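def stop_service(service):
    """ (Service) -> None

    Remove the iptables objects installed by ``start_service`` for ``service``:
    first the jump from INPUT into the service chain (the rule whose condition is
    ``Portequals`` on ``service.port``), then the chain ``fm_<service.name>``
    itself.  The order matters: iptables refuses to delete a chain that is still
    referenced by a jump rule.
    """
    # Same chain name (unicode prefix) that start_service builds.
    chain = u"fm_" + service.name

    # Rebuild the jump rule exactly as start_service did so delete_rule can
    # locate it in INPUT.
    jump_rule = services_conf.Rule()
    jump_rule.action = chain
    jump_rule.condition = services_conf.Condition({
        "type": u"Portequals",
        "value": service.port,
    })
    delete_rule(jump_rule, "iptables")

    # Unlinked above, so the chain can now be dropped.
    iptables.delete_chain(chain)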
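def start_service(service):
    """ (Service) -> None

    Install the iptables rules for ``service``.

    A dedicated chain ``fm_<service.name>`` is (re)created and the service's own
    rules (``service.rules``, optional) are appended to it.  Only then is the
    jump from INPUT added (condition ``Portequals`` on ``service.port``, for
    ``service.transport``).  Linking the chain last closes the window in which
    traffic for the port would already be diverted into a chain that has no
    rules yet and simply fall through to the rest of INPUT.
    """
    chain = u"fm_" + service.name

    # Start from a clean chain: drop any stale copy before re-creating it.
    iptables.delete_chain(chain)
    iptables.add_chain(chain)

    # A service doesn't really need rules.
    for rule in getattr(service, 'rules', ()):
        add_rule(rule, "iptables", chain, service.transport)

    # TODO: if service is called init or final, add at start or end
    jump_rule = services_conf.Rule()
    jump_rule.action = chain
    jump_rule.condition = services_conf.Condition({
        "type": u"Portequals",
        "value": service.port,
    })
    add_rule(jump_rule, "iptables", "INPUT", service.transport)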
def delete_iptables_rules():
    """Tear down everything this module installed in iptables.

    Removes the NFQUEUE rules registered with argument ``2`` (presumably the
    queue number), then the rules listed in ``RULES``, and finally the
    ``fq_INPUT`` / ``fq_OUTPUT`` / ``fq_FORWARD`` chains.  Rules go first
    because iptables will not delete a chain that is still referenced.
    """
    iptables.delete_nfqueue_rules(2)
    iptables.delete_rules(RULES)
    for chain_name in ('fq_INPUT', 'fq_OUTPUT', 'fq_FORWARD'):
        iptables.delete_chain(chain_name)
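def iptables_apply(self):
    """Install the ``nat``-table chains and rules that realise this endpoint's redirection.

    Three per-endpoint chains are created and hooked into the ``ipfloater-*``
    parent chains:

    * ``ipfl-rule-<id>-OUTPUT`` and ``ipfl-rule-<id>-PREROUTING`` hold one and
      the same DNAT rule (``-d public_ip/32 [-p tcp --dport public_port]
      -j DNAT --to-destination private_ip[:private_port]``) so the redirection
      applies both to locally generated and to incoming traffic.
    * ``ipfl-rule-<id>-POSTROUTING`` holds the reverse SNAT rule
      (``-s private_ip/32 [-p tcp --dport private_port] -j SNAT
      --to-source public_ip[:public_port]``).

    When a chain with one of those names already exists it is unlinked from its
    parent and deleted first if ``OVERWRITE_RULES`` is true; otherwise a warning
    is logged and the method fails before creating anything.

    Chain and rule operations are batched (``table.autocommit = False``) and
    handed to the kernel with one ``commit()`` at the end.  NOTE(review): the
    ``iptables.link_chains`` / ``unlink_chains`` helpers are assumed to honour
    that setting -- confirm they do not commit on their own.

    Returns:
        ``(result, msg)``: ``result`` is ``True`` on success; on failure
        ``msg`` holds the logged error text so the caller can report it.
    """
    result, msg = True, ""
    hooks = ("OUTPUT", "PREROUTING", "POSTROUTING")
    chain_names = {hook: "ipfl-rule-%s-%s" % (self.id, hook) for hook in hooks}

    table = iptc.Table(iptc.Table.NAT)
    table.refresh()
    table.autocommit = False

    try:
        # Resolve name conflicts for all three chains before creating any of them.
        for hook in hooks:
            name = chain_names[hook]
            if not iptables.chain_exists(table, name):
                continue
            if not OVERWRITE_RULES:
                msg = _LOGGER.log("chain %s already exists" % name, logging.WARNING)
                raise Exception(msg)
            iptables.unlink_chains(table, "ipfloater-%s" % hook, name)
            iptables.delete_chain(table, name)

        # DNAT rule shared by OUTPUT and PREROUTING.
        # NOTE(review): the tcp/--dport match is gated on private_port while the
        # target port is gated on public_port.  That only adds up when both ports
        # are zero (whole-address NAT) or both are non-zero; a mixed pair yields
        # a "--dport 0" match that never fires.  Confirm mixed pairs cannot
        # reach this code, or reject them up front.
        rule_out = iptc.Rule()
        if self.private_port != 0:
            rule_out.protocol = "tcp"
            tcp_match = iptc.Match(rule_out, "tcp")
            tcp_match.dport = str(self.public_port)
            rule_out.add_match(tcp_match)
        rule_out.dst = "%s/32" % self.public_ip
        rule_out.target = rule_out.create_target("DNAT")
        if self.public_port == 0:
            rule_out.target.to_destination = self.private_ip
        else:
            rule_out.target.to_destination = "%s:%d" % (self.private_ip, self.private_port)

        # No RETURN is appended: when an endpoint chain runs out of rules,
        # evaluation resumes in the parent ipfloater-* chain, so the chains of
        # other endpoints are still consulted.
        for hook in ("OUTPUT", "PREROUTING"):
            chain = table.create_chain(chain_names[hook])
            chain.append_rule(rule_out)
            iptables.link_chains(table, "ipfloater-%s" % hook, chain_names[hook])

        # Reverse SNAT rule for traffic leaving the private address.
        # NOTE(review): this matches the *destination* port of packets coming
        # from private_ip; confirm that is intended (the mirror image of the
        # DNAT above would be a source-port match).
        # TODO (carried over from the original, in Spanish): NAT loopback /
        # hairpin is not handled here.  The note sketched an extra POSTROUTING
        # SNAT for traffic whose source is the LAN, e.g.
        #   iptables -t nat -A ipfl-rule-0-POSTROUTING -s 10.3.0.5/24 \
        #       -d 10.3.0.5/32 -p tcp --dport 22 -j SNAT --to-source 10.0.0.69
        rule_post = iptc.Rule()
        if self.public_port != 0:
            rule_post.protocol = "tcp"
            tcp_match = iptc.Match(rule_post, "tcp")
            tcp_match.dport = str(self.private_port)
            rule_post.add_match(tcp_match)
        rule_post.src = "%s/32" % self.private_ip
        rule_post.target = rule_post.create_target("SNAT")
        if self.public_port == 0:
            rule_post.target.to_source = self.public_ip
        else:
            rule_post.target.to_source = "%s:%d" % (self.public_ip, self.public_port)

        chain = table.create_chain(chain_names["POSTROUTING"])
        chain.append_rule(rule_post)
        iptables.link_chains(table, "ipfloater-POSTROUTING", chain_names["POSTROUTING"])

        table.commit()
    except Exception as exc:
        # Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit still
        # propagate, and so the caller always gets a message, not just for the
        # chain-name conflict.
        result = False
        if not msg:
            msg = _LOGGER.log("applying iptables rules for endpoint %s failed: %s"
                              % (self.id, exc), logging.ERROR)
        # NOTE(review): the partially built batch is not explicitly discarded
        # here; depending on the python-iptables version a later refresh()/
        # commit() on this table may push it.  Worth verifying on the target
        # version and adding an explicit discard if one is available.
    finally:
        # Restore autocommit even on failure: to my understanding iptc.Table
        # objects are cached per table name, so a flag left at False here would
        # silently stall every later caller's changes.
        table.autocommit = True
    return result, msg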
def delete_iptables_rules():
    """Undo this module's iptables changes.

    Deletes the rules listed in ``RULES``, then the NFQUEUE rules registered
    with argument ``2`` (presumably the queue number), and lastly the three
    ``scramble_*`` chains -- rules first, because a chain that is still
    referenced by a rule cannot be deleted.
    """
    iptables.delete_rules(RULES)
    iptables.delete_nfqueue_rules(2)
    for chain_name in ('scramble_INPUT', 'scramble_OUTPUT', 'scramble_FORWARD'):
        iptables.delete_chain(chain_name)
def delete_iptables_rules():
    """Undo this module's iptables changes.

    Deletes the rules listed in ``RULES`` and then the ``fp_PREROUTING`` and
    ``fp_OUTPUT`` chains -- rules first, because a chain that is still
    referenced by a rule cannot be deleted.
    """
    iptables.delete_rules(RULES)
    for chain_name in ('fp_PREROUTING', 'fp_OUTPUT'):
        iptables.delete_chain(chain_name)