Ejemplo n.º 1
0
    def _build_iptables_drop_rule(self, port):
        rule = Rule()
        
        rule.protocol = "tcp"
        match = rule.create_match("tcp")
        match.dport = str(port)

        target = rule.create_target("DROP")

        chain = Chain(Table(Table.FILTER), "INPUT")
        return chain, rule
Ejemplo n.º 2
0
    def _build_iptables_accept_rule(self, port, client):
        src, src_port = client

        rule = Rule()
        rule.protocol = "tcp"
        rule.src = src
        match = rule.create_match("tcp")
        match.dport = str(port)
        match.sport = str(src_port)

        target = rule.create_target("ACCEPT")
        chain = Chain(Table(Table.FILTER), "INPUT")
        return chain, rule
Ejemplo n.º 3
0
    def _init_netfilter(self):

        self.nat_table = Table(Table.NAT)
        prerouting_chain = Chain(self.nat_table, "PREROUTING")

        for rule in prerouting_chain.rules:
            if rule.target.name == "UPF":
                prerouting_chain.delete_rule(rule)

        self.upf_chain = Chain(self.nat_table, "UPF")
        if self.upf_chain in self.nat_table.chains:
            self.upf_chain.flush()
        else:
            self.nat_table.create_chain(self.upf_chain)

        self.nat_table.refresh()

        upf_rule = Rule()
        upf_rule.src = self.ue_subnet
        upf_rule.create_target("UPF")
        prerouting_chain.insert_rule(upf_rule)

        self.nat_table.refresh()
Ejemplo n.º 4
0
    def _get_base_rule(self, match):

        rule = Rule()
        rule.protocol = match.ip_proto_num
        rule.dst = "%s/%s" % (match.dst_ip, match.netmask)

        if match.dst_port != 0:
            ipt_match = IPT_Match(rule,
                                  self._prot_port_supp[match.ip_proto_num])
            ipt_match.dport = str(match.dst_port)
            rule.add_match(ipt_match)

        return rule
Ejemplo n.º 5
0
    def create_conntrack_rule(self, target, param_key, param_value):
        """creates a connection tracking rule, for example :

        StateFulFireWall.create_conntrack_rule("ACCEPT", "ctstate", "RELATED")
        """
        print("adding rule %s" % param_value)
        conntrack_rule = Rule()
        conntrack_rule.create_target(target)
        conntrack_match = conntrack_rule.create_match("conntrack")
        conntrack_match.set_parameter(param_key, param_value)
        comment_match = conntrack_rule.create_match("comment")
        comment_match.comment = self.identifier + ":" + param_value
        return conntrack_rule
Ejemplo n.º 6
0
    def insert_rule(self):
        if not self.rule:
            rule = Rule()
            rule.protocol = 'tcp'
            rule.target = rule.create_target(self.target)
            match = rule.create_match('comment')
            match.comment = self._comment

            match = rule.create_match('set')
            match.match_set = [self.ipset_name, self.match_set_flag]
            self.rule = rule
            log.info(
                '''Inserting a rule with target %s into chain %s (table %s) for ipset "%s" (with comment "%s", rule position: %s)''',
                self.target, self.chain_name, self.table_name, self.ipset_name, self._comment, self.rule_pos)
            self.chain.insert_rule(rule, position=self.rule_pos)
Ejemplo n.º 7
0
    def create_rule(self, offender: Offender) -> None:
        """
            Create a firewall rule that will disable communication between the from_ip and
            to_ip on the desired interface for the specified protocol.

            Args:
                offender - The offending flow to write a rule for.
        """
        # Currently stub out the firewall rule creation
        self.logger.info(f"Creating rule for: {offender.connection}")
        return

        # Unpack some variables
        interface_info: dict = self.interface_data[self.ip_version]
        local_ip: str = interface_info["address"]

        # Get the from ip and to ip from the offendesr src
        from_ip, to_ip = offender.connection.split("/")

        ip = from_ip if from_ip == local_ip else to_ip

        # Create a rule to drop packets for this connection on the currently hooked
        # up interface
        rule: Rule = Rule()
        rule.in_interface = self.interface
        rule.src = ip
        rule.target = Target(rule, "DROP")

        # Iterate through all of the communication channels
        # and add matches for them
        for port, protocol in list(offender.port_mappings):
            match: Match = Match(rule, protocol)
            match.dport = port
            rule.add_match(match)

        # Choose which chain to create the rule for
        if offender.outgoing:
            self.output_chain.insert_rule(rule)
        else:
            self.input_chain.insert_rule(rule)
Ejemplo n.º 8
0
def setup_routing2(client_host, server_host):

    table = Table(Table.NAT)
    table.flush()

    chain_pre = [ch for ch in table.chains if 'PREROUTING' in ch.name][0]
    chain_post = [ch for ch in table.chains if 'POSTROUTING' in ch.name][0]

    snat_r1 = Rule()
    snat_r1.src = server_host.ip_real
    snat_r1.dst = client_host.ip_virtual
    snat_r1.target = snat_r1.create_target("SNAT")
    snat_r1.target.to_source = server_host.ip_virtual
    chain_post.append_rule(snat_r1)

    snat_r2 = Rule()
    snat_r2.src = client_host.ip_real
    snat_r2.dst = server_host.ip_virtual
    snat_r2.target = snat_r2.create_target("SNAT")
    snat_r2.target.to_source = client_host.ip_virtual
    chain_post.append_rule(snat_r2)

    dnat_r1 = Rule()
    dnat_r1.dst = server_host.ip_virtual
    dnat_r1.target = dnat_r1.create_target("DNAT")
    dnat_r1.target.to_destination = server_host.ip_real
    chain_pre.append_rule(dnat_r1)

    dnat_r2 = Rule()
    dnat_r2.dst = client_host.ip_virtual
    dnat_r2.target = dnat_r2.create_target("DNAT")
    dnat_r2.target.to_destination = client_host.ip_real
    chain_pre.append_rule(dnat_r2)

    ip_route_one_args = "ip route add " + client_host.ip_virtual + " dev " + server_host.name
    ip_route_two_args = "ip route add " + server_host.ip_virtual + " dev " + client_host.name
    arp_one_args = "arp -i " + server_host.name + " -s " + client_host.ip_virtual + " " + client_host.mac
    arp_two_args = "arp -i " + client_host.name + " -s " + server_host.ip_virtual + " " + server_host.mac
    show_route = "ip route show table main".split(" ")
    iptables_list = "iptables -t nat -L".split(" ")

    call(ip_route_one_args.split(" "))
    call(arp_one_args.split(" "))
    call(ip_route_two_args.split(" "))
    call(arp_two_args.split(" "))

    call(iptables_list)
    call(show_route)
Ejemplo n.º 9
0
    def start(self, **args):
        print("adding rule icmp")
        rule = Rule()
        rule.create_target("ACCEPT")
        rule.protocol = "icmp"
        icmp_match = rule.create_match("icmp")
        icmp_match.set_parameter("icmp-type", "8")
        comment_match = rule.create_match("comment")
        comment_match.comment = self.identifier + ":icmp"
        self.input_chain.append_rule(rule)

        # Top rule should be to allow related, established connections.
        related_rule = self.create_conntrack_rule("ACCEPT", "ctstate",
                                                  "RELATED,ESTABLISHED")
        self.input_chain.insert_rule(related_rule)

        # Drop igmp packets before logging.
        drop_igmp_rule = Rule()
        drop_igmp_rule.create_target("DROP")
        drop_igmp_rule.protocol = "igmp"
        self.input_chain.append_rule(drop_igmp_rule)
        # Log all that is refused in INPUT chain.
        log_rule = self.create_log_rule("not in allowed services", group="1")
        self.input_chain.append_rule(log_rule)

        # Drop invalid packets - as diagnosed by the conntrack processor.
        # Note that this rule is useless because packets would be dropped anyway.
        invalid_rule = self.create_conntrack_rule("DROP", "ctstate", "INVALID")
        self.input_chain.append_rule(invalid_rule)

        super().start(**args)  # commits the table if relevant
Ejemplo n.º 10
0
    def create_rule(self, name, target, dst="", dport="", src="", sport="", proto="", siface="", diface=""):
        """create and return a rule (or two if no proto given).

        name can be any string
        target is a string saying what to do, like
                "ACCEPT", "DENY", "DROP", "LOG"
        proto (if not defined, is assumed both udp and tcp)
        src is a realm in the form XXX.XXX.XXX.XXX/YY
        sport is source port. Currently ignored
        dst is a realm in the same form as src
        dport is destination port
        siface is the source interface
        diface is the destination interface
        """
        #print("adding rule %s" % name)
        if (dport or sport) and not proto:
            return [ self.create_rule(name,
                                      target,
                                      dst,
                                      dport,
                                      src,
                                      sport,
                                      proto,
                                      siface,
                                      diface) for proto in ("tcp", "udp") ]
        rule = Rule()
        rule.create_target(target)
        if dst:
            rule.dst = dst
        if dport:
            proto_match = rule.create_match(proto)
            proto_match.dport = str(dport)
            rule.protocol = proto
        if diface:
            rule.in_interface = diface
        if src:
            if src.count("-"):
                iprange_match = rule.create_match("iprange")
                iprange_match.src_range = src
                rule.add_match(iprange_match)
            else:
                rule.src = src
        if sport:
            proto_match = rule.create_match(proto)
            proto_match.sport = str(sport)
            rule.protocol = proto
        if siface:
            rule.out_interface = siface
        # Add a signature as a comment.
        comment_match = rule.create_match("comment")
        comment_match.comment = self.identifier + ":" + name
        rule.final_check()
        return rule