def block_xmas_attack():
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
rule = iptc.Rule()
rule.protocol = "tcp"
match = rule.create_match("tcp")
match.tcp_flags = ['ALL', 'ALL']
target = iptc.Target(rule, "DROP")
rule.target = target
chain.insert_rule(rule)
print("Successfully Created")
def test_rule_from_iptc_mac_match():
rule = iptc.Rule()
rule.create_target('DROP')
rule.create_match('mac')
rule.matches[0].mac_source = '20:C9:D0:2B:6F:F3'
assert iptables.Rule.from_iptc(rule) == EMPTY_RULE._replace(
target='DROP',
matches=(('mac', (('mac_source', '20:C9:D0:2B:6F:F3'), )), ),
)
def setUp(self):
self.rule = iptc.Rule()
self.rule.src = "127.0.0.1"
self.rule.protocol = "udp"
self.rule.target = iptc.Target(self.rule, "ACCEPT")
self.match = iptc.Match(self.rule, "comment")
self.chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),
"iptc_test_comment")
iptc.Table(iptc.Table.FILTER).create_chain(self.chain)
def set_public_firewall(port_list):
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
for port in port_list:
rule = iptc.Rule()
rule.target = iptc.Target(rule, "ACCEPT")
rule.protocol = "tcp"
match = iptc.Match(rule, "tcp")
match.dport = str(port)
rule.add_match(match)
chain.insert_rule(rule)
def _accept_loop():
LOGGER.info("Accept loop packet.")
rule = iptc.Rule()
rule.in_interface = 'lo'
rule.create_target(iptc.Policy.ACCEPT)
with L:
FILTER_INPUT_CHAIN.insert_rule(rule, position=0)
if not FILTER_TABLE.autocommit:
FILTER_TABLE.commit()
def remove_rule_packet_filter():
src = request.json['src']
dst = request.json['dst']
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),"FORWARD")
rule = iptc.Rule()
rule.set_src(src)
rule.set_dst(dst)
target = iptc.Target(rule,"DROP")
rule.target = target
chain.delete_rule(rule)
def blockIP(ip):
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
rule = iptc.Rule()
rule.in_interface = "eth0"
target = iptc.Target(rule, "DROP")
rule.target = target
rule.src = ip
chain.insert_rule(rule)
os.system(f"iptables -A OUTPUT -d {ip} -j DROP")
def allowSpecificWebsite(anIP):
# IPTABLES -A FORWARD -d allowedSite -j ACCEPT
# IPTABELS -A FORWARD -s allowedSite -j ACCEPT
'''
# to do: need to allow DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
'''
# iptables -A FORWARD -s $IP_CLIENT -j ACCEPT
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "FORWARD")
rule = iptc.Rule()
rule.src = anIP
target = iptc.Target(rule, "ACCEPT")
rule.target = target
chain.append_rule(rule)
# iptables -A FORWARD -d $IP_CLIENT -j ACCEPT
rule2 = iptc.Rule()
rule2.dst = anIP
rule2.target = target
chain.append_rule(rule2)
def block_incoming_ping():
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
rule = iptc.Rule()
rule.protocol = "icmp"
match = rule.create_match("icmp")
match.icmp_type = "echo-reply"
target = iptc.Target(rule, "DROP")
rule.target = target
chain.insert_rule(rule)
print("Successfully Created")
def dropAll(ip):
rule = iptc.Rule()
rule.src = str(ip)
rule.protocol = "tcp"
rule_match = iptc.Match(rule, "tcp")
target = iptc.Target(rule, "DROP")
rule.add_match(rule_match)
rule.target = target
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.insert_rule(rule)
def add_ip(ipcliente):
rule = iptc.Rule()
rule.in_interface = interface
rule.src = ipcliente
rule.protocol = "tcp"
rule.target = rule.create_target("ACCEPT")
match = rule.create_match("comment")
match.comment = "Regra temporaria de INPUT"
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.insert_rule(rule)
def setUp(self):
self.rule = iptc.Rule()
self.rule.dst = "127.0.0.2"
self.rule.protocol = "tcp"
self.rule.out_interface = "eth0"
self.target = iptc.Target(self.rule, "MASQUERADE")
self.rule.target = self.target
self.chain = iptc.Chain(iptc.TABLE_NAT, "POSTROUTING")
def setUp(self):
self.rule = iptc.Rule()
self.rule.protocol = "tcp"
self.rule.target = iptc.Target(self.rule, "ACCEPT")
self.match = iptc.Match(self.rule, "iprange")
self.chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),
"iptc_test_iprange")
iptc.Table(iptc.Table.FILTER).create_chain(self.chain)
def setNatRuleForMaliousIP(maliciousIP):
chain = iptc.Chain(iptc.Table(iptc.Table.NAT), "PREROUTING")
rule = iptc.Rule()
rule.src = maliciousIP
target = iptc.Target(rule, "DNAT")
target.to_destination = honeyd_webMailServer_IP
rule.target = target
chain.insert_rule(rule)
print("Nat Rule has been set for malicious IP %s" %maliciousIP)
def fire_rule(rul):
print(rul, 'recieved')
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'INPUT')
rule = iptc.Rule()
rule.protocol = rul['protocol']
rule.src = rul['ip'] + "/255.255.255.0"
match = rule.create_match('tcp')
match.dport = str(rul['port'])
rule.target = iptc.Target(rule, rul['action'])
chain.insert_rule(rule)
def service_to_rule(service: Service) -> iptc.Rule:
rule = iptc.Rule()
rule.protocol = service.protocol
tgt = rule.create_target("DNAT")
tgt.to_destination = f"{service.host}:{service.port_range}"
m = rule.create_match(service.protocol)
m.dport = service.port_range
return rule
def iptablesSNAT(action, user_var):
table = iptc.Table(iptc.Table.NAT)
chain = iptc.Chain(table, "POSTROUTING")
rule = iptc.Rule()
rule.out_interface = user_var.interface
rule.create_target("MASQUERADE")
if action == 'insert':
chain.insert_rule(rule)
else:
chain.delete_rule(rule)
def to_iptc(self):
rule = iptc.Rule()
rule.protocol = self.protocol
rule.src = self.src
rule.dst = self.dst
rule.create_target(self.target)
for name, params in self.matches:
match = rule.create_match(name)
for key, value in params:
setattr(match, key, value)
return rule
def blockIP(ip):
#add rule to iptables-legacy
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
rule = iptc.Rule()
rule.in_interface = "eth0"
target = iptc.Target(rule, "DROP")
rule.target = target
rule.src = ip # ip in string format
chain.insert_rule(rule)
os.system(f"iptables -A OUTPUT -d {ip} -j DROP") #add a rule to iptables as well
def create_rules(server_ip, server_port, router_port, gateway):
destination = server_ip + ':' + server_port
prerouting_rule = iptc.Rule()
prerouting_rule.protocol = "tcp"
prerouting_rule.dst = gateway
match = iptc.Match(prerouting_rule, "tcp")
match.dport = router_port
target = prerouting_rule.create_target("DNAT")
target.to_destination = destination
prerouting_rule.add_match(match)
prerouting_rule.target = target
postrouting_rule = iptc.Rule()
postrouting_rule.protocol = "tcp"
postrouting_rule.dst = server_ip
match = iptc.Match(postrouting_rule, "tcp")
match.dport = server_port
postrouting_rule.add_match(match)
postrouting_rule.target = iptc.Target(postrouting_rule, "MASQUERADE")
return prerouting_rule, postrouting_rule
def create_nat(host, container_ip):
with table(iptc.Table.NAT) as nat:
free_ips = list(secondary_ips() - ips_in_use())
free = free_ips[randint(1, len(free_ips)) - 1]
# Send packets that come in on the outer IP to the inner IP.
dnat = iptc.Rule()
dnat.dst = free
target = dnat.create_target('DNAT')
target.to_destination = container_ip
comment = dnat.create_match('comment')
comment.comment = 'ahab//' + host
iptc.Chain(nat, 'DOCKER').insert_rule(dnat)
# Rewrite packets from the inner IP so they go out on the outer IP.
snat = iptc.Rule()
snat.src = container_ip
target = snat.create_target('SNAT')
target.to_source = free
comment = snat.create_match('comment')
comment.comment = 'ahab//' + host
iptc.Chain(nat, 'POSTROUTING').insert_rule(snat)
def __init__(self, type, target_name=None):
self.type = type
if type == IPV4:
self._rule = iptc.Rule()
else:
assert (type == IPV6)
self._rule = iptc.Rule6()
if target_name is not None:
self._rule.create_target(target_name)
def setNatRulesForUnusedPorts():
os.system(addNatRulesForUnunsedTCPPorts_cmd)
os.system(addNatRulesForUnunsedUDPPorts_cmd)
chain = iptc.Chain(iptc.Table(iptc.Table.NAT), "POSTROUTING")
rule = iptc.Rule()
target = iptc.Target(rule, "MASQUERADE")
rule.target = target
chain.insert_rule(rule)
print("Nat rules have been set for unused ports for both TCP and UDP")
def blockIpTable(ip):
table = iptc.Table(iptc.Table.FILTER)
chain = iptc.Chain(table, "INPUT")
rule = iptc.Rule()
rule.src = ip
rule.target = rule.create_target("DROP")
rule.match = rule.create_match("comment").comment = str(
datetime.datetime.strftime(
datetime.datetime.now() + datetime.timedelta(minutes=1),
"%y-%m-%d %H:%M:%S"))
chain.insert_rule(rule)
def open_interface(self, data):
print(f"data: {data}")
# create keypair
import pysodium
from base64 import b64encode
keys = pysodium.crypto_box_keypair()
# TODO: open interface
router = Router()
#self.gateway.router.interface.create(ifname=data['device_id'], ip='10.0.42.15/16', privatekey=b64encode(keys[1]),
# listenport=42001)
# new interface/wg control
router.interface.create(ifname=data['device_id'],
ip='10.0.42.15/16',
privatekey=b64encode(keys[1]),
listenport=42001)
# router.interface.addpeer(ifname=data['device_id'], publickey=data['wgpubkey'], endpointaddr=data['ip'], endpointport=42001, keepalive=10)
router.interface.addpeer(ifname=data['device_id'],
publickey=data['wgpubkey'],
keepalive=10,
allowedips={'0.0.0.0/0'})
# iptables for wg-interface
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "FORWARD")
rule = iptc.Rule()
rule.out_interface = "tf-0815"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
chain.insert_rule(rule)
chain = iptc.Chain(iptc.Table(iptc.Table.NAT), "POSTROUTING")
rule = iptc.Rule()
rule.out_interface = "eth0"
target = iptc.Target(rule, "MASQUERADE")
rule.target = target
chain.insert_rule(rule)
return b64encode(keys[0])
def test_rule_compare(self):
r1 = iptc.Rule()
r1.src = "127.0.0.2/255.255.255.0"
r1.dst = "224.1.2.3/255.255.0.0"
r1.protocol = "tcp"
r1.fragment = False
r1.in_interface = "wlan+"
r1.out_interface = "eth1"
r2 = iptc.Rule()
r2.src = "127.0.0.2/255.255.255.0"
r2.dst = "224.1.2.3/255.255.0.0"
r2.protocol = "tcp"
r2.fragment = False
r2.in_interface = "wlan+"
r2.out_interface = "eth1"
self.failUnless(r1 == r2)
r1.src = "127.0.0.1"
self.failIf(r1 == r2)
def allowLoopback(self):
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'INPUT')
rule = iptc.Rule()
rule.in_interface = 'lo'
rule.target = iptc.Target(rule, 'ACCEPT')
chain.insert_rule(rule)
ip = request.environ.get(
'HTTP_X_FORWARDED_FOR') or request.environ.get('REMOTE_ADDR')
iprecord = Ipfilters(ip, "ACCEPT", "allowLoopback", "lo")
db.session.add(iprecord)
db.session.commit()
def setUp(self):
self.rule = iptc.Rule()
self.rule.dst = "127.0.0.2"
self.rule.protocol = "tcp"
self.rule.out_interface = "eth0"
self.target = iptc.Target(self.rule, "MASQUERADE")
self.rule.target = self.target
self.chain = iptc.Chain(iptc.Table(iptc.Table.NAT),
"iptc_test_masquerade")
iptc.Table(iptc.Table.NAT).create_chain(self.chain)
def _allow_established(chains):
"""
Adds rule to allow established and related
connections.
(connections that I created and connections
that are created by those)
"""
rule = iptc.Rule()
match = rule.create_match('state')
match.state = "RELATED,ESTABLISHED"
rule.target = iptc.Target(rule, 'ACCEPT')
chains[INPUT].insert_rule(rule)
def test_rule_from_dict(self):
rule = iptc.Rule()
rule.protocol = "tcp"
rule.src = "127.0.0.1/32"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
rule2 = iptc.easy.encode_iptc_rule({
"protocol": "tcp",
"src": "127.0.0.1/32",
"target": "ACCEPT"
})
self.assertEqual(rule, rule2)
