def main():
uidnum = sys.argv[1]
print("#Generating rules for user ID %s" % uidnum)
# declare a new iptables ruleset
ipt = libnfldap.IPTables()
# insert sane default at the top of the ruleset
ipt.insertSaneDefaults()
# declare a new ipset ruleset
ips = libnfldap.IPset()
# find a user in ldap
ldap = libnfldap.LDAP(LDAP_URL, LDAP_BIND_DN, LDAP_BIND_PASSWD)
userdn, userid = ldap.getUserByNumber('o=com,dc=mozilla', uidnum)
# create a custom chain and sets for the user
ipt.newFilterChain(userid)
r = "-A FORWARD -m owner --uid-owner " + uidnum + " -m state --state NEW -j " + userid
ipt.appendFilterRule(r)
ips.newHashNet(userid)
# find groups of an ldap user
acls = ldap.getACLs('ou=groups,dc=mozilla',
"(&(member=" + userdn + ")(cn=vpn_*))")
# iterate through the ACLs
print("#====== ACL details ======")
for group, dests in acls.iteritems():
for dest, desc in dests.iteritems():
print("%s has access to %s aka '%s'" % (userid, dest, desc))
if libnfldap.is_cidr(dest):
ips.addCIDRToHashNet(userid, dest)
else:
ipt.appendFilterRule("-A " + userid + " -d " + dest +
" -j ACCEPT")
# set a default drop policy at the end of the ruleset
ipt.appendDefaultDrop()
# template and print the iptables rules
print("#====== IPTABLES RULES ======\n")
print("%s\n\n" % ipt.template())
# template and print the ipset rules
print("#====== IPSET RULES ======\n")
print("%s" % ips.template())
def main():
ipt = libnfldap.IPTables()
ldap = libnfldap.LDAP(LDAP_URL, LDAP_BIND_DN, LDAP_BIND_PASSWD)
ipset = libnfldap.IPset()
# find all vpn groups and create chains
acls = ldap.getACLs('ou=groups,dc=mozilla', "(cn=vpn_*)")
for group, dests in acls.iteritems():
ipt.newFilterChain(group)
for dest, desc in dests.iteritems():
if libnfldap.is_cidr(dest):
ipt.acceptIP(group, dest, desc)
else:
ip = dest.split(":", 1)[0]
ports = dest.split(":", 1)[1]
if len(ports) > 0:
ipt.acceptIPPortProto(group, ip, ports, "tcp", desc)
ipt.acceptIPPortProto(group, ip, ports, "udp", desc)
else:
ipt.acceptIP(group, ip, desc)
# get a list of all LDAP users
query = '(&(objectClass=mozComPerson)(objectClass=posixAccount))'
res = ldap.query('dc=mozilla', query, ['uid', 'uidNumber'])
users = {}
# get users from the system, the find the corresponding ldap record
for p in pwd.getpwall():
if p.pw_uid > 500:
# iterate over the ldap records
for dn, attr in res:
uid = attr['uid'][0]
uidNumber = attr['uidNumber'][0]
if uidNumber == str(p.pw_uid) and uid == p.pw_name:
# store the user
users[uidNumber] = {'dn': dn, 'uid': uid}
## iterate over the users and create the rules
for uidNumber, attr in users.iteritems():
dn = attr['dn']
uid = attr['uid']
# create a custom chain for the user
ipt.newFilterChain(uid)
# add rules to forward this user's packets to the custom chain
r = "-A OUTPUT -m owner --uid-owner " + uidNumber + " -m state --state NEW -j " + uid
ipt.appendFilterRule(r)
# find groups memberships of the user
acls = ldap.getACLs('ou=groups,dc=mozilla',
"(&(member=" + dn + ")(cn=vpn_*))")
# iterate through the ACLs and send the user to the group chains
for group, dests in acls.iteritems():
ipt.appendFilterRule("-A " + uid + " -j " + group)
# add a DROP at the end of the user rules
ipt.appendFilterRule("-A " + uid + " -j DROP")
# set a default drop policy at the end of the ruleset
ipt.insertSaneDefaults()
#ipt.appendDefaultDrop()
# template and print the iptables rules
tmpfd, tmppath = mkstemp()
f = open(tmppath, 'w')
f.write(ipt.template())
f.close()
os.close(tmpfd)
print("IPTables rules written in %s" % tmppath)
def main():
ipt = libnfldap.IPTables()
ldap = libnfldap.LDAP(config.LDAP_URL, config.LDAP_BIND_DN,
config.LDAP_BIND_PASSWD)
ipset = libnfldap.IPset()
gen_start_time = time.time()
# find all vpn groups and create chains
acls = ldap.getACLs('ou=groups,dc=mozilla', "(cn=vpn_*)")
for group, dests in acls.iteritems():
ipt.newFilterChain(group)
for dest, desc in dests.iteritems():
if libnfldap.is_cidr(dest):
ipt.acceptIP(group, dest, desc)
else:
ip = dest.split(":", 1)[0]
ports = dest.split(":", 1)[1]
if len(ports) > 0:
ipt.acceptIPPortProto(group, ip, ports, "tcp", desc)
ipt.acceptIPPortProto(group, ip, ports, "udp", desc)
else:
ipt.acceptIP(group, ip, desc)
# get a list of all LDAP users
query = '(&(objectClass=mozComPerson)(objectClass=posixAccount))'
res = ldap.query('dc=mozilla', query, ['uid', 'uidNumber'])
users = {}
# get users from the system, the find the corresponding ldap record
for p in pwd.getpwall():
if p.pw_uid > 500:
# iterate over the ldap records
for dn, attr in res:
uid = attr['uid'][0]
uidNumber = attr['uidNumber'][0]
if uidNumber == str(p.pw_uid) and uid == p.pw_name:
# store the user
users[uidNumber] = {'dn': dn, 'uid': uid}
## iterate over the users and create the rules
for uidNumber, attr in users.iteritems():
dn = attr['dn']
uid = attr['uid']
# create a custom chain for the user
ipt.newFilterChain(uid)
# add rules to forward this user's packets to the custom chain
r = "-A OUTPUT -m owner --uid-owner " + uidNumber + " -m state --state NEW -j " + uid
ipt.appendFilterRule(r)
# find groups memberships of the user
acls = ldap.getACLs('ou=groups,dc=mozilla',
"(&(member=" + dn + ")(cn=vpn_*))")
# iterate through the ACLs and send the user to the group chains
for group, dests in acls.iteritems():
ipt.appendFilterRule("-A " + uid + " -j " + group)
# add a DROP at the end of the user rules
ipt.appendFilterRule("-A " + uid + " -j DROP")
# set a default drop policy at the end of the ruleset
ipt.insertSaneDefaults()
ipt.appendFilterRule(
"-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT")
ipt.appendFilterRule(
"-A INPUT -p tcp --dport 5666 -m state --state NEW -j ACCEPT")
ipt.appendFilterRule(
"-A OUTPUT -m owner --uid-owner 0 -m state --state NEW -j ACCEPT")
ipt.appendDefaultDrop()
# template and print the iptables rules
tmpfd, tmppath = mkstemp()
f = open(tmppath, 'w')
f.write(ipt.template())
f.close()
os.close(tmpfd)
gen_time = time.time() - gen_start_time
load_start_time = time.time()
# run iptables-restore
command = "/sbin/iptables-restore %s" % (tmppath)
status = os.system(command)
load_time = time.time() - load_start_time
if status == -1:
mozmsg.send(summary="failed to load iptables rules from" + tmppath,
severity='ERROR',
details={
'generation_time': gen_time,
'loading_time': load_time
})
else:
mozmsg.send(summary="iptables rules reloaded successfully.",
details={
'generation_time': gen_time,
'loading_time': load_time
})
os.remove(tmppath)
def main():
# declare a new iptables ruleset
ipt = libnfldap.IPTables()
# insert sane default at the top of the ruleset
ipt.insertSaneDefaults()
# declare a new ipset ruleset
ipset = libnfldap.IPset()
# find all LDAP users
ldap = libnfldap.LDAP(LDAP_URL, LDAP_BIND_DN, LDAP_BIND_PASSWD)
users = {}
# the query lists all users by default. If you want to narrow down the search to
# a single user, call the script with a single argument, such as:
# $ python example_allusers.py '(uid=jvehent)'
customf = ''
if len(sys.argv) > 1:
customf = sys.argv[1]
query = '(&(objectClass=mozComPerson)(objectClass=posixAccount)' + customf + ')'
res = ldap.query('dc=mozilla', query, ['cn', 'uid', 'uidNumber'])
# iterate over the users and create the rules
for dn, attr in res:
cn = attr['cn'][0],
uid = attr['uid'][0]
uidNumber = attr['uidNumber'][0]
# create a custom chain and sets for the user
ipt.newFilterChain(uid)
ipset.newHashNet(uid)
# add rules to forward this user's packets to the custom chain and the ipset
r = "-A FORWARD -m owner --uid-owner " + uidNumber + " -m state --state NEW -j " + uid
ipt.appendFilterRule(r)
#r = "-A " + uid + " -m set --match-set '" + uid + "' dst -m state --state NEW -j ACCEPT"
#ipt.appendFilterRule(r)
# find ACLs of a given user
acls = ldap.getACLs('ou=groups,dc=mozilla',
"(&(member="+dn+")(cn=vpn_*))")
# iterate through the ACLs and create iptables or ipset rules
for group,dests in acls.iteritems():
for dest,desc in dests.iteritems():
# if the destination is a CIDR (IP or subnet), add it to ipset
if libnfldap.is_cidr(dest):
#ipset.addCIDRToHashNet(uid, dest)
ipt.acceptIP(uid, dest, desc)
else:
# if the destination has ports, add one rule per port
ip = dest.split(":", 1)[0]
ports = dest.split(":", 1)[1]
if len(ports) > 0:
ipt.acceptIPPortProto(uid, ip, ports, "tcp", desc)
ipt.acceptIPPortProto(uid, ip, ports, "udp", desc)
else:
ipt.acceptIP(uid, ip, desc)
# add a DROP at the end of the user rules
ipt.appendFilterRule("-A " + uid + " -j DROP")
# set a default drop policy at the end of the ruleset
#ipt.appendDefaultDrop()
# template and print the iptables rules
tmpfd, tmppath = mkstemp()
f = open(tmppath, 'w')
f.write(ipt.template())
f.close()
os.close(tmpfd)
print("IPTables rules written in %s" % tmppath)
# template and print the ipset rules
tmpfd, tmppath = mkstemp()
f = open(tmppath, 'w')
f.write(ipset.template())
f.close()
os.close(tmpfd)
print("IPSet rules written in %s" % tmppath)
def main():
cfg_path = [
'get_user_routes.conf', '/usr/local/etc/get_user_routes.conf',
'/etc/get_user_routes.conf'
]
config = None
for cfg in cfg_path:
if os.path.isfile(cfg):
try:
config = imp.load_source('config', cfg)
except:
pass
if config == None:
print("Failed to load config")
sys.exit(1)
try:
username = sys.argv[1]
except IndexError:
print("Need one argument, email-username")
sys.exit(1)
# if the user is connecting from an office, we need to know, so that we can filter out local destinations
try:
if sys.argv[2] == "--office":
from_office = 1
else:
from_office = 0
except IndexError:
from_office = 0
# currently using libnfldap, since it has a function to get all the ACLs for a group
ldap = libnfldap.LDAP(config.LDAP_URL, config.LDAP_BIND_DN,
config.LDAP_BIND_PASSWD)
filterk = '(mail=' + username + ')'
query = filterk
res = ldap.query('dc=mozilla', query, ['mail'])
dn = res[0][0]
# find all vpn groups user is in and return IP attributes
acls = ldap.getACLs('ou=groups,dc=mozilla',
"(&(member=" + dn + ")(cn=vpn_*))")
ips = []
for group, dests in acls.iteritems():
for dest, desc in dests.iteritems():
# strip off port information
ip = dest.split(":")[0]
# if address is already in cidr format, add it, else assume single host IP and add /32
# this is in order to keep a consistent format for all addresses before we process
if ip.find('/') != -1:
ips.append(ip)
else:
ips.append(ip + '/32')
#Now that we have a list of all possible addresses that a user may access, we need to check
# if any aren't already covered by the default list of routes from the config.
notfoundlist = []
for address in ips:
for route in config.ROUTES:
if IPNetwork(address) in IPNetwork(route):
break
else:
notfoundlist.append(address)
# merge user-specific routes with routes from the config, only unique. Sorted for human readability
all_routes = sorted(
set(config.ROUTES + notfoundlist + config.OFFICE_ROUTES))
# check that there are no overlapping routes, remove office routes if connecting from an office
if from_office == 1:
squashed_routes = remove_office_routes(squash_routes(all_routes),
config.OFFICE_ROUTES)
else:
squashed_routes = squash_routes(all_routes)
#Finally, we need to output all the routes in a nice list that bash will be able to iterate over
for address in squashed_routes:
ip, mask = cidr_to_netmask(address)
# For one entry per line, remove the trailing comma
print("{ip} {mask}").format(ip=ip, mask=mask)