def insert(self,
chain: Chain,
rule: str,
onlyv6: bool = False,
onlyv4: bool = False,
table: str = "") -> None:
"""
TODO: Docu
"""
option = "-I"
if table != "":
if not table.startswith("-t"):
table = "-t " + table
if onlyv4 is True or (onlyv6 is False and onlyv4 is False):
execute_os_command("{} {} {} {} {}".format(self.iptables_bin,
table, option,
chain.value, rule))
info(
"insert for ipv4, table: {}, chain: {}, rule: {} added".format(
table, chain.value, rule))
if self.ipv6 is True and (onlyv6 is True or
(onlyv6 is False and onlyv4 is False)):
execute_os_command("{} {} {} {} {}".format(self.ip6tables_bin,
table, option,
chain.value, rule))
info(
"insert for ipv6, table: {}, chain: {}, rule: {} added".format(
table, chain.value, rule))
def add_append(self,
chain: Chain,
rule: str,
onlyv6: bool = False,
onlyv4: bool = False,
table: str = "") -> None:
"""
the function creates a new append in iptables
"""
option = "-A"
if table != "":
if not table.startswith("-t"):
table = "-t " + table
if onlyv4 is True or (onlyv6 is False and onlyv4 is False):
execute_os_command("{} {} {} {} {}".format(self.iptables_bin,
table, option,
chain.value, rule))
info(
"append for ipv4: table: {}, chain: {}, rule: {} added".format(
table, chain.value, rule))
if self.ipv6 is True and (onlyv6 is True or
(onlyv6 is False and onlyv4 is False)):
execute_os_command("{} {} {} {} {}".format(self.ip6tables_bin,
table, option,
chain.value, rule))
info(
"append for ipv6: table: {}, chain: {}, rule: {} added".format(
table, chain.value, rule))
def add_custom(self, rule: str) -> None:
"""TODO: Doku."""
execute_os_command("{} {}".format(self.iptables_bin, rule))
if self.ipv6 is True:
execute_os_command("{} {}".format(self.ip6tables_bin, rule))
info("iptables custom rule added: {}".format(rule))
def add_chain(self, chain: str) -> None:
"""
the function creates a new custom chain in iptables
"""
execute_os_command("{} -N {}".format(self.iptables_bin, chain))
if self.ipv6 is True:
execute_os_command("{} -N {}".format(self.ip6tables_bin, chain))
info("iptables chain {} added".format(chain))
def status(self) -> str:
"""
the function lists the iptables configuration as string
this is not machine readable!
"""
tmpfile = ".iptables_list"
execute_os_command("{} -L > {}".format(self.iptables_bin, tmpfile))
content = file_get_contents(tmpfile)
delete_file_if_exists(tmpfile)
return content
def add_chain(self, chain: str) -> None:
"""Create a new custom chain in iptables."""
option = "-N"
execute_os_command("{} {} {}".format(self.iptables_bin, option, chain))
if self.ipv6 is True:
execute_os_command("{} {} {}".format(self.ip6tables_bin, option,
chain))
info("iptables chain {} added".format(chain))
def delete_chain(self, chain: str = "") -> None:
"""Delete a chain or all chains in iptables firewall."""
execute_os_command("{} -X {}".format(self.iptables_bin, chain))
if self.ipv6 is True:
execute_os_command("{} -X {}".format(self.ip6tables_bin, chain))
if chain != "":
info("iptables chain {} deleted".format(chain))
else:
info("all iptables chains deleted")
def add_policy(self, chain, target):
"""the function creates a new policy in iptables"""
debug("adding policy for chain " + chain + " and target " + target)
if target == "ACCEPT" or target == "DROP":
execute_os_command(self.iptables_bin + " -P " + chain + " " +
target)
if self.ipv6 is True:
execute_os_command(self.ip6tables_bin + " -P " + chain + " " +
target)
else:
error("Invalid Target for addPolicy " + target)
def add_policy(self, chain: Chain, target: Target) -> None:
"""
the function creates a new policy in iptables firewall by using the os command
"""
execute_os_command("{} -P {} {}".format(self.iptables_bin, chain,
target))
if self.ipv6 is True:
execute_os_command("{} -P {} {}".format(self.ip6tables_bin, chain,
target))
info("iptables policy added for chain {} and target {}".format(
chain, target))
def add_append(self, chain, rule, onlyv6=False, onlyv4=False):
"""the function creates a new append in iptables"""
if onlyv4 is True or (onlyv6 is False and onlyv4 is False):
debug("adding append for ipv4, chain: " + chain + ", rule: " +
rule)
execute_os_command(self.iptables_bin + " -A " + chain + " " + rule)
if self.ipv6 is True and (onlyv6 is True or
(onlyv6 is False and onlyv4 is False)):
debug("adding append for ipv6, chain: " + chain + ", rule: " +
rule)
execute_os_command(self.ip6tables_bin + " -A " + chain + " " +
rule)
def add_policy(self, chain: Chain, target: Target) -> None:
"""Create a new policy in iptables firewall by using the os command."""
option = "-P"
execute_os_command("{} {} {} {}".format(self.iptables_bin, option,
chain.value, target.value))
if self.ipv6 is True:
execute_os_command("{} {} {} {}".format(self.ip6tables_bin, option,
chain.value, target.value))
info("iptables policy added for chain {} and target {}".format(
chain.value, target.value))
def flush(self, chain: str = "") -> None:
"""
the function flushes chain or all chains in iptables firewall
"""
execute_os_command("{} -F {}".format(self.iptables_bin, chain))
if self.ipv6 is True:
execute_os_command("{} -F {}".format(self.ip6tables_bin, chain))
if chain != "":
info("iptables chain {} flushed".format(chain))
else:
info("all iptables chains flushed")
def test_execute_os_command(self):
"""
TODO: Doku
"""
self.assertTrue(execute_os_command("touch testfile"))
self.assertTrue(file_exists("testfile"))
delete_file_if_exists("testfile")
def restore(self) -> None:
"""Restore a backup of a previously saved backup."""
create_folder_if_not_exists(self.backup_path)
execute_os_command("{} < {}/{}".format(self.iptables_bin_restore,
self.backup_path,
self.backup_file_ipv4))
debug("ipv4 rules restored")
if self.ipv6 is True:
execute_os_command("{} < {}/{}".format(self.ip6tables_bin_restore,
self.backup_path,
self.backup_file_ipv6))
debug("ipv6 rules restored")
info("restores iptables state from previous created backup")
def restore(self):
"""the function restores iptables rules from a file"""
debug("Starting Firewall Rule Restore...")
filepath = self.config.get_value("BACKUP", "filepath")
create_folder_if_not_exists(filepath)
debug("Restoring ipv4 rules...")
filename = self.config.get_value("BACKUP", "ipv4filename")
execute_os_command(self.iptables_bin_restore + " < " + filepath + "/" +
filename)
if self.ipv6 is True:
debug("Restoring ipv6 rules...")
filename = self.config.get_value("BACKUP", "ipv6filename")
execute_os_command(self.ip6tables_bin_restore + " < " + filepath +
"/" + filename)
def flush(self, chain: str = "", table: str = "") -> None:
"""Flush chain or all chains in iptables firewall."""
option = "-F"
if table != "":
if not table.startswith("-t"):
table = "-t " + table
execute_os_command("{} {} {} {}".format(self.iptables_bin, table,
option, chain))
if self.ipv6 is True:
execute_os_command("{} {} {} {}".format(self.ip6tables_bin, table,
option, chain))
if chain != "":
info("iptables chain {} flushed".format(chain))
else:
info("all iptables chains flushed")
def restore(self) -> None:
"""
the function restores a backup of a previously saved backup
"""
backup_path = self.cfg.get_value("BACKUP", "filepath")
create_folder_if_not_exists(backup_path)
backup_file = self.cfg.get_value("BACKUP", "ipv4filename")
execute_os_command("{} < {}/{}".format(self.iptables_bin_restore,
backup_path, backup_file))
debug("ipv4 rules restored")
if self.ipv6 is True:
backup_file = self.cfg.get_value("BACKUP", "ipv6filename")
execute_os_command("{} < {}/{}".format(self.ip6tables_bin_restore,
backup_path, backup_file))
debug("ipv6 rules restored")
info("restores iptables state from previous created backup")
def save(self) -> None:
"""Save the current iptables state into a file."""
create_folder_if_not_exists(self.backup_path)
create_file_if_not_exists("{}/{}".format(self.backup_path,
self.backup_file_ipv4))
execute_os_command("{} >> {}/{}".format(self.iptables_bin_save,
self.backup_path,
self.backup_file_ipv4))
debug("backup for ipv4 rules created")
if self.ipv6 is True:
create_file_if_not_exists("{}/{}".format(self.backup_path,
self.backup_file_ipv6))
execute_os_command("{} >> {}/{}".format(self.ip6tables_bin_save,
self.backup_path,
self.backup_file_ipv6))
debug("backup of ipv6 rules created")
info("backup of iptables configuration created")
def add_append(self,
chain: str,
rule: str,
onlyv6=False,
onlyv4=False) -> None:
"""
the function creates a new append in iptables
"""
if onlyv4 is True or (onlyv6 is False and onlyv4 is False):
execute_os_command("{} -A {} {}".format(self.iptables_bin, chain,
rule))
info("append for ipv4, chain: {}, rule: {} added".format(
chain, rule))
if self.ipv6 is True and (onlyv6 is True or
(onlyv6 is False and onlyv4 is False)):
execute_os_command("{} -A {} {}".format(self.ip6tables_bin, chain,
rule))
info("append for ipv6, chain: {}, rule: {} added".format(
chain, rule))
def save(self) -> None:
"""
the function saves the current iptables state into a file
"""
backup_path = self.cfg.get_value("BACKUP", "filepath")
create_folder_if_not_exists(backup_path)
backup_file = self.cfg.get_value("BACKUP", "ipv4filename")
create_file_if_not_exists("{}/{}".format(backup_path, backup_file))
execute_os_command("{} >> {}/{}".format(self.iptables_bin_save,
backup_path, backup_file))
debug("backup for ipv4 rules created")
if self.ipv6 is True:
backup_file = self.cfg.get_value("BACKUP", "ipv6filename")
create_file_if_not_exists("{}/{}".format(backup_path, backup_file))
execute_os_command("{} >> {}/{}".format(self.ip6tables_bin_save,
backup_path, backup_file))
debug("backup of ipv6 rules created")
info("backup of iptables configuration created")
def list(self):
"""the function lists all iptables rules"""
execute_os_command(self.iptables_bin + " -L")
def delete_chain(self, chain=""):
"""the function deletes a chain in iptables"""
debug("deleting chain " + chain)
execute_os_command(self.iptables_bin + " -X " + chain)
if self.ipv6 is True:
execute_os_command(self.ip6tables_bin + " -X " + chain)
def flush(self, chain=""):
"""the function flushes a iptables chain or all chains"""
debug("flushing iptables chain: " + chain)
execute_os_command(self.iptables_bin + " -F " + chain)
if self.ipv6 is True:
execute_os_command(self.ip6tables_bin + " -F " + chain)
def test_execute_os_command_error(self):
"""
TODO: Doku
"""
self.assertFalse(execute_os_command("/bin/false"))
def add_chain(self, chain):
"""the function creates a new chain in iptables"""
debug("adding chain " + chain)
execute_os_command(self.iptables_bin + " -N " + chain)
if self.ipv6 is True:
execute_os_command(self.ip6tables_bin + " -N " + chain)
def test_execute_os_command_error(self):
self.assertFalse(execute_os_command("/bin/false"))
def save_execute(self, binary, filepath, filename):
"""the function executes the save of iptables into a file"""
execute_os_command(binary + " | while read IN ; do echo $IN >> " +
filepath + "/" + filename + " ; done")
