def _build_iptables_drop_rule(self, port):
rule = Rule()
rule.protocol = "tcp"
match = rule.create_match("tcp")
match.dport = str(port)
target = rule.create_target("DROP")
chain = Chain(Table(Table.FILTER), "INPUT")
return chain, rule
def _build_iptables_accept_rule(self, port, client):
src, src_port = client
rule = Rule()
rule.protocol = "tcp"
rule.src = src
match = rule.create_match("tcp")
match.dport = str(port)
match.sport = str(src_port)
target = rule.create_target("ACCEPT")
chain = Chain(Table(Table.FILTER), "INPUT")
return chain, rule
def _init_netfilter(self):
self.nat_table = Table(Table.NAT)
prerouting_chain = Chain(self.nat_table, "PREROUTING")
for rule in prerouting_chain.rules:
if rule.target.name == "UPF":
prerouting_chain.delete_rule(rule)
self.upf_chain = Chain(self.nat_table, "UPF")
if self.upf_chain in self.nat_table.chains:
self.upf_chain.flush()
else:
self.nat_table.create_chain(self.upf_chain)
self.nat_table.refresh()
upf_rule = Rule()
upf_rule.src = self.ue_subnet
upf_rule.create_target("UPF")
prerouting_chain.insert_rule(upf_rule)
self.nat_table.refresh()
def _get_base_rule(self, match):
rule = Rule()
rule.protocol = match.ip_proto_num
rule.dst = "%s/%s" % (match.dst_ip, match.netmask)
if match.dst_port != 0:
ipt_match = IPT_Match(rule,
self._prot_port_supp[match.ip_proto_num])
ipt_match.dport = str(match.dst_port)
rule.add_match(ipt_match)
return rule
def create_conntrack_rule(self, target, param_key, param_value):
"""creates a connection tracking rule, for example :
StateFulFireWall.create_conntrack_rule("ACCEPT", "ctstate", "RELATED")
"""
print("adding rule %s" % param_value)
conntrack_rule = Rule()
conntrack_rule.create_target(target)
conntrack_match = conntrack_rule.create_match("conntrack")
conntrack_match.set_parameter(param_key, param_value)
comment_match = conntrack_rule.create_match("comment")
comment_match.comment = self.identifier + ":" + param_value
return conntrack_rule
def insert_rule(self):
if not self.rule:
rule = Rule()
rule.protocol = 'tcp'
rule.target = rule.create_target(self.target)
match = rule.create_match('comment')
match.comment = self._comment
match = rule.create_match('set')
match.match_set = [self.ipset_name, self.match_set_flag]
self.rule = rule
log.info(
'''Inserting a rule with target %s into chain %s (table %s) for ipset "%s" (with comment "%s", rule position: %s)''',
self.target, self.chain_name, self.table_name, self.ipset_name, self._comment, self.rule_pos)
self.chain.insert_rule(rule, position=self.rule_pos)
def create_rule(self, offender: Offender) -> None:
"""
Create a firewall rule that will disable communication between the from_ip and
to_ip on the desired interface for the specified protocol.
Args:
offender - The offending flow to write a rule for.
"""
# Currently stub out the firewall rule creation
self.logger.info(f"Creating rule for: {offender.connection}")
return
# Unpack some variables
interface_info: dict = self.interface_data[self.ip_version]
local_ip: str = interface_info["address"]
# Get the from ip and to ip from the offendesr src
from_ip, to_ip = offender.connection.split("/")
ip = from_ip if from_ip == local_ip else to_ip
# Create a rule to drop packets for this connection on the currently hooked
# up interface
rule: Rule = Rule()
rule.in_interface = self.interface
rule.src = ip
rule.target = Target(rule, "DROP")
# Iterate through all of the communication channels
# and add matches for them
for port, protocol in list(offender.port_mappings):
match: Match = Match(rule, protocol)
match.dport = port
rule.add_match(match)
# Choose which chain to create the rule for
if offender.outgoing:
self.output_chain.insert_rule(rule)
else:
self.input_chain.insert_rule(rule)
def setup_routing2(client_host, server_host):
table = Table(Table.NAT)
table.flush()
chain_pre = [ch for ch in table.chains if 'PREROUTING' in ch.name][0]
chain_post = [ch for ch in table.chains if 'POSTROUTING' in ch.name][0]
snat_r1 = Rule()
snat_r1.src = server_host.ip_real
snat_r1.dst = client_host.ip_virtual
snat_r1.target = snat_r1.create_target("SNAT")
snat_r1.target.to_source = server_host.ip_virtual
chain_post.append_rule(snat_r1)
snat_r2 = Rule()
snat_r2.src = client_host.ip_real
snat_r2.dst = server_host.ip_virtual
snat_r2.target = snat_r2.create_target("SNAT")
snat_r2.target.to_source = client_host.ip_virtual
chain_post.append_rule(snat_r2)
dnat_r1 = Rule()
dnat_r1.dst = server_host.ip_virtual
dnat_r1.target = dnat_r1.create_target("DNAT")
dnat_r1.target.to_destination = server_host.ip_real
chain_pre.append_rule(dnat_r1)
dnat_r2 = Rule()
dnat_r2.dst = client_host.ip_virtual
dnat_r2.target = dnat_r2.create_target("DNAT")
dnat_r2.target.to_destination = client_host.ip_real
chain_pre.append_rule(dnat_r2)
ip_route_one_args = "ip route add " + client_host.ip_virtual + " dev " + server_host.name
ip_route_two_args = "ip route add " + server_host.ip_virtual + " dev " + client_host.name
arp_one_args = "arp -i " + server_host.name + " -s " + client_host.ip_virtual + " " + client_host.mac
arp_two_args = "arp -i " + client_host.name + " -s " + server_host.ip_virtual + " " + server_host.mac
show_route = "ip route show table main".split(" ")
iptables_list = "iptables -t nat -L".split(" ")
call(ip_route_one_args.split(" "))
call(arp_one_args.split(" "))
call(ip_route_two_args.split(" "))
call(arp_two_args.split(" "))
call(iptables_list)
call(show_route)
def start(self, **args):
print("adding rule icmp")
rule = Rule()
rule.create_target("ACCEPT")
rule.protocol = "icmp"
icmp_match = rule.create_match("icmp")
icmp_match.set_parameter("icmp-type", "8")
comment_match = rule.create_match("comment")
comment_match.comment = self.identifier + ":icmp"
self.input_chain.append_rule(rule)
# Top rule should be to allow related, established connections.
related_rule = self.create_conntrack_rule("ACCEPT", "ctstate",
"RELATED,ESTABLISHED")
self.input_chain.insert_rule(related_rule)
# Drop igmp packets before logging.
drop_igmp_rule = Rule()
drop_igmp_rule.create_target("DROP")
drop_igmp_rule.protocol = "igmp"
self.input_chain.append_rule(drop_igmp_rule)
# Log all that is refused in INPUT chain.
log_rule = self.create_log_rule("not in allowed services", group="1")
self.input_chain.append_rule(log_rule)
# Drop invalid packets - as diagnosed by the conntrack processor.
# Note that this rule is useless because packets would be dropped anyway.
invalid_rule = self.create_conntrack_rule("DROP", "ctstate", "INVALID")
self.input_chain.append_rule(invalid_rule)
super().start(**args) # commits the table if relevant
def create_rule(self, name, target, dst="", dport="", src="", sport="", proto="", siface="", diface=""):
"""create and return a rule (or two if no proto given).
name can be any string
target is a string saying what to do, like
"ACCEPT", "DENY", "DROP", "LOG"
proto (if not defined, is assumed both udp and tcp)
src is a realm in the form XXX.XXX.XXX.XXX/YY
sport is source port. Currently ignored
dst is a realm in the same form as src
dport is destination port
siface is the source interface
diface is the destination interface
"""
#print("adding rule %s" % name)
if (dport or sport) and not proto:
return [ self.create_rule(name,
target,
dst,
dport,
src,
sport,
proto,
siface,
diface) for proto in ("tcp", "udp") ]
rule = Rule()
rule.create_target(target)
if dst:
rule.dst = dst
if dport:
proto_match = rule.create_match(proto)
proto_match.dport = str(dport)
rule.protocol = proto
if diface:
rule.in_interface = diface
if src:
if src.count("-"):
iprange_match = rule.create_match("iprange")
iprange_match.src_range = src
rule.add_match(iprange_match)
else:
rule.src = src
if sport:
proto_match = rule.create_match(proto)
proto_match.sport = str(sport)
rule.protocol = proto
if siface:
rule.out_interface = siface
# Add a signature as a comment.
comment_match = rule.create_match("comment")
comment_match.comment = self.identifier + ":" + name
rule.final_check()
return rule