Esempio n. 1
0
def set_public_firewall(port_list):
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
    for port in port_list:
        rule = iptc.Rule()
        rule.target = iptc.Target(rule, "ACCEPT")
        rule.protocol = "tcp"
        match = iptc.Match(rule, "tcp")
        match.dport = str(port)
        rule.add_match(match)
        chain.insert_rule(rule)
Esempio n. 2
0
def dropAll(ip):
    rule = iptc.Rule()
    rule.src = str(ip)
    rule.protocol = "tcp"
    rule_match = iptc.Match(rule, "tcp")
    target = iptc.Target(rule, "DROP")
    rule.add_match(rule_match)
    rule.target = target
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
    chain.insert_rule(rule)
Esempio n. 3
0
    def setUp(self):
        self.rule = iptc.Rule()
        self.rule.protocol = "tcp"
        self.rule.target = iptc.Target(self.rule, "ACCEPT")

        self.match = iptc.Match(self.rule, "iprange")

        self.chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),
                                "iptc_test_iprange")
        iptc.Table(iptc.Table.FILTER).create_chain(self.chain)
Esempio n. 4
0
    def setUp(self):
        self.rule = iptc.Rule()
        self.rule.src = "127.0.0.1"
        self.rule.protocol = "udp"
        self.rule.target = iptc.Target(self.rule, "ACCEPT")

        self.match = iptc.Match(self.rule, "comment")
        self.chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),
                                "iptc_test_comment")
        iptc.Table(iptc.Table.FILTER).create_chain(self.chain)
Esempio n. 5
0
    def create_rules(server_ip, server_port, router_port, gateway):
        destination = server_ip + ':' + server_port
        prerouting_rule = iptc.Rule()
        prerouting_rule.protocol = "tcp"
        prerouting_rule.dst = gateway
        match = iptc.Match(prerouting_rule, "tcp")
        match.dport = router_port
        target = prerouting_rule.create_target("DNAT")
        target.to_destination = destination
        prerouting_rule.add_match(match)
        prerouting_rule.target = target

        postrouting_rule = iptc.Rule()
        postrouting_rule.protocol = "tcp"
        postrouting_rule.dst = server_ip
        match = iptc.Match(postrouting_rule, "tcp")
        match.dport = server_port
        postrouting_rule.add_match(match)
        postrouting_rule.target = iptc.Target(postrouting_rule, "MASQUERADE")
        return prerouting_rule, postrouting_rule
Esempio n. 6
0
def addRegra(ipFonte, ipDestino, portaFonte, portaDestino, estado, username,
             acao, protocolo, chain):
    regra = iptc.Rule()

    chains = ["INPUT", "OUTPUT"]
    indiceChain = int(chain) - 1
    chain = chains[indiceChain]

    acoes = ["ACCEPT", "DROP"]
    indiceAcao = int(acao) - 1
    acao = acoes[indiceAcao]

    protocolos = ["TCP", "UDP", ""]
    indiceProtocolo = int(protocolo) - 1
    protocolo = protocolos[indiceProtocolo]

    if (protocolo):
        regra.protocol = protocolo
    if (ipFonte):
        regra.src = ipFonte
    if (ipDestino):
        regra.dst = ipDestino
    if (portaFonte):
        regra.sport = portaFonte
    if (portaDestino):
        regra.dport = portaDestino

    if (username):
        match = iptc.Match(regra, "owner")
        match.uid_owner = username
        regra.add_match(match)
    if (estado):
        match = iptc.Match(regra, "conntrack")
        match.ctstate = estado
        regra.add_match(match)

    target = iptc.Target(regra, acao)
    regra.target = target

    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), chain)
    chain.append_rule(regra)
Esempio n. 7
0
def unblock_port(ip_address):
    rule = iptc.Rule()
    rule.protocol = "tcp"
    rule.src = ip_address
    match = iptc.Match(rule, "tcp")
    match.dport = secret_port
    rule.add_match(match)
    rule.target = iptc.Target(rule, "ACCEPT")
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
    chain.insert_rule(rule)
    print("Port", secret_port, "was unblocked for", ip_address)
    return (chain, rule)
Esempio n. 8
0
 def revIP(self,ip):
     print "remove rule", ip
     ((ip, port), val,time)=ip
     rule = iptc.Rule()
     rule.protocol = val
     m = iptc.Match(rule, val)
     rule.src = ip
     m.sport = str(port)
     rule.add_match(m)
     rule.target = iptc.Target(rule, "DROP")
     chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
     chain.delete_rule(rule)
     rule = iptc.Rule()
     rule.protocol = val
     m = iptc.Match(rule, val)
     rule.dst = ip
     m.dport = str(port)
     rule.add_match(m)
     rule.target = iptc.Target(rule, "DROP")
     chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "OUTPUT")
     chain.delete_rule(rule)
Esempio n. 9
0
def mkCFDDNSRule(hostnm: str = '', proto: str = '', portNum: str = ''):
    rule = iptc.Rule()
    rule.protocol = proto
    rule.src = v4_lookup(hostnm)

    portmatch = iptc.Match(rule, proto)
    portmatch.dport = portNum

    connt = iptc.Match(rule, 'conntrack')
    connt.ctstate = 'NEW'

    commentm = iptc.Match(rule, 'comment')
    commentm.comment = '{}_{}_{}'.format(hostnm, proto, portNum)

    rule.add_match(portmatch)
    rule.add_match(connt)
    rule.add_match(commentm)

    tar = rule.create_target('ACCEPT')
    rule.target = tar
    return rule
Esempio n. 10
0
def iptc_to_ip_tables(the_rule):
    #print(the_rule)
    chain = ''
    rule = ''
    match = ''
    target = ''

    # Regular Expression to validate IPs
    regex = '''^(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.( 
            25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.( 
            25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.( 
            25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)$'''

    # Get a dictionary of rules
    # Retrieve input options
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),
                       (the_rule['input_options']))
    #print(chain.rules)

    rule = iptc.Rule()
    # rule.in_interface = "eth+"
    # Retrieve IPs and error check entries
    if (re.search(regex, str(the_rule['source_ip']))):
        rule.src = the_rule['source_ip']
    #else:
    #print("FireTables: Rule Source IP set to anywhere")
    if (re.search(regex, str(the_rule['destination_ip']))):
        rule.dst = the_rule['destination_ip']
    #else:
    #print("FireTables: Rule Destination IP set to anywhere")
    # Retrieve Accept or Drop options
    target = iptc.Target(rule, the_rule['accept_or_drop_options'])
    rule.target = target
    # Retrieve Protocol
    rule.protocol = the_rule['protocol_options']
    match = iptc.Match(rule, the_rule['protocol_options'])
    # Retrieve Ports and error check port entries
    if the_rule['protocol_options'] != 'icmp':
        if the_rule['source_port'] != "":
            if int(the_rule['source_port']) in range(65535):
                match.sport = the_rule['source_port']
        #else:
        #print("FireTables: Rule Source Port set to anywhere")

        if the_rule['destination_port'] != "":
            if int(the_rule['destination_port']) in range(65535):
                match.dport = the_rule['destination_port']
        #else:
        #print("FireTables: Rule Destination Port set to anywhere")
    rule.add_match(match)
    # Insert rule into iptables
    chain.append_rule(rule)
Esempio n. 11
0
    def set_rule(self, **kwargs):
        # -ipv4
        # -ipv6
        # --protocol
        # -source address[ / mask][, ...]
        # --destination address[ / mask][, ...]
        # -m, --match commetnt dic
        # -j, --jump target
        # -g, --goto chain
        # -i, --in-interface
        # -o, --out-interface name
        # -f, --fragment
        # -c, --set-counters packets bytes
        # if 'ipv4' in kwargs:
        #     i = 0
        # if 'ipv6' in kwargs:
        #     i =0
        if 'protocol' in kwargs:
            self.rule.protocol = kwargs['protocol']

        if 'source' in kwargs:
            self.rule.src = kwargs['source']

        if 'in_interface' in kwargs:
            self.rule.in_interface = kwargs['in_interface']

        if 'out_interface' in kwargs:
            self.rule.out_interface = kwargs['out_interface']

        if 'jump' in kwargs:
            # =======TODO:error handling (completely depends on target name

            chain_name = kwargs['jump']['name']
            self.target = iptc.Target(self.rule, chain_name)

            if chain_name == 'MARK':
                self.target.set_mark = kwargs['jump']['mark']

            if chain_name == 'MASQUERADE':
                self.target.to_ports = kwargs['jump']['to_ports']

            self.rule.target = self.target

        try:
            if 'match' in kwargs:
                for match_item in kwargs['match']:
                    match = iptc.Match(self.rule, match_item['name'])
                    for item in match_item['values']:
                        match.__setattr__(item['key'], item['val'])
                    self.rule.add_match(match)
        except AVAFirewallException as e:
            AVAFirewallException(e)
def tag_packets_with_port(port):
    table_mangle = iptc.Table(iptc.Table.MANGLE)
    chain = iptc.Chain(table_mangle, "OUTPUT")
    rule = iptc.Rule()
    rule.protocol = "tcp"
    match = iptc.Match(rule, "tcp")
    match.dport = str(port)
    rule.add_match(match)
    rule.out_interface = "eth1"
    target = iptc.Target(rule, "MARK")
    target.set_mark = "0x01"
    rule.target = target
    chain.insert_rule(rule)
Esempio n. 13
0
def drop():
    rule = iptc.Rule()
    rule.protocol = protocol
    match = iptc.Match(rule, protocol)
    match.sport = source_port
    match.dport = destination_port
    rule.add_match(match)
    rule.src = source
    rule.dst = destination
    rule.add_match(match)
    rule.target = iptc.Target(rule, targets)
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), Chain)
    chain.insert_rule(rule)
Esempio n. 14
0
    def addIP(self,ipc):
        print ipc
        ((ip,port),val)=ipc

        rule = iptc.Rule()
        rule.protocol = val
        m = iptc.Match(rule, val)
        rule.src = ip
        m.sport = str(port)
        rule.add_match(m)
        rule.target = iptc.Target(rule, "DROP")
        chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
        chain.insert_rule(rule)
        rule = iptc.Rule()
        rule.protocol = val
        m = iptc.Match(rule, val)
        rule.dst = ip
        m.dport = str(port)
        rule.add_match(m)
        rule.target = iptc.Target(rule, "DROP")
        chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "OUTPUT")
        chain.insert_rule(rule)
Esempio n. 15
0
def block_port():
    rule = iptc.Rule()
    rule.protocol = "tcp"
    match = iptc.Match(rule, "tcp")
    match.dport = secret_port
    rule.add_match(match)
    target = iptc.Target(rule, "REJECT")
    target.set_parameter("reject-with", "tcp-reset")
    rule.target = target
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
    chain.insert_rule(rule)
    print("Port", secret_port, "was blocked")
    return (chain, rule)
Esempio n. 16
0
    def setUp(self):
        self.rule = iptc.Rule()
        self.rule.dst = "127.0.0.2"
        self.rule.protocol = "tcp"
        self.rule.in_interface = "eth0"

        self.match = iptc.Match(self.rule, "tcp")
        self.rule.add_match(self.match)

        self.target = iptc.Target(self.rule, "CLUSTERIP")
        self.rule.target = self.target

        self.chain = iptc.Chain(iptc.TABLE_FILTER, "iptc_test_clusterip")
        iptc.TABLE_FILTER.create_chain(self.chain)
Esempio n. 17
0
    def setUp(self):
        self.rule = iptc.Rule()
        self.rule.dst = "127.0.0.2"
        self.rule.protocol = "tcp"
        self.rule.in_interface = "eth0"

        self.match = iptc.Match(self.rule, "tcp")
        self.rule.add_match(self.match)

        self.target = iptc.Target(self.rule, "REDIRECT")
        self.rule.target = self.target

        self.chain = iptc.Chain(iptc.TABLE_NAT, "iptc_test_redirect")
        iptc.TABLE_NAT.create_chain(self.chain)
Esempio n. 18
0
def iptablesDNAT(action, user_var):
    table = iptc.Table(iptc.Table.NAT)
    chain = iptc.Chain(table, "PREROUTING")
    rule = iptc.Rule()
    match = iptc.Match(rule, "tcp")
    match = iptc.Match(rule, "iprange")

    # FIXME

    for cidr in user_var.redirectaddresses:

        redirectNetworks = ipaddress.ip_network(cidr)
        match.dst_range = '{}-{}'.format(redirectNetworks.network_address,
                                         redirectNetworks.broadcast_address)

        rule.add_match(match)
        t = rule.create_target("DNAT")
        t.to_destination = get_ip_address_from_interface(user_var.interface)

        if action == 'insert':
            chain.insert_rule(rule)
        else:
            chain.delete_rule(rule)
Esempio n. 19
0
def create_iptables_rule(port):
    global rule
    match = iptc.Match(rule, "tcp")
    match.dport = port
    match.tcp_flags = ['RST']
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "OUTPUT")  # -A OUTPUT
    rule.protocol = "tcp"  # -p tcp
    rule.target = iptc.Target(rule, "DROP")  # -j DROP
    rule.add_match(match)
    try:
        chain.delete_rule(rule)
    except:
        a = 0
    chain.insert_rule(rule)
Esempio n. 20
0
    def test_iprange_tcpdport(self):
        self.match.src_range = "192.168.1.100-192.168.1.200"
        self.match.dst_range = "172.22.33.106"
        self.rule.add_match(self.match)

        match = iptc.Match(self.rule, "tcp")
        match.dport = "22"
        self.rule.add_match(match)

        self.chain.insert_rule(self.rule)

        for r in self.chain.rules:
            if r != self.rule:
                self.fail("inserted rule does not match original")
Esempio n. 21
0
    def setUp(self):
        self.rule = iptc.Rule()
        self.rule.dst = "127.0.0.2"
        self.rule.protocol = "tcp"
        self.rule.in_interface = "eth0"

        self.match = iptc.Match(self.rule, "tcp")
        self.rule.add_match(self.match)

        self.target = iptc.Target(self.rule, "TOS")
        self.rule.target = self.target

        self.chain = iptc.Chain(iptc.Table(iptc.Table.MANGLE), "iptc_test_tos")
        iptc.Table(iptc.Table.MANGLE).create_chain(self.chain)
Esempio n. 22
0
def init_vnsf_forward_chain():
    # sudo iptables -t nat -A POSTROUTING --out-interface eth2 -j MASQUERADE
    table = iptc.Table(iptc.Table.NAT)
    chain = iptc.Chain(table, "POSTROUTING")
    chain.flush()
    rule = iptc.Rule()
    rule.out_interface = settings.wan_interface
    target = iptc.Target(rule, "MASQUERADE")
    rule.target = target
    chain.insert_rule(rule)

    # iptables -N vnsf-forward
    table = iptc.Table(iptc.Table.FILTER)
    vnsf_forward_chain = table.create_chain(settings.vnsf_forward_chain)

    # iptables -A vnsf-forward -j RETURN
    rule = iptc.Rule()
    target = iptc.Target(rule, "RETURN")
    rule.target = target
    vnsf_forward_chain.append_rule(rule)

    # iptables -A FORWARD --in-interface eth1 -j vnsf-forward
    chain = iptc.Chain(table, "FORWARD")
    chain.flush()
    rule = iptc.Rule()
    rule.in_interface = settings.lan_interface
    target = iptc.Target(rule, settings.vnsf_forward_chain)
    rule.target = target
    chain.insert_rule(rule)

    # iptables -A FORWARD --in-interface eth1 --out-interface eth2 -j ACCEPT
    rule = iptc.Rule()
    rule.in_interface = settings.lan_interface
    rule.out_interface = settings.wan_interface
    target = iptc.Target(rule, "ACCEPT")
    rule.target = target
    chain.append_rule(rule)

    # iptables -A FORWARD --in-interface eth2 --out-interface eth1 -m state \
    #   --state ESTABLISHED, RELATED -j ACCEPT
    rule = iptc.Rule()
    rule.in_interface = settings.wan_interface
    rule.out_interface = settings.lan_interface
    match = iptc.Match(rule, "state")
    match.state = "RELATED,ESTABLISHED"
    target = iptc.Target(rule, "ACCEPT")
    rule.target = target
    rule.add_match(match)
    chain.append_rule(rule)
Esempio n. 23
0
    def test_match_parameters(self):
        m = iptc.Match(iptc.Rule(), "udp")
        m.sport = "12345:55555"
        m.dport = "!33333"

        self.assertEqual(len(m.parameters), 2)

        for p in m.parameters:
            self.assertTrue(p == "sport" or p == "dport")

        self.assertEqual(m.parameters["sport"], "12345:55555")
        self.assertEqual(m.parameters["dport"], "!33333")

        m.reset()
        self.assertEqual(len(m.parameters), 0)
Esempio n. 24
0
 def _modify_rule(self, delete):
     chain = iptc.Chain(self.table(self.table.FILTER), 'INPUT')
     rule = self.rule()
     rule.protocol = 'udp'
     match = iptc.Match(rule, 'udp')
     match.dport = '53'
     target = iptc.Target(rule, 'NFQUEUE')
     target.set_parameter('queue-num', str(self.queue_num))
     target.set_parameter('queue-bypass')
     rule.target = target
     rule.add_match(match)
     if delete:
         chain.delete_rule(rule)
     else:
         chain.insert_rule(rule)
Esempio n. 25
0
    def test_match_parameters(self):
        m = iptc.Match(iptc.Rule(), "udp")
        m.sport = "12345:55555"
        m.dport = "!33333"

        self.failUnless(len(m.parameters) == 2)

        for p in m.parameters:
            self.failUnless(p == "sport" or p == "dport")

        self.failUnless(m.parameters["sport"] == "12345:55555")
        self.failUnless(m.parameters["dport"] == "!33333")

        m.reset()
        self.failUnless(len(m.parameters) == 0)
Esempio n. 26
0
    def test_match_create(self):
        rule = iptc.Rule()
        match = rule.create_match("udp")

        for m in rule.matches:
            self.assertEqual(m, match)

        # check that we can change match parameters after creation
        match.sport = "12345:55555"
        match.dport = "!33333"

        m = iptc.Match(iptc.Rule(), "udp")
        m.sport = "12345:55555"
        m.dport = "!33333"

        self.assertEqual(m, match)
Esempio n. 27
0
    def createFirewallRule(port, lock):
        lock.acquire()
        print "Creating the iptables rule for port %d" % port
        rule = iptc.Rule()
        rule.protocol = "tcp"
        rule.target = iptc.Target(rule, "REJECT")

        match = iptc.Match(rule, "tcp")
        match.sport = "%s" % port
        rule.add_match(match)

        chain = iptc.Chain(iptc.TABLE_FILTER, "OUTPUT")
        chain.insert_rule(rule)
        rule.target.reset()
        blockedPorts[port] = rule
        lock.release()
Esempio n. 28
0
 def test_refresh(self):
     rule = iptc.Rule()
     match = iptc.Match(rule, "tcp")
     match.dport = "1234"
     rule.add_match(match)
     try:
         self.chain.insert_rule(rule)
         iptc.Table(iptc.Table.FILTER).delete_chain(self.chain)
         self.fail("inserted invalid rule")
     except:
         pass
     iptc.Table(iptc.Table.FILTER).refresh()
     target = iptc.Target(rule, "ACCEPT")
     rule.target = target
     rule.protocol = "tcp"
     self.chain.insert_rule(rule)
     self.chain.delete_rule(rule)
Esempio n. 29
0
    def setUp(self):
        self.rule = iptc.Rule()
        self.rule.src = "127.0.0.1"
        self.rule.protocol = "udp"
        self.rule.target = iptc.Target(self.rule, "ACCEPT")

        self.match = iptc.Match(self.rule, "hashlimit")

        self.chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),
                                "iptc_test_hashlimit")
        self.table = iptc.Table(iptc.Table.FILTER)
        try:
            self.chain.flush()
            self.chain.delete()
        except:
            pass
        self.table.create_chain(self.chain)
Esempio n. 30
0
 def delAuthorization(self, ip, mac):
     rule = iptc.Rule()
     table = iptc.Table(iptc.Table.MANGLE)
     chain = iptc.Chain(table, 'authorized')
     rule.src = ip
     match = iptc.Match(rule, 'mac')
     match.mac_source = mac
     target = iptc.Target(rule, 'MARK')
     target.set_mark = '1'
     rule.target = target
     rule.add_match(match)
     if rule not in chain.rules:
         print('rule does not exist')
         return 'RULE_NOT_FOUND'
     chain.delete_rule(rule)
     print('deleted rule {}'.format(ip))
     return 'SUCCESS'