def rfw_init_rules(rfwconf):
    """Clean and insert the rfw init rules.

    The rules block all INPUT/OUTPUT traffic on the rfw ssl port except for
    whitelisted IPs. Here are the rules that should be created assuming that
    the only whitelisted IP is 127.0.0.1:

    Rule(chain='INPUT', num='1', pkts='0', bytes='0', target='ACCEPT', prot='tcp', opt='--', inp='*', out='*', source='127.0.0.1', destination='0.0.0.0/0', extra='tcp dpt:7393')
    Rule(chain='INPUT', num='4', pkts='0', bytes='0', target='DROP', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='0.0.0.0/0', extra='tcp dpt:7393')
    Rule(chain='OUTPUT', num='1', pkts='0', bytes='0', target='ACCEPT', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='127.0.0.1', extra='tcp spt:7393')
    Rule(chain='OUTPUT', num='4', pkts='0', bytes='0', target='DROP', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='0.0.0.0/0', extra='tcp spt:7393')

    NOTE(review): in this revision every call that would change iptables
    (the exe_rule deletes and the two DROP inserts) is commented out, so the
    function only loads the current rules and logs. The "Insert ..." log
    messages below announce work that is not performed, and nothing here
    protects the rfw port until those calls are restored.

    Args:
        rfwconf: rfw configuration; only outward_server_port() is read here.
    """
    rfw_port = rfwconf.outward_server_port()
    ipt = Iptables.load()
    ###
    log.info('Delete existing init rules')
    # find 'drop all packets to and from rfw port'
    drop_input = ipt.find({'target': ['DROP'], 'chain': ['INPUT'], 'prot': ['tcp'], 'extra': ['tcp dpt:' + rfw_port]})
    # Logs the raw match list; the formatted line right below repeats it.
    log.info(drop_input)
    log.info('Existing drop input to rfw port {} rules:\n{}'.format(rfw_port, '\n'.join(map(str, drop_input))))
    # Disabled ("breaking things to make it start"): matching DROP rules are
    # found but not deleted.
    # breaking things to make it start
    #for r in drop_input:
    #    Iptables.exe_rule('D', r)
    drop_output = ipt.find({'target': ['DROP'], 'chain': ['OUTPUT'], 'prot': ['tcp'], 'extra': ['tcp spt:' + rfw_port]})
    log.info('Existing drop output to rfw port {} rules:\n{}'.format(rfw_port, '\n'.join(map(str, drop_output))))
    # Disabled as above: matching DROP rules are found but not deleted.
    # breaking things to make it start
    #for r in drop_output:
    #    Iptables.exe_rule('D', r)
    ###
    # Announced but not done: the DROP inserts are commented out.
    log.info('Insert DROP rfw port init rules')
    # breaking things to make it start
    #Iptables.exe(['-I', 'INPUT', '-p', 'tcp', '--dport', rfw_port, '-j', 'DROP'])
    #Iptables.exe(['-I', 'OUTPUT', '-p', 'tcp', '--sport', rfw_port, '-j', 'DROP'])
    ###
    # Announced but not done: no whitelist ACCEPT rule is inserted in this revision.
    log.info('Insert ACCEPT whitelist IP rfw port init rules')
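def _exe_ignore_missing(args):
    """Run one iptables command through Iptables.exe, tolerating a failed exit.

    Meant for a '-D' (delete) of a rule that may not be present: iptables
    then exits non-zero and Iptables.exe is expected to raise
    CalledProcessError, which is a normal condition here and is only logged
    at debug level. Any other exception propagates.

    Args:
        args: iptables argument list (without the binary), e.g.
            ['-D', 'INPUT', '-p', 'tcp', '--dport', port, '-j', 'ACCEPT'].
    """
    try:
        Iptables.exe(args)
    except subprocess.CalledProcessError as e:
        log.debug('Ignoring failed iptables command %s: %s', args, e)


def rfw_init_rules(rfwconf):
    """Clean and insert the rfw init rules.

    The rules block all INPUT/OUTPUT traffic on the rfw ssl port except for
    whitelisted IPs: one DROP rule for the port goes into INPUT and OUTPUT,
    and one ACCEPT rule per whitelisted IP is inserted above it. With an
    empty whitelist only the DROP rules remain, i.e. the port is closed.

    Here are the rules that should be created assuming that the only
    whitelisted IP is 127.0.0.1:

    Rule(chain='INPUT', num='1', pkts='0', bytes='0', target='ACCEPT', prot='tcp', opt='--', inp='*', out='*', source='127.0.0.1', destination='0.0.0.0/0', extra='tcp dpt:7393')
    Rule(chain='INPUT', num='4', pkts='0', bytes='0', target='DROP', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='0.0.0.0/0', extra='tcp dpt:7393')
    Rule(chain='OUTPUT', num='1', pkts='0', bytes='0', target='ACCEPT', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='127.0.0.1', extra='tcp spt:7393')
    Rule(chain='OUTPUT', num='4', pkts='0', bytes='0', target='DROP', prot='tcp', opt='--', inp='*', out='*', source='0.0.0.0/0', destination='0.0.0.0/0', extra='tcp spt:7393')

    Args:
        rfwconf: rfw configuration; outward_server_port() and whitelist()
            are read from it.

    Raises:
        subprocess.CalledProcessError: if Iptables.exe raises it for a DROP
            or ACCEPT insert. Deletes of possibly-missing ACCEPT rules are
            tolerated (see _exe_ignore_missing).
    """
    rfw_port = rfwconf.outward_server_port()
    ipt = Iptables.load()

    ### Delete existing init rules
    log.info('Delete existing init rules')
    # find 'drop all packets to and from rfw port'
    drop_input = ipt.find({
        'target': ['DROP'],
        'chain': ['INPUT'],
        'prot': ['tcp'],
        'extra': ['tcp dpt:' + rfw_port]
    })
    log.info('Existing drop input to rfw port {} rules:\n{}'.format(
        rfw_port, '\n'.join(map(str, drop_input))))
    # Delete highest-numbered first: should Iptables.exe_rule delete by rule
    # number, removing a lower rule first would renumber the ones after it
    # (assumes find() yields rules in chain order — confirm in Iptables).
    for r in reversed(list(drop_input)):
        Iptables.exe_rule('D', r)

    drop_output = ipt.find({
        'target': ['DROP'],
        'chain': ['OUTPUT'],
        'prot': ['tcp'],
        'extra': ['tcp spt:' + rfw_port]
    })
    log.info('Existing drop output to rfw port {} rules:\n{}'.format(
        rfw_port, '\n'.join(map(str, drop_output))))
    for r in reversed(list(drop_output)):
        Iptables.exe_rule('D', r)

    ### Insert DROP rfw port init rules
    # NOTE(review): from the deletions above until these two inserts complete
    # the port has no DROP rule at all — a short fail-open window on every
    # start. Inserting ACCEPT rules earlier would not help, as '-I' would
    # then put the DROP rules above them.
    log.info('Insert DROP rfw port init rules')
    Iptables.exe(
        ['-I', 'INPUT', '-p', 'tcp', '--dport', rfw_port, '-j', 'DROP'])
    Iptables.exe(
        ['-I', 'OUTPUT', '-p', 'tcp', '--sport', rfw_port, '-j', 'DROP'])

    ### Insert ACCEPT whitelist IP rfw port init rules
    log.info('Insert ACCEPT whitelist IP rfw port init rules')
    for ip in rfwconf.whitelist():
        accept_input = ['INPUT', '-p', 'tcp', '--dport', rfw_port,
                        '-s', ip, '-j', 'ACCEPT']
        accept_output = ['OUTPUT', '-p', 'tcp', '--sport', rfw_port,
                         '-d', ip, '-j', 'ACCEPT']
        # Remove a stale copy of each ACCEPT rule left by a previous run.
        # Each delete is attempted on its own, so a missing INPUT rule no
        # longer skips the OUTPUT delete (one '-D' removes one matching rule).
        _exe_ignore_missing(['-D'] + accept_input)
        _exe_ignore_missing(['-D'] + accept_output)
        # '-I' inserts at the top of the chain, above the DROP rules just added.
        Iptables.exe(['-I'] + accept_input)
        Iptables.exe(['-I'] + accept_output)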
rfwconf = rfwconfig.RfwConfig(args.configfile) except IOError, e: perr(e.message) create_args_parser().print_usage() sys.exit(1) # Initialize Iptables with configured path to system iptables Iptables.ipt_path = rfwconf.iptables_path() startup_sanity_check() # Install signal handlers signal.signal(signal.SIGTERM, __sigTERMhandler) signal.signal(signal.SIGINT, __sigTERMhandler) # TODO we may also need to ignore signal.SIGHUP in daemon mode rules = Iptables.load().rules # TODO make logging more efficient by deferring arguments evaluation log.debug("===== rules =====\n{}".format("\n".join(map(str, rules)))) log.info("Starting rfw server") log.info("Whitelisted IP addresses that will be ignored:") for a in rfwconf.whitelist(): log.info(' {}'.format(a)) # recreate rfw init rules related to rfw port rfw_init_rules(rfwconf) expiry_queue = PriorityQueue() cmd_queue = Queue() rfwthreads.CommandProcessor(cmd_queue, rfwconf.whitelist(), expiry_queue,
perr(e.message) create_args_parser().print_usage() sys.exit(1) # Initialize Iptables with configured path to system iptables Iptables.ipt_path = rfwconf.iptables_path() startup_sanity_check() # Install signal handlers signal.signal(signal.SIGTERM, __sigTERMhandler) signal.signal(signal.SIGINT, __sigTERMhandler) # TODO we may also need to ignore signal.SIGHUP in daemon mode rules = Iptables.load().rules # TODO make logging more efficient by deferring arguments evaluation log.debug("===== rules =====\n{}".format("\n".join(map(str, rules)))) log.info("Starting rfw server") log.info("Whitelisted IP addresses that will be ignored:") for a in rfwconf.whitelist(): log.info(' {}'.format(a)) # recreate rfw init rules related to rfw port rfw_init_rules(rfwconf) expiry_queue = PriorityQueue() cmd_queue = Queue() rfwthreads.CommandProcessor(cmd_queue,