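def setup_routing2(client_host, server_host):
    """Install the NAT rules, routes and ARP entries that map each host's
    real address onto its virtual address, so the two hosts reach each
    other through the virtual addresses.

    Both host objects must expose ``ip_real``, ``ip_virtual``, ``mac`` and
    ``name``; ``name`` is handed to ``ip route ... dev`` and ``arp -i``, so
    it is used as an interface name here.

    Side effects: the whole ``nat`` table is flushed first (every chain,
    including rules this function never created), then two SNAT rules are
    appended to POSTROUTING and two DNAT rules to PREROUTING, then the
    external ``ip``/``arp`` commands are run and the resulting nat table
    and main routing table are listed for inspection. Exit codes of the
    external commands are not checked (a route that already exists, for
    example, just fails quietly), which matches the previous behaviour.

    Raises:
        IndexError: if the nat table has no chain named like PREROUTING or
            POSTROUTING (the same exception the old ``[...][0]`` lookup gave).
    """
    table = Table(Table.NAT)
    # Destructive: this empties every chain of the nat table, not only the
    # rules added below.
    table.flush()
    chain_pre = _find_chain(table, "PREROUTING")
    chain_post = _find_chain(table, "POSTROUTING")

    # POSTROUTING: traffic from a real address to the peer's virtual address
    # leaves with the sender's virtual address as source.
    _append_snat(
        chain_post,
        src=server_host.ip_real,
        dst=client_host.ip_virtual,
        to_source=server_host.ip_virtual,
    )
    _append_snat(
        chain_post,
        src=client_host.ip_real,
        dst=server_host.ip_virtual,
        to_source=client_host.ip_virtual,
    )

    # PREROUTING: anything addressed to a virtual address is delivered to
    # the matching real address.
    _append_dnat(chain_pre, dst=server_host.ip_virtual, to_destination=server_host.ip_real)
    _append_dnat(chain_pre, dst=client_host.ip_virtual, to_destination=client_host.ip_real)

    # argv lists handed straight to call(): no shell is involved, and no
    # concatenate-then-split step that would break an argument containing
    # a space into several arguments.
    route_to_client = ["ip", "route", "add", client_host.ip_virtual, "dev", server_host.name]
    route_to_server = ["ip", "route", "add", server_host.ip_virtual, "dev", client_host.name]
    arp_for_client = ["arp", "-i", server_host.name, "-s", client_host.ip_virtual, client_host.mac]
    arp_for_server = ["arp", "-i", client_host.name, "-s", server_host.ip_virtual, server_host.mac]
    list_nat_table = ["iptables", "-t", "nat", "-L"]
    show_main_routes = ["ip", "route", "show", "table", "main"]

    # Same order as before; return codes are intentionally not inspected.
    call(route_to_client)
    call(arp_for_client)
    call(route_to_server)
    call(arp_for_server)
    call(list_nat_table)
    call(show_main_routes)


def _find_chain(table, name):
    """Return the first chain of *table* whose name contains *name*.

    Raises IndexError when no such chain exists, keeping the exception type
    of the former list-index lookup.
    """
    for chain in table.chains:
        if name in chain.name:
            return chain
    raise IndexError("no chain matching %r in the nat table" % name)


def _append_snat(chain, src, dst, to_source):
    """Append ``-s src -d dst -j SNAT --to-source to_source`` to *chain*."""
    rule = Rule()
    rule.src = src
    rule.dst = dst
    rule.target = rule.create_target("SNAT")
    rule.target.to_source = to_source
    chain.append_rule(rule)


def _append_dnat(chain, dst, to_destination):
    """Append ``-d dst -j DNAT --to-destination to_destination`` to *chain*."""
    rule = Rule()
    rule.dst = dst
    rule.target = rule.create_target("DNAT")
    rule.target.to_destination = to_destination
    chain.append_rule(rule)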
def create_rule(self, name, target, dst="", dport="", src="", sport="", proto="", siface="", diface=""):
    """Build and return one Rule, or a list of two Rules when a port is
    given without a protocol (one for tcp, one for udp).

    Args:
        name: free-form label; it is recorded on the rule as a ``comment``
            match of the form ``<self.identifier>:<name>``.
        target: jump target string such as "ACCEPT", "DENY", "DROP", "LOG".
        dst: destination realm in the form XXX.XXX.XXX.XXX/YY; empty = unset.
        dport: destination port; when set, ``proto`` becomes the rule's
            protocol and a ``<proto>`` match carries the port.
        src: source realm as for ``dst``. A value containing "-" is treated
            as a range and expressed with an ``iprange`` match instead.
        sport: source port, handled the same way as ``dport``.
        proto: "tcp" or "udp"; empty together with a port means both.
        siface: stored in ``rule.out_interface``.
        diface: stored in ``rule.in_interface``.

    Returns:
        A Rule that has passed ``final_check``, or a list of two such rules
        when the tcp/udp expansion applies.

    NOTE(review): ``siface`` lands in ``out_interface`` and ``diface`` in
    ``in_interface``, the reverse of what "source"/"destination interface"
    usually mean for iptables ``-i``/``-o`` -- confirm this is intended.
    NOTE(review): for the range case the match is passed to ``add_match``
    after ``create_match``; if the library already attaches it on creation
    the rule would carry it twice -- verify against the Rule API.
    """
    # A port cannot be matched without a protocol, so expand into one rule
    # per protocol and hand back the pair.
    needs_expansion = bool(dport or sport) and not proto
    if needs_expansion:
        return [
            self.create_rule(name, target, dst, dport, src, sport, each_proto, siface, diface)
            for each_proto in ("tcp", "udp")
        ]

    rule = Rule()
    rule.create_target(target)

    if dst:
        rule.dst = dst

    if dport:
        port_match = rule.create_match(proto)
        port_match.dport = str(dport)
        rule.protocol = proto

    if diface:
        rule.in_interface = diface

    if src:
        if "-" in src:
            range_match = rule.create_match("iprange")
            range_match.src_range = src
            rule.add_match(range_match)
        else:
            rule.src = src

    if sport:
        port_match = rule.create_match(proto)
        port_match.sport = str(sport)
        rule.protocol = proto

    if siface:
        rule.out_interface = siface

    # Tag the rule so it can later be recognised as ours.
    signature = rule.create_match("comment")
    signature.comment = self.identifier + ":" + name

    rule.final_check()
    return rule
def _get_base_rule(self, match):
    """Return a Rule selecting *match*'s protocol and destination network,
    plus its destination port when ``match.dst_port`` is non-zero.

    The port match module name comes from ``self._prot_port_supp`` keyed by
    ``match.ip_proto_num``; a protocol missing there makes the subscript
    fail whenever a port is requested.
    """
    base = Rule()
    base.protocol = match.ip_proto_num
    base.dst = "%s/%s" % (match.dst_ip, match.netmask)

    if match.dst_port == 0:
        return base

    port_module = self._prot_port_supp[match.ip_proto_num]
    port_match = IPT_Match(base, port_module)
    port_match.dport = str(match.dst_port)
    base.add_match(port_match)
    return base