to remove unexisting icmp port-unreachable")
Beispiel #8
0
def force_add(ip_addr):
    filtable = Table('filter')
    rule0 = Rule(jump='ACCEPT',
                 protocol='udp',
                 matches=[Match('udp', '--dst ' + ip_addr)])
    filtable.prepend_rule('FORWARD', rule0)

    rule1 = Rule(jump='LOG',
                 protocol='udp',
                 matches=[
                     Match('udp', '--dst ' + ip_addr),
                     Match('limit', '--limit 1/hour --limit-burst 1')
                 ])
    filtable.prepend_rule('FORWARD', rule1)
Beispiel #9
0
    def __init__(s, logger, session):

        # Save logger
        s.log = logger

        # Save database connection session
        s.db = session

        # Purge NAT table
        s.log.debug('Init NAT firewall table')
        s.table = Table('nat')
        s.table.flush_chain()
        s.table.delete_chain()

        # Init port generator
        s.ws_port = PortGenerator(WS_START_PORT)

        # Init rules dictionary
        s.rules = {}
Beispiel #10
0
def force_remove(ip_addr):
    filtable = Table('filter')
    try:
        rule0 = Rule(jump='ACCEPT',
                     protocol='udp',
                     matches=[Match('udp', '--dst ' + str(ip_addr))])
        filtable.delete_rule('FORWARD', rule0)
    except IptablesError as e:
        pass

    try:
        rule1 = Rule(jump='LOG',
                     protocol='udp',
                     matches=[
                         Match('udp', '--dst ' + ip_addr),
                         Match('limit', '--limit 1/hour --limit-burst 1')
                     ])
        filtable.delete_rule('FORWARD', rule1)
    except IptablesError as e:
        pass
Beispiel #11
0
def manage_logging():
    filtable = Table('filter')
    for row in db.session.query(AuthConns):
        if row.ip_port and not row.port_status:

            rule0 = Rule(jump='ACCEPT',
                         protocol='udp',
                         matches=[
                             Match(
                                 'udp', '--dst ' + str(row.ip_addr) +
                                 ' --dport ' + str(row.ip_port))
                         ])
            filtable.prepend_rule('FORWARD', rule0)

            try:
                rule1 = Rule(jump='LOG',
                             protocol='udp',
                             matches=[
                                 Match('udp', '--dst ' + str(row.ip_addr)),
                                 Match('limit',
                                       '--limit 1/hour --limit-burst 1')
                             ])
                filtable.delete_rule('FORWARD', rule1)
            except IptablesError as e:
                pass
            try:
                rule2 = Rule(
                    jump='ACCEPT',
                    protocol='udp',
                    matches=[Match('udp', '--dst ' + str(row.ip_addr))])
                filtable.delete_rule('FORWARD', rule2)
            except IptablesError as e:
                pass

            row.port_status = True

        else:
            pass
Beispiel #12
0
 def get(self, request):
     try:
         from netfilter.table import Table
         table = Table('raw')
         print(table.list_chains())
     except netfilter.table.IptablesError as e:
         return ('error', {
             'title':
             'IPTables',
             'error':
             'Unable to initialize IPTables. Do you need to insmod?',
             'fixes': [{
                 'text':
                 'IPTables must be inserted as a module into the linux kernel.',
                 'command': 'modprobe ip_tables'
             }, {
                 'text': 'Update your installed packages.',
                 'command': 'yum -y update'
             }, {
                 'text': 'Update your kernel. Then, restart your system.',
                 'command': 'yum -y update kernel'
             }]
         })
     return ('overview.html')
Beispiel #13
0
if debug_option:
    option.display()
    print "debug cleanup ", debug_cleanup
    print "debug database", debug_database
    print "+" * 80

if debug_cleanup:
    cleanup_time = 5
else:
    cleanup_time = 60

# setup/check of netfilter

try:
    _table = Table(option['table'])
    if option['chain'] not in _table.list_chains():
        print 'can not find the chain name provided:', option['chain']
        sys.exit(1)
except IptablesError, e:
    print 'can not find the table specified:', option['table']
    sys.exit(1)

# connection to database

from scavenger.tools.database.connection import Connection


class Database(object):
    _create = """
create table if not exists tracking
Beispiel #14
0
from netfilter.rule import Rule, Match

from netfilter.table import Table

x = 0
while x == 0:
    table_name = input('table_name : ')
    chain_name = input('chain_name : ')

    rule = Rule(
        in_interface=input('in_interface : '),
        protocol=input('protocol : '),
        matches=[Match(input('name : '), '--dport ' + input('dport : '))],
        jump=input('jump : '))

    table = Table(table_name)

    table.append_rule(chain_name, rule)
    y = input('Do you want Exit ?')
    if y == 'yes':
        x = 1
Beispiel #15
0
from netfilter.rule import Rule, Match, Target
from netfilter.table import Table

rule = Rule(
    in_interface='eth0',
    #protocol='tcp',
    #matches=[Match('tcp')],
    jump=Target('DNAT', '--to-destination 192.168.137.1'))

#rule.jump.options="--to-source 123.123.123.123"

table = Table('nat')
table.append_rule('PREROUTING', rule)
print rule

#table.delete_rule('POSTROUTING', rule)
Beispiel #16
0
def desbloqueaIP(ip):
	regla = Rule(source = ip, jump = 'DROP')
	tabla = Table('filter')
	tabla.delete_rule('INPUT', regla)
Beispiel #17
0
def bloqueaIP(ip):
	regla = Rule(source = ip, jump='DROP')
	tabla = Table('filter')
	tabla.append_rule('INPUT', regla)