def testInterfacesNegated(self):
    """Parse a negated -i / -o in both iptables spellings of the negation.

    iptables < 1.4.3 writes the '!' after the flag ('-i ! eth0'), >= 1.4.3
    writes it before ('! -i eth0'); both must parse to the same Rule.
    """
    cases = [
        # iptables < 1.4.3
        ('-i ! eth0 -j LOG --log-prefix "Martians "', 'in_interface'),
        ('-o ! eth0 -j LOG --log-prefix "Martians "', 'out_interface'),
        # iptables >= 1.4.3
        ('! -i eth0 -j LOG --log-prefix "Martians "', 'in_interface'),
        ('! -o eth0 -j LOG --log-prefix "Martians "', 'out_interface'),
    ]
    for text, field in cases:
        parsed = netfilter.parser.parse_rule(text)
        fields = {field: '! eth0'}
        expected = Rule(jump=Target('LOG', '--log-prefix "Martians "'), **fields)
        self.assertEqual(parsed, expected)
def testMatchMultiportDports(self):
    """specbits() renders a multiport --dports match ahead of the jump (verbose variant)."""
    print('Running Test Match Mulitport Dports...')
    ports = '20,21,22,80,25,1720'
    rule = Rule(jump='ACCEPT')
    rule.matches.append(Match('multiport', '--dports ' + ports))
    print('\tRule:', rule)
    expected = ['-m', 'multiport', '--dports', ports] + ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
    print('...Done')
def testMatchMultiportDports(self):
    """specbits() renders a multiport --dports match ahead of the jump."""
    ports = '20,21,22,80,25,1720'
    rule = Rule(jump='ACCEPT')
    rule.matches.append(Match('multiport', '--dports ' + ports))
    expected = ['-m', 'multiport', '--dports', ports, '-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
def testMatchTcpSport(self):
    """A tcp --sport match is rendered after -p tcp and before the jump (verbose variant)."""
    print('Running Test Match TCP SPort...')
    rule = Rule(protocol='tcp', jump='ACCEPT')
    rule.matches.append(Match('tcp', '--sport 1234'))
    print('\tRule:', rule)
    expected = ['-p', 'tcp'] + ['-m', 'tcp', '--sport', '1234'] + ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
    print('...Done')
def testMatchTcpNotFlags(self):
    """A negated --tcp-flags option keeps the '!' as its own token in specbits()."""
    rule = Rule(protocol='tcp', jump='ACCEPT')
    rule.matches.append(Match('tcp', '--tcp-flags ! ACK,SYN ACK'))
    expected = ['-p', 'tcp']
    expected += ['-m', 'tcp', '--tcp-flags', '!', 'ACK,SYN', 'ACK']
    expected += ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
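def _accept_udp_to(ip_addr):
    """Build the FORWARD rule that accepts UDP traffic destined to ``ip_addr``."""
    return Rule(jump='ACCEPT', protocol='udp',
                matches=[Match('udp', '--dst ' + str(ip_addr))])


def rule_manager():
    """Run the reconciliation loop between the ``AuthConns`` table and iptables.

    On start-up the baseline rules are installed, the ``AuthConns`` table is
    emptied and the firewall log is truncated.  Then, every 15 seconds, each
    row is handled as follows:

    * session expired (``sessiontime`` <= now): its ACCEPT rule is removed
      (best effort) and the row is deleted;
    * ``fw_status`` not yet set: an ACCEPT rule is prepended to FORWARD and
      the flag is set;
    * ``ip_port`` not yet known: ``log_lookup()`` and ``manage_logging()``
      are run.

    Never returns.
    """
    filtable = Table('filter')
    firewalliot.block_rules()
    db.create_all()
    db.session.query(AuthConns).delete()
    db.session.commit()
    # Truncate (not delete) the firewall log; the context manager closes it.
    with open('/var/log/firewall', 'w'):
        pass
    while True:
        now = int(time.time())
        for row in db.session.query(AuthConns):
            if int(row.sessiontime) <= now:
                # Best effort: the rule may already have been removed elsewhere.
                try:
                    filtable.delete_rule('FORWARD', _accept_udp_to(row.ip_addr))
                except IptablesError:
                    pass
                db.session.delete(
                    AuthConns.query.filter(AuthConns.id == row.id).first())
            elif not row.fw_status:
                filtable.prepend_rule('FORWARD', _accept_udp_to(row.ip_addr))
                # Fix: the original assigned to a misspelled name (NameError),
                # so fw_status was never persisted and the rule was re-added
                # on every pass.
                cwfwrule = AuthConns.query.filter_by(id=row.id).first()
                cwfwrule.fw_status = True
            elif not row.ip_port:
                log_lookup()
                manage_logging()
        db.session.commit()
        time.sleep(15)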
def testMatchState(self):
    """A state match is rendered as '-m state --state ...' before the jump (verbose variant)."""
    print('Running Test Match State...')
    states = 'ESTABLISHED,RELATED'
    rule = Rule(jump='ACCEPT')
    rule.matches.append(Match('state', '--state ' + states))
    print('\tRule:', rule)
    self.assertEqual(rule.specbits(),
                     ['-m', 'state', '--state', states, '-j', 'ACCEPT'])
    print('...Done')
def testMatchTos(self):
    """A tos match is rendered as '-m tos --tos 0x10' before the jump (verbose variant)."""
    print('Running Test Match TOS...')
    rule = Rule(jump='ACCEPT')
    rule.matches.append(Match('tos', '--tos 0x10'))
    print('\tRule:', rule)
    expected = ['-m', 'tos', '--tos', '0x10'] + ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
    print('...Done')
def testMatchMark(self):
    """A mark match is rendered as '-m mark --mark 0x64' before the jump (verbose variant)."""
    print('Running Test Match Mark...')
    rule = Rule(jump='ACCEPT')
    rule.matches.append(Match('mark', '--mark 0x64'))
    print('\tRule:', rule)
    expected = ['-m', 'mark', '--mark', '0x64'] + ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
    print('...Done')
def testMatchTcpFlags(self):
    """--tcp-flags splits into mask and compare tokens in specbits() (verbose variant)."""
    print('Running Test Match TCP Flags...')
    rule = Rule(protocol='tcp', jump='ACCEPT')
    rule.matches.append(Match('tcp', '--tcp-flags ACK,SYN ACK'))
    print('\tRule:', rule)
    expected = ['-p', 'tcp']
    expected += ['-m', 'tcp', '--tcp-flags', 'ACK,SYN', 'ACK']
    expected += ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
    print('...Done')
def testInterfaces(self):
    """An interface-only rule sets -i/-o and leaves the address fields unset."""
    rule = Rule(in_interface="eth1", out_interface="eth2", jump="REJECT")
    for unset in ("protocol", "source", "destination"):
        self.assertIsNone(getattr(rule, unset))
    self.assertEqual(rule.in_interface, "eth1")
    self.assertEqual(rule.out_interface, "eth2")
    expected = ["-i", "eth1", "-o", "eth2", "-j", "REJECT"]
    self.assertEqual(rule.specbits(), expected)
def testInterfaces(self):
    """An interface-only rule sets -i/-o and leaves the address fields unset."""
    rule = Rule(in_interface='eth1', out_interface='eth2', jump='REJECT')
    self.assertEqual(rule.in_interface, 'eth1')
    self.assertEqual(rule.out_interface, 'eth2')
    for unset in ('protocol', 'source', 'destination'):
        self.assertIsNone(getattr(rule, unset))
    self.assertEqual(rule.specbits(),
                     ['-i', 'eth1', '-o', 'eth2', '-j', 'REJECT'])
def testInterfacesNegated(self):
    """A '!'-prefixed interface is stored verbatim and emitted as '!' then the flag."""
    rule = Rule(in_interface='!eth1', out_interface='!eth2', jump='REJECT')
    self.assertEqual(rule.in_interface, '!eth1')
    self.assertEqual(rule.out_interface, '!eth2')
    for unset in ('protocol', 'source', 'destination'):
        self.assertIsNone(getattr(rule, unset))
    expected = ['!', '-i', 'eth1'] + ['!', '-o', 'eth2'] + ['-j', 'REJECT']
    self.assertEqual(rule.specbits(), expected)
def testDestination(self):
    """A destination-only rule sets -d and a bare REJECT target."""
    rule = Rule(destination="192.168.1.3", jump="REJECT")
    for unset in ("protocol", "in_interface", "out_interface", "source"):
        self.assertIsNone(getattr(rule, unset))
    self.assertEqual(rule.destination, "192.168.1.3")
    target = rule.jump
    self.assertEqual(target.name(), "REJECT")
    self.assertEqual(target.options(), {})
    self.assertEqual(rule.specbits(), ["-d", "192.168.1.3", "-j", "REJECT"])
def testInit(self):
    """A Rule built from a Target alone has every match field unset."""
    rule = Rule(jump=Target('ACCEPT'))
    for unset in ('protocol', 'in_interface', 'out_interface',
                  'source', 'destination'):
        self.assertIsNone(getattr(rule, unset))
    target = rule.jump
    self.assertEqual(target.name(), 'ACCEPT')
    self.assertEqual(target.options(), {})
    self.assertEqual(rule.specbits(), ['-j', 'ACCEPT'])
def testSource(self):
    """A source-only rule sets -s and a bare ACCEPT target."""
    rule = Rule(source="192.168.1.2", jump="ACCEPT")
    self.assertEqual(rule.source, "192.168.1.2")
    for unset in ("protocol", "in_interface", "out_interface", "destination"):
        self.assertIsNone(getattr(rule, unset))
    target = rule.jump
    self.assertEqual(target.name(), "ACCEPT")
    self.assertEqual(target.options(), {})
    self.assertEqual(rule.specbits(), ["-s", "192.168.1.2", "-j", "ACCEPT"])
def testDestinationNegated(self):
    """A '! addr' destination is kept verbatim and emitted as '!', '-d', addr."""
    rule = Rule(destination='! 192.168.1.3', jump='REJECT')
    self.assertEqual(rule.destination, '! 192.168.1.3')
    for unset in ('protocol', 'in_interface', 'out_interface', 'source'):
        self.assertIsNone(getattr(rule, unset))
    target = rule.jump
    self.assertEqual(target.name(), 'REJECT')
    self.assertEqual(target.options(), {})
    expected = ['!', '-d', '192.168.1.3'] + ['-j', 'REJECT']
    self.assertEqual(rule.specbits(), expected)
def testSourceNegated(self):
    """A '! addr' source is kept verbatim and emitted as '!', '-s', addr."""
    rule = Rule(source='! 192.168.1.2', jump='ACCEPT')
    self.assertEqual(rule.source, '! 192.168.1.2')
    for unset in ('protocol', 'in_interface', 'out_interface', 'destination'):
        self.assertIsNone(getattr(rule, unset))
    target = rule.jump
    self.assertEqual(target.name(), 'ACCEPT')
    self.assertEqual(target.options(), {})
    expected = ['!', '-s', '192.168.1.2'] + ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
def testSourceDestinationProtocol(self):
    """Protocol, source and destination are emitted as -p, -s, -d in that order."""
    rule = Rule(source="192.168.1.2", destination="192.168.1.3",
                protocol="tcp", jump="DROP")
    self.assertEqual(rule.protocol, "tcp")
    self.assertIsNone(rule.in_interface)
    self.assertIsNone(rule.out_interface)
    self.assertEqual(rule.source, "192.168.1.2")
    self.assertEqual(rule.destination, "192.168.1.3")
    target = rule.jump
    self.assertEqual(target.name(), "DROP")
    self.assertEqual(target.options(), {})
    expected = ["-p", "tcp", "-s", "192.168.1.2", "-d", "192.168.1.3"]
    expected += ["-j", "DROP"]
    self.assertEqual(rule.specbits(), expected)
def block_rules():
    """Install the baseline firewall rule set.

    Flushes nat POSTROUTING and filter INPUT/FORWARD/OUTPUT, appends the base
    rules (SSH in, UDP 32100 forwarded wlan0->eth0, RELATED/ESTABLISHED return
    traffic, MASQUERADE out of eth0, loopback and wlan0 access), then switches
    the filter policies to DROP.
    """
    nattable = Table('nat')
    filtable = Table('filter')
    # INPUT policy is opened before the flush -- presumably so that flushing
    # the chains cannot cut off the session running this script; it is set
    # back to DROP at the end.
    filtable.set_policy('INPUT', 'ACCEPT')
    for chain in ('POSTROUTING',):
        nattable.flush_chain(chain)
    for chain in ('FORWARD', 'OUTPUT', 'INPUT'):
        filtable.flush_chain(chain)

    established = '--state RELATED,ESTABLISHED'
    # (table, chain, rule) in the order they are appended.
    additions = [
        (filtable, 'INPUT', Rule(protocol='tcp',
                                 matches=[Match('tcp', '--dport 22')],
                                 jump='ACCEPT')),
        (filtable, 'FORWARD', Rule(in_interface='wlan0', out_interface='eth0',
                                   protocol='udp',
                                   matches=[Match('udp', '--dport 32100')],
                                   jump='ACCEPT')),
        (filtable, 'FORWARD', Rule(in_interface='eth0', out_interface='wlan0',
                                   jump='ACCEPT',
                                   matches=[Match('state', established)])),
        (filtable, 'INPUT', Rule(jump='ACCEPT',
                                 matches=[Match('state', established)])),
        (nattable, 'POSTROUTING', Rule(out_interface='eth0', jump='MASQUERADE')),
        (filtable, 'OUTPUT', Rule(out_interface='wlan0', jump='ACCEPT')),
        (filtable, 'OUTPUT', Rule(out_interface='eth0', jump='ACCEPT')),
        (filtable, 'INPUT', Rule(in_interface='wlan0', jump='ACCEPT')),
        (filtable, 'INPUT', Rule(in_interface='lo', jump='ACCEPT')),
        (filtable, 'OUTPUT', Rule(out_interface='lo', jump='ACCEPT')),
    ]
    for table, chain, rule in additions:
        table.append_rule(chain, rule)

    # Default-deny everything not explicitly allowed above.
    for chain in ('FORWARD', 'INPUT', 'OUTPUT'):
        filtable.set_policy(chain, 'DROP')
def testSourceDestinationProtocol(self):
    """Protocol, source and destination are emitted as -p, -s, -d in that order."""
    rule = Rule(source='192.168.1.2', destination='192.168.1.3',
                protocol='tcp', jump='DROP')
    self.assertEqual(rule.protocol, 'tcp')
    for unset in ('in_interface', 'out_interface'):
        self.assertIsNone(getattr(rule, unset))
    self.assertEqual(rule.source, '192.168.1.2')
    self.assertEqual(rule.destination, '192.168.1.3')
    target = rule.jump
    self.assertEqual(target.name(), 'DROP')
    self.assertEqual(target.options(), {})
    expected = ['-p', 'tcp', '-s', '192.168.1.2', '-d', '192.168.1.3']
    expected += ['-j', 'DROP']
    self.assertEqual(rule.specbits(), expected)
def testInterfacesNegated(self):
    """A '!'-prefixed interface is emitted as '!' then the flag (verbose variant)."""
    print('Running Test Interfaces Negated...')
    rule = Rule(in_interface='!eth0', out_interface='!eth2', jump='REJECT')
    print('\tRule:', rule)
    for unset in ('protocol', 'source', 'destination'):
        self.assertIsNone(getattr(rule, unset))
    self.assertEqual(rule.in_interface, '!eth0')
    self.assertEqual(rule.out_interface, '!eth2')
    expected = ['!', '-i', 'eth0'] + ['!', '-o', 'eth2'] + ['-j', 'REJECT']
    self.assertEqual(rule.specbits(), expected)
    print('...Done')
def testInit(self):
    """A Rule built from a Target alone has every match field unset (verbose variant)."""
    print('Rule Test Case Set:\nRunning Test Inital...')
    rule = Rule(jump=Target('ACCEPT'))
    print('\tRule:', rule)
    for unset in ('protocol', 'in_interface', 'out_interface',
                  'source', 'destination'):
        self.assertIsNone(getattr(rule, unset))
    target = rule.jump
    self.assertEqual(target.name(), 'ACCEPT')
    self.assertEqual(target.options(), {})
    self.assertEqual(rule.specbits(), ['-j', 'ACCEPT'])
    print('...Done')
def testSourceNegated(self):
    """A '! addr' source is emitted as '!', '-s', addr (verbose variant)."""
    print('Running Test Source Negated...')
    rule = Rule(source='! 104.236.221.27', jump='ACCEPT')
    print('\tRule:', rule)
    self.assertEqual(rule.source, '! 104.236.221.27')
    for unset in ('protocol', 'in_interface', 'out_interface', 'destination'):
        self.assertIsNone(getattr(rule, unset))
    target = rule.jump
    self.assertEqual(target.name(), 'ACCEPT')
    self.assertEqual(target.options(), {})
    expected = ['!', '-s', '104.236.221.27'] + ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
    print('...Done')
def testDestinationNegated(self):
    """A '! addr' destination is emitted as '!', '-d', addr (verbose variant)."""
    print('Running Test Destination Negated...')
    rule = Rule(destination='! 192.168.1.3', jump='REJECT')
    print('\tRule:', rule)
    self.assertEqual(rule.destination, '! 192.168.1.3')
    for unset in ('protocol', 'in_interface', 'out_interface', 'source'):
        self.assertIsNone(getattr(rule, unset))
    target = rule.jump
    self.assertEqual(target.name(), 'REJECT')
    self.assertEqual(target.options(), {})
    expected = ['!', '-d', '192.168.1.3'] + ['-j', 'REJECT']
    self.assertEqual(rule.specbits(), expected)
    print('...Done')
def setDefaultPolicy(self):
    """Apply the default-deny baseline: INPUT and FORWARD DROP, OUTPUT ACCEPT.

    Each DROP chain gets an ACCEPT rule for ESTABLISHED,RELATED traffic so
    replies to permitted connections still get through.
    """
    self.printMessage("set default policy", None)

    def established_accept():
        return Rule(matches=[Match('state', '--state ESTABLISHED,RELATED')],
                    jump='ACCEPT')

    self.filter.set_policy('INPUT', 'DROP')
    self.filter.append_rule('INPUT', established_accept())
    self.filter.set_policy('OUTPUT', 'ACCEPT')
    self.filter.set_policy('FORWARD', 'DROP')
    self.filter.append_rule('FORWARD', established_accept())
def force_add(ip_addr):
    """Prepend FORWARD rules for UDP traffic destined to ``ip_addr``.

    Two rules are inserted at the top of the filter FORWARD chain: an ACCEPT,
    then (above it, since each prepend goes first) a rate-limited LOG rule.
    ``ip_addr`` must already be a string; it is concatenated unchanged.
    """
    dst_match = Match('udp', '--dst ' + ip_addr)
    filtable = Table('filter')

    accept = Rule(jump='ACCEPT', protocol='udp', matches=[dst_match])
    filtable.prepend_rule('FORWARD', accept)

    log = Rule(jump='LOG', protocol='udp', matches=[
        Match('udp', '--dst ' + ip_addr),
        Match('limit', '--limit 1/hour --limit-burst 1'),
    ])
    filtable.prepend_rule('FORWARD', log)
def testSourceDestinationProtocol(self):
    """Protocol, source and destination are emitted as -p, -s, -d (verbose variant)."""
    print('Running Test Source Destination Protocol...')
    rule = Rule(source='104.236.221.27', destination='192.168.1.3',
                protocol='tcp', jump='DROP')
    print('\tRule:', rule)
    self.assertEqual(rule.protocol, 'tcp')
    for unset in ('in_interface', 'out_interface'):
        self.assertIsNone(getattr(rule, unset))
    self.assertEqual(rule.source, '104.236.221.27')
    self.assertEqual(rule.destination, '192.168.1.3')
    target = rule.jump
    self.assertEqual(target.name(), 'DROP')
    self.assertEqual(target.options(), {})
    expected = ['-p', 'tcp', '-s', '104.236.221.27', '-d', '192.168.1.3']
    expected += ['-j', 'DROP']
    self.assertEqual(rule.specbits(), expected)
    print('...Done')
def testSourceDestinationProtocol(self):
    """Protocol, source and destination are emitted as -p, -s, -d in that order."""
    rule = Rule(source='192.168.1.2', destination='192.168.1.3',
                protocol='tcp', jump='DROP')
    self.assertEqual(rule.protocol, 'tcp')
    self.assertIsNone(rule.in_interface)
    self.assertIsNone(rule.out_interface)
    self.assertEqual(rule.source, '192.168.1.2')
    self.assertEqual(rule.destination, '192.168.1.3')
    target = rule.jump
    self.assertEqual(target.name(), 'DROP')
    self.assertEqual(target.options(), {})
    expected = ['-p', 'tcp', '-s', '192.168.1.2', '-d', '192.168.1.3']
    expected += ['-j', 'DROP']
    self.assertEqual(rule.specbits(), expected)
def testProtocolNegated(self):
    """Parse a negated -p in both iptables spellings ('-p ! tcp' and '! -p tcp')."""
    texts = [
        '-p ! tcp -j LOG --log-prefix "Martians "',   # iptables < 1.4.3
        '! -p tcp -j LOG --log-prefix "Martians "',   # iptables >= 1.4.3
    ]
    for text in texts:
        parsed = netfilter.parser.parse_rule(text)
        expected = Rule(protocol='! tcp',
                        jump=Target('LOG', '--log-prefix "Martians "'))
        self.assertEqual(parsed, expected)
def testSourceNegated(self):
    """Parse a negated -s in both iptables spellings ('-s ! net' and '! -s net')."""
    texts = [
        '-s ! 10.1.0.0/20 -j LOG --log-prefix "Martians "',   # iptables < 1.4.3
        '! -s 10.1.0.0/20 -j LOG --log-prefix "Martians "',   # iptables >= 1.4.3
    ]
    for text in texts:
        parsed = netfilter.parser.parse_rule(text)
        expected = Rule(source='! 10.1.0.0/20',
                        jump=Target('LOG', '--log-prefix "Martians "'))
        self.assertEqual(parsed, expected)
def block_icmp_port_unreachable():
    """
    Blocks ICMP port unreachable packets sent by the kernel when a UDP port
    is hit without any service listening.

    Appends a DROP rule for icmp-type port-unreachable to the filter OUTPUT
    chain; see unblock_icmp_port_unreachable for the matching removal.
    """
    rule = Rule(protocol="icmp",
                matches=[Match('icmp', '--icmp-type port-unreachable')],
                jump='DROP')
    filter_table = Table('filter')
    filter_table.append_rule('OUTPUT', rule)
def testDestinationNegated(self):
    """Parse a negated -d in both iptables spellings ('-d ! net' and '! -d net')."""
    texts = [
        '-d ! 10.1.0.0/20 -j LOG --log-prefix "Martians "',   # iptables < 1.4.3
        '! -d 10.1.0.0/20 -j LOG --log-prefix "Martians "',   # iptables >= 1.4.3
    ]
    for text in texts:
        parsed = netfilter.parser.parse_rule(text)
        expected = Rule(destination='! 10.1.0.0/20',
                        jump=Target('LOG', '--log-prefix "Martians "'))
        self.assertEqual(parsed, expected)
def testJump(self):
    """A buffered table records an append as a single full iptables argv."""
    table = netfilter.table.Table('test_table', False)
    table.append_rule('test_chain', Rule(jump='ACCEPT'))
    argv = ['iptables', '-t', 'test_table', '-A', 'test_chain', '-j', 'ACCEPT']
    self.assertEqual(table.get_buffer(), [argv])
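def addFilter(self, start, end, destination, duration, message):
    """Add a DNAT filter for the integer address range ``start``..``end``.

    The range is rendered as ``ip/slash`` via ``toips``/``tobits`` and used as
    the source of a tcp/587 rule jumping to ``option['jump']`` with
    ``--to-destination destination``.  A range overlapping an entry already in
    ``self.rules`` is ignored with a message.  When ``self.debug`` is set the
    iptables rule is not installed, but the database row and the in-memory
    ``self.rules`` entry are still written.  ``duration`` is forced to 10 when
    the module-level ``debug_cleanup`` flag is set.
    """
    if debug_cleanup:
        duration = 10
    with self.lock:
        ip = toips(start)
        slash = tobits(end - start + 1)
        for s, e in self.rules:
            if s <= start <= e:
                print('overlapping rule ignored (start) %s/%d' % (ip, slash))
                return
            if s <= end <= e:
                print('overlapping rule ignored (end) %s/%d' % (ip, slash))
                return
            # Fix: a new range that fully encloses an existing one has neither
            # endpoint inside it and used to slip past the two checks above.
            if start <= s and e <= end:
                print('overlapping rule ignored (contains) %s/%d' % (ip, slash))
                return
        rule = Rule(protocol='tcp',
                    source='%s/%d' % (ip, slash),
                    matches=[Match('tcp', '--destination-port 587')],
                    jump=Target(option['jump'],
                                '--to-destination %s' % destination))
        if not self.debug:
            self.table.append_rule(option['chain'], rule)
        self.database.insert(start, end, duration, message)
        self.rules[(start, end)] = rule
        print("added %s/%d" % (ip, slash))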
def unblock_outgoing_packets(proto, ipsrc=None, portsrc=None, ipdst=None, portdst=None):
    """
    Unblocks outgoing packets coming from the kernel using iptables command.

    Rebuilds the DROP rule for the given 5-tuple fragment on the filter
    OUTPUT chain and deletes it.  A rule that is not present is reported on
    stdout rather than raised.
    """
    # NOTE(review): port matches always use the 'tcp' match module regardless
    # of `proto` -- presumably mirrors the blocking side; confirm before use
    # with other protocols.
    port_flags = (('--sport ', portsrc), ('--dport ', portdst))
    matches = [Match('tcp', flag + str(port)) for flag, port in port_flags if port]
    rule = Rule(
        protocol=proto,
        source=ipsrc,
        destination=ipdst,
        matches=matches,
        jump='DROP')
    try:
        Table('filter').delete_rule('OUTPUT', rule)
    except IptablesError:
        print("Unknown rule !", proto, ipsrc, portsrc, ipdst, portdst)
def acceptForward(self, in_interface=None, out_interface=None):
    """Append an ACCEPT to FORWARD for traffic from in_interface to out_interface.

    Either interface may be None, in which case that side is left unrestricted.
    """
    self.printMessage("allow FORWARD", in_interface)
    rule = Rule(in_interface=in_interface,
                out_interface=out_interface,
                jump='ACCEPT')
    self.filter.append_rule('FORWARD', rule)
def testMatch(self):
    """A parsed '-m state --state ...' yields one Match and round-trips via specbits()."""
    states = 'ESTABLISHED,RELATED'
    parsed = netfilter.parser.parse_rule('-m state --state ' + states)
    self.assertEqual(parsed, Rule(matches=[Match('state', '--state ' + states)]))
    self.assertEqual(parsed.specbits(), ['-m', 'state', '--state', states])
def redirectHttp(self, interface, proxy_port):
    """Redirect inbound tcp/80 on interface to local proxy_port via nat PREROUTING.

    No-op under IPv6 (self.__ipv6), where the nat table is not used here.
    """
    if self.__ipv6:
        return
    self.printMessage("redirect HTTP to port %s" % proxy_port, interface)
    redirect = Target('REDIRECT', '--to-port %s' % proxy_port)
    rule = Rule(in_interface=interface,
                protocol='tcp',
                matches=[Match('tcp', '--dport 80')],
                jump=redirect)
    self.nat.append_rule('PREROUTING', rule)
def acceptIcmp(self, interface=None):
    """Allow a fixed set of ICMP types on INPUT (all of icmpv6 when IPv6).

    For IPv4 only echo-request and the unreachable/fragmentation/time-exceeded
    error types are accepted, one rule per type.
    """
    self.printMessage("allow selected icmp INPUT", interface)
    if self.__ipv6:
        rule = Rule(in_interface=interface, protocol='icmpv6', jump='ACCEPT')
        self.filter.append_rule('INPUT', rule)
        return
    allowed_types = (
        'echo-request',
        'network-unreachable',
        'host-unreachable',
        'port-unreachable',
        'fragmentation-needed',
        'time-exceeded',
    )
    for icmp_type in allowed_types:
        rule = Rule(in_interface=interface,
                    protocol='icmp',
                    matches=[Match('icmp', "--icmp-type %s" % icmp_type)],
                    jump='ACCEPT')
        self.filter.append_rule('INPUT', rule)
def set_rule(self, in_int, port, src_ip):
    '''
    Make netfilter rule.
    -I INPUT -i $int_in -p tcp --dport $port -j ACCEPT

    Returns the Rule object; installing it is left to the caller.
    '''
    fields = {
        "in_interface": f"{in_int}",
        "source": f"{src_ip}",
        "protocol": "tcp",
        "matches": [Match("tcp", f"--dport {port}")],
        "jump": "ACCEPT",
    }
    return Rule(**fields)
def unblock_icmp_port_unreachable():
    """
    Remove the rule that blocks ICMP port unreachable.

    Rebuilds the same OUTPUT DROP rule and deletes it; a missing rule is
    reported on stdout, not raised.
    """
    rule = Rule(protocol="icmp",
                matches=[Match('icmp', '--icmp-type port-unreachable')],
                jump='DROP')
    filter_table = Table('filter')
    try:
        filter_table.delete_rule('OUTPUT', rule)
    except IptablesError:
        print("Try to remove unexisting icmp port-unreachable")
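def force_remove(ip_addr):
    """Delete the FORWARD ACCEPT and LOG rules for UDP traffic to ``ip_addr``.

    Each deletion is best effort: an ``IptablesError`` (rule not present) is
    ignored so the other rule is still attempted.  ``ip_addr`` is passed
    through ``str()`` for both rules, matching the ACCEPT rule built in the
    rest of the module (the original only converted it for one of the two).
    """
    dst = '--dst ' + str(ip_addr)
    filtable = Table('filter')
    rules = [
        Rule(jump='ACCEPT', protocol='udp', matches=[Match('udp', dst)]),
        Rule(jump='LOG', protocol='udp', matches=[
            Match('udp', dst),
            Match('limit', '--limit 1/hour --limit-burst 1'),
        ]),
    ]
    for rule in rules:
        try:
            filtable.delete_rule('FORWARD', rule)
        except IptablesError:
            # Rule already absent; nothing to undo.
            pass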
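def manage_logging():
    """Swap the catch-all ACCEPT/LOG rules for a port-specific ACCEPT.

    For every ``AuthConns`` row that has an ``ip_port`` but is not yet marked
    ``port_status``: prepend an ACCEPT restricted to ``--dst ip --dport port``,
    then best-effort delete the broader LOG and ACCEPT rules for the address,
    and flag the row.  The session is not committed here; the caller
    (``rule_manager``) commits.
    """
    filtable = Table('filter')
    for row in db.session.query(AuthConns):
        if not (row.ip_port and not row.port_status):
            continue
        # NOTE(review): ip_addr/ip_port are read from the database and spliced
        # straight into the match option string; if those columns can be
        # written by untrusted input they should be validated (address/port
        # syntax) before reaching iptables.
        ip_addr = str(row.ip_addr)
        dst = '--dst ' + ip_addr
        narrowed = Rule(jump='ACCEPT', protocol='udp', matches=[
            Match('udp', dst + ' --dport ' + str(row.ip_port)),
        ])
        filtable.prepend_rule('FORWARD', narrowed)
        to_remove = [
            Rule(jump='LOG', protocol='udp', matches=[
                Match('udp', dst),
                Match('limit', '--limit 1/hour --limit-burst 1'),
            ]),
            Rule(jump='ACCEPT', protocol='udp', matches=[Match('udp', dst)]),
        ]
        for rule in to_remove:
            try:
                filtable.delete_rule('FORWARD', rule)
            except IptablesError:
                # Already gone; the narrowed rule above is what matters.
                pass
        row.port_status = True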
def add_rule(chain, source, to):
    """Adds a rule to the given table.

    Prepends a tcp REDIRECT from port ``source`` to port ``to`` on ``chain``.
    PREROUTING rules are bound to the outbound network interface (incoming
    side); any other chain is bound to the loopback on the outgoing side.
    """
    rule = Rule(protocol='tcp')
    if chain == 'PREROUTING':
        interface = outbound_network_interface()
        rule.in_interface = interface
    else:
        interface = 'lo'
        rule.out_interface = interface
    rule.matches = [Match('tcp', '--dport {}'.format(source))]
    rule.jump = Target('REDIRECT', '--to-port {}'.format(to))
    table.prepend_rule(chain, rule)
    log.debug('Added a redirect for %s to %s on %s.', source, to, interface)
def acceptProtocol(self, interface, protocol, ports, destination=None, source=None):
    """Accept NEW connections for protocol on the given ports on INPUT.

    ``ports`` is an iterable of port strings, joined into one multiport
    --destination-port match.
    """
    port_str = ','.join(ports)
    message = "allow selected %s INPUT (ports: %s)" % (protocol, port_str)
    self.printMessage(message, interface)
    matches = [
        Match('state', '--state NEW'),
        Match('multiport', "--destination-port %s" % port_str),
    ]
    rule = Rule(in_interface=interface,
                destination=destination,
                source=source,
                protocol=protocol,
                matches=matches,
                jump='ACCEPT')
    self.filter.append_rule('INPUT', rule)
def testMatchTcpNotFlags(self):
    """A negated --tcp-flags option keeps the '!' as its own token in specbits()."""
    rule = Rule(protocol='tcp', jump='ACCEPT')
    rule.matches.append(Match('tcp', '--tcp-flags ! ACK,SYN ACK'))
    expected = ['-p', 'tcp', '-m', 'tcp', '--tcp-flags', '!', 'ACK,SYN', 'ACK']
    expected += ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
def testMatchState(self):
    """A state match is rendered as '-m state --state ...' before the jump."""
    states = 'ESTABLISHED,RELATED'
    rule = Rule(jump='ACCEPT')
    rule.matches.append(Match('state', '--state ' + states))
    self.assertEqual(rule.specbits(),
                     ['-m', 'state', '--state', states, '-j', 'ACCEPT'])
def testMatchMultiportDports(self):
    """specbits() renders a multiport --dports match ahead of the jump."""
    rule = Rule(jump='ACCEPT')
    rule.matches.append(Match('multiport', '--dports 20,21,22,80,25,1720'))
    expected = ['-m', 'multiport', '--dports', '20,21,22,80,25,1720']
    expected += ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
def testMatchMark(self):
    """A mark match is rendered as '-m mark --mark 0x64' before the jump."""
    rule = Rule(jump='ACCEPT')
    rule.matches.append(Match('mark', '--mark 0x64'))
    expected = ['-m', 'mark', '--mark', '0x64'] + ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
def testTargetLog(self):
    """LOG target options are emitted sorted by name with quotes stripped."""
    target = Target('LOG', '--log-prefix "ICMP accepted : " --log-level 4')
    rule = Rule(jump=target)
    expected = ['-j', 'LOG', '--log-level', '4', '--log-prefix', 'ICMP accepted : ']
    self.assertEqual(rule.specbits(), expected)
def testMatchTos(self):
    """A tos match is rendered as '-m tos --tos 0x10' before the jump."""
    rule = Rule(jump="ACCEPT")
    rule.matches.append(Match("tos", "--tos 0x10"))
    expected = ["-m", "tos", "--tos", "0x10"] + ["-j", "ACCEPT"]
    self.assertEqual(rule.specbits(), expected)
def testMatchTcpSport(self):
    """A tcp --sport match is rendered after -p tcp and before the jump."""
    rule = Rule(protocol="tcp", jump="ACCEPT")
    rule.matches.append(Match("tcp", "--sport 1234"))
    expected = ["-p", "tcp"] + ["-m", "tcp", "--sport", "1234"] + ["-j", "ACCEPT"]
    self.assertEqual(rule.specbits(), expected)
def testMatchTcpSport(self):
    """A tcp --sport match is rendered after -p tcp and before the jump."""
    rule = Rule(protocol='tcp', jump='ACCEPT')
    rule.matches.append(Match('tcp', '--sport 1234'))
    expected = ['-p', 'tcp']
    expected += ['-m', 'tcp', '--sport', '1234']
    expected += ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
def sourceNAT(self, interface):
    """Masquerade traffic leaving through interface (nat POSTROUTING).

    No-op under IPv6 (self.__ipv6).
    """
    if self.__ipv6:
        return
    self.printMessage("enable SNAT", interface)
    rule = Rule(out_interface=interface, jump='MASQUERADE')
    self.nat.append_rule('POSTROUTING', rule)
def testMatchTos(self):
    """A tos match is rendered as '-m tos --tos 0x10' before the jump."""
    rule = Rule(jump='ACCEPT')
    rule.matches.append(Match('tos', '--tos 0x10'))
    expected = ['-m', 'tos', '--tos', '0x10']
    expected += ['-j', 'ACCEPT']
    self.assertEqual(rule.specbits(), expected)
def testTargetLog(self):
    """LOG target options are emitted sorted by name with quotes stripped (verbose variant)."""
    print('Running Test Target Log...')
    target = Target('LOG', '--log-prefix "ICMP accepted : " --log-level 4')
    rule = Rule(jump=target)
    print('\tRule:', rule)
    expected = ['-j', 'LOG', '--log-level', '4', '--log-prefix', 'ICMP accepted : ']
    self.assertEqual(rule.specbits(), expected)
    print('...Done')