    def testInterfacesNegated(self):
        """parse_rule() must understand both spellings of interface negation.

        iptables < 1.4.3 printed the bang after the option ('-i ! eth0');
        1.4.3 and later print it before ('! -i eth0').  Either way the parsed
        Rule stores the negated value as '! eth0', so saved rule sets from
        either generation round-trip identically.
        """
        def expected(**fields):
            return Rule(jump=Target('LOG', '--log-prefix "Martians "'),
                        **fields)

        cases = [
            # legacy (< 1.4.3) placement of '!'
            ('-i ! eth0 -j LOG --log-prefix "Martians "',
             expected(in_interface='! eth0')),
            ('-o ! eth0 -j LOG --log-prefix "Martians "',
             expected(out_interface='! eth0')),
            # current (>= 1.4.3) placement of '!'
            ('! -i eth0 -j LOG --log-prefix "Martians "',
             expected(in_interface='! eth0')),
            ('! -o eth0 -j LOG --log-prefix "Martians "',
             expected(out_interface='! eth0')),
        ]
        for text, want in cases:
            self.assertEqual(netfilter.parser.parse_rule(text), want)
 def testMatchMultiportDports(self):
     """A multiport --dports match is emitted as '-m multiport --dports <list>' ahead of '-j'."""
     print('Running Test Match Mulitport Dports...')
     ports = '20,21,22,80,25,1720'
     rule = Rule(jump='ACCEPT', matches=[Match('multiport', '--dports ' + ports)])
     print('\tRule: ' + str(rule))
     want = ['-m', 'multiport', '--dports', ports, '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
     print('...Done')
 def testMatchMultiportDports(self):
     """multiport --dports keeps the port list as one comma-joined token."""
     ports = '20,21,22,80,25,1720'
     rule = Rule(jump='ACCEPT', matches=[Match('multiport', '--dports ' + ports)])
     want = ['-m', 'multiport', '--dports', ports, '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
 def testMatchTcpSport(self):
     """'-p tcp' precedes the explicit '-m tcp --sport' module options."""
     print('Running Test Match TCP SPort...')
     rule = Rule(protocol='tcp', jump='ACCEPT',
                 matches=[Match('tcp', '--sport 1234')])
     print('\tRule: ' + str(rule))
     want = ['-p', 'tcp', '-m', 'tcp', '--sport', '1234', '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
     print('...Done')
 def testMatchTcpNotFlags(self):
     """A negated --tcp-flags option is split on whitespace, so '!' becomes its own argv token.

     Because Match splits its option string on spaces, any value that is
     interpolated into a Match string is also split; callers must never pass
     untrusted text through here unvalidated.
     """
     rule = Rule(protocol='tcp', jump='ACCEPT',
                 matches=[Match('tcp', '--tcp-flags ! ACK,SYN ACK')])
     want = ['-p', 'tcp', '-m', 'tcp', '--tcp-flags', '!', 'ACK,SYN', 'ACK',
             '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
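def rule_manager():
    """Daemon loop that keeps the FORWARD chain in sync with the AuthConns table.

    On start-up the baseline firewall is re-applied (firewalliot.block_rules),
    the AuthConns table is emptied and /var/log/firewall is truncated.  Then,
    every 15 seconds, each AuthConns row is examined:

    * ``sessiontime`` already passed  -> its ``-p udp --dst <ip>`` ACCEPT rule is
      removed (best effort) and the row is deleted;
    * ``fw_status`` false             -> that ACCEPT rule is prepended to FORWARD
      and the row is marked as installed;
    * ``ip_port`` unset               -> log_lookup() / manage_logging() run.

    The session is committed once per sweep.  Never returns.
    """
    import ipaddress  # function-scope: the module's import block is not in view here

    filtable = Table('filter')
    firewalliot.block_rules()
    db.create_all()
    db.session.query(AuthConns).delete()
    db.session.commit()
    # Truncate rather than unlink so the file and its permissions survive.
    with open('/var/log/firewall', 'w'):
        pass

    def _accept_rule(ip_addr):
        # Match splits its option string on whitespace, so a DB value such as
        # "1.2.3.4 --dport 53" would smuggle extra options into iptables.
        # Only a plain address or CIDR is allowed through (raises ValueError).
        addr = str(ip_addr)
        ipaddress.ip_network(addr, strict=False)
        return Rule(jump='ACCEPT',
                    protocol='udp',
                    matches=[Match('udp', '--dst ' + addr)])

    while True:
        now = int(time.time())
        for row in db.session.query(AuthConns):
            if int(row.sessiontime) <= now:
                try:
                    filtable.delete_rule('FORWARD', _accept_rule(row.ip_addr))
                except (IptablesError, ValueError):
                    # Rule already gone or address unusable: the row is
                    # expired either way, so still drop it.
                    pass
                db.session.delete(
                    AuthConns.query.filter(AuthConns.id == row.id).first())
            elif not row.fw_status:
                try:
                    rule0 = _accept_rule(row.ip_addr)
                except ValueError:
                    # Fail closed: no rule for a malformed address.  The row
                    # stays un-installed and is re-examined next sweep.
                    continue
                filtable.prepend_rule('FORWARD', rule0)
                # BUG FIX: the original assigned to the misspelled name
                # 'cwferule', raising NameError on the first new session.
                row.fw_status = True
            elif not row.ip_port:
                log_lookup()
                manage_logging()
        db.session.commit()
        time.sleep(15)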
 def testMatchState(self):
     """A conntrack state match renders as '-m state --state <list>'."""
     print('Running Test Match State...')
     rule = Rule(jump='ACCEPT',
                 matches=[Match('state', '--state ESTABLISHED,RELATED')])
     print('\tRule: ' + str(rule))
     want = ['-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
     print('...Done')
 def testMatchTos(self):
     """A tos match keeps its hex value verbatim."""
     print('Running Test Match TOS...')
     rule = Rule(jump='ACCEPT', matches=[Match('tos', '--tos 0x10')])
     print('\tRule: ' + str(rule))
     want = ['-m', 'tos', '--tos', '0x10', '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
     print('...Done')
 def testMatchMark(self):
     """A mark match keeps its hex value verbatim."""
     print('Running Test Match Mark...')
     rule = Rule(jump='ACCEPT', matches=[Match('mark', '--mark 0x64')])
     print('\tRule: ' + str(rule))
     want = ['-m', 'mark', '--mark', '0x64', '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
     print('...Done')
 def testMatchTcpFlags(self):
     """--tcp-flags takes two tokens (mask, compared flags) which stay separate."""
     print('Running Test TCP Flags...'.replace('Test TCP', 'Test Match TCP'))
     rule = Rule(protocol='tcp', jump='ACCEPT',
                 matches=[Match('tcp', '--tcp-flags ACK,SYN ACK')])
     print('\tRule: ' + str(rule))
     want = ['-p', 'tcp', '-m', 'tcp', '--tcp-flags', 'ACK,SYN', 'ACK',
             '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
     print('...Done')
 def testInterfaces(self):
     """Plain -i/-o interfaces are stored as given and emitted in that order."""
     rule = Rule(in_interface="eth1", out_interface="eth2", jump="REJECT")
     for untouched in (rule.protocol, rule.source, rule.destination):
         self.assertIsNone(untouched)
     self.assertEqual((rule.in_interface, rule.out_interface), ("eth1", "eth2"))
     self.assertEqual(rule.specbits(), ["-i", "eth1", "-o", "eth2", "-j", "REJECT"])
 def testInterfaces(self):
     """Plain -i/-o interfaces are stored as given and emitted in that order."""
     rule = Rule(in_interface='eth1', out_interface='eth2', jump='REJECT')
     for untouched in (rule.protocol, rule.source, rule.destination):
         self.assertIsNone(untouched)
     self.assertEqual(rule.in_interface, 'eth1')
     self.assertEqual(rule.out_interface, 'eth2')
     want = ['-i', 'eth1', '-o', 'eth2', '-j', 'REJECT']
     self.assertEqual(rule.specbits(), want)
 def testInterfacesNegated(self):
     """A leading '!' (no space) on an interface is emitted as the modern '! -i <if>' form."""
     rule = Rule(in_interface='!eth1', out_interface='!eth2',
                 jump='REJECT')
     for untouched in (rule.protocol, rule.source, rule.destination):
         self.assertIsNone(untouched)
     # The attribute keeps the raw negated text; only specbits() normalises it.
     self.assertEqual((rule.in_interface, rule.out_interface), ('!eth1', '!eth2'))
     want = ['!', '-i', 'eth1', '!', '-o', 'eth2', '-j', 'REJECT']
     self.assertEqual(rule.specbits(), want)
 def testDestination(self):
     """A destination-only rule renders as '-d <addr> -j <target>' with no extra options."""
     rule = Rule(destination="192.168.1.3", jump="REJECT")
     for untouched in (rule.protocol, rule.in_interface,
                       rule.out_interface, rule.source):
         self.assertIsNone(untouched)
     self.assertEqual(rule.destination, "192.168.1.3")
     # A bare string target is wrapped into a Target with no options.
     self.assertEqual(rule.jump.name(), "REJECT")
     self.assertEqual(rule.jump.options(), {})
     self.assertEqual(rule.specbits(), ["-d", "192.168.1.3", "-j", "REJECT"])
 def testInit(self):
     """A Rule built from just a Target has every match field unset."""
     rule = Rule(jump=Target('ACCEPT'))
     for untouched in (rule.protocol, rule.in_interface, rule.out_interface,
                       rule.source, rule.destination):
         self.assertIsNone(untouched)
     self.assertEqual(rule.jump.name(), 'ACCEPT')
     self.assertEqual(rule.jump.options(), {})
     self.assertEqual(rule.specbits(), ['-j', 'ACCEPT'])
 def testSource(self):
     """A source-only rule renders as '-s <addr> -j <target>'."""
     rule = Rule(source="192.168.1.2", jump="ACCEPT")
     for untouched in (rule.protocol, rule.in_interface,
                       rule.out_interface, rule.destination):
         self.assertIsNone(untouched)
     self.assertEqual(rule.source, "192.168.1.2")
     self.assertEqual(rule.jump.name(), "ACCEPT")
     self.assertEqual(rule.jump.options(), {})
     self.assertEqual(rule.specbits(), ["-s", "192.168.1.2", "-j", "ACCEPT"])
 def testDestinationNegated(self):
     """'! <addr>' as destination is emitted as the modern '! -d <addr>' form."""
     rule = Rule(destination='! 192.168.1.3', jump='REJECT')
     for untouched in (rule.protocol, rule.in_interface,
                       rule.out_interface, rule.source):
         self.assertIsNone(untouched)
     self.assertEqual(rule.destination, '! 192.168.1.3')
     self.assertEqual(rule.jump.name(), 'REJECT')
     self.assertEqual(rule.jump.options(), {})
     want = ['!', '-d', '192.168.1.3', '-j', 'REJECT']
     self.assertEqual(rule.specbits(), want)
 def testSourceNegated(self):
     """'! <addr>' as source is emitted as the modern '! -s <addr>' form."""
     rule = Rule(source='! 192.168.1.2', jump='ACCEPT')
     for untouched in (rule.protocol, rule.in_interface,
                       rule.out_interface, rule.destination):
         self.assertIsNone(untouched)
     self.assertEqual(rule.source, '! 192.168.1.2')
     self.assertEqual(rule.jump.name(), 'ACCEPT')
     self.assertEqual(rule.jump.options(), {})
     want = ['!', '-s', '192.168.1.2', '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
 def testInit(self):
     """A Rule built from just a Target has every match field unset."""
     rule = Rule(jump=Target('ACCEPT'))
     unset = [rule.protocol, rule.in_interface, rule.out_interface,
              rule.source, rule.destination]
     self.assertEqual(unset, [None] * 5)
     self.assertEqual(rule.jump.name(), 'ACCEPT')
     self.assertEqual(rule.jump.options(), {})
     self.assertEqual(rule.specbits(), ['-j', 'ACCEPT'])
 def testSourceDestinationProtocol(self):
     """Protocol is emitted first, then source, destination and target."""
     rule = Rule(source="192.168.1.2", destination="192.168.1.3",
                 protocol="tcp", jump="DROP")
     self.assertEqual(rule.protocol, "tcp")
     self.assertIsNone(rule.in_interface)
     self.assertIsNone(rule.out_interface)
     self.assertEqual((rule.source, rule.destination),
                      ("192.168.1.2", "192.168.1.3"))
     self.assertEqual(rule.jump.name(), "DROP")
     self.assertEqual(rule.jump.options(), {})
     want = ["-p", "tcp", "-s", "192.168.1.2", "-d", "192.168.1.3", "-j", "DROP"]
     self.assertEqual(rule.specbits(), want)
def block_rules():
    """Reset the filter and nat tables to the gateway's baseline rule set.

    End state: default DROP on INPUT, OUTPUT and FORWARD, with explicit
    ACCEPTs for SSH (tcp/22) on any interface, UDP/32100 forwarded from wlan0
    to eth0 plus its RELATED,ESTABLISHED return path, RELATED,ESTABLISHED
    INPUT, all INPUT from wlan0 and lo, all OUTPUT via wlan0/eth0/lo, and
    MASQUERADE on eth0 in nat POSTROUTING.

    INPUT is switched to ACCEPT before the flush so that a failure midway
    cannot lock the operator out; consequently the chains are briefly wide
    open between the flush and the final policy change.

    NOTE(review): the SSH rule has no interface or source restriction, so
    tcp/22 is reachable from eth0 (the uplink) as well as wlan0, and the
    wlan0 INPUT rule admits every protocol and port from the wireless side.
    Both are worth tightening if that segment is not fully trusted.
    """
    nat = Table('nat')
    filt = Table('filter')

    filt.set_policy('INPUT', 'ACCEPT')
    nat.flush_chain('POSTROUTING')
    for chain in ('FORWARD', 'OUTPUT', 'INPUT'):
        filt.flush_chain(chain)

    def established():
        return Match('state', '--state RELATED,ESTABLISHED')

    # (table, chain, rule), appended in exactly this order.
    additions = [
        (filt, 'INPUT', Rule(protocol='tcp',
                             matches=[Match('tcp', '--dport 22')],
                             jump='ACCEPT')),
        (filt, 'FORWARD', Rule(in_interface='wlan0',
                               out_interface='eth0',
                               protocol='udp',
                               matches=[Match('udp', '--dport 32100')],
                               jump='ACCEPT')),
        (filt, 'FORWARD', Rule(in_interface='eth0',
                               out_interface='wlan0',
                               jump='ACCEPT',
                               matches=[established()])),
        (filt, 'INPUT', Rule(jump='ACCEPT', matches=[established()])),
        (nat, 'POSTROUTING', Rule(out_interface='eth0', jump='MASQUERADE')),
        (filt, 'OUTPUT', Rule(out_interface='wlan0', jump='ACCEPT')),
        (filt, 'OUTPUT', Rule(out_interface='eth0', jump='ACCEPT')),
        (filt, 'INPUT', Rule(in_interface='wlan0', jump='ACCEPT')),
        (filt, 'INPUT', Rule(in_interface='lo', jump='ACCEPT')),
        (filt, 'OUTPUT', Rule(out_interface='lo', jump='ACCEPT')),
    ]
    for table, chain, rule in additions:
        table.append_rule(chain, rule)

    # Close the doors only once every ACCEPT above is in place.
    for chain in ('FORWARD', 'INPUT', 'OUTPUT'):
        filt.set_policy(chain, 'DROP')
 def testSourceDestinationProtocol(self):
     """Protocol is emitted first, then source, destination and target."""
     rule = Rule(source='192.168.1.2', destination='192.168.1.3',
                 protocol='tcp', jump='DROP')
     self.assertEqual(rule.protocol, 'tcp')
     self.assertIsNone(rule.in_interface)
     self.assertIsNone(rule.out_interface)
     self.assertEqual(rule.source, '192.168.1.2')
     self.assertEqual(rule.destination, '192.168.1.3')
     self.assertEqual((rule.jump.name(), rule.jump.options()), ('DROP', {}))
     want = ['-p', 'tcp', '-s', '192.168.1.2', '-d', '192.168.1.3', '-j', 'DROP']
     self.assertEqual(rule.specbits(), want)
 def testSourceNegated(self):
     """'! <addr>' as source is emitted as the modern '! -s <addr>' form."""
     rule = Rule(source='! 192.168.1.2', jump='ACCEPT')
     unset = [rule.protocol, rule.in_interface, rule.out_interface,
              rule.destination]
     self.assertEqual(unset, [None] * 4)
     self.assertEqual(rule.source, '! 192.168.1.2')
     self.assertEqual(rule.jump.name(), 'ACCEPT')
     self.assertEqual(rule.jump.options(), {})
     self.assertEqual(rule.specbits(),
                      ['!', '-s', '192.168.1.2', '-j', 'ACCEPT'])
 def testDestinationNegated(self):
     """'! <addr>' as destination is emitted as the modern '! -d <addr>' form."""
     rule = Rule(destination='! 192.168.1.3', jump='REJECT')
     unset = [rule.protocol, rule.in_interface, rule.out_interface,
              rule.source]
     self.assertEqual(unset, [None] * 4)
     self.assertEqual(rule.destination, '! 192.168.1.3')
     self.assertEqual(rule.jump.name(), 'REJECT')
     self.assertEqual(rule.jump.options(), {})
     self.assertEqual(rule.specbits(),
                      ['!', '-d', '192.168.1.3', '-j', 'REJECT'])
 def testInterfacesNegated(self):
     """'!<if>' interfaces are emitted as the modern '! -i <if>' / '! -o <if>' form."""
     print('Running Test Interfaces Negated...')
     rule = Rule(in_interface='!eth0', out_interface='!eth2',
                 jump='REJECT')
     print('\tRule: ' + str(rule))
     for untouched in (rule.protocol, rule.source, rule.destination):
         self.assertIsNone(untouched)
     # Attributes keep the raw negated text; only specbits() normalises it.
     self.assertEqual((rule.in_interface, rule.out_interface), ('!eth0', '!eth2'))
     want = ['!', '-i', 'eth0', '!', '-o', 'eth2', '-j', 'REJECT']
     self.assertEqual(rule.specbits(), want)
     print('...Done')
 def testInit(self):
     """A Rule built from just a Target has every match field unset."""
     print('Rule Test Case Set:\nRunning Test Inital...')
     rule = Rule(jump=Target('ACCEPT'))
     print('\tRule: ' + str(rule))
     unset = [rule.protocol, rule.in_interface, rule.out_interface,
              rule.source, rule.destination]
     self.assertEqual(unset, [None] * 5)
     self.assertEqual(rule.jump.name(), 'ACCEPT')
     self.assertEqual(rule.jump.options(), {})
     self.assertEqual(rule.specbits(), ['-j', 'ACCEPT'])
     print('...Done')
 def testSourceNegated(self):
     """'! <addr>' as source is emitted as the modern '! -s <addr>' form.

     NOTE(review): the fixture uses a real public address; the RFC 5737
     documentation ranges (e.g. 203.0.113.0/24) are the safer choice for
     test data, should this value ever be changed.
     """
     print('Running Test Source Negated...')
     rule = Rule(source='! 104.236.221.27', jump='ACCEPT')
     print('\tRule: ' + str(rule))
     unset = [rule.protocol, rule.in_interface, rule.out_interface,
              rule.destination]
     self.assertEqual(unset, [None] * 4)
     self.assertEqual(rule.source, '! 104.236.221.27')
     self.assertEqual(rule.jump.name(), 'ACCEPT')
     self.assertEqual(rule.jump.options(), {})
     want = ['!', '-s', '104.236.221.27', '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
     print('...Done')
 def testDestinationNegated(self):
     """'! <addr>' as destination is emitted as the modern '! -d <addr>' form."""
     print('Running Test Destination Negated...')
     rule = Rule(destination='! 192.168.1.3', jump='REJECT')
     print('\tRule: ' + str(rule))
     unset = [rule.protocol, rule.in_interface, rule.out_interface,
              rule.source]
     self.assertEqual(unset, [None] * 4)
     self.assertEqual(rule.destination, '! 192.168.1.3')
     self.assertEqual(rule.jump.name(), 'REJECT')
     self.assertEqual(rule.jump.options(), {})
     want = ['!', '-d', '192.168.1.3', '-j', 'REJECT']
     self.assertEqual(rule.specbits(), want)
     print('...Done')
 def setDefaultPolicy(self):
     """Apply the stateful baseline: INPUT and FORWARD default to DROP, OUTPUT to ACCEPT.

     Each DROP chain gets one ACCEPT for ESTABLISHED,RELATED conntrack state
     so that replies to permitted traffic keep flowing; new connections must
     be allowed by rules added afterwards.
     """
     self.printMessage("set default policy", None)

     def established_rule():
         return Rule(matches=[Match('state', '--state ESTABLISHED,RELATED')],
                     jump='ACCEPT')

     self.filter.set_policy('INPUT', 'DROP')
     self.filter.append_rule('INPUT', established_rule())
     self.filter.set_policy('OUTPUT', 'ACCEPT')
     self.filter.set_policy('FORWARD', 'DROP')
     self.filter.append_rule('FORWARD', established_rule())
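def force_add(ip_addr):
    """Open UDP forwarding to *ip_addr* and log the first packet per hour.

    Two rules are prepended to the filter FORWARD chain, ACCEPT first and
    LOG second, so that after both inserts the LOG rule sits above the ACCEPT
    and a matching packet is logged (rate-limited to 1/hour, burst 1) before
    being accepted.

    Args:
        ip_addr: destination address or CIDR, as a str (or anything whose
            str() is one).

    Raises:
        ValueError: if *ip_addr* is not a valid IP address/network.  Match
            splits its option string on whitespace, so an unchecked value
            such as "1.2.3.4 --dport 53" would inject extra iptables options.
    """
    import ipaddress  # function-scope: the module's import block is not in view here

    addr = str(ip_addr)
    ipaddress.ip_network(addr, strict=False)

    filtable = Table('filter')
    accept = Rule(jump='ACCEPT',
                  protocol='udp',
                  matches=[Match('udp', '--dst ' + addr)])
    filtable.prepend_rule('FORWARD', accept)

    log = Rule(jump='LOG',
               protocol='udp',
               matches=[
                   Match('udp', '--dst ' + addr),
                   Match('limit', '--limit 1/hour --limit-burst 1')
               ])
    filtable.prepend_rule('FORWARD', log)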
 def testSourceDestinationProtocol(self):
     """Protocol is emitted first, then source, destination and target."""
     print('Running Test Source Destination Protocol...')
     rule = Rule(source='104.236.221.27', destination='192.168.1.3',
                 protocol='tcp', jump='DROP')
     print('\tRule: ' + str(rule))
     self.assertEqual(rule.protocol, 'tcp')
     self.assertIsNone(rule.in_interface)
     self.assertIsNone(rule.out_interface)
     self.assertEqual((rule.source, rule.destination),
                      ('104.236.221.27', '192.168.1.3'))
     self.assertEqual((rule.jump.name(), rule.jump.options()), ('DROP', {}))
     want = ['-p', 'tcp', '-s', '104.236.221.27', '-d', '192.168.1.3',
             '-j', 'DROP']
     self.assertEqual(rule.specbits(), want)
     print('...Done')
 def testSourceDestinationProtocol(self):
     """Protocol is emitted first, then source, destination and target."""
     rule = Rule(source='192.168.1.2',
                 destination='192.168.1.3',
                 protocol='tcp',
                 jump='DROP')
     self.assertEqual(rule.protocol, 'tcp')
     for untouched in (rule.in_interface, rule.out_interface):
         self.assertIsNone(untouched)
     self.assertEqual(rule.source, '192.168.1.2')
     self.assertEqual(rule.destination, '192.168.1.3')
     self.assertEqual(rule.jump.name(), 'DROP')
     self.assertEqual(rule.jump.options(), {})
     want = ['-p', 'tcp', '-s', '192.168.1.2', '-d', '192.168.1.3', '-j', 'DROP']
     self.assertEqual(rule.specbits(), want)
    def testProtocolNegated(self):
        """parse_rule() accepts both the legacy '-p ! tcp' and modern '! -p tcp' negation."""
        want = Rule(protocol='! tcp',
                    jump=Target('LOG', '--log-prefix "Martians "'))
        for text in (
                '-p ! tcp -j LOG --log-prefix "Martians "',   # iptables < 1.4.3
                '! -p tcp -j LOG --log-prefix "Martians "',   # iptables >= 1.4.3
        ):
            self.assertEqual(netfilter.parser.parse_rule(text), want)
    def testSourceNegated(self):
        """parse_rule() accepts both negation spellings for a CIDR source."""
        want = Rule(source='! 10.1.0.0/20',
                    jump=Target('LOG', '--log-prefix "Martians "'))
        for text in (
                '-s ! 10.1.0.0/20 -j LOG --log-prefix "Martians "',   # iptables < 1.4.3
                '! -s 10.1.0.0/20 -j LOG --log-prefix "Martians "',   # iptables >= 1.4.3
        ):
            self.assertEqual(netfilter.parser.parse_rule(text), want)
def block_icmp_port_unreachable():
    """Append an OUTPUT DROP for ICMP port-unreachable.

    Suppresses the kernel's reply when a UDP packet hits a closed port, so a
    scanner cannot tell closed UDP ports from filtered ones.  The rule must be
    built identically in unblock_icmp_port_unreachable() for the delete to
    match.
    """
    drop = Rule(protocol="icmp",
                matches=[Match('icmp', '--icmp-type port-unreachable')],
                jump='DROP')
    Table('filter').append_rule('OUTPUT', drop)
    def testDestinationNegated(self):
        """parse_rule() accepts both negation spellings for a CIDR destination."""
        want = Rule(destination='! 10.1.0.0/20',
                    jump=Target('LOG', '--log-prefix "Martians "'))
        for text in (
                '-d ! 10.1.0.0/20 -j LOG --log-prefix "Martians "',   # iptables < 1.4.3
                '! -d 10.1.0.0/20 -j LOG --log-prefix "Martians "',   # iptables >= 1.4.3
        ):
            self.assertEqual(netfilter.parser.parse_rule(text), want)
 def testJump(self):
     """A buffered Table records the exact iptables argv for an appended rule.

     The second Table argument (False) keeps the table in buffered mode, so
     nothing is executed and the test inspects get_buffer() instead.
     """
     table = netfilter.table.Table('test_table', False)
     table.append_rule('test_chain', Rule(jump='ACCEPT'))
     want = ['iptables', '-t', 'test_table', '-A', 'test_chain', '-j', 'ACCEPT']
     self.assertEqual(table.get_buffer(), [want])
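    def addFilter(self, start, end, destination, duration, message):
        """Install a tcp/587 redirect for the address range [start, end].

        The range is expressed as a CIDR built from *start* and its length,
        so callers must pass ranges that are aligned blocks.  A rule is added
        to option['chain'] (unless self.debug), recorded in the database and
        remembered in self.rules keyed by (start, end).  When the module-level
        debug_cleanup flag is set the duration is forced to 10.

        Ranges that overlap an already-installed rule are ignored with a
        message on stdout; the original two checks only tested whether the
        new start or end fell inside an existing range and therefore missed
        a new range that completely encloses an existing one, which would have
        installed a second, shadowing rule.

        Args:
            start, end: integer addresses, inclusive.
            destination: value for the target's --to-destination option.
            duration, message: stored in the database alongside the range.
        """
        if debug_cleanup:
            duration = 10
        with self.lock:
            ip = toips(start)
            slash = tobits(end - start + 1)

            for s, e in self.rules:
                if s <= start <= e:
                    print('overlapping rule ignored (start) %s/%d' % (ip, slash))
                    return
                if s <= end <= e:
                    print('overlapping rule ignored (end) %s/%d' % (ip, slash))
                    return
                if start <= s and e <= end:
                    # Neither endpoint is inside [s, e] but the new range
                    # swallows it: still an overlap.
                    print('overlapping rule ignored (encloses) %s/%d' % (ip, slash))
                    return

            rule = Rule(protocol='tcp',
                        source='%s/%d' % (ip, slash),
                        matches=[Match('tcp', '--destination-port 587')],
                        jump=Target(option['jump'],
                                    '--to-destination %s' % destination))
            if not self.debug:
                self.table.append_rule(option['chain'], rule)
            self.database.insert(start, end, duration, message)
            self.rules[(start, end)] = rule
            print("added %s/%d" % (ip, slash))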
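def unblock_outgoing_packets(proto,
                             ipsrc=None,
                             portsrc=None,
                             ipdst=None,
                             portdst=None):
    """Delete the OUTPUT DROP rule previously installed for this 5-tuple.

    The rule is rebuilt from the arguments and handed to iptables -D, so it
    must be constructed exactly as the installing function did (that
    function is not shown here; keep the two in sync).  If no such rule
    exists the IptablesError is swallowed and a message is printed.

    Args:
        proto: protocol name for '-p' (e.g. 'tcp', 'udp').
        ipsrc, ipdst: optional source/destination address.
        portsrc, portdst: optional source/destination port; a falsy value
            (None or 0) adds no port match.

    Fix: the port matches were always built with the 'tcp' match module,
    which iptables rejects on a '-p udp' rule, so a UDP rule could never be
    removed.  The module now follows the protocol for tcp/udp and keeps the
    old 'tcp' fallback for anything else.
    """
    port_module = proto if proto in ('tcp', 'udp') else 'tcp'
    matches = []
    if portsrc:
        matches.append(Match(port_module, '--sport ' + str(portsrc)))
    if portdst:
        matches.append(Match(port_module, '--dport ' + str(portdst)))
    rule = Rule(
        protocol=proto,
        source=ipsrc,
        destination=ipdst,
        matches=matches,
        jump='DROP')

    try:
        Table('filter').delete_rule('OUTPUT', rule)
    except IptablesError:
        # Best effort: a missing rule is reported, not raised.
        print("Unknown rule !", proto, ipsrc, portsrc, ipdst, portdst)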
 def acceptForward(self, in_interface=None, out_interface=None):
     """Append an unconditional ACCEPT to FORWARD between the two interfaces.

     Either interface may be None, in which case that side is unrestricted;
     with both None the rule forwards everything.  The message is logged
     against in_interface only.
     """
     self.printMessage("allow FORWARD", in_interface)
     allow = Rule(in_interface=in_interface,
                  out_interface=out_interface,
                  jump='ACCEPT')
     self.filter.append_rule('FORWARD', allow)
 def testMatch(self):
     """A bare '-m state ...' string parses to a target-less Rule and re-serialises unchanged."""
     text = '-m state --state ESTABLISHED,RELATED'
     parsed = netfilter.parser.parse_rule(text)
     want = Rule(matches=[Match('state', '--state ESTABLISHED,RELATED')])
     self.assertEqual(parsed, want)
     self.assertEqual(parsed.specbits(), text.split())
 def redirectHttp(self, interface, proxy_port):
     """Transparently redirect inbound tcp/80 on *interface* to a local proxy port.

     No-op for IPv6 (the nat table is only handled for IPv4 here).  Adds a
     nat PREROUTING REDIRECT rule, so the redirect applies to traffic that
     arrives on the interface, not to locally generated packets.
     """
     if self.__ipv6:
         return
     self.printMessage("redirect HTTP to port %s" % proxy_port, interface)
     redirect = Rule(in_interface=interface,
                     protocol='tcp',
                     matches=[Match('tcp', '--dport 80')],
                     jump=Target('REDIRECT', '--to-port %s' % proxy_port))
     self.nat.append_rule('PREROUTING', redirect)
    def acceptIcmp(self, interface=None):
        """Allow a curated set of ICMP types on INPUT (all of ICMPv6 when in v6 mode).

        IPv6 accepts the whole icmpv6 protocol, which neighbour discovery
        needs to function.  IPv4 accepts only echo-request, the unreachable
        family, fragmentation-needed (path-MTU discovery) and time-exceeded,
        one rule per type.  *interface* of None means any interface.
        """
        self.printMessage("allow selected icmp INPUT", interface)
        if self.__ipv6:
            self.filter.append_rule(
                'INPUT',
                Rule(in_interface=interface, protocol='icmpv6', jump='ACCEPT'))
            return

        allowed_types = (
            'echo-request', 'network-unreachable', 'host-unreachable',
            'port-unreachable', 'fragmentation-needed', 'time-exceeded',
        )
        for icmp_type in allowed_types:
            allow = Rule(in_interface=interface,
                         protocol='icmp',
                         matches=[Match('icmp', "--icmp-type %s" % icmp_type)],
                         jump='ACCEPT')
            self.filter.append_rule('INPUT', allow)
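 def set_rule(self, in_int, port, src_ip):
     '''
     Build (without installing) an INPUT ACCEPT rule:
         -i $in_int -s $src_ip -p tcp --dport $port -j ACCEPT

     The original docstring omitted the -s restriction that the rule
     carries; the source filter is what keeps this from being a blanket
     port opening.

     Args:
         in_int: inbound interface, or None for any interface.
         port: TCP destination port.
         src_ip: permitted source address/CIDR, or None for any source.

     Returns:
         The Rule object; the caller is responsible for inserting it.

     Fix: the values used to be wrapped in f-strings, which turned a None
     interface/source into the literal text "None" (an interface that does
     not exist, and a source that iptables would try to resolve as a host
     name).  None is now passed through unchanged.
     '''
     def as_text(value):
         return None if value is None else str(value)

     return Rule(in_interface=as_text(in_int),
                 source=as_text(src_ip),
                 protocol="tcp",
                 matches=[Match("tcp", "--dport %s" % port)],
                 jump="ACCEPT")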
def unblock_icmp_port_unreachable():
    """Delete the OUTPUT DROP for ICMP port-unreachable added by block_icmp_port_unreachable().

    The rule is rebuilt with the identical match/target so that iptables -D
    finds it.  A missing rule is reported on stdout rather than raised.
    """
    drop = Rule(protocol="icmp",
                matches=[Match('icmp', '--icmp-type port-unreachable')],
                jump='DROP')
    try:
        Table('filter').delete_rule('OUTPUT', drop)
    except IptablesError:
        print("Try to remove unexisting icmp port-unreachable")
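def force_remove(ip_addr):
    """Best-effort removal of the FORWARD rules that force_add() installed for *ip_addr*.

    Both the UDP ACCEPT rule and the rate-limited LOG rule are deleted; a
    rule that is already gone is silently ignored so the call is idempotent.

    Args:
        ip_addr: destination address or CIDR (str, or anything whose str()
            is one).  The original built the LOG rule from the raw value
            and the ACCEPT rule from str(value), so a non-str argument
            removed one rule and then raised TypeError; both now use str().

    Raises:
        ValueError: if *ip_addr* is not a valid address/network.  Match
            splits its option string on whitespace, so an unchecked value
            could make iptables -D target a different rule than intended.
    """
    import ipaddress  # function-scope: the module's import block is not in view here

    addr = str(ip_addr)
    ipaddress.ip_network(addr, strict=False)

    filtable = Table('filter')
    candidates = [
        Rule(jump='ACCEPT',
             protocol='udp',
             matches=[Match('udp', '--dst ' + addr)]),
        Rule(jump='LOG',
             protocol='udp',
             matches=[
                 Match('udp', '--dst ' + addr),
                 Match('limit', '--limit 1/hour --limit-burst 1')
             ]),
    ]
    for rule in candidates:
        try:
            filtable.delete_rule('FORWARD', rule)
        except IptablesError:
            # Already removed (or never installed): nothing to do.
            pass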
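def manage_logging():
    """Narrow each learned session from 'any UDP port' down to its real port.

    For every AuthConns row that has an ip_port but whose port_status is
    still false: prepend a FORWARD ACCEPT for ``-p udp --dst <ip> --dport
    <port>``, then best-effort delete the broad LOG and ACCEPT rules that
    were installed for the bare address, and set port_status.  The session
    is not committed here; the caller is expected to do that.

    Rows whose address or port does not validate are skipped (fail closed:
    no rule is installed and the row is re-examined on the next sweep).
    Match splits its option string on whitespace, so an unchecked DB value
    such as "1.2.3.4 --dport 53" would otherwise inject extra options.
    """
    import ipaddress  # function-scope: the module's import block is not in view here

    filtable = Table('filter')
    for row in db.session.query(AuthConns):
        if not row.ip_port or row.port_status:
            continue

        addr = str(row.ip_addr)
        port = str(row.ip_port)
        try:
            ipaddress.ip_network(addr, strict=False)
            if not 0 < int(port) < 65536:
                raise ValueError(port)
        except ValueError:
            continue

        narrowed = Rule(jump='ACCEPT',
                        protocol='udp',
                        matches=[Match('udp', '--dst ' + addr + ' --dport ' + port)])
        filtable.prepend_rule('FORWARD', narrowed)

        # The broad rules may already be gone; removal is best effort.
        stale = [
            Rule(jump='LOG',
                 protocol='udp',
                 matches=[
                     Match('udp', '--dst ' + addr),
                     Match('limit', '--limit 1/hour --limit-burst 1')
                 ]),
            Rule(jump='ACCEPT',
                 protocol='udp',
                 matches=[Match('udp', '--dst ' + addr)]),
        ]
        for rule in stale:
            try:
                filtable.delete_rule('FORWARD', rule)
            except IptablesError:
                pass

        row.port_status = True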
 def add_rule(chain, source, to):
     """Insert (at the top of *chain*) a REDIRECT of tcp port *source* to port *to*.

     For PREROUTING the rule is bound to the outbound network interface, i.e.
     it catches traffic arriving from the network; for any other chain it is
     bound to the loopback output side, catching locally generated traffic.
     """
     if chain == 'PREROUTING':
         interface = outbound_network_interface()
         redirect = Rule(protocol='tcp', in_interface=interface)
     else:
         interface = 'lo'
         redirect = Rule(protocol='tcp', out_interface=interface)
     redirect.matches = [Match('tcp', '--dport {0}'.format(source))]
     redirect.jump = Target('REDIRECT', '--to-port {0}'.format(to))
     table.prepend_rule(chain, redirect)
     log.debug('Added a redirect for %s to %s on %s.', source, to,
               interface)
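 def acceptProtocol(self,
                    interface,
                    protocol,
                    ports,
                    destination=None,
                    source=None):
     """Append an INPUT ACCEPT for NEW connections to *ports* over *protocol*.

     The rule combines '-m state --state NEW' with a multiport
     destination-port match, optionally restricted to an interface, a
     destination address and a source address (None means unrestricted).

     Args:
         interface: inbound interface, or None.
         protocol: 'tcp' or 'udp' (multiport requires one of these).
         ports: iterable of port numbers or port ranges; ints and strings
             are both accepted (the original required strings and raised
             TypeError on an int).
         destination, source: optional address/CIDR restrictions.
     """
     port_str = ','.join(str(p) for p in ports)
     self.printMessage(
         "allow selected %s INPUT (ports: %s)" % (protocol, port_str),
         interface)
     allow = Rule(in_interface=interface,
                  destination=destination,
                  source=source,
                  protocol=protocol,
                  matches=[
                      Match('state', '--state NEW'),
                      Match('multiport', "--destination-port %s" % port_str)
                  ],
                  jump='ACCEPT')
     self.filter.append_rule('INPUT', allow)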
 def testMatchTcpNotFlags(self):
     """A negated --tcp-flags keeps '!' as its own argv token between the option and mask."""
     rule = Rule(protocol='tcp', jump='ACCEPT',
                 matches=[Match('tcp', '--tcp-flags ! ACK,SYN ACK')])
     want = ['-p', 'tcp', '-m', 'tcp', '--tcp-flags', '!', 'ACK,SYN', 'ACK',
             '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
 def testMatchState(self):
     """A conntrack state match renders as '-m state --state <list>'."""
     rule = Rule(jump='ACCEPT',
                 matches=[Match('state', '--state ESTABLISHED,RELATED')])
     want = ['-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
 def testMatchMultiportDports(self):
     """multiport --dports keeps the port list as one comma-joined token."""
     ports = '20,21,22,80,25,1720'
     rule = Rule(jump='ACCEPT', matches=[Match('multiport', '--dports ' + ports)])
     self.assertEqual(rule.specbits(),
                      ['-m', 'multiport', '--dports', ports, '-j', 'ACCEPT'])
 def testMatchMark(self):
     """A mark match keeps its hex value verbatim."""
     rule = Rule(jump='ACCEPT', matches=[Match('mark', '--mark 0x64')])
     want = ['-m', 'mark', '--mark', '0x64', '-j', 'ACCEPT']
     self.assertEqual(rule.specbits(), want)
 def testTargetLog(self):
     """Target options are parsed, the quoted prefix is unquoted, and they are re-emitted in a fixed (apparently sorted) order."""
     log = Target('LOG', '--log-prefix "ICMP accepted : " --log-level 4')
     rule = Rule(jump=log)
     # Note --log-level comes out before --log-prefix despite the input order.
     want = ['-j', 'LOG', '--log-level', '4', '--log-prefix', 'ICMP accepted : ']
     self.assertEqual(rule.specbits(), want)
 def testMatchTos(self):
     """A tos match keeps its hex value verbatim."""
     rule = Rule(jump="ACCEPT", matches=[Match("tos", "--tos 0x10")])
     want = ["-m", "tos", "--tos", "0x10", "-j", "ACCEPT"]
     self.assertEqual(rule.specbits(), want)
 def testMatchTcpSport(self):
     """'-p tcp' precedes the explicit '-m tcp --sport' module options."""
     rule = Rule(protocol="tcp", jump="ACCEPT",
                 matches=[Match("tcp", "--sport 1234")])
     want = ["-p", "tcp", "-m", "tcp", "--sport", "1234", "-j", "ACCEPT"]
     self.assertEqual(rule.specbits(), want)
 def testMatchTcpSport(self):
     """'-p tcp' precedes the explicit '-m tcp --sport' module options."""
     rule = Rule(protocol='tcp', jump='ACCEPT',
                 matches=[Match('tcp', '--sport 1234')])
     self.assertEqual(rule.specbits(),
                      ['-p', 'tcp', '-m', 'tcp', '--sport', '1234', '-j', 'ACCEPT'])
 def sourceNAT(self, interface):
     """Masquerade everything leaving via *interface* (IPv4 only; no-op for IPv6).

     Appends a nat POSTROUTING MASQUERADE rule, which rewrites the source of
     outbound packets to the interface's current address.
     """
     if self.__ipv6:
         return
     self.printMessage("enable SNAT", interface)
     masq = Rule(out_interface=interface, jump='MASQUERADE')
     self.nat.append_rule('POSTROUTING', masq)
 def testMatchTos(self):
     """A tos match keeps its hex value verbatim."""
     rule = Rule(jump='ACCEPT', matches=[Match('tos', '--tos 0x10')])
     self.assertEqual(rule.specbits(),
                      ['-m', 'tos', '--tos', '0x10', '-j', 'ACCEPT'])
 def testTargetLog(self):
     """Target options are parsed, the quoted prefix is unquoted, and they are re-emitted in a fixed (apparently sorted) order."""
     print('Running Test Target Log...')
     log = Target('LOG', '--log-prefix "ICMP accepted : " --log-level 4')
     rule = Rule(jump=log)
     print('\tRule: ' + str(rule))
     # Note --log-level comes out before --log-prefix despite the input order.
     want = ['-j', 'LOG', '--log-level', '4', '--log-prefix', 'ICMP accepted : ']
     self.assertEqual(rule.specbits(), want)
     print('...Done')
     print('...Done')