def start(self, **args):
print("adding rule icmp")
rule = Rule()
rule.create_target("ACCEPT")
rule.protocol = "icmp"
icmp_match = rule.create_match("icmp")
icmp_match.set_parameter("icmp-type", "8")
comment_match = rule.create_match("comment")
comment_match.comment = self.identifier + ":icmp"
self.input_chain.append_rule(rule)
# Top rule should be to allow related, established connections.
related_rule = self.create_conntrack_rule("ACCEPT", "ctstate",
"RELATED,ESTABLISHED")
self.input_chain.insert_rule(related_rule)
# Drop igmp packets before logging.
drop_igmp_rule = Rule()
drop_igmp_rule.create_target("DROP")
drop_igmp_rule.protocol = "igmp"
self.input_chain.append_rule(drop_igmp_rule)
# Log all that is refused in INPUT chain.
log_rule = self.create_log_rule("not in allowed services", group="1")
self.input_chain.append_rule(log_rule)
# Drop invalid packets - as diagnosed by the conntrack processor.
# Note that this rule is useless because packets would be dropped anyway.
invalid_rule = self.create_conntrack_rule("DROP", "ctstate", "INVALID")
self.input_chain.append_rule(invalid_rule)
super().start(**args) # commits the table if relevant
def create_rule(self, name, target, dst="", dport="", src="", sport="", proto="", siface="", diface=""):
"""create and return a rule (or two if no proto given).
name can be any string
target is a string saying what to do, like
"ACCEPT", "DENY", "DROP", "LOG"
proto (if not defined, is assumed both udp and tcp)
src is a realm in the form XXX.XXX.XXX.XXX/YY
sport is source port. Currently ignored
dst is a realm in the same form as src
dport is destination port
siface is the source interface
diface is the destination interface
"""
#print("adding rule %s" % name)
if (dport or sport) and not proto:
return [ self.create_rule(name,
target,
dst,
dport,
src,
sport,
proto,
siface,
diface) for proto in ("tcp", "udp") ]
rule = Rule()
rule.create_target(target)
if dst:
rule.dst = dst
if dport:
proto_match = rule.create_match(proto)
proto_match.dport = str(dport)
rule.protocol = proto
if diface:
rule.in_interface = diface
if src:
if src.count("-"):
iprange_match = rule.create_match("iprange")
iprange_match.src_range = src
rule.add_match(iprange_match)
else:
rule.src = src
if sport:
proto_match = rule.create_match(proto)
proto_match.sport = str(sport)
rule.protocol = proto
if siface:
rule.out_interface = siface
# Add a signature as a comment.
comment_match = rule.create_match("comment")
comment_match.comment = self.identifier + ":" + name
rule.final_check()
return rule
def _build_iptables_drop_rule(self, port):
rule = Rule()
rule.protocol = "tcp"
match = rule.create_match("tcp")
match.dport = str(port)
target = rule.create_target("DROP")
chain = Chain(Table(Table.FILTER), "INPUT")
return chain, rule
def _get_base_rule(self, match):
rule = Rule()
rule.protocol = match.ip_proto_num
rule.dst = "%s/%s" % (match.dst_ip, match.netmask)
if match.dst_port != 0:
ipt_match = IPT_Match(rule,
self._prot_port_supp[match.ip_proto_num])
ipt_match.dport = str(match.dst_port)
rule.add_match(ipt_match)
return rule
def _build_iptables_accept_rule(self, port, client):
src, src_port = client
rule = Rule()
rule.protocol = "tcp"
rule.src = src
match = rule.create_match("tcp")
match.dport = str(port)
match.sport = str(src_port)
target = rule.create_target("ACCEPT")
chain = Chain(Table(Table.FILTER), "INPUT")
return chain, rule
def insert_rule(self):
if not self.rule:
rule = Rule()
rule.protocol = 'tcp'
rule.target = rule.create_target(self.target)
match = rule.create_match('comment')
match.comment = self._comment
match = rule.create_match('set')
match.match_set = [self.ipset_name, self.match_set_flag]
self.rule = rule
log.info(
'''Inserting a rule with target %s into chain %s (table %s) for ipset "%s" (with comment "%s", rule position: %s)''',
self.target, self.chain_name, self.table_name, self.ipset_name, self._comment, self.rule_pos)
self.chain.insert_rule(rule, position=self.rule_pos)
