def create_logging_rules(self):

        rules = list()

        rules.append(
            ipt.get_machine_subset(u'ipv4 logging rule', 9800, [
                ipt.get_chain(u'filter', [
                    ipt.get_ring(u'output', ipt.TRANSPORT_IPV4, [
                        ipt.get_rule(matches=[
                            ipt.get_match('limit',
                                          options=[
                                              ipt.get_match_option(
                                                  '--limit', self._limit_rate),
                                          ]),
                        ],
                                     jump=ipt.get_jump(target=u'LOG',
                                                       params=[
                                                           ipt.get_jump_option(
                                                               u'--log-level',
                                                               value="alert"),
                                                           ipt.get_jump_option(
                                                               u'--log-prefix',
                                                               value=u'SDC: '),
                                                       ]))
                    ]),
                ])
            ]))

        rules.append(
            ipt.get_machine_subset(u'ipv4 logging rule', 9800, [
                ipt.get_chain(u'filter', [
                    ipt.get_ring(u'output', ipt.TRANSPORT_IPV6, [
                        ipt.get_rule(matches=[
                            ipt.get_match('limit',
                                          options=[
                                              ipt.get_match_option(
                                                  '--limit', self._limit_rate),
                                          ]),
                        ],
                                     jump=ipt.get_jump(target=u'LOG',
                                                       params=[
                                                           ipt.get_jump_option(
                                                               u'--log-level',
                                                               value="alert"),
                                                           ipt.get_jump_option(
                                                               u'--log-prefix',
                                                               value=u'SDC: '),
                                                       ]))
                    ]),
                ])
            ]))

        return rules
예제 #2
0
def create_iptables_remote_config(ipaddr, mask, port, protocol, slot, uid=None, gid=None, transport=ipt.TRANSPORT_AUTO,
                                  desc=''):
    """
    Create firewall rules for remote config.
    :param ipaddr: Destination IP address, not host name.
    :param mask: Netmask
    :param port: Destination port to use for connection
    :param protocol: protocol to use, IE: tcp, udp, icmp, ...
    :param slot: Firewall slot number
    :param transport: ipt.TRANSPORT_AUTO, ipt.TRANSPORT_IPV4 or ipt.TRANSPORT_IPV6
    :param desc: Extra description of the rule.
    :return:
    """

    rules = list()

    if ipaddr:
        # Check transport version.
        transport = check_transport_value(ipaddr, transport)
    else:
        if transport == ipt.TRANSPORT_AUTO:
            raise ValueError('Unable to determine transport from ipaddr')

    if mask:
        if transport == ipt.TRANSPORT_IPV4:
            if mask < 1 or mask > 32:
                raise ValueError('Invalid IPV4 mask value ({0}).'.format(mask))
        elif transport == ipt.TRANSPORT_IPV6:
            if mask < 1 or mask > 128:
                raise ValueError('Invalid IPV6 mask value ({0}).'.format(mask))

    if port:
        if port < 1 or port > 65536:
            raise ValueError('Invalid port value ({0}).'.format(port))

    if protocol not in [u'tcp', u'udp', u'icmp', u'udplite', u'esp', u'ah', u'sctp']:
        raise ValueError('Invalid protocol ({0}).'.format(protocol))

    dest_matches = list()
    dest_matches.append(ipt.get_match(u'state', [ipt.get_jump_option(u'--state', u'NEW,ESTABLISHED'), ], ))
    if port:
        dest_matches.append(ipt.get_match(protocol, [ipt.get_match_option(u'--dport', port), ], ))

    jump_options = list()
    if uid:
        jump_options.append(ipt.get_jump_option(u'--uid-owner', uid))

    if gid:
        jump_options.append(ipt.get_jump_option(u'--gid-owner', uid))

    if jump_options:
        dest_matches.append(ipt.get_match(u'owner', jump_options))

    if jump_options:
        rule = ipt.get_rule(ip_protocol_name=protocol, dest_address=ipaddr, dest_mask=mask, matches=dest_matches)
    else:
        rule = ipt.get_rule(ip_protocol_name=protocol, dest_address=ipaddr, dest_mask=mask, matches=dest_matches,
                            jump=ipt.get_jump(target=u'ACCEPT'))

    rules.append(
        ipt.get_machine_subset(
            desc,
            slot,
            [
                ipt.get_chain(
                    u'filter',
                    [
                        ipt.get_ring(
                            u'output',
                            transport,
                            [
                                rule
                            ]
                        ),
                    ]
                )
            ]
        )
    )

    source_matches = list()
    source_matches.append(ipt.get_match(u'state', [ipt.get_jump_option(u'--state', u'ESTABLISHED'), ], ))
    if port:
        source_matches.append(ipt.get_match(protocol, [ipt.get_match_option(u'--sport', port), ], ))

    rule = ipt.get_rule(ip_protocol_name=protocol, source_address=ipaddr, source_mask=mask, matches=source_matches,
                        jump=ipt.get_jump(target=u'ACCEPT'))

    rules.append(
        ipt.get_machine_subset(
            desc,
            slot,
            [
                ipt.get_chain(
                    u'filter',
                    [
                        ipt.get_ring(
                            u'input',
                            transport,
                            [
                                rule
                            ]
                        ),
                    ]
                )
            ]
        )
    )

    return rules
예제 #3
0
def create_iptables_egress_rule_source(ipaddr, port, protocol, slot, state, transport=ipt.TRANSPORT_AUTO, desc=''):
    """
    Create an egress firewall rule for source.
    :param ipaddr: Source IP address, not host name.
    :param port: Source port to use for connection
    :param protocol: protocol to use, IE: tcp, udp, icmp, ...
    :param slot: Firewall slot number
    :param state: state of iptables: NEW,ESTABLISHED,RELATED
    :param transport: ipt.TRANSPORT_AUTO, ipt.TRANSPORT_IPV4 or ipt.TRANSPORT_IPV6
    :param desc: Extra description of the rule.
    :return:
    """

    if ipaddr:
        # Check transport version.
        transport = check_transport_value(ipaddr, transport)
    else:
        if transport == ipt.TRANSPORT_AUTO:
            raise ValueError('Unable to determine transport from ipaddr')

    if port:
        if port < 1 or port > 65536:
            raise ValueError('Invalid port value ({0}).'.format(port))

    if protocol not in [u'tcp', u'udp', u'icmp', u'udplite', u'esp', u'ah', u'sctp']:
        raise ValueError('Invalid protocol ({0}).'.format(protocol))

    if state:
        if state.strip().replace(u'NEW', '').replace(u'ESTABLISHED', '').replace(u'RELATED', '').replace(u',', ''):
            raise ValueError('Invalid Output State ({0}).'.state)
    else:
        raise ValueError('Output State is none.')

    if port:
        matches = [ipt.get_match(u'state', [ipt.get_jump_option(u'--state', state), ], ),
                   ipt.get_match(protocol, [ipt.get_match_option(u'--sport', port), ], ), ]
    else:
        matches = [ipt.get_match(u'state', [ipt.get_jump_option(u'--state', state), ], ), ]

    if ipaddr:
        rule = ipt.get_rule(ip_protocol_name=protocol, source_address=ipaddr, matches=matches,
                            jump=ipt.get_jump(target=u'ACCEPT'))
    else:
        rule = ipt.get_rule(ip_protocol_name=protocol, matches=matches, jump=ipt.get_jump(target=u'ACCEPT'))

    return ipt.get_machine_subset(
        desc,
        slot,
        [
            ipt.get_chain(
                u'filter',
                [
                    ipt.get_ring(
                        u'output',
                        transport,
                        [
                            rule
                        ]
                    ),
                ]
            )
        ]
    )
예제 #4
0
def create_iptables_remote_config(ipaddr, mask, port, protocol, slot, uid=None, gid=None, transport=ipt.TRANSPORT_AUTO,
                                  desc=''):
    """
    Create firewall rules for remote config.
    :param ipaddr: Destination IP address, not host name.
    :param mask: Netmask
    :param port: Destination port to use for connection
    :param protocol: protocol to use, IE: tcp, udp, icmp, ...
    :param slot: Firewall slot number
    :param transport: ipt.TRANSPORT_AUTO, ipt.TRANSPORT_IPV4 or ipt.TRANSPORT_IPV6
    :param desc: Extra description of the rule.
    :return:
    """

    rules = list()

    if ipaddr:
        # Check transport version.
        transport = check_transport_value(ipaddr, transport)
    else:
        if transport == ipt.TRANSPORT_AUTO:
            raise ValueError('Unable to determine transport from ipaddr')

    if mask:
        if transport == ipt.TRANSPORT_IPV4:
            if mask < 1 or mask > 32:
                raise ValueError('Invalid IPV4 mask value ({0}).'.format(mask))
        elif transport == ipt.TRANSPORT_IPV6:
            if mask < 1 or mask > 128:
                raise ValueError('Invalid IPV6 mask value ({0}).'.format(mask))

    if port:
        if port < 1 or port > 65536:
            raise ValueError('Invalid port value ({0}).'.format(port))

    if protocol not in [u'tcp', u'udp', u'icmp', u'udplite', u'esp', u'ah', u'sctp']:
        raise ValueError('Invalid protocol ({0}).'.format(protocol))

    dest_matches = list()
    dest_matches.append(ipt.get_match(u'state', [ipt.get_jump_option(u'--state', u'NEW,ESTABLISHED'), ], ))
    if port:
        dest_matches.append(ipt.get_match(protocol, [ipt.get_match_option(u'--dport', port), ], ))

    jump_options = list()
    if uid:
        jump_options.append(ipt.get_jump_option(u'--uid-owner', uid))

    if gid:
        jump_options.append(ipt.get_jump_option(u'--gid-owner', uid))

    if jump_options:
        dest_matches.append(ipt.get_match(u'owner', jump_options))

    if jump_options:
        rule = ipt.get_rule(ip_protocol_name=protocol, dest_address=ipaddr, dest_mask=mask, matches=dest_matches)
    else:
        rule = ipt.get_rule(ip_protocol_name=protocol, dest_address=ipaddr, dest_mask=mask, matches=dest_matches,
                            jump=ipt.get_jump(target=u'ACCEPT'))

    rules.append(
        ipt.get_machine_subset(
            desc,
            slot,
            [
                ipt.get_chain(
                    u'filter',
                    [
                        ipt.get_ring(
                            u'output',
                            transport,
                            [
                                rule
                            ]
                        ),
                    ]
                )
            ]
        )
    )

    source_matches = list()
    source_matches.append(ipt.get_match(u'state', [ipt.get_jump_option(u'--state', u'ESTABLISHED'), ], ))
    if port:
        source_matches.append(ipt.get_match(protocol, [ipt.get_match_option(u'--sport', port), ], ))

    rule = ipt.get_rule(ip_protocol_name=protocol, source_address=ipaddr, source_mask=mask, matches=source_matches,
                        jump=ipt.get_jump(target=u'ACCEPT'))

    rules.append(
        ipt.get_machine_subset(
            desc,
            slot,
            [
                ipt.get_chain(
                    u'filter',
                    [
                        ipt.get_ring(
                            u'input',
                            transport,
                            [
                                rule
                            ]
                        ),
                    ]
                )
            ]
        )
    )

    return rules
예제 #5
0
def create_iptables_egress_rule_source(ipaddr, port, protocol, slot, state, transport=ipt.TRANSPORT_AUTO, desc=''):
    """
    Create an egress firewall rule for source.
    :param ipaddr: Source IP address, not host name.
    :param port: Source port to use for connection
    :param protocol: protocol to use, IE: tcp, udp, icmp, ...
    :param slot: Firewall slot number
    :param state: state of iptables: NEW,ESTABLISHED,RELATED
    :param transport: ipt.TRANSPORT_AUTO, ipt.TRANSPORT_IPV4 or ipt.TRANSPORT_IPV6
    :param desc: Extra description of the rule.
    :return:
    """

    if ipaddr:
        # Check transport version.
        transport = check_transport_value(ipaddr, transport)
    else:
        if transport == ipt.TRANSPORT_AUTO:
            raise ValueError('Unable to determine transport from ipaddr')

    if port:
        if port < 1 or port > 65536:
            raise ValueError('Invalid port value ({0}).'.format(port))

    if protocol not in [u'tcp', u'udp', u'icmp', u'udplite', u'esp', u'ah', u'sctp']:
        raise ValueError('Invalid protocol ({0}).'.format(protocol))

    if state:
        if state.strip().replace(u'NEW', '').replace(u'ESTABLISHED', '').replace(u'RELATED', '').replace(u',', ''):
            raise ValueError('Invalid Output State ({0}).'.state)
    else:
        raise ValueError('Output State is none.')

    if port:
        matches = [ipt.get_match(u'state', [ipt.get_jump_option(u'--state', state), ], ),
                   ipt.get_match(protocol, [ipt.get_match_option(u'--sport', port), ], ), ]
    else:
        matches = [ipt.get_match(u'state', [ipt.get_jump_option(u'--state', state), ], ), ]

    if ipaddr:
        rule = ipt.get_rule(ip_protocol_name=protocol, source_address=ipaddr, matches=matches,
                            jump=ipt.get_jump(target=u'ACCEPT'))
    else:
        rule = ipt.get_rule(ip_protocol_name=protocol, matches=matches, jump=ipt.get_jump(target=u'ACCEPT'))

    return ipt.get_machine_subset(
        desc,
        slot,
        [
            ipt.get_chain(
                u'filter',
                [
                    ipt.get_ring(
                        u'output',
                        transport,
                        [
                            rule
                        ]
                    ),
                ]
            )
        ]
    )
예제 #6
0
    def create_logging_rules(self):

        rules = list()

        rules.append(ipt.get_machine_subset(
            u'ipv4 logging rule',
            9800,
            [
                ipt.get_chain(
                    u'filter',
                    [
                        ipt.get_ring(
                            u'output',
                            ipt.TRANSPORT_IPV4,
                            [
                                ipt.get_rule(
                                    matches=[
                                        ipt.get_match('limit', options=[
                                            ipt.get_match_option('--limit', self._limit_rate),
                                        ]),
                                    ],
                                    jump=ipt.get_jump(target=u'LOG', params=[
                                        ipt.get_jump_option(u'--log-level', value="alert"),
                                        ipt.get_jump_option(u'--log-prefix', value=u'SDC: '),
                                    ])
                                )
                            ]
                        ),
                    ]
                )
            ]
        )
        )

        rules.append(ipt.get_machine_subset(
            u'ipv4 logging rule',
            9800,
            [
                ipt.get_chain(
                    u'filter',
                    [
                        ipt.get_ring(
                            u'output',
                            ipt.TRANSPORT_IPV6,
                            [
                                ipt.get_rule(
                                    matches=[
                                        ipt.get_match('limit', options=[
                                            ipt.get_match_option('--limit', self._limit_rate),
                                        ]),
                                    ],
                                    jump=ipt.get_jump(target=u'LOG', params=[
                                        ipt.get_jump_option(u'--log-level', value="alert"),
                                        ipt.get_jump_option(u'--log-prefix', value=u'SDC: '),
                                    ])
                                )
                            ]
                        ),
                    ]
                )
            ]
        )
        )

        return rules
예제 #7
0
def create_tcp_server_conn_rule(addr, port, transport=ipt.TRANSPORT_AUTO, slot=120, desc=''):
    """
    Create a rule that allows access to the given addr and port.
    :param addr: IP address, not host name.
    :param port:
    :return:
    """

    # Example: a = ipt.get_match(name='state', options=[ipt.get_match_option('--state', 'ESTABLISHED')])

    if transport == ipt.TRANSPORT_AUTO:
        if is_valid_ipv6_address(addr):
            transport = ipt.TRANSPORT_IPV6
        elif is_valid_ipv4_address(addr):
            transport = ipt.TRANSPORT_IPV4
        else:
            raise ValueError
    elif transport == ipt.TRANSPORT_IPV4:
        if not is_valid_ipv4_address(addr):
            raise ValueError
    elif transport == ipt.TRANSPORT_IPV6:
        if not is_valid_ipv6_address(addr):
            raise ValueError
    else:
        raise ValueError

    return ipt.get_machine_subset(
        desc,
        slot,
        [
            ipt.get_chain(
                'filter',
                [
                    ipt.get_ring(
                        'input',
                        transport,
                        [
                            ipt.get_rule(
                                ip_protocol_name='tcp', source_address=addr, matches=[
                                    ipt.get_match('state', [ipt.get_jump_option('--state', 'ESTABLISHED'), ], ),
                                    ipt.get_match('tcp', [ipt.get_match_option('--sport', port), ], ),
                                ],
                                jump=ipt.get_jump(target='ACCEPT')
                            )]),
                    ipt.get_ring(
                        'output',
                        transport,
                        [
                            ipt.get_rule(
                                ip_protocol_name='tcp', dest_address=addr, matches=[
                                    ipt.get_match('state',
                                                  [ipt.get_jump_option('--state', 'NEW,ESTABLISHED'), ], ),
                                    ipt.get_match('tcp', [ipt.get_match_option('--dport', port), ], ),
                                ],
                                jump=ipt.get_jump(target='ACCEPT')
                            )
                        ]
                    ),
                ]
            )
        ]
    )