def filterRules(self, acls, forward_chains, custom_rules):
for line in longComment("filter table"):
yield line
yield "*filter"
for chain in ("INPUT", "FORWARD", "OUTPUT"):
decision = self.default_decisions.getDecision(chain)
if decision == 'REJECT':
decision = 'DROP'
yield Counters(chain, decision=decision)
for chain_obj in forward_chains:
yield chain_obj.create
if self.options.deny_all:
return
for line in self.defaultFilterRules():
yield line
for line in self.userPreRules('filter'):
yield line
for line in self.customRules(custom_rules, 'filter-pre'):
yield line
for line in comment("Dispatch FORWARD to the different chains"):
yield line
for line in dispatchRules(forward_chains):
yield line
for line in aclsRules(self, acls):
yield line
for line in self.customRules(custom_rules, 'filter-post'):
yield line
for line in self.userPostRules('filter'):
yield line
for line in self.filterDrop(forward_chains):
yield line
def defaultFilterRules(self):
if self.options.gateway:
chains = ("FORWARD", "INPUT", "OUTPUT")
else:
chains = ("INPUT", "OUTPUT")
for line in comment("Default filter rules"):
yield line
# Accept packets related to established connections
for chain in chains:
yield Arguments(
"-A", chain,
"-m", "state", "--state", "RELATED,ESTABLISHED",
"-j", "ACCEPT")
# Drop invalid packets?
if self.config['drop_invalid']:
for chain in chains:
if chain == 'INPUT':
continue
args = Arguments("-A", chain)
if self.options.ipv6:
args += Arguments("!", "-p", "icmpv6")
args += Arguments("-m", "state", "--state", "INVALID")
if self.config['log_invalid']:
yield args + self.logRule("DROP", "Drop INVALID %s" % chain)
yield args + Arguments("-j", "DROP")
# Accept all packets from loopback interface
yield Arguments("-A", "INPUT",
"-i", "lo",
"-j", "ACCEPT") + self._comment("Trust loopback")
yield Arguments("-A", "OUTPUT",
"-o", "lo",
"-j", "ACCEPT") + self._comment("Trust loopback")
def aclRules(self, acl, chain):
title = unicode(acl)
if not acl.enabled:
title += ' (disabled)'
for line in comment(title, extra=acl.comment, empty_line=self.empty_line):
yield line
rules = AclRule(acl, chain, self.iptables)
rule_number = 1
for rule in rules.generateRules(rule_number):
yield rule
rule_number += 1
def userRules(self, table, suffix):
if self.options.ipv6:
dirname = LOCAL_RULES_IPV6_DIR
else:
dirname = LOCAL_RULES_IPV4_DIR
pattern = path_join(dirname, '%s*.rules' % table) + suffix
for filename in glob(pattern):
text = "User rules: %s" % filename
for line in comment(text):
yield line
with open(filename) as user_file:
for line in user_file:
line = line.strip()
if not line:
continue
if not line.startswith("#"):
line = REMOVE_COMMENT.sub('', line)
yield line
for line in closeComment(text):
yield line
def dropRules(self, table, chains):
if not chains:
return
for line in comment("Default decisions"):
yield line
for chain in chains:
if isinstance(chain, IptablesChain):
if chain.isGeneric():
yield u"# No default drop for chain %s" % chain
continue
chain_key = (chain.input.id, chain.output.id)
else:
# chain is a string (eg. 'FORWARD')
chain_key = chain
decision, use_log = self.default_decisions.get(chain_key)
if (table == "mangle") and (decision == 'REJECT'):
# It's not possible to reject packets in mangle table
decision = "DROP"
if use_log:
yield self.logDrop(chain, decision)
yield Arguments("-A", chain, "-j", decision) + self._comment("Default decision")
def iptableRules(iptables, nat, empty_line, apply_rules):
ruleset = nat.ruleset
if iptables.options.format == "iptables":
prefix = Arguments("iptables", "-t", "nat")
else:
prefix = Arguments()
# Create header (title and comment)
title = unicode(nat)
if not nat.enabled:
title += u' (disabled)'
for line in comment(title, extra=nat.comment, empty_line=empty_line):
yield line
# Create source and destination parameters
chain = nat.createChainKey()
# Create protocols
protocols = list(flattenObjectList(nat.filters))
if not protocols:
protocols = (None,)
# Get nated sources
if len(nat.nated_sources):
nated_src = getFirst(nat.nated_sources)
else:
nated_src = None
# Get nated destinations
if len(nat.nated_destinations):
nated_dst = getFirst(nat.nated_destinations)
else:
nated_dst = None
if nat.type != NAT_TRANSLATE:
suffix = Arguments('-j', 'ACCEPT')
elif chain == u'POSTROUTING' and isinstance(nated_src, FirewallResource):
suffix = Arguments('-j', 'MASQUERADE')
elif chain == u'POSTROUTING':
source = getFirstAddress(nat, nated_src, apply_rules)
if isinstance(nated_src, (NetworkResource, IPsecNetworkResource)):
suffix = Arguments('-j', 'NETMAP', '--to', source)
else:
suffix = Arguments('-j', 'SNAT', '--to-source', source)
elif chain == u'PREROUTING':
dest = getFirstAddress(nat, nated_dst, apply_rules)
if len(nat.nated_filters):
newproto = getFirst(nat.nated_filters)
dest += u':%s' % newproto.dport
if isinstance(nated_dst, (NetworkResource, IPsecNetworkResource)):
suffix = Arguments('-j', 'NETMAP', '--to', dest)
else:
suffix = Arguments('-j', 'DNAT', '--to-destination', dest)
rule_number = 1
for network_args in formatSrcDst(ruleset.resources, nat, chain):
for proto in protocols:
iptable_rule = prefix
if not nat.enabled:
iptable_rule += Arguments("#")
iptable_rule += Arguments('-A', chain)
iptable_rule += network_args
if proto:
iptable_rule += formatProtocol(proto, chain)
iptable_rule += suffix
if iptables.options.format != "iptables":
iptable_rule += iptables.ruleComment(nat, rule_number)
rule_number += 1
yield iptable_rule
