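def block_ips(ips):
    """Add a filter/INPUT DROP rule for each listed source IP, skipping private ranges.

    Args:
        ips: iterable of one-element rows ``(ip,)`` (the shape a DB cursor
            returns), each holding one IPv4 address as a string.

    Returns:
        The number of addresses actually blocked. Addresses in the loopback
        or RFC 1918 ranges are skipped and are not counted.
    """
    # http://stackoverflow.com/questions/2814002/private-ip-address-identifier-in-regular-expression
    # Anchored at the start of the address: 127.*, 10.*, 172.16-31.*, 192.168.*
    private_ips = re.compile(r"^(127|10|172\.1[6-9]|172\.2[0-9]|172\.3[0-1]|192\.168)\.")
    blocked = 0
    for row in ips:
        (ip,) = row
        if private_ips.match(ip):
            continue
        print("Dropping all packets from %s" % ip)
        # NOTE(review): ip is handed to the rule unvalidated; the netfilter
        # backend is assumed to reject malformed addresses -- confirm before
        # feeding it log-derived strings.
        table = Table('filter')
        table.append_rule('INPUT', Rule(source=ip, jump='DROP'))
        blocked += 1
    # Report the rules actually added, not the size of the input list.
    print("Done processing (blocked %d suspicious IP addresses)" % blocked)
    return blocked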
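def markhost(self, oid, ipaddress):
    """Tag the connections of one host with CONNMARK value *oid*.

    Appends two rules to the ``mangle`` table: one on ``out_traffic``
    matching *ipaddress* as source, one on ``in_traffic`` matching it as
    destination; both set the connection mark to ``oid``. An IptablesError
    raised by either append is written to stdout instead of propagating,
    so a failure on the second append leaves only the first rule in place.

    Args:
        oid: mark value; str(oid) is spliced into the ``--set-mark`` option.
        ipaddress: host address; ``/32`` is appended, so pass a single IPv4
            address rather than a network.
    """
    mark = '--set-mark ' + str(oid)
    host = ipaddress + "/32"
    # Each rule gets its own Target object so the two are not coupled.
    rule_out = Rule(source=host, jump=Target('CONNMARK', mark))
    rule_in = Rule(destination=host, jump=Target('CONNMARK', mark))
    table = Table('mangle')
    try:
        table.append_rule('out_traffic', rule_out)
        table.append_rule('in_traffic', rule_in)
    except IptablesError as e:
        sys.stdout.write("Unknown error: %s" % e)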
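def block_outgoing_packets(proto, ipsrc=None, portsrc=None, ipdst=None, portdst=None):
    """Append a filter/OUTPUT rule that DROPs matching locally generated packets.

    Args:
        proto: protocol name for ``-p`` (e.g. ``'tcp'``, ``'udp'``).
        ipsrc, ipdst: optional source / destination address or network.
        portsrc, portdst: optional source / destination port. Ports only
            exist for tcp and udp and are matched with that protocol's
            match module.

    Raises:
        ValueError: a port was given together with a protocol that has none.
    """
    if (portsrc or portdst) and proto not in ("tcp", "udp"):
        raise ValueError("port filters require proto 'tcp' or 'udp', got %r" % (proto,))
    matches = []
    # The match module must agree with -p: '-p udp -m tcp' is rejected by iptables.
    if portsrc:
        matches.append(Match(proto, "--sport " + str(portsrc)))
    if portdst:
        matches.append(Match(proto, "--dport " + str(portdst)))
    rule = Rule(
        protocol=proto,
        source=ipsrc,
        destination=ipdst,
        matches=matches,
        jump="DROP",
    )
    Table("filter").append_rule("OUTPUT", rule)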
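def filter_ports(device, ports):
    """Add iptables rules that DROP the given gluster ports on *device*.

    Two dedicated chains, ``gluster-input`` and ``gluster-output``, are
    created in the filter table and hooked into INPUT / OUTPUT for
    *device*; the per-port DROP rules go into those chains. If the input
    chain already exists a notice is printed and nothing is changed.

    Args:
        device: interface name the rules are bound to.
        ports: ``{'input': {proto: [port, ...]}, 'output': {proto: [...]}}``;
            a missing direction is treated as empty.
    """
    input_filter = 'gluster-input'
    output_filter = 'gluster-output'
    table = Table('filter')

    if input_filter in table.list_chains():
        print("Gluster ports are already filtered out. Ignoring request...")
        return

    # Dedicated chains keep the gluster rules apart from whatever else lives
    # in INPUT/OUTPUT, so they can be listed and removed as a unit.
    table.create_chain(input_filter)
    table.append_rule('INPUT', Rule(in_interface=device, jump=input_filter))
    table.create_chain(output_filter)
    table.append_rule('OUTPUT', Rule(out_interface=device, jump=output_filter))

    _append_port_drops(table, input_filter, 'INPUT', device, ports.get('input', {}))
    _append_port_drops(table, output_filter, 'OUTPUT', device, ports.get('output', {}))


def _append_port_drops(table, chain, direction, device, ports_by_proto):
    """Append one DROP rule per (protocol, port) of *ports_by_proto* to *chain*.

    *direction* is ``'INPUT'`` or ``'OUTPUT'`` and decides whether the rule is
    bound to *device* as in- or out-interface.
    """
    iface_kw = 'in_interface' if direction == 'INPUT' else 'out_interface'
    for protocol, port_list in ports_by_proto.items():
        for port in port_list:
            rule = Rule(
                protocol=protocol,
                matches=[Match(protocol, '--dport %s' % port)],
                jump='DROP',
                **{iface_kw: device})
            print("Filtering port %s from %s on device %s..." % (port, direction, device))
            table.append_rule(chain, rule)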
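def block_outgoing_packets(proto, ipsrc=None, portsrc=None, ipdst=None, portdst=None):
    """Append a filter/OUTPUT rule that DROPs matching locally generated packets.

    Args:
        proto: protocol name for ``-p`` (e.g. ``'tcp'``, ``'udp'``).
        ipsrc, ipdst: optional source / destination address or network.
        portsrc, portdst: optional source / destination port. Ports only
            exist for tcp and udp and are matched with that protocol's
            match module.

    Raises:
        ValueError: a port was given together with a protocol that has none.
    """
    if (portsrc or portdst) and proto not in ('tcp', 'udp'):
        raise ValueError("port filters require proto 'tcp' or 'udp', got %r" % (proto,))
    matches = []
    # The match module must agree with -p: '-p udp -m tcp' is rejected by iptables.
    if portsrc:
        matches.append(Match(proto, '--sport ' + str(portsrc)))
    if portdst:
        matches.append(Match(proto, '--dport ' + str(portdst)))
    rule = Rule(
        protocol=proto,
        source=ipsrc,
        destination=ipdst,
        matches=matches,
        jump='DROP')
    Table('filter').append_rule('OUTPUT', rule)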
from netfilter.rule import Rule, Match, Target
from netfilter.table import Table

# Redirect everything arriving on eth0 to one host: a DNAT rule in the
# nat/PREROUTING chain with no protocol or port restriction.
dnat_target = Target('DNAT', '--to-destination 192.168.137.1')
rule = Rule(in_interface='eth0', jump=dnat_target)
Table('nat').append_rule('PREROUTING', rule)
print(rule)
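from netfilter.rule import Rule, Match
from netfilter.table import Table

# Python 2's builtin input() evaluates the typed text (it is
# eval(raw_input())); read the raw line instead so every answer is a plain
# string on both Python 2 and Python 3.
try:
    _read_line = raw_input  # Python 2
except NameError:
    _read_line = input      # Python 3

# Interactively append rules until the operator answers 'yes' to the exit prompt.
while True:
    table_name = _read_line('table_name : ')
    chain_name = _read_line('chain_name : ')
    rule = Rule(
        in_interface=_read_line('in_interface : '),
        protocol=_read_line('protocol : '),
        matches=[Match(_read_line('name : '), '--dport ' + _read_line('dport : '))],
        jump=_read_line('jump : '))
    Table(table_name).append_rule(chain_name, rule)
    if _read_line('Do you want Exit ?') == 'yes':
        break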
from netfilter.rule import Rule, Match, Target
from netfilter.table import Table

# DNAT every packet arriving on eth0 to a single host; the rule carries no
# protocol or port match, so all traffic on that interface is redirected.
dnat_target = Target('DNAT', '--to-destination 192.168.137.1')
rule = Rule(in_interface='eth0', jump=dnat_target)
Table('nat').append_rule('PREROUTING', rule)
print(rule)
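def block_rules(lan_if='wlan0', wan_if='eth0', forward_udp_port=32100, ssh_port=22):
    """Reset the firewall to a default-deny policy that admits only the expected traffic.

    The order is deliberate: INPUT is set to ACCEPT before the chains are
    flushed so the flush itself cannot cut off a remote administrator, every
    ACCEPT rule is appended next, and the DROP policies are applied last.

    Args:
        lan_if: inside interface. Everything arriving on it is accepted, and
            its hosts may send UDP *forward_udp_port* out through *wan_if*.
        wan_if: outside interface. Traffic leaving it is masqueraded, and
            only replies to established connections are forwarded back in.
        forward_udp_port: the single UDP destination port forwarded lan -> wan.
        ssh_port: TCP port accepted on INPUT from any interface.

    The defaults reproduce the wlan0 / eth0 / 32100 / 22 configuration.
    """
    nat = Table('nat')
    filt = Table('filter')

    # Open INPUT before flushing so an existing session survives the reset.
    filt.set_policy('INPUT', 'ACCEPT')
    nat.flush_chain('POSTROUTING')
    for chain in ('FORWARD', 'OUTPUT', 'INPUT'):
        filt.flush_chain(chain)

    # INPUT: ssh from anywhere, replies to our own connections, anything from
    # the LAN side, and loopback. Rule order within the chain matters.
    filt.append_rule('INPUT', Rule(
        protocol='tcp',
        matches=[Match('tcp', '--dport %s' % ssh_port)],
        jump='ACCEPT'))
    filt.append_rule('INPUT', Rule(
        matches=[Match('state', '--state RELATED,ESTABLISHED')],
        jump='ACCEPT'))
    filt.append_rule('INPUT', Rule(in_interface=lan_if, jump='ACCEPT'))
    filt.append_rule('INPUT', Rule(in_interface='lo', jump='ACCEPT'))

    # FORWARD: one UDP port lan -> wan, plus the return half of those flows.
    filt.append_rule('FORWARD', Rule(
        in_interface=lan_if,
        out_interface=wan_if,
        protocol='udp',
        matches=[Match('udp', '--dport %s' % forward_udp_port)],
        jump='ACCEPT'))
    filt.append_rule('FORWARD', Rule(
        in_interface=wan_if,
        out_interface=lan_if,
        matches=[Match('state', '--state RELATED,ESTABLISHED')],
        jump='ACCEPT'))

    # NAT: hide forwarded LAN traffic behind the wan interface's address.
    nat.append_rule('POSTROUTING', Rule(out_interface=wan_if, jump='MASQUERADE'))

    # OUTPUT: locally generated traffic may leave on either interface or loopback.
    filt.append_rule('OUTPUT', Rule(out_interface=lan_if, jump='ACCEPT'))
    filt.append_rule('OUTPUT', Rule(out_interface=wan_if, jump='ACCEPT'))
    filt.append_rule('OUTPUT', Rule(out_interface='lo', jump='ACCEPT'))

    # Lock down last, once every ACCEPT rule is in place.
    filt.set_policy('FORWARD', 'DROP')
    filt.set_policy('INPUT', 'DROP')
    filt.set_policy('OUTPUT', 'DROP')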
def bloqueaIP(ip):
    """Append a filter/INPUT rule that DROPs every packet whose source is *ip*."""
    drop_rule = Rule(source=ip, jump='DROP')
    Table('filter').append_rule('INPUT', drop_rule)