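def block_ips(ips):
    """For each of the listed source IP addresses (excluding private networks),
       add a netfilter rule to DROP all its packets.

    ``ips`` is iterated as one-element tuples (``for ip, in ips``), i.e. the
    row shape a DB-API ``cursor.fetchall()`` returns; a flat list of strings
    would fail to unpack.  The closing summary reports the number of rules
    actually appended, not the number of input rows (the original counted
    skipped private addresses as "blocked").
    """
    # http://stackoverflow.com/questions/2814002/private-ip-address-identifier-in-regular-expression
    # Loopback (127.) and the RFC 1918 ranges only; compiled once, not per row.
    private_ips = re.compile(r"^(127|10|172\.1[6-9]|172\.2[0-9]|172\.3[0-1]|192\.168)\.")
    # One Table handle for the whole batch instead of one per address.
    table = Table('filter')
    blocked = 0
    for ip, in ips:
        if private_ips.match(ip):
            continue
        # NOTE(review): `ip` reaches iptables as-is; if the rows are not
        # validated upstream, confirm they only ever hold well-formed addresses.
        print("Dropping all packets from %s" % ip)
        rule = Rule(source=ip, jump='DROP')
        table.append_rule('INPUT', rule)
        blocked += 1
    print("Done processing (blocked %d suspicious IP addresses)" % blocked)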
ファイル: libxroad.py プロジェクト: mankuthimma/junXon
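    def markhost(self, oid, ipaddress):
        """Tag both directions of *ipaddress*'s traffic with connection mark *oid*.

        Appends a ``CONNMARK --set-mark <oid>`` rule to the ``mangle`` table's
        ``out_traffic`` chain (host as source) and to its ``in_traffic`` chain
        (host as destination).  An ``IptablesError`` is reported on stdout
        instead of being propagated, so the caller continues either way.
        """
        # Both directions carry the same mark, so one Target serves both rules
        # (the original built a second, identical Target and never used it).
        mark_target = Target('CONNMARK', '--set-mark ' + str(oid))
        # NOTE(review): the "/32" suffix assumes an IPv4 host address — confirm
        # callers never pass IPv6 or an already-prefixed network.
        host = ipaddress + "/32"

        rule_out = Rule(source=host, jump=mark_target)
        rule_in = Rule(destination=host, jump=mark_target)

        table = Table('mangle')
        try:
            table.append_rule('out_traffic', rule_out)
            table.append_rule('in_traffic', rule_in)
        except IptablesError as e:
            # Best-effort: report and carry on rather than abort the caller.
            sys.stdout.write("Unknown error: %s" % e)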
ファイル: kernel_filter.py プロジェクト: RobinDavid/pystack
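def block_outgoing_packets(proto, ipsrc=None, portsrc=None, ipdst=None, portdst=None):
    """
    Blocks outgoing packets coming from the kernel using iptables command.

    Appends one DROP rule to the ``filter`` table's ``OUTPUT`` chain.

    :param proto: protocol name for ``--protocol`` (e.g. ``"tcp"``, ``"udp"``)
    :param ipsrc: source address/network, or ``None`` for any
    :param portsrc: source port; a ``--sport`` match is added only when truthy
    :param ipdst: destination address/network, or ``None`` for any
    :param portdst: destination port; a ``--dport`` match is added only when truthy
    """
    matches = []
    # Port matches come from the match module named after the protocol, so the
    # match must follow *proto*: the original hard-coded "tcp", which the kernel
    # rejects on a non-tcp rule ("tcp match: only valid for protocol 6").
    if portsrc:
        matches.append(Match(proto, "--sport " + str(portsrc)))
    if portdst:
        matches.append(Match(proto, "--dport " + str(portdst)))
    rule = Rule(
        protocol=proto,
        source=ipsrc,
        destination=ipdst,
        matches=matches,
        jump="DROP",
    )

    table = Table("filter")
    table.append_rule("OUTPUT", rule)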
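def filter_ports(device, ports):
    """Adds to iptables the ports to filter for the given device.

    Creates two chains in the ``filter`` table, ``gluster-input`` and
    ``gluster-output``, hooks them into ``INPUT``/``OUTPUT`` for *device*, and
    appends one DROP rule per destination port.  If either chain already
    exists the request is ignored so rules are not duplicated.

    :param device: interface name (``in_interface`` for input rules,
        ``out_interface`` for output rules)
    :param ports: ``{'input': {protocol: [port, ...]}, 'output': {...}}``
    """

    input_filter = 'gluster-input'
    output_filter = 'gluster-output'

    table = Table('filter')

    # Checking both chains avoids a failing create_chain() when only one of
    # them was left behind by an earlier, partially completed run.
    existing = table.list_chains()
    if input_filter in existing or output_filter in existing:
        print("Gluster ports are already filtered out. Ignoring request...")
        return

    # Create and prepare the chains that will hold gluster rules.
    table.create_chain(input_filter)
    table.append_rule('INPUT', Rule(in_interface=device, jump=input_filter))

    table.create_chain(output_filter)
    table.append_rule('OUTPUT', Rule(out_interface=device, jump=output_filter))

    # Now we actually do the filtering.
    _drop_ports(table, input_filter, 'INPUT', device, ports['input'])
    _drop_ports(table, output_filter, 'OUTPUT', device, ports['output'])


def _drop_ports(table, chain, direction, device, ports_by_protocol):
    """Append one ``--dport`` DROP rule per (protocol, port) to *chain*.

    :param direction: ``'INPUT'`` (rule matches on ``in_interface``) or
        ``'OUTPUT'`` (matches on ``out_interface``); also shown in the
        progress message.
    :param ports_by_protocol: ``{protocol: [port, ...]}``
    """
    iface_kw = 'in_interface' if direction == 'INPUT' else 'out_interface'
    for protocol, port_list in ports_by_protocol.items():
        for port in port_list:
            rule = Rule(
                protocol=protocol,
                matches=[Match(protocol, '--dport %s' % port)],
                jump='DROP',
                **{iface_kw: device})
            print("Filtering port %s from %s on device %s..." % (port, direction, device))
            table.append_rule(chain, rule)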
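def block_outgoing_packets(proto,
                           ipsrc=None,
                           portsrc=None,
                           ipdst=None,
                           portdst=None):
    """
    Blocks outgoing packets coming from the kernel using iptables command.

    Appends one DROP rule to the ``filter`` table's ``OUTPUT`` chain.

    :param proto: protocol name for ``--protocol`` (e.g. ``'tcp'``, ``'udp'``)
    :param ipsrc: source address/network, or ``None`` for any
    :param portsrc: source port; a ``--sport`` match is added only when truthy
    :param ipdst: destination address/network, or ``None`` for any
    :param portdst: destination port; a ``--dport`` match is added only when truthy
    """
    matches = []
    # Port matches come from the match module named after the protocol, so the
    # match must follow *proto*: the original hard-coded 'tcp', which the kernel
    # rejects on a non-tcp rule ("tcp match: only valid for protocol 6").
    if portsrc:
        matches.append(Match(proto, '--sport ' + str(portsrc)))
    if portdst:
        matches.append(Match(proto, '--dport ' + str(portdst)))
    rule = Rule(
        protocol=proto,
        source=ipsrc,
        destination=ipdst,
        matches=matches,
        jump='DROP')

    table = Table('filter')
    table.append_rule('OUTPUT', rule)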
ファイル: nat.py プロジェクト: debjit/CDN
from netfilter.rule import Rule,Match,Target
from netfilter.table import Table

# Redirect every packet arriving on eth0 to 192.168.137.1 with a DNAT rule
# in the nat table's PREROUTING chain, then echo the rule that was appended.
# No protocol or port match is set, so the rule covers all traffic on eth0.
dnat_target = Target('DNAT', '--to-destination 192.168.137.1')
rule = Rule(in_interface='eth0', jump=dnat_target)

table = Table('nat')
table.append_rule('PREROUTING', rule)
print(rule)
from netfilter.rule import Rule, Match

from netfilter.table import Table

# Interactive loop: prompt for a table, a chain and the rule fields, append
# the rule, and repeat until the user answers exactly 'yes' to the exit prompt.
# NOTE(review): on Python 2, input() evaluates the typed text as an
# expression; raw_input() is the plain-string equivalent there — confirm which
# interpreter this script targets.
x = 0
while x == 0:
    table_name = input('table_name : ')
    chain_name = input('chain_name : ')

    # Prompts are issued in the same order the rule fields are listed.
    in_interface = input('in_interface : ')
    protocol = input('protocol : ')
    match_name = input('name : ')
    dport = input('dport : ')
    jump = input('jump : ')

    rule = Rule(
        in_interface=in_interface,
        protocol=protocol,
        matches=[Match(match_name, '--dport ' + dport)],
        jump=jump)

    table = Table(table_name)
    table.append_rule(chain_name, rule)

    # Anything other than an exact 'yes' starts another rule.
    if input('Do you want Exit ?') == 'yes':
        x = 1
from netfilter.rule import Rule, Match, Target
from netfilter.table import Table

# DNAT all traffic entering on eth0 to 192.168.137.1 (nat/PREROUTING) and
# print the resulting rule.  The rule carries no protocol or port match.
rule = Rule(
    in_interface='eth0',
    jump=Target('DNAT', '--to-destination 192.168.137.1'),
)

nat_table = Table('nat')
nat_table.append_rule('PREROUTING', rule)
table = nat_table
print(rule)
def block_rules():
    """Reset the firewall and install a router-style rule set.

    Flushes FORWARD/OUTPUT/INPUT in ``filter`` and POSTROUTING in ``nat``,
    then: accepts SSH (tcp/22) on any interface; forwards udp/32100 from
    wlan0 to eth0 and RELATED,ESTABLISHED replies back; accepts
    RELATED,ESTABLISHED input; masquerades traffic leaving eth0; accepts all
    output on wlan0, eth0 and lo and all input on wlan0 and lo; finally sets
    the FORWARD, INPUT and OUTPUT policies to DROP.
    """
    nattable = Table('nat')
    filtable = Table('filter')

    # Open INPUT before flushing so an interactive session is not cut off
    # while the chains are empty.
    filtable.set_policy('INPUT', 'ACCEPT')

    nattable.flush_chain('POSTROUTING')
    for chain in ('FORWARD', 'OUTPUT', 'INPUT'):
        filtable.flush_chain(chain)

    def established():
        # Fresh Match per rule; 'state' is the legacy spelling of conntrack's --ctstate.
        return [Match('state', '--state RELATED,ESTABLISHED')]

    # (table, chain, rule) in the order they must be appended.
    rules = [
        # SSH reachable on every interface.
        (filtable, 'INPUT', Rule(protocol='tcp',
                                 matches=[Match('tcp', '--dport 22')],
                                 jump='ACCEPT')),
        # udp/32100 from the wireless side out through eth0, and replies back.
        (filtable, 'FORWARD', Rule(in_interface='wlan0',
                                   out_interface='eth0',
                                   protocol='udp',
                                   matches=[Match('udp', '--dport 32100')],
                                   jump='ACCEPT')),
        (filtable, 'FORWARD', Rule(in_interface='eth0',
                                   out_interface='wlan0',
                                   jump='ACCEPT',
                                   matches=established())),
        (filtable, 'INPUT', Rule(jump='ACCEPT', matches=established())),
        # NAT for everything leaving through eth0.
        (nattable, 'POSTROUTING', Rule(out_interface='eth0', jump='MASQUERADE')),
        (filtable, 'OUTPUT', Rule(out_interface='wlan0', jump='ACCEPT')),
        (filtable, 'OUTPUT', Rule(out_interface='eth0', jump='ACCEPT')),
        (filtable, 'INPUT', Rule(in_interface='wlan0', jump='ACCEPT')),
        (filtable, 'INPUT', Rule(in_interface='lo', jump='ACCEPT')),
        (filtable, 'OUTPUT', Rule(out_interface='lo', jump='ACCEPT')),
    ]
    for table, chain, rule in rules:
        table.append_rule(chain, rule)

    # Default-deny once the explicit accepts are in place.
    for chain in ('FORWARD', 'INPUT', 'OUTPUT'):
        filtable.set_policy(chain, 'DROP')
def bloqueaIP(ip):
	"""Drop every packet whose source is *ip* ("bloquea IP" = block IP).

	Appends a ``source=ip, jump=DROP`` rule to the INPUT chain of the
	``filter`` table.
	"""
	tabla = Table('filter')
	tabla.append_rule('INPUT', Rule(source=ip, jump='DROP'))