def set_chain_policy(self, policy_state): """ set input/output chain policy """ accept_policy = iptc.Policy('ACCEPT') drop_policy = iptc.Policy('DROP') #v4 policy input_chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'INPUT') output_chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'OUTPUT') if policy_state.lower() == JSON_RULE_NETWORK_ACCEPT \ or policy_state.lower() == JSON_RULE_ALLOW: input_chain.set_policy(accept_policy) output_chain.set_policy(accept_policy) else: input_chain.set_policy(drop_policy) output_chain.set_policy(drop_policy) #v6 policy input_chain6 = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'INPUT') output_chain6 = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'OUTPUT') if policy_state.lower() == JSON_RULE_NETWORK_ACCEPT \ or policy_state.lower() == JSON_RULE_ALLOW: input_chain6.set_policy(accept_policy) output_chain6.set_policy(accept_policy) else: input_chain6.set_policy(drop_policy) output_chain6.set_policy(drop_policy)
def test_chain_policy(self): table = iptc.TABLE_FILTER input_chain = iptc.Chain(table, "INPUT") pol = iptc.Policy("DROP") input_chain.set_policy(pol) rpol = input_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("ACCEPT") input_chain.set_policy(pol) rpol = input_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("RETURN") try: input_chain.set_policy(pol) except iptc.IPTCError: pass else: fail("managed to set INPUT policy to RETURN") table = iptc.TABLE_NAT prerouting_chain = iptc.Chain(table, "PREROUTING") pol = iptc.Policy("DROP") prerouting_chain.set_policy(pol) rpol = prerouting_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("ACCEPT") prerouting_chain.set_policy(pol) rpol = prerouting_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("RETURN") try: prerouting_chain.set_policy(pol) except iptc.IPTCError: pass else: fail("managed to set PREROUTING policy to RETURN") table = iptc.TABLE_MANGLE forward_chain = iptc.Chain(table, "FORWARD") pol = iptc.Policy("DROP") forward_chain.set_policy(pol) rpol = forward_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("ACCEPT") forward_chain.set_policy(pol) rpol = forward_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("RETURN") try: forward_chain.set_policy(pol) except iptc.IPTCError: pass else: fail("managed to set FORWARD policy to RETURN")
def _apply_config(table, config_d, ipv6): for chain_s in config_d: if not iptc.easy.has_chain(table, chain_s, ipv6=ipv6): iptc.easy.add_chain(table, chain_s, ipv6=ipv6) try: if config_d[chain_s]["policy"] != "None": policy = iptc.Policy(config_d[chain_s]["policy"]) iptc.easy.set_policy(table, chain_s, policy=policy, ipv6=ipv6) except KeyError: pass try: for rule_d in config_d[chain_s]["rules"]: if iptc.easy.test_rule(rule_d, ipv6=ipv6): try: iptc.easy.add_rule(table, chain_s, rule_d, ipv6=ipv6) except ValueError: raise IptablesError( "Malformed rule: {}\n in {}.{}".format( rule_d, table, chain_s)) else: raise IptablesError( "Malformed rule: {}\n in {}.{}".format( rule_d, table, chain_s)) except KeyError: pass
def test_filter_policy(self): if is_table_available(iptc.Table.FILTER): table = iptc.Table(iptc.Table.FILTER) input_chain = iptc.Chain(table, "INPUT") pol = iptc.Policy("DROP") input_chain.set_policy(pol) rpol = input_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("ACCEPT") input_chain.set_policy(pol) rpol = input_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("RETURN") try: input_chain.set_policy(pol) except iptc.IPTCError: pass else: self.fail("managed to set INPUT policy to RETURN")
def init_chain(): filter_rule.flush_chain(chain_name) table = iptc.Table(iptc.Table.FILTER) chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), chain_name) try: chain.set_policy(iptc.Policy("ACCEPT")) return 0 except Exception as e: print(e) print("Table Error : table.strerror()") return 1
def flush_tables(ipv6=False): """Flush all tables and apply the default policy ACCEPT to standard tables""" printer = Printer() with printer.Do("Flushing all tables: ipv6={!r}".format(ipv6)): iptc.easy.flush_all(ipv6=ipv6) with printer.Do("Setting ACCEPT policy in all chains"): policy = iptc.Policy("ACCEPT") for table_s in iptc.easy.get_tables(ipv6): for chain_s in iptc.easy.get_chains(table_s, ipv6): iptc.easy.set_policy(table_s, chain_s, policy=policy, ipv6=ipv6)
def apply_config(config_file, server=None, protocol=None): """Apply a configuration to ip[6]tables (depends on the file name) :raises: IptablesError if an invalid rule is present. This leaves the table intact with rules applied so far. """ table = init_table_from_file_name(config_file) table_s = table.name is_ipv6 = is_table_v6(table) printer = Printer() with printer.Do("Flushing table '{}', ipv6={!r}".format(table_s, is_ipv6)): iptc.easy.flush_table(table_s, ipv6=is_ipv6) policy = iptc.Policy("ACCEPT") for chain_s in iptc.easy.get_chains(table_s, ipv6=is_ipv6): iptc.easy.set_policy(table_s, chain_s, policy=policy, ipv6=is_ipv6) config_base = os.path.basename(config_file) with printer.Do("Applying '{}'".format(config_base)): config_d = read_config(config_file, server, protocol) _apply_config(table_s, config_d, ipv6=is_ipv6) return True
def test_nat_policy(self): if is_table_available(iptc.Table.NAT): table = iptc.Table(iptc.Table.NAT) prerouting_chain = iptc.Chain(table, "PREROUTING") pol = iptc.Policy("DROP") prerouting_chain.set_policy(pol) rpol = prerouting_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("ACCEPT") prerouting_chain.set_policy(pol) rpol = prerouting_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("RETURN") try: prerouting_chain.set_policy(pol) except iptc.IPTCError: pass else: self.fail("managed to set PREROUTING policy to RETURN") if is_table_available(iptc.Table.MANGLE): table = iptc.Table(iptc.Table.MANGLE) forward_chain = iptc.Chain(table, "FORWARD") pol = iptc.Policy("DROP") forward_chain.set_policy(pol) rpol = forward_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("ACCEPT") forward_chain.set_policy(pol) rpol = forward_chain.get_policy() self.assertEquals(id(pol), id(rpol)) pol = iptc.Policy("RETURN") try: forward_chain.set_policy(pol) except iptc.IPTCError: pass else: self.fail("managed to set FORWARD policy to RETURN")
def setChainPolicy(aChain, aPolicy): # set the policy of aChain table = iptc.Table(iptc.Table.FILTER) chain = iptc.Chain(table, aChain) pol = iptc.Policy(aPolicy) chain.set_policy(pol, 0)