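def start_bandwitdh_shaping(self, TrafficShaper):
    """Shape bandwidth on one interface with an HTB qdisc plus u32 filters.

    Reads ``interface_name``, ``interface_address``, ``download_limit`` and
    ``upload_limit`` from ``TrafficShaper``.  Limits are taken as Mbit/s and
    suffixed with ``mbit`` for ``tc``; a limit that is ``None`` gets neither a
    class nor a filter.  Traffic addressed *to* ``interface_address`` is
    treated as download (class 1:1), traffic *from* it as upload (class 1:2).
    For the HTB options see ``tc-htb(8)``.

    :param TrafficShaper: object carrying the four attributes named above
    """
    import shlex  # local import: the file's import block is outside this listing

    # Every value below is spliced into a shell command line (Bash runs a
    # shell: other methods rely on redirection and `if ...; fi`), so quote
    # them.  Well-formed names/addresses are left untouched by shlex.quote.
    iface_name = shlex.quote(str(TrafficShaper.interface_name))
    iface_addr = shlex.quote(str(TrafficShaper.interface_address))

    dwld = None
    if TrafficShaper.download_limit is not None:
        dwld = shlex.quote(str(TrafficShaper.download_limit) + "mbit")
    upld = None
    if TrafficShaper.upload_limit is not None:
        upld = shlex.quote(str(TrafficShaper.upload_limit) + "mbit")

    # Common prefix of the u32 filters that steer packets into the classes.
    u32_filter = ("tc filter add dev " + iface_name
                  + " protocol ip parent 1:0 prio 1 u32")

    # Root qdisc.  `default 30` names class 1:30, which is not created here,
    # so per tc-htb(8) unclassified traffic is passed through unshaped.
    Bash("tc qdisc add dev " + iface_name + " root handle 1: htb default 30")
    if dwld is not None:
        Bash("tc class add dev " + iface_name
             + " parent 1: classid 1:1 htb rate " + dwld)
    if upld is not None:
        Bash("tc class add dev " + iface_name
             + " parent 1: classid 1:2 htb rate " + upld)
    if dwld is not None:
        Bash(u32_filter + " match ip dst " + iface_addr + "/32 flowid 1:1")
    if upld is not None:
        Bash(u32_filter + " match ip src " + iface_addr + "/32 flowid 1:2")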
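def start_iperf_server(self, iperf_server):
    """Run a one-off ``iperf3`` server and return its output.

    ``--one-off`` makes the server exit after serving a single client, so
    ``Bash.get_output()`` returns once that test has finished.  The output
    is printed as well as returned.

    :param iperf_server: object with ``address`` and ``port`` attributes
        (``port`` may be an int or a str)
    :return: whatever ``Bash.get_output()`` returned for the command
    """
    import shlex  # local import: the file's import block is outside this listing

    # Address and port come from configuration and end up on a shell
    # command line, so quote them.
    cmd = ("iperf3 --server " + shlex.quote(str(iperf_server.address))
           + " --port " + shlex.quote(str(iperf_server.port))
           + " --one-off")
    logging.debug("iperf server cmd: %s", cmd)
    bash = Bash(cmd)
    result = bash.get_output()
    print(result)
    return result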
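def set_configuration(self, json_configuration):
    """Apply a complete firewall configuration given as JSON.

    Steps, in this order: configure every interface, pick the WAN
    interface, bridge the two transparent interfaces as ``br0`` (and, when
    the bridge was created, drop traffic from the firewall host towards the
    LAN side), then add the policies, the blacklist and the whitelist.

    :param json_configuration: the JSON document handed to the parsers
    :raises ValueError: if there are not exactly two transparent interfaces,
        or if none / both of them match ``self.wan_interface``
    """
    json_interfaces = self.firewallParser.parse_interfaces(json_configuration)
    for json_iface in json_interfaces:
        self.configure_interface(json_iface)

    conf_firewall = self.firewallParser.parse_firewall_configuration(
        json_configuration)
    self.set_wan_interface(conf_firewall)

    # Explicit check rather than `assert`: asserts are stripped under -O and
    # this guards data coming from the configuration.
    if len(self.transparent_intefaces) != 2:
        raise ValueError("Error: transparent interfaces have to be 2")
    logging.debug(
        "Found " + str(len(self.transparent_intefaces))
        + " transparent interfaces, now create a bridge between them")

    to_lan_interface = None
    to_wan_interface = None
    for tr_iface in self.transparent_intefaces:
        if tr_iface.name == self.wan_interface:
            to_wan_interface = tr_iface
        else:
            to_lan_interface = tr_iface
    logging.debug("to_wan_interface : " + str(to_wan_interface))
    logging.debug("to_lan_interface : " + str(to_lan_interface))
    if to_wan_interface is None or to_lan_interface is None:
        # Either no transparent interface is the WAN one or both are; the
        # bridge below needs exactly one of each side.
        raise ValueError(
            "Error: exactly one transparent interface must be the WAN interface")

    bridge = Bridge("br0", to_lan_interface.name, to_wan_interface.name)
    logging.debug("Bridge to create: " + str(bridge))
    if self.create_bridge(bridge) is True:
        Bash('route del default')
        Bash('/usr/sbin/dhclient ' + bridge.name + ' -nw')
        br_iface = self.interfaceController.get_interface_by_name(bridge.name)
        # Keep the firewall host itself from reaching the LAN side through
        # the bridge address it just obtained.
        policy = Policy(
            description="drop all traffic from fw_host to lan_iface",
            action="drop",
            protocol="ipv4",
            out_interface=to_lan_interface.name,
            src_address=br_iface.ipv4_configuration.address)
        self.policyController.add_policy(policy, table="FILTER", chain="OUTPUT")

    # Policies are walked in reverse; presumably because add_policy inserts
    # at the head of the chain, so the configured order is preserved — confirm.
    json_policies = self.policyParser.parse_policies(conf_firewall)
    for json_policy in json_policies[::-1]:
        self.add_policy(json_policy)

    json_blacklist = self.blacklistParser.parse_blacklist(conf_firewall)
    for json_url in json_blacklist:
        url = self.blacklistParser.parse_url(json_url)
        self.add_blacklist_url(url)

    json_whitelist = self.whitelistParser.parse_whitelist(conf_firewall)
    for json_url in json_whitelist:
        url = self.whitelistParser.parse_url(json_url)
        self.add_whitelist_url(url)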
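def start_iperf_client(self, iperf_client):
    """Run an ``iperf3`` client against ``iperf_client.server_address``.

    Flags derived from the client object: ``--udp`` when ``protocol`` is
    ``"udp"``, ``--reverse`` when ``bidirectional`` is ``True`` and
    ``--bitrate`` when ``bitrate`` is set.  The output is printed and
    returned.

    :param iperf_client: object with ``server_address``, ``server_port``,
        ``duration``, ``protocol``, ``bidirectional`` and ``bitrate``
    :return: whatever ``Bash.get_output()`` returned for the command
    """
    import shlex  # local import: the file's import block is outside this listing

    # All of these come from configuration and land on a shell command
    # line; str() also accepts an int port/duration.
    cmd = ("iperf3 --client " + shlex.quote(str(iperf_client.server_address))
           + " --port " + shlex.quote(str(iperf_client.server_port))
           + " --time " + shlex.quote(str(iperf_client.duration)))
    if iperf_client.protocol == "udp":
        cmd += " --udp"
    if iperf_client.bidirectional is True:
        # NOTE(review): --reverse makes the server send towards the client;
        # iperf3 >= 3.7 also has --bidir for a real two-way run — confirm
        # which one "bidirectional" is meant to request.
        cmd += " --reverse"
    if iperf_client.bitrate is not None:
        cmd += " --bitrate " + shlex.quote(str(iperf_client.bitrate))
    logging.debug("iperf client cmd: %s", cmd)
    bash = Bash(cmd)
    result = bash.get_output()
    print(result)
    return result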
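def _add_policy_in_iptables(self, policy, table, chain):
    """Append ``policy`` as an iptables rule to ``chain`` of ``table``.

    table: FILTER | NAT    chain: INPUT | FORWARD | OUTPUT (both are
    case-insensitive here).  Optional policy fields that are ``None`` are
    omitted; ports are only emitted when the protocol is not ``all``, since
    ``--sport``/``--dport`` need a transport protocol.

    :param policy: object with ``protocol``, ``src_address``, ``src_port``,
        ``dst_address``, ``dst_port``, ``action`` and ``description``
    :param table: iptables table the rule goes into
    :param chain: chain the rule is appended to
    """
    import shlex  # local import: the file's import block is outside this listing

    table_name = table.lower()   # iptables wants table names in lowercase
    chain_name = chain.upper()
    protocol = policy.protocol.lower()

    # `-t` is passed explicitly: without it iptables silently uses the
    # filter table, so a NAT request would land in the wrong table.
    cmd = ("iptables -t " + shlex.quote(table_name)
           + " -A " + shlex.quote(chain_name)
           + " -p " + shlex.quote(protocol))
    if policy.src_address is not None:
        cmd += " -s " + shlex.quote(str(policy.src_address))
    if protocol != "all" and policy.src_port is not None:
        cmd += " --sport " + shlex.quote(str(policy.src_port))
    if policy.dst_address is not None:
        cmd += " -d " + shlex.quote(str(policy.dst_address))
    if protocol != "all" and policy.dst_port is not None:
        cmd += " --dport " + shlex.quote(str(policy.dst_port))
    cmd += " -j " + shlex.quote(policy.action.upper())
    if policy.description is not None:
        # shlex.quote takes care of quotes and metacharacters inside the
        # free-text description.
        cmd += " -m comment --comment " + shlex.quote(str(policy.description))
    logging.debug(cmd)
    Bash(cmd)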
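def _add_broker_rule(self, broker_url, management_iface):
    """Add a host route so the VNF reaches the broker via the management interface.

    :param broker_url: broker endpoint read from the metadata file,
        format ``tcp://address:port``; only ``address`` is used
    :param management_iface: name of the interface the route points at
    :raises ValueError: if ``broker_url`` has no ``scheme://`` part, instead
        of routing an empty or wrong string
    """
    import shlex  # local import: the file's import block is outside this listing

    if "://" not in broker_url:
        raise ValueError(
            "broker_url must look like tcp://address:port, got " + repr(broker_url))
    # "tcp://address:port" -> "//address" -> "address"
    broker_address = broker_url.split(':')[1][2:]
    cmd = ('route add ' + shlex.quote(broker_address)
           + ' dev ' + shlex.quote(str(management_iface)))
    logging.debug(cmd)
    Bash(cmd)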
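def set_configuration(self, network_to_defend):
    """Generate /etc/snort/snort.conf for the network to protect.

    Writes ``ipvar HOME_NET <network_to_defend>`` and ``ipvar EXTERNAL_NET
    any`` and then appends the contents of ``/my_snort.conf``.

    :param network_to_defend: value for ``ipvar HOME_NET`` (whatever snort
        accepts there, e.g. a CIDR or a bracketed list)
    :raises ValueError: if the value spans more than one line — a line break
        would let it add arbitrary directives to the generated file
    """
    home_net = str(network_to_defend)
    if "\n" in home_net or "\r" in home_net:
        raise ValueError("network_to_defend must be a single line")

    header = ("# Setup the network addresses you are protecting\n"
              "ipvar HOME_NET " + home_net + "\n\n"
              "# Set up the external network addresses. Leave as 'any' in most situations\n"
              "ipvar EXTERNAL_NET any\n")
    with open("/etc/snort/snort.conf", "w") as text_file:
        # print() adds the trailing newline before the appended template.
        print(header, file=text_file)
    Bash('cat /my_snort.conf >> /etc/snort/snort.conf')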
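def configure_interface_ipv4Configuration(self, ifname, ipv4_configuration):
    """Apply an IPv4 configuration object to interface ``ifname``.

    ``configuration_type`` ``"static"`` (or ``"not_defined"``) sets the
    address and, when present, the netmask and default gateway through the
    sibling ``configure_interface_ipv4Configuration_*`` methods.  ``"dhcp"``
    removes the configured default route (if any), clears the address and
    starts ``dhclient`` on the interface.  Any other type does nothing.

    :param ifname: interface name
    :param ipv4_configuration: object with ``configuration_type``,
        ``address``, ``netmask`` and ``default_gw``
    """
    import shlex  # local import: the file's import block is outside this listing

    conf_type = ipv4_configuration.configuration_type
    if conf_type in ("static", "not_defined"):
        self.configure_interface_ipv4Configuration_address(
            ifname, ipv4_configuration.address)
        if ipv4_configuration.netmask is not None:
            self.configure_interface_ipv4Configuration_netmask(
                ifname, ipv4_configuration.netmask)
        if ipv4_configuration.default_gw is not None:
            self.configure_interface_ipv4Configuration_default_gw(
                ifname, ipv4_configuration.default_gw)
    elif conf_type == "dhcp":
        # Values come from configuration and go onto a shell command line.
        iface = shlex.quote(str(ifname))
        if ipv4_configuration.default_gw is not None:
            Bash('route del default gw '
                 + shlex.quote(str(ipv4_configuration.default_gw)))
        Bash('ifconfig ' + iface + ' 0')
        # dhclient is invoked by absolute path below; some images only ship
        # it under /sbin, so make the /usr/sbin copy exist first.
        Bash('if [ ! -e "/usr/sbin/dhclient" ]; then cp /sbin/dhclient /usr/sbin/dhclient; fi')
        Bash('/usr/sbin/dhclient ' + iface + ' -v')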
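def create_bridge(self, bridge):
    """Create bridge ``bridge.name`` over ``bridge.iface1`` and ``bridge.iface2``.

    Both member interfaces get their address cleared first, then the bridge
    is created, the members attached and the bridge brought up.

    :param bridge: object with ``name``, ``iface1`` and ``iface2``
    :return: ``True`` once every command has been issued.  Callers test
        ``create_bridge(...) is True``; whether ``Bash`` reports a failed
        command is not visible here, so a failure is not reflected in the
        return value.
    """
    import shlex  # local import: the file's import block is outside this listing

    name = shlex.quote(str(bridge.name))
    iface1 = shlex.quote(str(bridge.iface1))
    iface2 = shlex.quote(str(bridge.iface2))
    Bash('ifconfig ' + iface1 + ' 0')
    Bash('ifconfig ' + iface2 + ' 0')
    Bash('brctl addbr ' + name)
    Bash('brctl addif ' + name + ' ' + iface1)
    Bash('brctl addif ' + name + ' ' + iface2)
    Bash('ifconfig ' + name + ' up')
    return True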
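def _add_policy_in_ebtables(self, policy, table, chain):
    """Insert ``policy`` as ebtables rule(s) at the head of ``chain``.

    table: FILTER | NAT    chain: INPUT | FORWARD | OUTPUT.  Protocol
    ``"ipv4"`` becomes ``-p IPv4``; ``"all"`` cannot be expressed as one
    ebtables match and expands to three rules (tcp, udp, icmp); any other
    value is passed as ``--ip-proto``.  Optional policy fields that are
    ``None`` are omitted.

    :param policy: object with ``protocol``, ``in_interface``,
        ``out_interface``, ``src_address``, ``dst_address``, ``src_port``,
        ``dst_port`` and ``action``
    :param table: ebtables table the rules go into
    :param chain: chain the rules are inserted into
    """
    import shlex  # local import: the file's import block is outside this listing
    quote = shlex.quote

    table_name = table.lower()   # ebtables table names are lowercase
    chain_name = chain.upper()

    if policy.protocol == "all":
        protocols = ["-p ip --ip-proto tcp",
                     "-p ip --ip-proto udp",
                     "-p ip --ip-proto icmp"]
    elif policy.protocol == "ipv4":
        protocols = ["-p IPv4"]
    else:
        protocols = ["-p ip --ip-proto " + quote(str(policy.protocol))]

    # Optional matches in rule order: input side first, then output side.
    matches = []
    if policy.in_interface is not None:
        matches.append("--in-interface " + quote(str(policy.in_interface)))
    if policy.src_address is not None:
        matches.append("--ip-src " + quote(str(policy.src_address)))
    if policy.src_port is not None:
        matches.append("--ip-source-port " + quote(str(policy.src_port)))
    if policy.out_interface is not None:
        matches.append("--out-interface " + quote(str(policy.out_interface)))
    if policy.dst_address is not None:
        matches.append("--ip-dst " + quote(str(policy.dst_address)))
    if policy.dst_port is not None:
        matches.append("--ip-destination-port " + quote(str(policy.dst_port)))

    action = quote(policy.action.upper())
    for protocol in protocols:
        # `-t` is given explicitly so a NAT request does not silently end
        # up in the default (filter) table.
        parts = ["ebtables", "-t", quote(table_name), "-I", quote(chain_name), protocol]
        parts.extend(matches)
        parts.append("-j " + action)
        cmd = " ".join(parts)
        logging.debug(cmd)
        Bash(cmd)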
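def start_bandwitdh_shaping(self, TrafficShaper):
    """Limit bandwidth on an interface with ``wondershaper``.

    Usage is ``wondershaper <iface> <download> <upload>``; the limits on
    ``TrafficShaper`` are multiplied by 1024 before being passed on, and a
    limit that is ``None`` is passed as ``0``.

    :param TrafficShaper: object with ``interface_name``, ``download_limit``
        and ``upload_limit``
    """
    import shlex  # local import: the file's import block is outside this listing

    def as_argument(limit):
        # Always a str: an int 0 cannot be concatenated into the command.
        return "0" if limit is None else str(limit * 1024)

    cmd = ("wondershaper " + shlex.quote(str(TrafficShaper.interface_name))
           + " " + shlex.quote(as_argument(TrafficShaper.download_limit))
           + " " + shlex.quote(as_argument(TrafficShaper.upload_limit)))
    logging.debug(cmd)
    Bash(cmd)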
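def stop_bandwitdh_shaping(self, iface_name):
    """Remove the ``wondershaper`` limits from ``iface_name``.

    :param iface_name: interface name; quoted before it reaches the shell
    """
    import shlex  # local import: the file's import block is outside this listing

    cmd = "wondershaper clear " + shlex.quote(str(iface_name))
    logging.debug(cmd)
    Bash(cmd)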
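def configure_dhcp_server(self, dhcp_server):
    '''Write the ISC DHCP configuration and (re)start the service.

    Generates /etc/dhcp/dhcpd.conf from ``dhcp_server`` and lists every
    interface returned by ``InterfaceController().get_interfaces()`` in
    /etc/default/isc-dhcp-server, then restarts the service — or stops it
    when there is no interface at all.

    example of generated configuration
        default-lease-time 600;
        max-lease-time 7200;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.1.255;
        option routers 192.168.1.254;
        option domain-name-servers 192.168.1.1, 192.168.1.2;
        option domain-name "mydomain.example";
        subnet 192.168.1.0 netmask 255.255.255.0 {
            range 192.168.1.10 192.168.1.100;
            range 192.168.1.150 192.168.1.200;
        }

    :param dhcp_server: object with ``default_lease_time``,
        ``max_lease_time``, ``subnet_mask``, ``router``,
        ``dns_primary_server``, ``dns_secondary_server`` (may be None),
        ``dns_domain_name``, ``subnet`` and ``sections`` (each with
        ``start_ip`` / ``end_ip``); values are written as-is, so they are
        expected to be validated strings
    :raises IOError: if either file cannot be written; the underlying
        exception is chained as the cause
    '''
    try:
        # Assemble the whole file first, then write it in one go.
        lines = [
            'default-lease-time ' + dhcp_server.default_lease_time + ';\n',
            'max-lease-time ' + dhcp_server.max_lease_time + ';\n',
            'option subnet-mask ' + dhcp_server.subnet_mask + ';\n',
            'option routers ' + dhcp_server.router + ';\n',
            'option domain-name-servers ' + dhcp_server.dns_primary_server,
        ]
        if dhcp_server.dns_secondary_server is not None:
            lines.append(', ' + dhcp_server.dns_secondary_server)
        lines.append(';\n')
        lines.append('option domain-name "' + dhcp_server.dns_domain_name + '";\n')
        lines.append('subnet ' + dhcp_server.subnet + ' netmask '
                     + dhcp_server.subnet_mask + ' {\n')
        for section in dhcp_server.sections:
            lines.append(' range ' + section.start_ip + ' ' + section.end_ip + ';\n')
        lines.append('}')
        with open('/etc/dhcp/dhcpd.conf', 'w') as dhcpd_file:
            dhcpd_file.write(''.join(lines))
    except Exception as e:
        raise IOError(
            "Error during the creation of file: /etc/dhcp/dhcpd.conf \n" + str(e)) from e

    interfaces = InterfaceController().get_interfaces()
    isc_dhcp_server = 'INTERFACES="' + ' '.join(
        interface.name for interface in interfaces) + '"'
    try:
        with open('/etc/default/isc-dhcp-server', 'w') as isc_dhcp_server_file:
            isc_dhcp_server_file.write(isc_dhcp_server)
    except Exception as e:
        raise IOError(
            "Unable to create file: /etc/default/isc-dhcp-server") from e

    # Restart service; with no interface to serve, stop it again.
    Bash('service isc-dhcp-server restart')
    if len(interfaces) == 0:
        Bash('service isc-dhcp-server stop')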
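def configure_url(self, url):
    """Whitelist ``url``: ACCEPT forwarded traffic from and to it.

    Two rules are inserted at the head of the FORWARD chain, each tagged
    with the iptables comment ``whitelist:<url>`` so ``delete_url`` can
    remove them again.  ``-s``/``-d`` take an address or hostname, so
    ``url`` is presumably one — confirm against the parser that produces it.

    :param url: address/hostname to allow; quoted before it reaches the shell
    """
    import shlex  # local import: the file's import block is outside this listing

    target = shlex.quote(str(url))
    tag = shlex.quote('whitelist:' + str(url))
    Bash('iptables -I FORWARD -s ' + target + ' -j ACCEPT -m comment --comment=' + tag)
    Bash('iptables -I FORWARD -d ' + target + ' -j ACCEPT -m comment --comment=' + tag)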
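def delete_url(self, url):
    """Remove the two whitelist rules ``configure_url`` added for ``url``.

    The rules are matched by their full specification, including the
    ``whitelist:<url>`` comment, so the command here must mirror
    ``configure_url`` exactly.

    :param url: address/hostname whose ACCEPT rules are deleted
    """
    import shlex  # local import: the file's import block is outside this listing

    target = shlex.quote(str(url))
    tag = shlex.quote('whitelist:' + str(url))
    Bash('iptables -D FORWARD -s ' + target + ' -j ACCEPT -m comment --comment=' + tag)
    Bash('iptables -D FORWARD -d ' + target + ' -j ACCEPT -m comment --comment=' + tag)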
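def configure_url(self, url):
    """Blacklist ``url``: DROP forwarded traffic from and to it.

    Two rules are inserted at the head of the FORWARD chain, each tagged
    with the iptables comment ``blacklist:<url>`` so ``delete_url`` can
    remove them again.  ``-s``/``-d`` take an address or hostname, so
    ``url`` is presumably one — confirm against the parser that produces it.

    :param url: address/hostname to block; quoted before it reaches the shell
    """
    import shlex  # local import: the file's import block is outside this listing

    target = shlex.quote(str(url))
    tag = shlex.quote('blacklist:' + str(url))
    Bash('iptables -I FORWARD -s ' + target + ' -j DROP -m comment --comment=' + tag)
    Bash('iptables -I FORWARD -d ' + target + ' -j DROP -m comment --comment=' + tag)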
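def delete_url(self, url):
    """Remove the two blacklist rules ``configure_url`` added for ``url``.

    The rules are matched by their full specification, including the
    ``blacklist:<url>`` comment, so the command here must mirror
    ``configure_url`` exactly.

    :param url: address/hostname whose DROP rules are deleted
    """
    import shlex  # local import: the file's import block is outside this listing

    target = shlex.quote(str(url))
    tag = shlex.quote('blacklist:' + str(url))
    Bash('iptables -D FORWARD -s ' + target + ' -j DROP -m comment --comment=' + tag)
    Bash('iptables -D FORWARD -d ' + target + ' -j DROP -m comment --comment=' + tag)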
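def set_ip_forward(self, public_interface_name):
    """Enable IPv4 forwarding and masquerade traffic leaving ``public_interface_name``.

    Writes 1 to ``/proc/sys/net/ipv4/ip_forward`` and appends a
    ``MASQUERADE`` rule to the nat POSTROUTING chain for the interface.

    :param public_interface_name: outgoing (public) interface name; quoted
        before it reaches the shell
    """
    import shlex  # local import: the file's import block is outside this listing

    Bash('echo 1 > /proc/sys/net/ipv4/ip_forward')
    Bash('iptables -t nat -A POSTROUTING -o '
         + shlex.quote(str(public_interface_name)) + ' -j MASQUERADE')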
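def start_ids(self, iface_name="eth1"):
    """Start snort as a daemon on ``iface_name`` using /etc/snort/snort.conf.

    :param iface_name: interface snort listens on; defaults to ``eth1``,
        which used to be hard-coded.  Quoted before it reaches the shell.
    """
    import shlex  # local import: the file's import block is outside this listing

    # -D: daemonize, so the call returns once snort is in the background.
    Bash("snort -c /etc/snort/snort.conf -i " + shlex.quote(str(iface_name)) + " -D")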
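def update_bridge(self, bridge):
    """Tear down and recreate bridge ``bridge.name`` with its two members.

    Members are brought down and cleared, detached, the bridge is deleted and
    recreated with both members attached, then the default route is dropped
    and ``dhclient`` is started on the bridge.

    :param bridge: object with ``name``, ``iface1`` and ``iface2``
    """
    import shlex  # local import: the file's import block is outside this listing

    name = shlex.quote(str(bridge.name))
    iface1 = shlex.quote(str(bridge.iface1))
    iface2 = shlex.quote(str(bridge.iface2))
    Bash('ifconfig ' + iface1 + ' down')
    Bash('ifconfig ' + iface2 + ' down')
    Bash('ifconfig ' + iface1 + ' 0')
    Bash('ifconfig ' + iface2 + ' 0')
    # `brctl delif` takes a single device, so detach the members one by one.
    Bash('brctl delif ' + name + ' ' + iface1)
    Bash('brctl delif ' + name + ' ' + iface2)
    Bash('ifconfig ' + name + ' down')
    Bash('brctl delbr ' + name)
    Bash('brctl addbr ' + name)
    Bash('brctl addif ' + name + ' ' + iface1)
    Bash('brctl addif ' + name + ' ' + iface2)
    Bash('route del default')
    Bash('/usr/sbin/dhclient ' + name + ' -v')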
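def configure_interface_ipv4Configuration_default_gw(
        self, ifname, default_gw):
    """Set ``default_gw`` as the default gateway reachable through ``ifname``.

    :param ifname: interface name
    :param default_gw: gateway address; both values are quoted before they
        reach the shell
    """
    import shlex  # local import: the file's import block is outside this listing

    Bash('route add default gw ' + shlex.quote(str(default_gw))
         + ' ' + shlex.quote(str(ifname)))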
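def delete_arp_entry(self, ip_address):
    """Delete the ARP cache entry for ``ip_address``.

    :param ip_address: address whose entry is removed; quoted before it
        reaches the shell
    """
    import shlex  # local import: the file's import block is outside this listing

    Bash('arp -d ' + shlex.quote(str(ip_address)))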
def enable_forwarding(self):
    """Turn on IPv4 forwarding by writing 1 to /proc/sys/net/ipv4/ip_forward."""
    sysctl_cmd = 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    Bash(sysctl_cmd)
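def stop_bandwitdh_shaping(self, iface_name):
    """Remove the root qdisc (and with it every HTB class/filter) from ``iface_name``.

    :param iface_name: interface name; quoted before it reaches the shell
    """
    import shlex  # local import: the file's import block is outside this listing

    Bash("tc qdisc del dev " + shlex.quote(str(iface_name)) + " root")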
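def reset_interface(self, name):
    """Clear the IPv4 address of interface ``name`` (sets it to 0.0.0.0).

    :param name: interface name; quoted before it reaches the shell
    """
    import shlex  # local import: the file's import block is outside this listing

    Bash('ifconfig ' + shlex.quote(str(name)) + ' 0.0.0.0')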
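def get_status(self, iface_name):
    """Return the ``tc -s qdisc`` statistics for ``iface_name``.

    :param iface_name: interface name; quoted before it reaches the shell
    :return: whatever ``Bash.get_output()`` returned for the command
    """
    import shlex  # local import: the file's import block is outside this listing

    bash = Bash("tc -s qdisc ls dev " + shlex.quote(str(iface_name)))
    result = bash.get_output()
    logging.debug(result)
    return result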
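def configure_interface_ipv4Configuration_address(self, ifname, address):
    """Assign IPv4 ``address`` to interface ``ifname``.

    :param ifname: interface name
    :param address: address to set; both values are quoted before they
        reach the shell
    """
    import shlex  # local import: the file's import block is outside this listing

    Bash('ifconfig ' + shlex.quote(str(ifname)) + ' ' + shlex.quote(str(address)))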
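def configure_interface_ipv4Configuration_netmask(self, ifname, netmask):
    """Set the IPv4 ``netmask`` of interface ``ifname``.

    :param ifname: interface name
    :param netmask: dotted netmask to set; both values are quoted before
        they reach the shell
    """
    import shlex  # local import: the file's import block is outside this listing

    Bash('ifconfig ' + shlex.quote(str(ifname))
         + ' netmask ' + shlex.quote(str(netmask)))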
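def add_arp_entry(self, ip_address, mac_address):
    """Add a static ARP entry mapping ``ip_address`` to ``mac_address``.

    :param ip_address: IPv4 address of the entry
    :param mac_address: hardware address; both values are quoted before
        they reach the shell
    """
    import shlex  # local import: the file's import block is outside this listing

    Bash('arp -s ' + shlex.quote(str(ip_address))
         + ' ' + shlex.quote(str(mac_address)))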