def rfw_init_rules(rfwconf):
    """Clean and insert the rfw init rules.
    The rules block all INPUT/OUTPUT traffic on rfw ssl port except for whitelisted IPs.
    Here are the rules that should be created assuming that the only whitelisted IP is 127.0.0.1:
        Rule(chain='INPUT', num='1', pkts='0', bytes='0', target='ACCEPT', prot='tcp', opt='--', inp='*', out='*', source='127.0.0.1', destination='0.0.0.0/0', extra='tcp dpt:7393')
        Rule(chain='INPUT', num='4', pkts='0', bytes='0', target='DROP', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='0.0.0.0/0', extra='tcp dpt:7393')
        Rule(chain='OUTPUT', num='1', pkts='0', bytes='0', target='ACCEPT', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='127.0.0.1', extra='tcp spt:7393')
        Rule(chain='OUTPUT', num='4', pkts='0', bytes='0', target='DROP', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='0.0.0.0/0', extra='tcp spt:7393')

    NOTE(review): in this version every iptables call that changes the
    ruleset is commented out ("breaking things to make it start"), so the
    function only loads the current rules and logs the matches. No old DROP
    rule is deleted and no new DROP rule is installed: the rfw port is left
    exactly as the pre-existing ruleset has it, i.e. this is NOT a working
    lock-down and must not be deployed as one. The whitelist ACCEPT section
    that follows the last log line is not part of this excerpt.

    Args:
        rfwconf: config object; only ``outward_server_port()`` is read here.
    """
    rfw_port = rfwconf.outward_server_port()
    ipt = Iptables.load()

    ###
    log.info('Delete existing init rules')
    # find 'drop all packets to and from rfw port'
    # Matches on the listing fields: any tcp DROP in INPUT whose match column
    # is exactly 'tcp dpt:<port>' (rules with additional matches do not match).
    drop_input = ipt.find({'target': ['DROP'], 'chain': ['INPUT'], 'prot': ['tcp'], 'extra': ['tcp dpt:' + rfw_port]})
    log.info(drop_input)
    log.info('Existing drop input to rfw port {} rules:\n{}'.format(rfw_port, '\n'.join(map(str, drop_input))))
    # breaking things to make it start
    # (disabled: the matched rules are logged but never deleted)
    #for r in drop_input:
    #    Iptables.exe_rule('D', r)
    drop_output = ipt.find({'target': ['DROP'], 'chain': ['OUTPUT'], 'prot': ['tcp'], 'extra': ['tcp spt:' + rfw_port]})
    log.info('Existing drop output to rfw port {} rules:\n{}'.format(rfw_port, '\n'.join(map(str, drop_output))))
    # breaking things to make it start
    # (disabled: the matched rules are logged but never deleted)
    #for r in drop_output:
    #    Iptables.exe_rule('D', r)

    ###
    log.info('Insert DROP rfw port init rules')
    # breaking things to make it start
    # (disabled: the log line above is misleading -- nothing is inserted, so
    # the rfw port is not blocked by this function)
    #Iptables.exe(['-I', 'INPUT', '-p', 'tcp', '--dport', rfw_port, '-j', 'DROP'])
    #Iptables.exe(['-I', 'OUTPUT', '-p', 'tcp', '--sport', rfw_port, '-j', 'DROP'])

    ###
    log.info('Insert ACCEPT whitelist IP rfw port init rules')
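def _delete_rfw_port_rules(ipt, chain, target, extra):
    """Delete every tcp rule in *chain* that jumps to *target* for the rfw port.

    The rules are looked up in the already loaded iptables snapshot *ipt*
    (the match is on the listing fields, not on live state) and each match
    is removed with ``Iptables.exe_rule('D', rule)``. Only rules whose match
    column is exactly *extra* are touched; rules carrying additional matches
    (e.g. conntrack state) have a different listing and are left alone.

    Args:
        ipt: snapshot returned by ``Iptables.load()``.
        chain: 'INPUT' or 'OUTPUT'.
        target: 'DROP' or 'ACCEPT'.
        extra: port match as shown in the listing, e.g. 'tcp dpt:7393'
            for INPUT or 'tcp spt:7393' for OUTPUT.

    Returns:
        The list of matched (and deleted) rules, possibly empty. Any error
        raised by ``Iptables.exe_rule`` propagates to the caller.
    """
    rules = ipt.find({
        'target': [target],
        'chain': [chain],
        'prot': ['tcp'],
        'extra': [extra],
    })
    log.info('Existing {} {} rules on rfw port ({}):\n{}'.format(
        target, chain, extra, '\n'.join(map(str, rules))))
    for rule in rules:
        Iptables.exe_rule('D', rule)
    return rules


def rfw_init_rules(rfwconf):
    """Clean and (re)insert the rfw init rules.

    The init rules block all INPUT/OUTPUT traffic on the rfw ssl port except
    for the whitelisted IPs from the config. With 127.0.0.1 as the only
    whitelisted IP the resulting rules are:
        Rule(chain='INPUT', num='1', pkts='0', bytes='0', target='ACCEPT', prot='tcp', opt='--', inp='*', out='*', source='127.0.0.1', destination='0.0.0.0/0', extra='tcp dpt:7393')
        Rule(chain='INPUT', num='4', pkts='0', bytes='0', target='DROP', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='0.0.0.0/0', extra='tcp dpt:7393')
        Rule(chain='OUTPUT', num='1', pkts='0', bytes='0', target='ACCEPT', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='127.0.0.1', extra='tcp spt:7393')
        Rule(chain='OUTPUT', num='4', pkts='0', bytes='0', target='DROP', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='0.0.0.0/0', extra='tcp spt:7393')

    Steps, in this order:
      1. Delete the existing DROP rules for the rfw port in INPUT and OUTPUT.
      2. Delete the existing ACCEPT rules for the rfw port as well -- whatever
         their source/destination -- so that an IP removed from the whitelist
         does not keep a stale ACCEPT rule from an earlier start, and so that
         re-running this function does not accumulate duplicates.
      3. Insert the catch-all DROP rules with ``-I`` (head of the chain).
      4. Insert one ACCEPT rule per whitelisted IP, also with ``-I``, so that
         they land above the DROP rules from step 3.

    Between step 1 and step 3 there is a short window in which the rfw port
    has no DROP rule; rule replacement is not atomic. Failures of any
    iptables call propagate (no best-effort swallowing), because a partially
    applied ruleset must not go unnoticed.

    Args:
        rfwconf: config object; ``outward_server_port()`` (string port) and
            ``whitelist()`` (iterable of IP strings) are read.

    Returns:
        None.
    """
    rfw_port = rfwconf.outward_server_port()
    whitelist = rfwconf.whitelist()
    dport = 'tcp dpt:' + rfw_port   # listing form of an INPUT match on the port
    sport = 'tcp spt:' + rfw_port   # listing form of an OUTPUT match on the port
    ipt = Iptables.load()

    ###
    log.info('Delete existing init rules')
    _delete_rfw_port_rules(ipt, 'INPUT', 'DROP', dport)
    _delete_rfw_port_rules(ipt, 'OUTPUT', 'DROP', sport)
    # Stale whitelist entries: any ACCEPT for the rfw port is ours to manage,
    # so drop them all and recreate from the current whitelist below.
    _delete_rfw_port_rules(ipt, 'INPUT', 'ACCEPT', dport)
    _delete_rfw_port_rules(ipt, 'OUTPUT', 'ACCEPT', sport)

    ###
    log.info('Insert DROP rfw port init rules')
    Iptables.exe(
        ['-I', 'INPUT', '-p', 'tcp', '--dport', rfw_port, '-j', 'DROP'])
    Iptables.exe(
        ['-I', 'OUTPUT', '-p', 'tcp', '--sport', rfw_port, '-j', 'DROP'])

    ###
    log.info('Insert ACCEPT whitelist IP rfw port init rules')
    # '-I' without a position inserts at the head, i.e. above the DROP rules
    # just inserted; the order of the whitelist itself does not matter.
    for ip in whitelist:
        Iptables.exe([
            '-I', 'INPUT', '-p', 'tcp', '--dport', rfw_port, '-s', ip, '-j',
            'ACCEPT'
        ])
        Iptables.exe([
            '-I', 'OUTPUT', '-p', 'tcp', '--sport', rfw_port, '-d', ip, '-j',
            'ACCEPT'
        ])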
        rfwconf = rfwconfig.RfwConfig(args.configfile)
    except IOError, e:
        perr(e.message)
        create_args_parser().print_usage()
        sys.exit(1)

    # Initialize Iptables with configured path to system iptables
    Iptables.ipt_path = rfwconf.iptables_path()
    startup_sanity_check()

    # Install signal handlers
    signal.signal(signal.SIGTERM, __sigTERMhandler)
    signal.signal(signal.SIGINT, __sigTERMhandler)
    # TODO we may also need to ignore signal.SIGHUP in daemon mode

    rules = Iptables.load().rules
    # TODO make logging more efficient by deferring arguments evaluation
    log.debug("===== rules =====\n{}".format("\n".join(map(str, rules))))

    log.info("Starting rfw server")
    log.info("Whitelisted IP addresses that will be ignored:")
    for a in rfwconf.whitelist():
        log.info('    {}'.format(a))

    # recreate rfw init rules related to rfw port
    rfw_init_rules(rfwconf)

    expiry_queue = PriorityQueue()
    cmd_queue = Queue()

    rfwthreads.CommandProcessor(cmd_queue, rfwconf.whitelist(), expiry_queue,
        perr(e.message)
        create_args_parser().print_usage()
        sys.exit(1)

    # Initialize Iptables with configured path to system iptables 
    Iptables.ipt_path = rfwconf.iptables_path()
    startup_sanity_check()

    # Install signal handlers
    signal.signal(signal.SIGTERM, __sigTERMhandler)
    signal.signal(signal.SIGINT, __sigTERMhandler)
    # TODO we may also need to ignore signal.SIGHUP in daemon mode
    


    rules = Iptables.load().rules
    # TODO make logging more efficient by deferring arguments evaluation
    log.debug("===== rules =====\n{}".format("\n".join(map(str, rules))))

    log.info("Starting rfw server")
    log.info("Whitelisted IP addresses that will be ignored:")
    for a in rfwconf.whitelist():
        log.info('    {}'.format(a))

    # recreate rfw init rules related to rfw port
    rfw_init_rules(rfwconf)

    expiry_queue = PriorityQueue()
    cmd_queue = Queue()

    rfwthreads.CommandProcessor(cmd_queue,