def _setup_gpg_rules():
    '''
    Allow outbound GPG traffic to keyserver.ubuntu.com on TCP port 11371.

    The destination is given as a hostname. iptables resolves it when the
    rule is inserted, so the resulting rule pins whatever address(es) the
    name resolved to at that moment and does not follow later DNS changes.
    '''
    app.print_verbose("Setup GPG output rule.")
    keyserver_rule = "-A syco_output -p tcp -d keyserver.ubuntu.com --dport 11371 -j allowed_tcp"
    iptables(keyserver_rule)
def setup_ssh_rules():
    '''
    Allow SSH on TCP ports 22, 34 and 8022, inbound and outbound.

    Neither rule restricts the peer address: the input rule makes sshd
    reachable from any address that reaches syco_input, and the output rule
    lets this host SSH anywhere. Any tighter access control has to come
    from the allowed_tcp chain or from upstream.
    '''
    app.print_verbose("Setup ssh INPUT/OUTPUT rule.")
    ssh_rules = (
        "-A syco_input -p tcp  -m multiport --dports 22,34,8022 -j allowed_tcp",
        "-A syco_output -p tcp -m multiport --dports 22,34,8022 -j allowed_tcp",
    )
    for rule in ssh_rules:
        iptables(rule)
ファイル: installSquid.py プロジェクト: Nemie/syco
def _configure_iptables():
    '''
    Open the Squid proxy port and its upstream HTTP/HTTPS egress.

    * Inbound TCP 3128 is handed to allowed_tcp with no source restriction,
      so any address that reaches syco_input can use the proxy. (The old
      docstring said "from localnets"; the rule itself does not filter on
      source.)
    * Outbound TCP 80/443 is allowed to any destination so Squid can fetch
      on behalf of its clients.

    The ruleset is then persisted with iptables.save().
    '''
    squid_rules = (
        "-A syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp",
        "-A syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp",
    )
    for rule in squid_rules:
        iptables.iptables(rule)
    iptables.save()
ファイル: installSquid.py プロジェクト: ysoldak/syco
def _configure_iptables():
    '''
    Open the Squid proxy port and its upstream HTTP/HTTPS egress.

    Inbound TCP 3128 goes to allowed_tcp with no source match, so any
    address reaching syco_input may use the proxy; the earlier "from
    localnets" wording overstated the filtering done here. Outbound TCP
    80/443 is allowed to any destination so Squid can fetch for its
    clients. The ruleset is persisted afterwards with iptables.save().
    '''
    proxy_in = "-A syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp"
    web_out = "-A syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp"

    iptables.iptables(proxy_in)
    iptables.iptables(web_out)
    iptables.save()
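def setup_dns_resolver_rules():
    '''
    Allow outbound DNS (UDP and TCP port 53) to every configured resolver.

    Resolver addresses come from config.general.get_dns_resolvers().
    Entries equal to "none" (any case) are skipped, as are empty or
    whitespace-only entries, which previously would have been spliced into
    the rule as "-d  --dport 53" and produced an invalid iptables command.
    Only NEW connections from unprivileged source ports (1024-65535) are
    matched; replies are presumably handled by the state rules in the
    surrounding chains.
    '''
    app.print_verbose("Setup DNS resolver INPUT/OUTPUT rule.")
    resolver_rule = ("-A syco_output -p %s --sport 1024:65535 -d %s "
                     "--dport 53 -m state --state NEW -j allowed_%s")
    for resolver_ip in config.general.get_dns_resolvers():
        resolver_ip = resolver_ip.strip()
        if not resolver_ip or resolver_ip.lower() == "none":
            continue
        for proto in ("udp", "tcp"):
            iptables(resolver_rule % (proto, resolver_ip, proto))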
def setup_installation_server_rules():
    '''
    Open outbound HTTP/HTTPS so packages can be fetched.

    The intended end state is to restrict the destination to the
    installation server (config.general.get_installation_server_ip()).
    Until every repo lives there, the rule below allows TCP 80/443 egress
    to ANY destination, which is much wider than "installation server"
    suggests — worth keeping in mind when auditing egress from these hosts.

    TODO: Move all repos to the install server and harden the iptables.
    '''
    app.print_verbose("Setup http access to installation server.")

    # Tightened form, once all repos are on the installation server:
    #   ip = config.general.get_installation_server_ip()
    #   -A syco_output -p tcp -d <ip> -m multiport --dports 80,443 -j allowed_tcp

    # Needed until all repos are on the installation server.
    web_egress = "-A syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp"
    iptables(web_egress)
ファイル: installSquid.py プロジェクト: Nemie/syco
def uninstall_squid(args=""):
    '''
    Remove Squid Caching Proxy from the server.

    Disables and stops the service, removes the package and the contents
    under SQUID_CONF_DIR, deletes the firewall rules added at install time
    and persists the ruleset. `args` is accepted for interface
    compatibility and is not used.
    '''
    app.print_verbose("Uninstall Squid Caching Proxy")
    os.chdir("/")

    _chkconfig("squid", "off")
    _service("squid", "stop")

    x("yum -y remove squid")
    # Glob delete under SQUID_CONF_DIR. The cwd is "/" here, so this relies
    # on the constant being a non-empty path prefix.
    x("rm -rf {0}*".format(SQUID_CONF_DIR))

    stale_rules = (
        "-D syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp",
        "-D syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp",
    )
    for rule in stale_rules:
        iptables.iptables(rule)
    iptables.save()
ファイル: easywall.py プロジェクト: mazhar266/easywall
 def __init__(self):
     """
     Load config/config.ini and apply it to the firewall.

     Creates the "running" marker file before doing any work and removes
     it at the end. There is no try/finally, so if apply() (or anything
     before it) raises, the marker is left behind. The config path is
     relative to the current working directory, not to this module.
     """
     log.logging.info("Applying new configuration.")
     self.create_running_file()
     self.config = config.config("config/config.ini")
     self.iptables = iptables.iptables()
     self.acceptance = acceptance.acceptance()
     self.apply()
     self.delete_running_file()
ファイル: installSquid.py プロジェクト: ysoldak/syco
def uninstall_squid(args=""):
    '''
    Remove Squid Caching Proxy from the server.

    Order of operations: disable and stop the service, remove the package,
    wipe everything under SQUID_CONF_DIR, delete the two firewall rules
    the install added (inbound 3128, outbound 80/443) and persist the
    ruleset. `args` is accepted for interface compatibility and not used.
    '''
    app.print_verbose("Uninstall Squid Caching Proxy")
    os.chdir("/")

    _chkconfig("squid", "off")
    _service("squid", "stop")

    x("yum -y remove squid")
    # Glob delete; cwd is "/" at this point, so SQUID_CONF_DIR must be a
    # real, non-empty path prefix.
    x("rm -rf %s*" % SQUID_CONF_DIR)

    proxy_in = "-D syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp"
    web_out = "-D syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp"
    iptables.iptables(proxy_in)
    iptables.iptables(web_out)
    iptables.save()
def add_freeradius_chain():
    '''
    Create the "freeradius" chain and allow RADIUS from the known switches.

    The chain is always torn down first (del_freeradius_chain) and only
    rebuilt when /etc/init.d/radiusd exists. It is hooked into both
    syco_input and syco_output for all protocols. Inside it, each switch
    from get_switches() may send UDP 1812/1813 (auth/accounting) from its
    back-net IP (config.host(<switch>).get_back_ip()); nothing else is
    matched, so RADIUS traffic from any other host falls through.
    '''
    del_freeradius_chain()

    if not os.path.exists('/etc/init.d/radiusd'):
        return

    app.print_verbose("Add iptables chain for FreeRadius")
    iptables("-N freeradius")
    iptables("-A syco_input  -p ALL -j freeradius")
    iptables("-A syco_output  -p ALL -j freeradius")

    # Switches are allowed to talk to radius.
    switch_rule = "-A freeradius -p UDP -m multiport -s {0} --dports 1812,1813 -j allowed_udp"
    for switch_name in get_switches():
        switch_ip = config.host(switch_name).get_back_ip()
        iptables(switch_rule.format(switch_ip))
def add_ntp_chain():
    '''
    Create the "ntp" chain and allow UDP 123 in both directions.

    Only UDP is diverted into the chain. The single rule matches
    destination port 123 with no source or destination address filter, so
    ntpd is reachable from anywhere the host is exposed and may talk to any
    server. Skipped (after the delete) unless /etc/init.d/ntpd exists.

    TODO: Only allow traffic to dedicated NTP servers and clients (restrict on ip).
    '''
    del_ntp_chain()

    if not os.path.exists('/etc/init.d/ntpd'):
        return

    app.print_verbose("Add iptables chain for ntp")

    iptables("-N ntp")
    hooks = (
        "-A syco_input  -p UDP -j ntp",
        "-A syco_output -p UDP -j ntp",
    )
    for hook in hooks:
        iptables(hook)

    iptables("-A ntp -p UDP --dport 123 -j allowed_udp")
def uninstall_haproxy(args=""):
    '''
    Remove HA Proxy from the server.

    Disables and stops the service, removes the package, the contents of
    HAPROXY_CONF_DIR and the copied certificate, then deletes the
    install-time firewall rules (TCP 80/443 and 81-84, both directions)
    and persists the ruleset. `args` is accepted for interface
    compatibility and not used.
    '''
    app.print_verbose("Uninstall HA Proxy")
    os.chdir("/")

    _chkconfig("haproxy", "off")
    _service("haproxy", "stop")

    x("yum -y remove haproxy")
    # Both paths are built from module constants; cwd is "/" here.
    x("rm -rf {0}*".format(HAPROXY_CONF_DIR))
    x("rm -rf {0}/{1}.pem".format(CERT_COPY_TO_PATH, HAPROXY_ENV))

    for ports in ("80,443", "81,82,83,84"):
        for chain in ("syco_input", "syco_output"):
            iptables.iptables("-D %s -p tcp -m multiport --dports %s -j allowed_tcp" % (chain, ports))
    iptables.save()
def add_kvm_chain():
    '''
    Create the "kvm" chain for traffic forwarded across libvirt bridges.

    All of syco_forward is sent to the chain, and any packet that is being
    bridged (-m physdev --physdev-is-bridged) is ACCEPTed outright — guest
    traffic crossing a bridge gets no further filtering here. Skipped
    (after the delete) unless /etc/init.d/libvirtd exists. libvirtd is
    reloaded at the end so it re-reads its network settings.
    '''
    del_kvm_chain()

    if not os.path.exists('/etc/init.d/libvirtd'):
        return

    app.print_verbose("Add iptables chain for kvm")

    iptables("-N kvm")
    iptables("-A syco_forward  -p ALL -j kvm")

    bridged_accept = "-A kvm -m physdev --physdev-is-bridged -j ACCEPT"
    iptables(bridged_accept)

    # DHCP for guests was considered but never enabled (TODO: needed?):
    #   -A kvm -m state --state NEW -m udp -p udp --dport 67 -j allowed_udp
    #   -A kvm -m state --state NEW -m udp -p udp --dport 68 -j allowed_udp

    # Reload all settings.
    x("service libvirtd reload")
ファイル: installKeepalived.py プロジェクト: ysoldak/syco
def _configure_iptables():
    """
    Open multicast and VRRP so keepalived can reach its peers.

    * The multicast_packets DROP rules for 224.0.0.0/4 are removed and
      ACCEPT rules for 224.0.0.0/8 are appended. Note the mismatch: only
      224.x.x.x gets an explicit ACCEPT, while 225-239.x.x.x no longer
      match anything in that chain and fall through to whatever follows.
    * VRRP is IP protocol 112. It is accepted on eth1 from any source;
      VRRP has no strong authentication, so eth1 must be a trusted segment.
    * The -D calls are not given an error-suppressing argument (compare
      add_iptables_chain, which passes general.X_OUTPUT_CMD), so whether a
      missing DROP rule aborts depends on the iptables() wrapper.
    The ruleset is persisted with iptables.save().
    """
    multicast_changes = (
        "-D multicast_packets -s 224.0.0.0/4 -j DROP",
        "-D multicast_packets -d 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/8 -j ACCEPT",
    )
    for rule in multicast_changes:
        iptables.iptables(rule)

    vrrp_in = "-A syco_input -p 112 -i eth1 -j ACCEPT"
    vrrp_out = "-A syco_output -p 112 -o eth1 -j ACCEPT"
    iptables.iptables(vrrp_in)
    iptables.iptables(vrrp_out)
    iptables.save()
ファイル: installRedis.py プロジェクト: ysoldak/syco
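def uninstall_redis(args):
    """
    Remove Redis (and the keepalived failover it was installed with).

    Disables and stops both services, removes the packages and config
    files, reverts the firewall changes made by _configure_iptables (TCP
    6379, the 224.0.0.0/8 multicast ACCEPTs and VRRP on eth1), restores the
    224.0.0.0/4 multicast DROP rules, persists the ruleset and marks the
    InstallRedis version as uninstalled.

    Fix: keepalived used to be chkconfig'd ON and restarted immediately
    before being `yum remove`d, which is inconsistent with an uninstall;
    it is now disabled and stopped like redis. `args` is accepted for
    interface compatibility and not used.
    """
    app.print_verbose("Uninstall Redis")

    os.chdir("/")

    for service_name in ("redis", "keepalived"):
        _chkconfig(service_name, "off")
        _service(service_name, "stop")

    x("yum -y remove redis keepalived")
    x("rm -rf {0}redis.conf".format(REDIS_CONF_DIR))
    x("rm -rf {0}redis.conf.rpmsave".format(REDIS_CONF_DIR))
    x("rm -rf {0}*".format(KEEPALIVED_CONF_DIR))

    # Undo the install-time rules, then put the default multicast DROP
    # rules back (appended unconditionally, so a repeat run adds duplicates).
    revert_rules = (
        "-D syco_input -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-D syco_output -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-D multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-D multicast_packets -s 224.0.0.0/8 -j ACCEPT",
        "-D syco_input -p 112 -i eth1 -j ACCEPT",
        "-D syco_output -p 112 -o eth1 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/4 -j DROP",
    )
    for rule in revert_rules:
        iptables.iptables(rule)
    iptables.save()

    version_obj = version.Version("InstallRedis", script_version)
    version_obj.mark_uninstalled()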
ファイル: installRedis.py プロジェクト: ysoldak/syco
def _configure_iptables():
    """
    Open Redis (TCP 6379) plus the multicast/VRRP traffic keepalived needs.

    * TCP 6379 is allowed in and out with no peer restriction. Redis does
      no authentication unless requirepass is configured, so access control
      rests entirely on allowed_tcp and the surrounding chains.
    * The 224.0.0.0/4 multicast DROP rules are removed and 224.0.0.0/8
      ACCEPT rules appended. The /4-vs-/8 mismatch leaves 225-239.x.x.x
      with no explicit rule in multicast_packets.
    * VRRP (IP protocol 112) is accepted on eth1 from any source; VRRP has
      no strong authentication, so eth1 must be a trusted segment.
    * The -D calls carry no error-suppressing argument, so whether a
      missing DROP rule aborts depends on the iptables() wrapper.
    The ruleset is persisted with iptables.save().
    TODO: Use kribors new iptables setup.
    """
    redis_rule = "-A %s -p tcp -m multiport --dports 6379 -j allowed_tcp"
    iptables.iptables(redis_rule % "syco_input")
    iptables.iptables(redis_rule % "syco_output")

    for direction in ("-s", "-d"):
        iptables.iptables("-D multicast_packets %s 224.0.0.0/4 -j DROP" % direction)
    for direction in ("-d", "-s"):
        iptables.iptables("-A multicast_packets %s 224.0.0.0/8 -j ACCEPT" % direction)

    iptables.iptables("-A syco_input -p 112 -i eth1 -j ACCEPT")
    iptables.iptables("-A syco_output -p 112 -o eth1 -j ACCEPT")
    iptables.save()
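def del_openvpn_chain():
    '''
    Remove the openvpn_* chains and their hooks from the syco chains.

    Every call passes general.X_OUTPUT_CMD so a missing rule or chain
    (e.g. openvpn never installed) does not abort the run.

    Fix: the flush (-F) and delete (-X) calls were written as
    "iptables -F ..." — the binary name repeated inside the argument
    string — whereas the -D lines in this same function and every other
    del_*_chain helper pass arguments only. With the prefix the wrapper
    produced an invalid command, the error was suppressed, and the chains
    were never actually flushed or deleted. They now use the argument-only
    form.
    '''
    app.print_verbose("Delete iptables chain for openvpn")

    # Unhook first: a chain that is still referenced cannot be deleted.
    iptables("-D syco_input  -p ALL -j openvpn_input", general.X_OUTPUT_CMD)
    iptables("-D syco_forward -p ALL -j openvpn_forward", general.X_OUTPUT_CMD)
    iptables("-t nat -D syco_nat_postrouting -p ALL -j openvpn_postrouting", general.X_OUTPUT_CMD)

    iptables("-F openvpn_input", general.X_OUTPUT_CMD)
    iptables("-F openvpn_forward", general.X_OUTPUT_CMD)
    iptables("-t nat -F openvpn_postrouting", general.X_OUTPUT_CMD)

    iptables("-X openvpn_input", general.X_OUTPUT_CMD)
    iptables("-X openvpn_forward", general.X_OUTPUT_CMD)
    iptables("-t nat -X openvpn_postrouting", general.X_OUTPUT_CMD)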
ファイル: zimbraAuditParse.py プロジェクト: darkacid/Abuser
            #If its time to unblock IP. unblock it
            for blocked in config.blockList:
                if (datetime.datetime.now() < (blocked[1]) +
                        datetime.timedelta(minutes=config.blockInterval)):
                    #Block time hasn't expired
                    #print("Still blocked..")
                    pass
                else:
                    #Block time expired
                    unblockIP(blocked[0])
            checkRecentFailList()
            time.sleep(self.interval)


config = config()  #Load script configuration
# Rebinds the module-level name "iptables" from the class to an instance
# bound to the configured chain; the class is no longer reachable by that
# name after this line (same pattern as "config" above).
iptables = iptables(config.iptablesChain)
logread = logread()
logread.init(config.logreadFilename)
recentFailList = []
# NOTE(review): the original comment says this starts the background
# thread; presumably BackgroundBlockCheck.__init__ starts it — confirm,
# since nothing here calls start().
checker = BackgroundBlockCheck(
    interval=config.checkInterval)  #Start background thread
log("Launch")


def eventListOp(parsedIP, parsedAccount, parsedDate):
    '''
    Adds an IP to recentEventList upon failure to login. Checks if multiple (recentFailCount) IPs access same account.
    '''
    if len(recentFailList) == 0:
        recentFailList.append([parsedAccount, (parsedIP, parsedDate)])
        return
def add_mail_relay_chain():
    '''
    Create incoming_mail/outgoing_mail and allow SMTP (TCP 25).

    Both chains are hooked for TCP only. Inbound port 25 is accepted (from
    any source) only when this host is the configured mail relay
    (config.general.get_mail_relay_server() == get_hostname()). Outbound
    port 25 is allowed on every host, to any destination — not just to the
    relay — so any host can deliver mail directly.
    '''
    del_mail_relay_chain()

    app.print_verbose("Add iptables chain for mail relay")

    for chain, hook in (("incoming_mail", None), ("outgoing_mail", None)):
        iptables("-N %s" % chain)
    iptables("-A syco_input -p tcp -j incoming_mail")
    iptables("-A syco_output -p tcp -j outgoing_mail")

    smtp_rule = "-A %s -m state --state NEW -p tcp --dport 25 -j allowed_tcp"

    # Only the relay itself accepts inbound SMTP.
    is_relay = config.general.get_mail_relay_server() == get_hostname()
    if is_relay:
        iptables(smtp_rule % "incoming_mail")

    # Every host may send mail on the DMZ.
    iptables(smtp_rule % "outgoing_mail")
def add_openvpn_chain():
    '''
    Create the openvpn_* chains: listener, tunnel forwarding and NAT.

    Always torn down first (del_openvpn_chain); rebuilt only when
    /etc/init.d/openvpn exists.

    * openvpn_input: UDP and TCP 1194 from any source (the VPN endpoint is
      meant to be reachable from outside).
    * openvpn_forward: RELATED/ESTABLISHED is accepted, then anything
      sourced from the VPN network (config.general.get_openvpn_network()
      with a hard-coded /24) is accepted with no port filtering, and
      everything else is REJECTed. Because syco_forward jumps here with
      -p ALL, that REJECT is terminal for all forwarded traffic — rules
      appended to syco_forward after this hook are never reached.
    * openvpn_postrouting (nat): VPN-sourced traffic is MASQUERADEd out of
      both eth0 and eth1.
    '''
    del_openvpn_chain()

    if not os.path.exists('/etc/init.d/openvpn'):
        return

    app.print_verbose("Add iptables chain for openvpn")

    vpn_net = "%s/24" % config.general.get_openvpn_network()

    # Chains and hooks.
    iptables("-N openvpn_input")
    iptables("-N openvpn_forward")
    iptables("-t nat -N openvpn_postrouting")

    iptables("-A syco_input        -p ALL -j openvpn_input")
    iptables("-A syco_forward      -p ALL -j openvpn_forward")
    iptables("-t nat -A syco_nat_postrouting -p ALL -j openvpn_postrouting")

    # Listener on 1194, either transport.
    for proto in ("udp", "tcp"):
        iptables("-A openvpn_input -p %s --dport 1194 -j allowed_%s" % (proto, proto))

    # Forwarding for the tunnel: established flows, then the VPN net, then
    # reject the rest.
    iptables("-A openvpn_forward -m state --state RELATED,ESTABLISHED -j ACCEPT")
    iptables("-A openvpn_forward -s %s -j ACCEPT" % vpn_net)
    # A port-scoped alternative was considered instead of the blanket ACCEPT:
    #   -A openvpn_forward -p tcp -m state --state NEW -m multiport
    #   --dports 22,34,53,80,443,4848,8080,8181,6048,6080,6081,7048,7080,7081 -j allowed_tcp
    iptables("-A openvpn_forward -j REJECT")

    # NAT the VPN net out of both interfaces.
    for nic in ("eth0", "eth1"):
        iptables("-t nat -A openvpn_postrouting -s %s -o %s -j MASQUERADE" % (vpn_net, nic))
ファイル: installKeepalived.py プロジェクト: arlukin/syco
def add_iptables_chain():
    """
    Create keepalived_input/keepalived_output and open VRRP + multicast.

    * Both chains are hooked with -p ALL into syco_output / syco_input.
    * VRRP (IP protocol 112) is accepted on the front NIC
      (get_front_nic_name()) from any peer. VRRP has no strong
      authentication, so this trusts everything on that segment.
    * The 224.0.0.0/4 multicast DROP rules are removed (errors suppressed
      with general.X_OUTPUT_CMD, e.g. when they are already gone) and
      224.0.0.0/8 ACCEPT rules are appended. The /4-vs-/8 mismatch leaves
      225-239.x.x.x with no explicit rule in multicast_packets.
    """
    app.print_verbose("Add iptables chain for keepalived")

    for chain, hook in (("keepalived_output", "syco_output"),
                        ("keepalived_input", "syco_input")):
        iptables("-N %s" % chain)
        iptables("-A %s -p ALL -j %s" % (hook, chain))

    front_nic = get_front_nic_name()

    iptables("-A keepalived_input -p 112 -i %s -j ACCEPT" % front_nic)
    iptables("-A keepalived_output -p 112 -o %s -j ACCEPT" % front_nic)

    for direction in ("-s", "-d"):
        iptables("-D multicast_packets %s 224.0.0.0/4 -j DROP" % direction, general.X_OUTPUT_CMD)
    for direction in ("-d", "-s"):
        iptables("-A multicast_packets %s 224.0.0.0/8 -j ACCEPT" % direction)
def firewall_clear(args):
    '''
    Remove all iptables rules, leaving the host completely open.

    Sets every built-in chain in the filter, nat and mangle tables to
    policy ACCEPT, flushes those tables, deletes their user-defined chains
    and zeros their counters. After this the host has NO packet filtering
    until rules are re-applied, so treat it strictly as a step before
    reconfiguring. The raw and security tables are not touched. `args` is
    accepted for interface compatibility and not used.
    '''
    app.print_verbose("Clear all iptables rules.")

    tables = ("filter", "nat", "mangle")
    builtin_chains = {
        "filter": ("INPUT", "FORWARD", "OUTPUT"),
        "nat": ("PREROUTING", "POSTROUTING", "OUTPUT"),
        "mangle": ("PREROUTING", "POSTROUTING", "INPUT", "OUTPUT", "FORWARD"),
    }

    # Reset the default policies so nothing is dropped once rules are gone.
    for table in tables:
        for chain in builtin_chains[table]:
            iptables("-t %s -P %s ACCEPT" % (table, chain))

    # Flush all chains, delete all user-defined chains, zero all counters.
    for operation in ("-F", "-X", "-Z"):
        for table in tables:
            iptables("%s -t %s" % (operation, table))
ファイル: installRedis.py プロジェクト: Nemie/syco
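def uninstall_redis(args):
    """
    Remove Redis (and the keepalived failover it was installed with).

    Disables and stops both services, removes the packages and config
    files, reverts the firewall changes made by _configure_iptables (TCP
    6379, the 224.0.0.0/8 multicast ACCEPTs and VRRP on eth1), restores the
    224.0.0.0/4 multicast DROP rules, persists the ruleset and marks the
    InstallRedis version as uninstalled.

    Fix: keepalived used to be chkconfig'd ON and restarted right before
    being `yum remove`d, which is inconsistent with an uninstall; it is now
    disabled and stopped like redis. `args` is accepted for interface
    compatibility and not used.
    """
    app.print_verbose("Uninstall Redis")

    os.chdir("/")

    for service_name in ("redis", "keepalived"):
        _chkconfig(service_name, "off")
        _service(service_name, "stop")

    x("yum -y remove redis keepalived")
    x("rm -rf {0}redis.conf".format(REDIS_CONF_DIR))
    x("rm -rf {0}redis.conf.rpmsave".format(REDIS_CONF_DIR))
    x("rm -rf {0}*".format(KEEPALIVED_CONF_DIR))

    # Undo the install-time rules, then put the default multicast DROP
    # rules back (appended unconditionally, so a repeat run adds duplicates).
    iptables.iptables("-D syco_input -p tcp -m multiport --dports 6379 -j allowed_tcp")
    iptables.iptables("-D syco_output -p tcp -m multiport --dports 6379 -j allowed_tcp")
    iptables.iptables("-D multicast_packets -d 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-D multicast_packets -s 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-D syco_input -p 112 -i eth1 -j ACCEPT")
    iptables.iptables("-D syco_output -p 112 -o eth1 -j ACCEPT")
    iptables.iptables("-A multicast_packets -s 224.0.0.0/4 -j DROP")
    iptables.iptables("-A multicast_packets -d 224.0.0.0/4 -j DROP")
    iptables.save()

    version_obj = version.Version("InstallRedis", script_version)
    version_obj.mark_uninstalled()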
ファイル: installKeepalived.py プロジェクト: ysoldak/syco
def uninstall_keepalived(args=""):
    """
    Remove Keepalived from the server.

    Disables and stops the service, removes the package and the contents
    of KA_CONF_DIR, then reverts the firewall changes: the 224.0.0.0/8
    multicast ACCEPT rules are removed, the 224.0.0.0/4 DROP rules are
    appended again, and the VRRP (protocol 112) accepts on eth1 are
    deleted. The ruleset is persisted with iptables.save(). `args` is
    accepted for interface compatibility and not used.
    """
    app.print_verbose("Uninstall Keepalived")
    os.chdir("/")

    _chkconfig("keepalived", "off")
    _service("keepalived", "stop")

    x("yum -y remove keepalived")
    x("rm -rf %s*" % KA_CONF_DIR)

    revert_rules = (
        "-D multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-D multicast_packets -s 224.0.0.0/8 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/4 -j DROP",
        "-D syco_input -p 112 -i eth1 -j ACCEPT",
        "-D syco_output -p 112 -o eth1 -j ACCEPT",
    )
    for rule in revert_rules:
        iptables.iptables(rule)
    iptables.save()
ファイル: installKeepalived.py プロジェクト: kemani/syco
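def del_iptables_chain():
    '''
    Remove the keepalived_* chains and restore the multicast DROP rules.

    Each chain is unhooked from its syco_* parent, flushed and deleted,
    with general.X_OUTPUT_CMD suppressing errors when it is already gone.
    The 224.0.0.0/8 ACCEPT rules are removed and the 224.0.0.0/4 DROP
    rules appended unconditionally (repeated calls accumulate duplicates).

    Fix: the second unhook used to repeat the keepalived_output line, so
    the "-A syco_input -p ALL -j keepalived_input" jump added by
    add_iptables_chain() was never removed. "-X keepalived_input" then
    failed silently (chain still referenced) and every re-add created a
    duplicate jump. It now removes the syco_input hook.
    '''
    app.print_verbose("Delete iptables chain for keepalived")

    for chain, hook in (("keepalived_output", "syco_output"),
                        ("keepalived_input", "syco_input")):
        iptables("-D %s -p ALL -j %s" % (hook, chain), general.X_OUTPUT_CMD)
        iptables("-F %s" % chain, general.X_OUTPUT_CMD)
        iptables("-X %s" % chain, general.X_OUTPUT_CMD)

    iptables("-D multicast_packets -d 224.0.0.0/8 -j ACCEPT",
             general.X_OUTPUT_CMD)
    iptables("-D multicast_packets -s 224.0.0.0/8 -j ACCEPT",
             general.X_OUTPUT_CMD)
    iptables("-A multicast_packets -s 224.0.0.0/4 -j DROP")
    iptables("-A multicast_packets -d 224.0.0.0/4 -j DROP")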
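def add_rsyslog_chain(context=None):
    '''
    Rsyslog IPtables rules

    Rsyslog Server
    Servers in network -> IN -> tcp -> 514 -> Rsyslog Server

    Rsyslog Client
    Rsyslog Server <- OUT <- tcp <- 514 <- Rsyslog Client

    context: None, "server" or "client". The rsyslog_in/rsyslog_out chains
    are (re)created when either the rsyslog server or client install is
    recorded as executed, or when context names one of them. Inbound
    TCP and UDP 514 are accepted from the back and front subnets only on
    the server (InstallRsyslogd executed or context == "server"). No
    client-side output rule is added in this function as written.

    Fix: the server check used `context is "server"`, an identity test
    that only holds for the interned literal and is unreliable for a
    string built at runtime; it is now an equality comparison.
    '''
    del_rsyslog_chain()

    import installRsyslog
    import installRsyslogd

    server_version_obj = version.Version("InstallRsyslogd", installRsyslogd.SCRIPT_VERSION)
    client_version_obj = version.Version("InstallRsyslogdClient", installRsyslog.SCRIPT_VERSION)

    wanted = (server_version_obj.is_executed()
              or client_version_obj.is_executed()
              or context in ["server", "client"])
    if not wanted:
        return

    app.print_verbose("Add iptables chain for rsyslog")
    iptables("-N rsyslog_in")
    iptables("-N rsyslog_out")
    iptables("-A syco_input  -p all -j rsyslog_in")
    iptables("-A syco_output -p all -j rsyslog_out")

    # On rsyslog server: accept syslog from both local subnets.
    if server_version_obj.is_executed() or context == "server":
        subnets = (config.general.get_back_subnet(),
                   config.general.get_front_subnet())
        for proto in ("tcp", "udp"):
            for subnet in subnets:
                iptables(
                    " -A rsyslog_in -m state --state NEW -p %s -s %s --dport 514 -j allowed_%s" %
                    (proto, subnet, proto)
                )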
def del_rsyslog_chain():
    '''
    Unhook, flush and delete the rsyslog_in/rsyslog_out chains.

    Every call passes general.X_OUTPUT_CMD so a chain that does not exist
    yet does not abort the run.
    '''
    app.print_verbose("Delete iptables chain for rsyslog")
    for chain, hook in (("rsyslog_in", "syco_input"),
                        ("rsyslog_out", "syco_output")):
        iptables("-D %s -p all -j %s" % (hook, chain), general.X_OUTPUT_CMD)
        iptables("-F %s" % chain, general.X_OUTPUT_CMD)
        iptables("-X %s" % chain, general.X_OUTPUT_CMD)
def add_bind_chain():
    '''
    Create bind_input/bind_output and allow DNS (port 53) both ways.

    Only when /etc/init.d/named exists (the delete always runs). The hook
    rules carry no -p match, so every packet in syco_input/syco_output
    traverses the bind chains; inside them only NEW UDP/TCP port-53
    traffic is matched — from any source inbound, to any destination
    outbound.
    '''
    del_bind_chain()

    if not os.path.exists('/etc/init.d/named'):
        return

    app.print_verbose("Add iptables chain for bind")
    iptables("-N bind_input")
    iptables("-N bind_output")
    iptables("-A syco_input -j bind_input")
    iptables("-A syco_output -j bind_output")

    dns_rule = "-A %s -m state --state NEW -p %s --dport 53 -j allowed_%s"
    for chain in ("bind_input", "bind_output"):
        for proto in ("udp", "tcp"):
            iptables(dns_rule % (chain, proto, proto))
def del_bind_chain():
    '''
    Unhook, flush and delete the bind_input/bind_output chains.

    Both hooks are removed first, then both chains flushed, then both
    deleted; general.X_OUTPUT_CMD suppresses errors when they are absent.
    '''
    app.print_verbose("Delete iptables chain for bind")
    chains = (("bind_input", "syco_input"), ("bind_output", "syco_output"))

    for chain, hook in chains:
        iptables("-D %s -j %s" % (hook, chain), general.X_OUTPUT_CMD)

    for operation in ("-F", "-X"):
        for chain, _hook in chains:
            iptables("%s %s" % (operation, chain), general.X_OUTPUT_CMD)
ファイル: installKeepalived.py プロジェクト: arlukin/syco
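def del_iptables_chain():
    '''
    Remove the keepalived_* chains and restore the multicast DROP rules.

    Each chain is unhooked from its syco_* parent, flushed and deleted,
    with general.X_OUTPUT_CMD suppressing errors when it is already gone.
    The 224.0.0.0/8 ACCEPT rules are removed and the 224.0.0.0/4 DROP
    rules appended unconditionally (repeated calls accumulate duplicates).

    Fix: the second unhook used to repeat the keepalived_output line, so
    the "-A syco_input -p ALL -j keepalived_input" jump added by
    add_iptables_chain() was never removed. "-X keepalived_input" then
    failed silently (chain still referenced) and every re-add created a
    duplicate jump. It now removes the syco_input hook.
    '''
    app.print_verbose("Delete iptables chain for keepalived")

    iptables("-D syco_output -p ALL -j keepalived_output", general.X_OUTPUT_CMD)
    iptables("-F keepalived_output", general.X_OUTPUT_CMD)
    iptables("-X keepalived_output", general.X_OUTPUT_CMD)

    iptables("-D syco_input -p ALL -j keepalived_input", general.X_OUTPUT_CMD)
    iptables("-F keepalived_input", general.X_OUTPUT_CMD)
    iptables("-X keepalived_input", general.X_OUTPUT_CMD)

    iptables("-D multicast_packets -d 224.0.0.0/8 -j ACCEPT", general.X_OUTPUT_CMD)
    iptables("-D multicast_packets -s 224.0.0.0/8 -j ACCEPT", general.X_OUTPUT_CMD)
    iptables("-A multicast_packets -s 224.0.0.0/4 -j DROP")
    iptables("-A multicast_packets -d 224.0.0.0/4 -j DROP")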
def add_openvas_chain():
    '''
    Create openvas_input/openvas_output for the OpenVAS scanner.

    Skipped (after the delete) unless /usr/sbin/openvassd exists. Inbound
    TCP 9392 goes to allowed_tcp with no source restriction. Outbound is
    "-p ALL -j ACCEPT": every protocol to every destination, bypassing the
    allowed_* chains entirely. That is what a scanner needs, but it means
    this host has effectively no egress filtering while OpenVAS is
    installed.
    '''
    del_openvas_chain()

    if not os.path.exists('/usr/sbin/openvassd'):
        return

    app.print_verbose("Add iptables chain for openvas")
    for chain in ("openvas_input", "openvas_output"):
        iptables("-N %s" % chain)
    iptables("-A syco_input  -p ALL -j openvas_input")
    iptables("-A syco_output -p ALL -j openvas_output")

    scanner_ui_in = "-A openvas_input -p TCP --dport 9392 -j allowed_tcp"
    scanner_egress = "-A openvas_output -p ALL -j ACCEPT"
    iptables(scanner_ui_in)
    iptables(scanner_egress)
def del_ossec_chain():
    '''
    Unhook, flush and delete the ossec_in/ossec_out chains.

    The hooks are UDP-only, matching add_ossec_chain. general.X_OUTPUT_CMD
    suppresses errors when a chain or hook is already absent.
    '''
    app.print_verbose("Delete iptables chain for Ossec")

    for chain, hook in (("ossec_in", "syco_input"),
                        ("ossec_out", "syco_output")):
        iptables("-D %s -p udp -j %s" % (hook, chain), general.X_OUTPUT_CMD)
        iptables("-F %s" % chain, general.X_OUTPUT_CMD)
        iptables("-X %s" % chain, general.X_OUTPUT_CMD)
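def add_ossec_chain():
    '''
    OSSEC IPtables rules

    OSSEC Server
    Servers in network -> IN -> udp -> 1514 -> OSSEC Server
    Servers in network <- OUT <- udp <- 1514 <- OSSEC Server

    OSSEC Client
    OSSEC Server -> IN -> udp -> 1514 -> OSSEC Client
    OSSEC Server <- OUT <- udp <- 1514 <- OSSEC Client

    Recreates the ossec_in/ossec_out chains (UDP only) when /var/ossec
    exists. On a host that has the server binary (ossec-remoted), one
    in/out rule pair per entry of get_servers() is added, keyed on that
    server's front IP. No client-side rule is added in this function as
    written.

    Fix: a server whose rules could not be added (e.g. its front IP fails
    to resolve from config) used to be skipped with a bare `pass`, so the
    missing rule was invisible. The failure is still non-fatal, but it is
    now reported through app.print_verbose.
    '''
    del_ossec_chain()

    if not os.path.exists('/var/ossec'):
        return

    app.print_verbose("Add iptables chain for OSSEC")

    # Create chains.
    iptables("-N ossec_in")
    iptables("-N ossec_out")
    iptables("-A syco_input -p udp -j ossec_in")
    iptables("-A syco_output -p udp -j ossec_out")

    # Ossec Server
    if os.path.exists('/var/ossec/bin/ossec-remoted'):
        for server in get_servers():
            try:
                front_ip = config.host(server).get_front_ip()
                iptables("-A ossec_in -p udp -s %s --dport 1514 -j allowed_udp" % front_ip)
                iptables("-A ossec_out -p udp -d %s --dport 1514 -j allowed_udp" % front_ip)
            except Exception as e:
                # Best effort: keep going for the other servers, but say
                # which one got no rule and why.
                app.print_verbose("Skipping OSSEC rules for %s: %s" % (server, e))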
def del_freeradius_chain():
    '''
    Unhook (from syco_input and syco_output), flush and delete the
    "freeradius" chain. general.X_OUTPUT_CMD suppresses errors when the
    chain or a hook is already absent.
    '''
    app.print_verbose("Delete iptables chain for FreeRadius")
    teardown = (
        "-D syco_input  -p ALL -j freeradius",
        "-D syco_output  -p ALL -j freeradius",
        "-F freeradius",
        "-X freeradius",
    )
    for args in teardown:
        iptables(args, general.X_OUTPUT_CMD)
def del_mail_relay_chain():
    '''
    Unhook, flush and delete the incoming_mail/outgoing_mail chains.

    Both TCP hooks are removed first, then both chains are flushed, then
    deleted; general.X_OUTPUT_CMD suppresses errors when they are absent.
    '''
    app.print_verbose("Delete iptables chain for mail_relay")

    chains = (("incoming_mail", "syco_input"), ("outgoing_mail", "syco_output"))

    for chain, hook in chains:
        iptables("-D %s -p tcp -j %s" % (hook, chain), general.X_OUTPUT_CMD)

    for operation in ("-F", "-X"):
        for chain, _hook in chains:
            iptables("%s %s" % (operation, chain), general.X_OUTPUT_CMD)
ファイル: installKeepalived.py プロジェクト: kemani/syco
def add_iptables_chain():
    """
    Create keepalived_input/keepalived_output and open VRRP + multicast.

    * Both chains are hooked with -p ALL into syco_output / syco_input.
    * VRRP (IP protocol 112) is accepted on the front NIC
      (get_front_nic_name()) from any peer. VRRP has no strong
      authentication, so this trusts everything on that segment.
    * The 224.0.0.0/4 multicast DROP rules are removed (errors suppressed
      with general.X_OUTPUT_CMD, e.g. when they are already gone) and
      224.0.0.0/8 ACCEPT rules are appended. The /4-vs-/8 mismatch leaves
      225-239.x.x.x with no explicit rule in multicast_packets.
    """
    app.print_verbose("Add iptables chain for keepalived")

    iptables("-N keepalived_output")
    iptables("-A syco_output -p ALL -j keepalived_output")
    iptables("-N keepalived_input")
    iptables("-A syco_input -p ALL -j keepalived_input")

    front_nic = get_front_nic_name()

    vrrp_in = "-A keepalived_input -p 112 -i %s -j ACCEPT" % front_nic
    vrrp_out = "-A keepalived_output -p 112 -o %s -j ACCEPT" % front_nic
    iptables(vrrp_in)
    iptables(vrrp_out)

    drop_rules = (
        "-D multicast_packets -s 224.0.0.0/4 -j DROP",
        "-D multicast_packets -d 224.0.0.0/4 -j DROP",
    )
    for rule in drop_rules:
        iptables(rule, general.X_OUTPUT_CMD)

    accept_rules = (
        "-A multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/8 -j ACCEPT",
    )
    for rule in accept_rules:
        iptables(rule)
def del_openvas_chain():
    '''
    Unhook, flush and delete the openvas_input/openvas_output chains.

    general.X_OUTPUT_CMD suppresses errors when a chain or hook is absent.
    '''
    app.print_verbose("Delete iptables chain for openvas")
    teardown = (
        "-D syco_input  -p ALL -j openvas_input",
        "-F openvas_input",
        "-X openvas_input",
        "-D syco_output -p ALL -j openvas_output",
        "-F openvas_output",
        "-X openvas_output",
    )
    for args in teardown:
        iptables(args, general.X_OUTPUT_CMD)
ファイル: installRedis.py プロジェクト: Nemie/syco
def _configure_iptables():
    """
    Open Redis (TCP 6379) plus the multicast/VRRP traffic keepalived needs.

    * TCP 6379 is allowed in and out with no peer restriction. Redis does
      no authentication unless requirepass is configured, so access control
      rests entirely on allowed_tcp and the surrounding chains.
    * The 224.0.0.0/4 multicast DROP rules are removed and 224.0.0.0/8
      ACCEPT rules appended. The /4-vs-/8 mismatch leaves 225-239.x.x.x
      with no explicit rule in multicast_packets.
    * VRRP (IP protocol 112) is accepted on eth1 from any source; VRRP has
      no strong authentication, so eth1 must be a trusted segment.
    * The -D calls carry no error-suppressing argument, so whether a
      missing DROP rule aborts depends on the iptables() wrapper.
    The ruleset is persisted with iptables.save().
    TODO: Use kribors new iptables setup.
    """
    install_rules = (
        "-A syco_input -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-A syco_output -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-D multicast_packets -s 224.0.0.0/4 -j DROP",
        "-D multicast_packets -d 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/8 -j ACCEPT",
        "-A syco_input -p 112 -i eth1 -j ACCEPT",
        "-A syco_output -p 112 -o eth1 -j ACCEPT",
    )
    for rule in install_rules:
        iptables.iptables(rule)
    iptables.save()
def _configure_iptables():
    '''
    Open the HAProxy listener ports in the firewall.

    TCP 80/443 and 81-84 are handed to allowed_tcp in both syco_input and
    syco_output with no source or destination restriction, i.e. the proxy
    front-ends are reachable from anywhere the host is exposed. The
    ruleset is persisted with iptables.save().
    '''
    for ports in ("80,443", "81,82,83,84"):
        for chain in ("syco_input", "syco_output"):
            iptables.iptables("-A %s -p tcp -m multiport --dports %s -j allowed_tcp" % (chain, ports))
    iptables.save()