def __init__(self, fwconfigpath, changelogfile): self.fwconfigpath = fwconfigpath self.changelogfile = changelogfile self.configarr = [] self.configvar = '' try: self.abyle_changelog = xml.dom.minidom.parse(self.fwconfigpath+self.changelogfile) except IOError, msg: abyle_output(self.changelogfile+"_xmlparsing", "", "", str(msg))
def __init__(self, fwconfigpath, changelogfile): self.fwconfigpath = fwconfigpath self.changelogfile = changelogfile self.configarr = [] self.configvar = '' try: self.abyle_changelog = xml.dom.minidom.parse(self.fwconfigpath+self.changelogfile) except (IOError): abyle_output(self.changelogfile+"_xmlparsing", "", "", str(sys.exc_info()[1]))
def __init__(self, fwconfigpath, interface, xmlconfig): self.fwconfigpath = fwconfigpath self.pinterface = interface self.xmlconfig = xmlconfig self.configarr = [] self.configvar = '' try: if self.pinterface == "default": self.abyle_config = xml.dom.minidom.parse(self.fwconfigpath+self.xmlconfig) else: self.abyle_config = xml.dom.minidom.parse(self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.xmlconfig) except IOError, msg: abyle_output(self.interface+"_config_xmlparsing", "", "", str(msg))
def __init__(self, fwconfigpath, interface, xmlconfig): self.fwconfigpath = fwconfigpath self.pinterface = interface self.xmlconfig = xmlconfig self.xmlfile = "" self.buildednode = "" try: if self.pinterface == "default": self.abyle_config = xml.dom.minidom.parse(self.fwconfigpath+self.xmlconfig) self.xmlfile = self.fwconfigpath+self.xmlconfig else: self.abyle_config = xml.dom.minidom.parse(self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.xmlconfig) self.xmlfile = self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.xmlconfig except (IOError): abyle_output(self.interface+"_config_xmlwriter", "", "", str(sys.exc_info()[1]))
def AddBuildedNode(self,xpathstring): if not self.buildednode == "": parentnode = xpath.Evaluate(xpathstring , self.abyle_config) newnode_blanktextnode = self.abyle_config.createTextNode("\n") parentnode[0].appendChild(self.buildednode) parentnode[0].appendChild(newnode_blanktextnode) xmlfileWriteHandle = open(self.xmlfile,"wb+") writer = codecs.lookup('utf-8')[3](xmlfileWriteHandle) self.abyle_config.writexml(writer, encoding='utf-8', newl="") writer.close() else: abyle_output("error abyle_xml_writer has not created a new node yet.", "", "", str(msg), "red") sys.exit(1) return
def __init__(self, fwconfigpath, interface, rulesfile, ipt_xmlconfig, excludedInterfaces): self.fwconfigpath = fwconfigpath self.pinterface = interface self.rulesfile = rulesfile self.iptflagsfile = ipt_xmlconfig self.rulesarray = [] self.iptflags_dict = {} self.excludedInterfaces = excludedInterfaces self.allowping = "" try: self.iptflags_config = xml.dom.minidom.parse(self.fwconfigpath+self.iptflagsfile).documentElement if self.excludedInterfaces.count(self.pinterface) > 0: self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+self.rulesfile) elif self.pinterface == "default": self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+self.rulesfile) else: self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.rulesfile) except IOError, msg: abyle_output(self.pinterface+"_xmlparsing", "", "", str(msg))
def getAbstractXmlRules(self, xpathToMainNode): self.abstractRulesArray = [] self.iptflags_indecies = [] if self.allowping == "yes": self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+self.rulesfile) if xpathToMainNode.find("masquerading") > 0: self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.rulesfile) # parse the iptables flags config file, getIpTablesFlags returns: # - a dict of iptablesflags e.g.: 11 -> destination or 12 -> destination-port # - a sorted array of all available index numbers e.g: 1,2,3,...,12 # - the iptables cli switch for the interface argument: e.g: -i # - special flag iptables cli switch for portforwarding destination # - transparent proxy to-port flag # - masquerading interface flag (outside instead of inside) # - subflag dictionary self.iptflags_dict, interface, portfwdDestFlag, transproxyToPortFlag, outsideInterfaceFlag, subflags_dict, subflags_cliswitch_dict = self.getIpTablesFlags() # extract keys (index numbers) in an array and sort it self.iptflags_indecies = self.iptflags_dict.keys() self.iptflags_indecies.sort(self.compnum) if xpathToMainNode.find("head") > 0: blockchain = xpath.Evaluate("/interface/blockruleshead/@blockchain", self.rules_config) blockchain = blockchain[0].firstChild.nodeValue blockchain_create_string = " -N "+blockchain self.abstractRulesArray.append(blockchain_create_string) if xpathToMainNode.find("masquerading") > 0: self.interfacestr = outsideInterfaceFlag+' '+self.pinterface+' ' else: # set the interface string to e.g.: -i eth0 self.interfacestr = interface+' '+self.pinterface+' ' # get list of rules e.g. all traffic nodes or all portforwarding nodes abstractNodes = xpath.Evaluate(xpathToMainNode, self.rules_config) cnt=0 for node in abstractNodes: # get list of all attributes of an rule node abstractAttributeNodes = xpath.Evaluate("./@*", abstractNodes[cnt]) self.attributestr = "" tempDestIpStr = "" tempDestPortStr = "" tempForwardPortStr = "" # loop through iptables flags index number list to build the right order for indexNumber in self.iptflags_indecies: # get the value of a flag out if the iptables flag dict, e.g.: indexNumber=12 then flag_value = destination flag_value = self.iptflags_dict[indexNumber] # loop through all found attribute nodes for attribute in abstractAttributeNodes: # test if the attribute name is equal to the string in flag value if attribute.name == flag_value: try: # parse the file with xpath and get the attributenode cli_switch under cfgname which has the searched indexNumber flag_cli_arg_node = xpath.Evaluate("/flags/flag[@index="+indexNumber+"]/cfgname/@cli_switch", self.iptflags_config) # extract the value if the attribute node [0] = assuming that the index is unique flag_cli_arg = flag_cli_arg_node[0].firstChild.nodeValue # check and build the attribute string with flagCheck() attributeTmpstr = self.flagCheck(attribute.value,flag_cli_arg, indexNumber, self.iptflags_config) except KeyError, msg: abyle_output("abyle_xmlparser.py: parsing error @ iptables flags:", "", "", str(msg), "red") sys.exit(1) if xpathToMainNode.find("portforwarding") > 0 and attribute.name == "destination" : tempDestIpStr = attribute.value elif xpathToMainNode.find("portforwarding") > 0 and attribute.name == "destination-port": tempDestPortStr = attribute.value elif xpathToMainNode.find("portforwarding") > 0 and attribute.name == "forward-port": tempForwardPortStr = attribute.value elif xpathToMainNode.find("transparentproxy") > 0 and attribute.name == "destination": tempDestIpStr = attribute.value elif xpathToMainNode.find("transparentproxy") > 0 and attribute.name == "destination-port": tempDestPortStr = attribute.value else: # append the temp string to the self.attributestr self.attributestr = self.attributestr+attributeTmpstr hasSubflags = "no" for key in subflags_dict.keys(): if str(key) == str(indexNumber): hasSubflags = "yes" if hasSubflags == "yes": subattributeTmpstr = "" tempSubflagsArray = subflags_dict[indexNumber].split(';') tempSubflagsCliswitchArray = subflags_cliswitch_dict[indexNumber].split(';') subflagcnt = 0 for subflag_value in tempSubflagsArray: for attribute in abstractAttributeNodes: if attribute.name == subflag_value: subattributeTmpstr = self.flagCheck(attribute.value,tempSubflagsCliswitchArray[subflagcnt], indexNumber, self.iptflags_config) self.attributestr = self.attributestr+subattributeTmpstr subflagcnt = subflagcnt + 1 cnt = cnt + 1 self.attributestrForward = "" if xpathToMainNode.find("portforwarding") > 0: # append interface string to the attribute string # build the iptablescommand for the PREROUTING chain of the nat table and the FORWARD chain if not self.pinterface == "default": self.attributestr = self.interfacestr+self.attributestr self.attributestrForward = self.attributestr self.attributestrForward = re.sub("PREROUTING","FORWARD",self.attributestrForward) self.attributestrForward = re.sub("DNAT","ACCEPT",self.attributestrForward) self.attributestrForward = re.sub("-t nat","",self.attributestrForward) self.attributestrForward = re.sub("--dport \d{1,5}","",self.attributestrForward) self.attributestrForward = self.attributestrForward+" --destination-port "+tempDestPortStr+" --destination "+tempDestIpStr self.attributestr = self.attributestr+"--dport "+tempForwardPortStr+" "+portfwdDestFlag+' '+tempDestIpStr+":"+tempDestPortStr elif xpathToMainNode.find("transparentproxy") > 0: self.attributestr = self.interfacestr+self.attributestr+transproxyToPortFlag+' '+tempDestPortStr else: if not self.pinterface == "default": self.attributestr = self.interfacestr+self.attributestr # append the string to the rules array self.abstractRulesArray.append(self.attributestr) if not self.attributestrForward == "": self.abstractRulesArray.append(self.attributestrForward)
from xml.dom.minidom import * import re import sys #from xml.dom.minidom import Node from abyle_output import abyle_output try: from xml import xpath except ImportError, msg: abyle_output("xml parser import error, please install python xpath modules", "", "", str(msg), "red") sys.exit(1) class abyleparse: def __init__(self, fwconfigpath, interface, rulesfile, ipt_xmlconfig, excludedInterfaces): self.fwconfigpath = fwconfigpath self.pinterface = interface self.rulesfile = rulesfile self.iptflagsfile = ipt_xmlconfig self.rulesarray = [] self.iptflags_dict = {} self.excludedInterfaces = excludedInterfaces self.allowping = "" try: self.iptflags_config = xml.dom.minidom.parse(self.fwconfigpath+self.iptflagsfile).documentElement if self.excludedInterfaces.count(self.pinterface) > 0: self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+self.rulesfile) elif self.pinterface == "default": self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+self.rulesfile) else:
import sys from abyle_output import abyle_output from xml.dom.minidom import * import codecs try: from oldxml import xpath except (ImportError): abyle_output("xml config parser import error, please install python xpath modules", "", "", str(sys.exc_info()[1]), "red") sys.exit(1) class abyle_config_write: def __init__(self, fwconfigpath, interface, xmlconfig): self.fwconfigpath = fwconfigpath self.pinterface = interface self.xmlconfig = xmlconfig self.xmlfile = "" self.buildednode = "" try: if self.pinterface == "default": self.abyle_config = xml.dom.minidom.parse(self.fwconfigpath+self.xmlconfig) self.xmlfile = self.fwconfigpath+self.xmlconfig else: self.abyle_config = xml.dom.minidom.parse(self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.xmlconfig) self.xmlfile = self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.xmlconfig except (IOError): abyle_output(self.interface+"_config_xmlwriter", "", "", str(sys.exc_info()[1]))
def buildUp(self,protectedif,fwconfigpath, verbose): self.verbose = verbose self.protectedif = protectedif self.fwconfigpath = fwconfigpath abyle_output("", "", "", "", "blue", self.logfile, self.verbose) abyle_output("", "", "", "", "blue", self.logfile, self.verbose) abyle_output("", "", "", "Interface: "+self.protectedif, "green", self.logfile, self.verbose) abyle_output("", "", "", "", "blue", self.logfile, self.verbose) abyle_output("", "", "", "", "blue", self.logfile, self.verbose) if not self.verbose: self.output = abyle_output("","","","","default", self.logfile, self.verbose) self.output.startup("securing "+self.protectedif) if os.path.exists(self.fwconfigpath+'/'+'interfaces/'+self.protectedif) or self.excludedInterfaces.count(self.protectedif) > 0: if self.excludedInterfaces.count(self.protectedif) == 0: tempFileStr = self.fwconfigpath+'interfaces/'+self.protectedif+'/'+self.xmlconfig checkWellformed = self.check_well_formedness(tempFileStr) if checkWellformed != "ok": abyle_output("","","",checkWellformed, "red", self.logfile, self.verbose) sys.exit(1) else: abyle_output("","","",self.fwconfigpath+'interfaces/'+self.protectedif+'/'+self.xmlconfig + " is a well-formed xml", "green", self.logfile, self.verbose) #parse the config file self.if_config = abyle_config_parse(self.fwconfigpath, self.protectedif, self.xmlconfig) try: self.antispoofing = self.if_config.getConfig("antispoofing") except IndexError: self.antispoofing = "NO" try: self.proxyarp = self.if_config.getConfig("proxyarp") except IndexError: self.proxyarp = "NO" try: self.srouting = self.if_config.getConfig("sourcerouting") except IndexError: self.srouting = "NO" try: self.icmprdrs = self.if_config.getConfig("icmpredirects") except IndexError: self.icmprdrs = "NO" try: self.sicmprdrs = self.if_config.getConfig("secureicmpredirects") except IndexError: self.sicmprdrs = "NO" try: self.martians = self.if_config.getConfig("martianslogging") except IndexError: self.martians = "NO" try: self.bootprelay = self.if_config.getConfig("drop0slash8packets") except IndexError: self.bootprelay = "NO" try: self.logging = self.if_config.getConfig("logging") except IndexError: self.logging = "NO" try: self.allowping = self.if_config.getConfig("allowping") except IndexError: self.allowping = "NO" try: self.masquerading = self.if_config.getConfig("masquerading") except IndexError: self.masquerading = "NO" try: self.portforwarding = self.if_config.getConfig("portforwarding") except IndexError: self.portforwarding = "NO" try: self.tproxy = self.if_config.getConfig("transparent_proxy") except IndexError: self.tproxy = "NO" # end parse the config file self.antispoofing = string.upper(self.antispoofing) self.proxyarp = string.upper(self.proxyarp) self.srouting = string.upper(self.srouting) self.icmprdrs = string.upper(self.icmprdrs) self.sicmprdrs = string.upper(self.sicmprdrs) self.martians = string.upper(self.martians) self.bootprelay = string.upper(self.bootprelay) self.logging = string.upper(self.logging) self.allowping = string.upper(self.allowping) self.masquerading = string.upper(self.masquerading) self.portforwarding = string.upper(self.portforwarding) self.tproxy = string.upper(self.tproxy) # interface specific protections abyle_output("","","","PROXY ARP:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.proxyarp == "YES": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.ipv4conf_path+self.protectedif+'/'+self.proxyarp_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "proxy arp activated for "+self.protectedif+"","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.ipv4conf_path+self.protectedif+'/'+self.proxyarp_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "proxy arp deactivated for "+self.protectedif+"","default", self.logfile, self.verbose) abyle_output("","","","SOURCE ROUTING:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.srouting == "YES": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.ipv4conf_path+self.protectedif+'/'+self.srouting_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "allow source routing activated for "+self.protectedif+"","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.ipv4conf_path+self.protectedif+'/'+self.srouting_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "allow source routing deactivated for "+self.protectedif+"","default", self.logfile, self.verbose) abyle_output("","","","ICMP REDIRECTS:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.icmprdrs == "YES": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.ipv4conf_path+self.protectedif+'/'+self.icmpredirects_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "icmp redirects activated for "+self.protectedif+"","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.ipv4conf_path+self.protectedif+'/'+self.icmpredirects_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "icmp redirects deactivated for "+self.protectedif+"","default", self.logfile, self.verbose) abyle_output("","","","SECURE ICMP REDIRECTS:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.sicmprdrs == "YES": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.ipv4conf_path+self.protectedif+'/'+self.secureicmpredirects_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "secure icmp redirects activated for "+self.protectedif+"","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.ipv4conf_path+self.protectedif+'/'+self.secureicmpredirects_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "secure icmp redirects deactivated for "+self.protectedif+"","default", self.logfile, self.verbose) abyle_output("","","","LOG MARTIAN-IPs:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.martians == "YES": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.ipv4conf_path+self.protectedif+'/'+self.martians_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "martians logging activated for "+self.protectedif+"","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.ipv4conf_path+self.protectedif+'/'+self.martians_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "martians logging deactivated for "+self.protectedif+"","default", self.logfile, self.verbose) abyle_output("","","","Drop 0/8 packets.", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.bootprelay == "YES": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.ipv4conf_path+self.protectedif+'/'+self.bootprelay_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "dropping packets from 0/8 activated for "+self.protectedif+"","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.ipv4conf_path+self.protectedif+'/'+self.bootprelay_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "dropping packets from 0/8 deactivated for "+self.protectedif+"","default", self.logfile, self.verbose) abyle_output("","","","ANTI SPOOFING:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.antispoofing == "YES": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.ipv4conf_path+self.protectedif+'/'+self.antispoofing_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "anti spoofing for "+self.protectedif+" activated","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.ipv4conf_path+self.protectedif+'/'+self.antispoofing_file, self.dryrun) abyle_output("abyle_firewall_buildUp", stdErr, stdOut, "anti spoofing for "+self.protectedif+" deactivated","default", self.logfile, self.verbose) self.if_config = abyleparse(self.fwconfigpath, self.protectedif, self.rulesfile, self.ipt_xmlconfig, self.excludedInterfaces) self.rules = self.if_config.getRules() abyle_output("","","","RULES:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") for rule in self.rules: time.sleep(self.naptime / 1000.0) abyle_output("abyle_firewall_buildUp_rules", "", "", self.protectedif+" "+rule,"default", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") stdOut, stdErr = self.executioner.run(self.iptablesbin+' '+rule, self.dryrun) if self.excludedInterfaces.count(self.protectedif) > 0: abyle_output("","","","", "blue", self.logfile, self.verbose) abyle_output("","","","interface "+self.protectedif+" excluded.", "green", self.logfile, self.verbose) abyle_output("","","","", "blue", self.logfile, self.verbose) if not self.verbose: try: con_size = string.join(os.popen("stty size 2>/dev/null").readlines()) arr_con_size = string.split(con_size," ") size = string.atoi(arr_con_size[1])-13 size = size+4 a = string.join(os.popen("echo -n \033[$(("+str(size)+"))G && echo -n [EXCLUDED] ")) self.output.startup(a, "green", "yes") except IndexError: self.output.startup("[EXCLUDED]\n") if self.excludedInterfaces.count(self.protectedif) == 0: abyle_output("","","","PORTFORWARDING:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.portforwarding == "YES": self.portforwarding = self.if_config.getPortforwarding() for portfwd in self.portforwarding: abyle_output("abyle_firewall_buildUp_portfwd", "", "", self.protectedif+" "+portfwd, "default", self.logfile, self.verbose) stdOut, stdErr = self.executioner.run(self.iptablesbin+' '+portfwd, self.dryrun) else: abyle_output("abyle_firewall_buildUp_portfwd", "", "", self.protectedif+" "+"PORTFORWARDING DISABLED", "default", self.logfile, self.verbose) abyle_output("","","","TRANSPARENT PROXY:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.tproxy == "YES": self.tproxy = self.if_config.getTproxy() for transproxy in self.tproxy: abyle_output("abyle_firewall_buildUp_transproxy", "", "", self.protectedif+" "+transproxy, "default", self.logfile, self.verbose) stdOut, stdErr = self.executioner.run(self.iptablesbin+' '+transproxy, self.dryrun) else: abyle_output("abyle_firewall_buildUp_tproxy", "", "", self.protectedif+" "+"TRANSPARENT PROXY DISABLED", "default", self.logfile, self.verbose) abyle_output("","","","LOGGING:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.logging == "YES": self.logging = self.if_config.getLogging() for log in self.logging: abyle_output("abyle_firewall_buildUp_log", "", "", self.protectedif+" "+log, "default", self.logfile, self.verbose) stdOut, stdErr = self.executioner.run(self.iptablesbin+' '+log, self.dryrun) else: abyle_output("abyle_firewall_buildUp_logging", "", "", self.protectedif+" "+"LOGGING DISABLED", "default", self.logfile, self.verbose) abyle_output("","","","ALLOW PING:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.allowping == "YES": self.allowping = self.if_config.getAllowPing() for ap in self.allowping: abyle_output("abyle_firewall_buildUp_allowping", "", "", self.protectedif+" "+ap, "default", self.logfile, self.verbose) stdOut, stdErr = self.executioner.run(self.iptablesbin+' '+ap, self.dryrun) else: abyle_output("abyle_firewall_buildUp_allowping", "", "", self.protectedif+" "+"ALLOWPING DISABLED", "default", self.logfile, self.verbose) abyle_output("","","","MASQUERADING:", "blue", self.logfile, self.verbose) if not self.verbose: self.output.startup(".") if self.masquerading == "YES": self.masquerading = self.if_config.getMasquerading() for mg in self.masquerading: abyle_output("abyle_firewall_buildUp_masquerading", "", "", self.protectedif+" "+mg, "default", self.logfile, self.verbose) stdOut, stdErr = self.executioner.run(self.iptablesbin+' '+mg, self.dryrun) else: abyle_output("abyle_firewall_buildUp_masquerading", "", "", self.protectedif+" "+"MASQUERADING DISABLED", "default", self.logfile, self.verbose) if not self.verbose: try: con_size = string.join(os.popen("stty size 2>/dev/null").readlines()) arr_con_size = string.split(con_size," ") size = string.atoi(arr_con_size[1])-13 size = size+4 a = string.join(os.popen("echo -n \033[$(("+str(size)+"))G && echo -n [DONE] ")) self.output.startup(a, "blue", "yes") except IndexError: self.output.startup("[DONE]\n") #self.output.startup("[DONE]", "blue") else: abyle_output("abyle_firewall", "", "", "ERROR: No directory found for interface "+self.protectedif+" in "+self.fwconfigpath+'interfaces/', "red", self.logfile, self.verbose)
def buildUpFinish(self, verbose): self.verbose = verbose now = datetime.datetime.now() now = now.strftime("%Y/%m/%d %H:%M:%S") self.defaultrules = self.default_config.getDefaultRules("foot") abyle_output("","","","SETTING UP DEFAULT RULES:", "blue", self.logfile, self.verbose) for drule in self.defaultrules: abyle_output("abyle_firewall_buildUpFinish_foot", "", "", "default-rule: "+drule, "default", self.logfile, self.verbose) stdOut, stdErr = self.executioner.run(self.iptablesbin+' '+drule, self.dryrun) abyle_output("", "", "", "", "blue", self.logfile, self.verbose) abyle_output("", "", "", "Startup done - "+now,"blue", self.logfile, self.verbose) abyle_output("", "", "", "", "blue", self.logfile, self.verbose) abyle_output("", "", "", "######################################### END #########################################","green", self.logfile, self.verbose) abyle_output("", "", "", "", "blue", self.logfile, self.verbose)
def __init__(self, dryrun, iptablesbin, fwconfigpath, rulesfile, ipt_xmlconfig, xmlconfig, echocmd, logfile, verbose): self.naptime = 10 # milliseconds self.dryrun = dryrun self.iptablesbin = iptablesbin self.fwconfigpath = fwconfigpath self.rulesfile = rulesfile self.ipt_xmlconfig = ipt_xmlconfig self.xmlconfig = xmlconfig self.logfile = logfile self.verbose = verbose self.executioner = abyle_execute() self.echocmd = echocmd global_config = abyle_config_parse(fwconfigpath, "default", xmlconfig) self.excludedInterfaces = global_config.getConfig("excluded_interfaces") try: self.tcpabort_file = global_config.getConfig("tcpabortfile") except IndexError: self.tcpabort_file = "/proc/sys/net/ipv4/tcpicmpbcastfile_abort_on_overflow" try: self.icmpbcastreply_file = global_config.getConfig("icmpbcastfile") except IndexError: self.icmpbcastreply_file = "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" try: self.dynaddresshack_file = global_config.getConfig("dynaddresshackfile") except IndexError: self.dynaddresshack_file = "/proc/sys/net/ipv4/ip_dynaddr" try: self.ipv4conf_path = global_config.getConfig("ipv4confpath") except IndexError: self.ipv4conf_path = "/proc/sys/net/ipv4/conf/" try: self.antispoofing_file = global_config.getConfig("antispoofingfile") except IndexError: self.antispoofing_file = "rp_filter" try: self.syncookiefile = global_config.getConfig("syncookiefile") except IndexError: self.syncookiefile = "/proc/sys/net/ipv4/tcp_syncookies" try: self.ipv4forwardfile = global_config.getConfig("ipv4forwardfile") except IndexError: self.ipv4forwardfile = "/proc/sys/net/ipv4/ip_forward" try: self.syncookie = string.upper(global_config.getConfig("syncookie")) except IndexError: self.syncookie = "YES" try: self.ipv4forward = string.upper(global_config.getConfig("ipv4forward")) except IndexError: self.syncookie = "NO" try: self.tcpabort = string.upper(global_config.getConfig("aborttcp")) except IndexError: self.tcpabort = "NO" try: self.icmpbcastreply = string.upper(global_config.getConfig("answericmpbroadcast")) except IndexError: self.icmpbcastreply = "NO" try: self.dynaddresshack = string.upper(global_config.getConfig("dynaddresshack")) except IndexError: self.dynaddresshack = "NO" try: self.proxyarp_file = global_config.getConfig("proxyarpfile") except IndexError: self.proxyarp_file = "proxy_arp" try: self.srouting_file = global_config.getConfig("sroutingfile") except IndexError: self.srouting_file = "accept_source_route" try: self.icmpredirects_file = global_config.getConfig("icmprdrsfile") except IndexError: self.icmpredirects_file = "accept_redirects" try: self.secureicmpredirects_file = global_config.getConfig("icmpsecurerdrsfile") except IndexError: self.secureicmpredirects_file = "secure_redirects" try: self.martians_file = global_config.getConfig("martiansfile") except IndexError: self.martians_file = "log_martians" try: self.bootprelay_file = global_config.getConfig("bootprelayfile") except IndexError: self.bootprelay_file = "bootp_relay" now = datetime.datetime.now() now = now.strftime("%Y/%m/%d %H:%M:%S") abyle_output("", "", "", "","blue", self.logfile, self.verbose) abyle_output("", "", "", "######################################### STARTUP #########################################","green", self.logfile, self.verbose) abyle_output("", "", "", "","blue", self.logfile, self.verbose) abyle_output("", "", "", "startup time: "+now,"default", self.logfile, self.verbose) abyle_output("", "", "", "","blue", self.logfile, self.verbose) abyle_output("","","","IPv4 send RST on full tcp buffer:", "blue", self.logfile, self.verbose) if not self.tcpabort == "NO": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.tcpabort_file, self.dryrun) abyle_output("abyle_firewall", stdErr, stdOut, "ipv4 send TCP-RST on full buffer is activated","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.tcpabort_file, self.dryrun) abyle_output("abyle_firewall", stdErr, stdOut, "ipv4 send TCP-RST on full buffer is deactivated","default", self.logfile, self.verbose) abyle_output("","","","IPv4 Reply to ICMP Broadcast:", "blue", self.logfile, self.verbose) if not self.icmpbcastreply == "NO": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.icmpbcastreply_file, self.dryrun) abyle_output("abyle_firewall", stdErr, stdOut, "ipv4 reply to ICMP Broadcasts is deactivated","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.icmpbcastreply_file, self.dryrun) abyle_output("abyle_firewall", stdErr, stdOut, "ipv4 reply to ICMP Broadcasts is activated","default", self.logfile, self.verbose) abyle_output("","","","IPv4 Dynamic-Address-Hack:", "blue", self.logfile, self.verbose) if not self.dynaddresshack == "NO": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.dynaddresshack_file, self.dryrun) abyle_output("abyle_firewall", stdErr, stdOut, "ipv4 dynamic address hack activated","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.dynaddresshack_file, self.dryrun) abyle_output("abyle_firewall", stdErr, stdOut, "ipv4 dynamic address hack deactivated","default", self.logfile, self.verbose) abyle_output("","","","IPv4 FORWARDING:", "blue", self.logfile, self.verbose) if not self.ipv4forward == "NO": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.ipv4forwardfile, self.dryrun) abyle_output("abyle_firewall", stdErr, stdOut, "ipv4 forwarding activated","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.ipv4forwardfile, self.dryrun) abyle_output("abyle_firewall", stdErr, stdOut, "ipv4 forwarding deactivated","default", self.logfile, self.verbose) abyle_output("","","","SYNCOOKIE:", "blue", self.logfile, self.verbose) if not self.syncookie == "NO": stdOut, stdErr = self.executioner.run(self.echocmd+' 1 > '+self.syncookiefile, self.dryrun) abyle_output("abyle_firewall", stdErr, stdOut, "syncookie activated","default", self.logfile, self.verbose) else: stdOut, stdErr = self.executioner.run(self.echocmd+' 0 > '+self.syncookiefile, self.dryrun) abyle_output("abyle_firewall", stdErr, stdOut, "syncookie deactivated","default", self.logfile, self.verbose) self.default_config = abyleparse(self.fwconfigpath, "default", self.rulesfile, self.ipt_xmlconfig, self.excludedInterfaces) self.defaultrules = self.default_config.getDefaultRules("head") for drule in self.defaultrules: abyle_output("abyle_firewall_buildUpFinish_head", "", "", "default-rule: "+drule,"default", self.logfile, self.verbose) stdOut, stdErr = self.executioner.run(self.iptablesbin+' '+drule, self.dryrun)