def testInterfacesNegated(self):
# iptables < 1.4.3
rule = netfilter.parser.parse_rule(
'-i ! eth0 -j LOG --log-prefix "Martians "')
self.assertEqual(
rule,
Rule(in_interface='! eth0',
jump=Target('LOG', '--log-prefix "Martians "')))
rule = netfilter.parser.parse_rule(
'-o ! eth0 -j LOG --log-prefix "Martians "')
self.assertEqual(
rule,
Rule(out_interface='! eth0',
jump=Target('LOG', '--log-prefix "Martians "')))
# iptables >= 1.4.3
rule = netfilter.parser.parse_rule(
'! -i eth0 -j LOG --log-prefix "Martians "')
self.assertEqual(
rule,
Rule(in_interface='! eth0',
jump=Target('LOG', '--log-prefix "Martians "')))
rule = netfilter.parser.parse_rule(
'! -o eth0 -j LOG --log-prefix "Martians "')
self.assertEqual(
rule,
Rule(out_interface='! eth0',
jump=Target('LOG', '--log-prefix "Martians "')))
def addFilter(self, start, end, destination, duration, message):
if debug_cleanup:
duration = 10
with self.lock:
ip = toips(start)
l = end - start + 1
slash = tobits(l)
for s, e in self.rules:
if start >= s and start <= e:
print 'overlapping rule ignored (start) %s/%d' % (ip,
slash)
return
if end >= s and end <= e:
print 'overlapping rule ignored (end) %s/%d' % (ip, slash)
return
rule = Rule(protocol='tcp',
source='%s/%d' % (ip, slash),
matches=[Match('tcp', '--destination-port 587')],
jump=Target(option['jump'],
'--to-destination %s' % destination))
if not self.debug:
self.table.append_rule(option['chain'], rule)
self.database.insert(start, end, duration, message)
self.rules[(start, end)] = rule
print "added %s/%d" % (ip, slash)
def testProtocolNegated(self):
# iptables < 1.4.3
rule = netfilter.parser.parse_rule(
'-p ! tcp -j LOG --log-prefix "Martians "')
self.assertEqual(
rule,
Rule(protocol='! tcp',
jump=Target('LOG', '--log-prefix "Martians "')))
# iptables >= 1.4.3
rule = netfilter.parser.parse_rule(
'! -p tcp -j LOG --log-prefix "Martians "')
self.assertEqual(
rule,
Rule(protocol='! tcp',
jump=Target('LOG', '--log-prefix "Martians "')))
def testSourceNegated(self):
# iptables < 1.4.3
rule = netfilter.parser.parse_rule(
'-s ! 10.1.0.0/20 -j LOG --log-prefix "Martians "')
self.assertEqual(
rule,
Rule(source='! 10.1.0.0/20',
jump=Target('LOG', '--log-prefix "Martians "')))
# iptables >= 1.4.3
rule = netfilter.parser.parse_rule(
'! -s 10.1.0.0/20 -j LOG --log-prefix "Martians "')
self.assertEqual(
rule,
Rule(source='! 10.1.0.0/20',
jump=Target('LOG', '--log-prefix "Martians "')))
def testDestinationNegated(self):
# iptables < 1.4.3
rule = netfilter.parser.parse_rule(
'-d ! 10.1.0.0/20 -j LOG --log-prefix "Martians "')
self.assertEqual(
rule,
Rule(destination='! 10.1.0.0/20',
jump=Target('LOG', '--log-prefix "Martians "')))
# iptables >= 1.4.3
rule = netfilter.parser.parse_rule(
'! -d 10.1.0.0/20 -j LOG --log-prefix "Martians "')
self.assertEqual(
rule,
Rule(destination='! 10.1.0.0/20',
jump=Target('LOG', '--log-prefix "Martians "')))
def redirectHttp(self, interface, proxy_port):
if self.__ipv6: return
self.printMessage("redirect HTTP to port %s" % proxy_port, interface)
self.nat.append_rule(
'PREROUTING',
Rule(in_interface=interface,
protocol='tcp',
matches=[Match('tcp', '--dport 80')],
jump=Target('REDIRECT', '--to-port %s' % proxy_port)))
def testInit(self):
rule = Rule(jump=Target('ACCEPT'))
self.assertEqual(rule.protocol, None)
self.assertEqual(rule.in_interface, None)
self.assertEqual(rule.out_interface, None)
self.assertEqual(rule.source, None)
self.assertEqual(rule.destination, None)
self.assertEqual(rule.jump.name(), 'ACCEPT')
self.assertEqual(rule.jump.options(), {})
self.assertEqual(rule.specbits(), ['-j', 'ACCEPT'])
def add_rule(chain, source, to):
"""Adds a rule to the given table."""
rule = Rule(protocol='tcp')
if chain == 'PREROUTING':
interface = outbound_network_interface()
rule.in_interface = interface
else:
rule.out_interface = 'lo'
interface = 'lo'
rule.matches = [Match('tcp', '--dport {0}'.format(source))]
rule.jump = Target('REDIRECT', '--to-port {0}'.format(to))
table.prepend_rule(chain, rule)
log.debug('Added a redirect for %s to %s on %s.', source, to,
interface)
def testInit(self):
target = Target('ACCEPT')
self.assertEqual(target.name(), 'ACCEPT')
self.assertEqual(target.options(), {})
def testTargetLog(self):
rule = Rule(jump=Target(
'LOG', '--log-prefix "ICMP accepted : " --log-level 4'))
self.assertEqual(rule.specbits(), [
'-j', 'LOG', '--log-level', '4', '--log-prefix', 'ICMP accepted : '
])
def testNotEqualOptions(self):
target1 = Target('ACCEPT')
target2 = Target('ACCEPT', '--foo bar')
self.assertEqual(target1 == target2, False)
self.assertEqual(target1 != target2, True)
def testEqualOutOfOrder(self):
target1 = Target('ACCEPT', '--foo bar --wiz bang')
target2 = Target('ACCEPT', '--wiz bang --foo bar')
self.assertEqual(target1 == target2, True)
self.assertEqual(target1 != target2, False)
def testInitOptions(self):
target = Target('REDIRECT', '--wiz bang --foo bar')
self.assertEqual(target.name(), 'REDIRECT')
self.assertEqual(target.options(), {'foo': ['bar'], 'wiz': ['bang']})
from netfilter.rule import Rule, Match, Target
from netfilter.table import Table
rule = Rule(
in_interface='eth0',
#protocol='tcp',
#matches=[Match('tcp')],
jump=Target('DNAT', '--to-destination 192.168.137.1'))
#rule.jump.options="--to-source 123.123.123.123"
table = Table('nat')
table.append_rule('PREROUTING', rule)
print rule
#table.delete_rule('POSTROUTING', rule)
def createRules(s, clients):
# Create firewall rules for all connections
for key in clients:
# Get robot by anchor
r = s.db.query(Robot)\
.join('container')\
.filter(Robot.anchor==key)\
.first()
if not r:
# robot doesn't exist - skip
s.log.critical('Robot {0} does NOT exist'.format(key))
continue
# Get virtual address of client from dict
vaddress = clients[key]['Virtual Address']
# Gen WebSocket port
r.wsport = s.ws_port.gen()
s.log.debug('Gen WebSocket port {0} for robot {1}'.format(
r.wsport, key))
# Save container external WebSocket port in database
s.db.add(r)
s.db.commit()
# Make client firewall rules
s.log.info('Create firewall rule for: {0} -> {1}'.format(
vaddress, r.container.address))
client_rule = Rule(protocol='tcp',
destination=r.container.address,
source=vaddress,
in_interface='tun0',
jump=Target(
'DNAT', '--to-destination {0}'.format(
r.container.address)))
# Make container firewall rules
s.log.info('Create firewall rule for: {0} <- {1}'.format(
vaddress, r.container.address))
container_rule = Rule(protocol='tcp',
source=r.container.address,
destination=vaddress,
in_interface='veth.{0}'.format(r.anchor),
jump=Target(
'DNAT',
'--to-destination {0}'.format(vaddress)))
master_rule = Rule(
protocol='tcp',
source=r.container.address,
destination=GATEWAY_ADDRESS,
in_interface='veth.{0}'.format(r.anchor),
matches=[Match('tcp', '--dport 11311')],
jump=Target('DNAT',
'--to-destination {0}:11311'.format(vaddress)))
s.log.info('Create firewall rule for: WebSocket -> {0}'.format(
r.container.address))
websock_rule = Rule(
protocol='tcp',
matches=[Match('tcp', '--dport {0}'.format(r.wsport))],
jump=Target(
'DNAT',
'--to-destination {0}:9090'.format(r.container.address)))
# Append rules to table
s.table.append_rule('PREROUTING', client_rule)
s.table.append_rule('PREROUTING', container_rule)
s.table.append_rule('PREROUTING', master_rule)
s.table.append_rule('PREROUTING', websock_rule)
# Append rules to internal list
s.rules[r.anchor] = {
'client': client_rule,
'container': container_rule,
'master': master_rule,
'websock': websock_rule
}