def _setup_gpg_rules():
    '''
    Allow GPG to reach keyserver.ubuntu.com on tcp/11371 (HKP).

    NOTE: iptables resolves a hostname given to "-d" once, at the moment the
    rule is inserted (one rule per address it resolves to), so the match is
    pinned to whatever the keyserver resolved to when syco applied the rules.
    If the keyserver changes address the rule silently goes stale until the
    rules are re-applied; a DNS lookup must also succeed at apply time.
    '''
    app.print_verbose("Setup GPG output rule.")
    keyserver_rule = "-A syco_output -p tcp -d keyserver.ubuntu.com --dport 11371 -j allowed_tcp"
    iptables(keyserver_rule)
def setup_ssh_rules():
    '''
    Allow SSH in and out of this host on tcp 22, 34 and 8022.

    Both rules are added without a "-s"/"-d" match, so the listed ports are
    accepted from any address that reaches syco_input (and connections are
    allowed out to any host). Restricting the source to a management subnet
    or jump host has to happen elsewhere (e.g. in the allowed_tcp chain or
    an earlier rule); this function does not do it.
    '''
    app.print_verbose("Setup ssh INPUT/OUTPUT rule.")
    ssh_ports = "22,34,8022"
    for hook_chain in ("syco_input", "syco_output"):
        iptables("-A {0} -p tcp -m multiport --dports {1} -j allowed_tcp".format(
            hook_chain, ssh_ports))
def _configure_iptables():
    '''
    Open Squid's listening port and its outbound web access.

    Adds tcp/3128 to syco_input and tcp/80,443 to syco_output, then saves
    the rule set.

    NOTE: the 3128 rule carries no "-s" match, so the proxy port is accepted
    from any source that reaches syco_input - not only from "localnets" as
    the old docstring claimed. If the proxy must stay internal, add a
    "-s <subnet>" match (or rely on Squid's own http_access ACLs).
    '''
    squid_rules = [
        "-A syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp",
        "-A syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp",
    ]
    for rule in squid_rules:
        iptables.iptables(rule)
    iptables.save()
def _configure_iptables():
    '''
    Firewall rules for the Squid proxy: accept tcp/3128 inbound and allow
    tcp/80,443 outbound, then persist the rule set.

    NOTE: no source restriction is applied to 3128 here - "localnets" in the
    original description is not enforced by this rule. Anything that reaches
    syco_input can talk to the proxy unless Squid's http_access ACLs or an
    earlier rule stop it.
    '''
    listen_rule = "-A syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp"
    egress_rule = "-A syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp"
    iptables.iptables(listen_rule)
    iptables.iptables(egress_rule)
    iptables.save()
def setup_dns_resolver_rules():
    '''
    Allow outbound DNS (udp and tcp 53, NEW state, unprivileged source port)
    to every resolver listed in the syco configuration.

    An entry equal to "none" (case-insensitive) is skipped. The resolver
    address is interpolated verbatim into the rule text; it comes from the
    admin-managed config, so no validation is done here - a malformed entry
    surfaces as an iptables error at apply time.
    '''
    app.print_verbose("Setup DNS resolver INPUT/OUTPUT rule.")
    rule_template = ("-A syco_output -p {proto} --sport 1024:65535 -d {ip} "
                     "--dport 53 -m state --state NEW -j allowed_{proto}")
    for resolver_ip in config.general.get_dns_resolvers():
        if resolver_ip.lower() == "none":
            continue
        # udp first, then tcp (same order the rules were originally added).
        for proto in ("udp", "tcp"):
            iptables(rule_template.format(proto=proto, ip=resolver_ip))
def setup_installation_server_rules():
    '''
    Allow outbound http/https so this host can fetch packages.

    TODO: Move all repos to the install server and harden the iptables.

    The rule deliberately has no "-d" match: package repositories still live
    outside the installation server, so tcp/80,443 is allowed to any
    destination. The destination-pinned variant (kept below, commented out)
    is the intended end state once every repo is on the install server.
    '''
    app.print_verbose("Setup http access to installation server.")
    # Hardened form, to enable once all repos are on the installation server:
    #ip=config.general.get_installation_server_ip()
    #iptables("-A syco_output -p tcp -d " + ip + " -m multiport --dports 80,443 -j allowed_tcp")
    web_egress_rule = "-A syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp"
    iptables(web_egress_rule)
def uninstall_squid(args=""):
    '''
    Remove Squid Caching Proxy from the server.

    Disables and stops the service, removes the package and its config
    directory, and deletes the two firewall rules _configure_iptables added
    before saving the rule set.

    NOTE: the config cleanup is "rm -rf <SQUID_CONF_DIR>*" run from "/";
    SQUID_CONF_DIR is expected to be a non-empty directory path, otherwise
    the glob degenerates to "*" in the root directory.
    '''
    app.print_verbose("Uninstall Squid Caching Proxy")
    os.chdir("/")
    _chkconfig("squid", "off")
    _service("squid", "stop")
    x("yum -y remove squid")
    x("rm -rf {0}*".format(SQUID_CONF_DIR))
    stale_rules = (
        "-D syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp",
        "-D syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp",
    )
    for rule in stale_rules:
        iptables.iptables(rule)
    iptables.save()
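def __init__(self):
    """
    Load the configuration, apply it, and clear the running marker.

    The running file is created before any work starts and is now removed in
    a ``finally`` block, so an exception raised while loading the config,
    building the iptables/acceptance helpers or inside apply() no longer
    leaves a stale running marker behind.

    NOTE(review): if the running file is intentionally meant to survive a
    failed run (as a crash indicator rather than a "busy" lock), revert to
    the unguarded form; nothing in this block shows which it is.
    """
    log.logging.info("Applying new configuration.")
    self.create_running_file()
    try:
        self.config = config.config("config/config.ini")
        self.iptables = iptables.iptables()
        self.acceptance = acceptance.acceptance()
        self.apply()
    finally:
        self.delete_running_file()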
def uninstall_squid(args=""):
    '''
    Remove Squid Caching Proxy from the server.

    Order of operations: disable + stop the service, yum-remove the package,
    wipe SQUID_CONF_DIR, then drop the inbound 3128 and outbound 80/443 rules
    and save the firewall state.

    NOTE: "rm -rf <SQUID_CONF_DIR>*" is executed from "/"; keep
    SQUID_CONF_DIR a non-empty path or the glob widens to the whole root.
    '''
    app.print_verbose("Uninstall Squid Caching Proxy")
    os.chdir("/")
    _chkconfig("squid", "off")
    _service("squid", "stop")
    x("yum -y remove squid")
    x("rm -rf %s*" % SQUID_CONF_DIR)
    iptables.iptables("-D syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp")
    iptables.iptables("-D syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp")
    iptables.save()
def add_freeradius_chain():
    '''
    Create the "freeradius" chain and allow RADIUS auth/acct (udp 1812,1813)
    only from each configured switch's back-net address.

    The previous chain is always torn down first; when /etc/init.d/radiusd
    is absent nothing else is done. The chain is hooked into both syco_input
    and syco_output with "-p ALL"; packets that match none of the per-switch
    rules simply fall out of the chain and continue in the calling chain.
    '''
    del_freeradius_chain()
    if not os.path.exists('/etc/init.d/radiusd'):
        return
    app.print_verbose("Add iptables chain for FreeRadius")
    iptables("-N freeradius")
    for hook_chain in ("syco_input", "syco_output"):
        iptables("-A {0} -p ALL -j freeradius".format(hook_chain))
    # Switches are allowed to talk to radius
    switch_rule = "-A freeradius -p UDP -m multiport -s {0} --dports 1812,1813 -j allowed_udp"
    for switch_name in get_switches():
        switch_back_ip = config.host(switch_name).get_back_ip()
        iptables(switch_rule.format(switch_back_ip))
def add_ntp_chain():
    '''
    Create the "ntp" chain and allow udp/123 through it in both directions.

    TODO: Only allow traffic to dedicated NTP servers and clients (restrict on ip).

    The single rule has neither "-s" nor "-d", so once a UDP packet reaches
    the chain, NTP is accepted from - and to - any address. Until the TODO is
    done, ntpd on this host is reachable from every network it sits on.
    Skipped entirely (after the old chain is removed) when /etc/init.d/ntpd
    does not exist.
    '''
    del_ntp_chain()
    if not os.path.exists('/etc/init.d/ntpd'):
        return
    app.print_verbose("Add iptables chain for ntp")
    iptables("-N ntp")
    for hook_chain in ("syco_input", "syco_output"):
        iptables("-A {0} -p UDP -j ntp".format(hook_chain))
    iptables("-A ntp -p UDP --dport 123 -j allowed_udp")
def uninstall_haproxy(args=""):
    '''
    Remove HA Proxy from the server.

    Disables and stops haproxy, removes the package, wipes HAPROXY_CONF_DIR
    and the copied certificate bundle, then deletes the inbound/outbound
    rules for 80,443 and 81-84 that the install added, and saves.

    NOTE: the PEM removal targets "<CERT_COPY_TO_PATH>/<HAPROXY_ENV>.pem"
    only; any other copies of the key material are left in place.
    '''
    app.print_verbose("Uninstall HA Proxy")
    os.chdir("/")
    _chkconfig("haproxy", "off")
    _service("haproxy", "stop")
    x("yum -y remove haproxy")
    x("rm -rf {0}*".format(HAPROXY_CONF_DIR))
    x("rm -rf {0}/{1}.pem".format(CERT_COPY_TO_PATH, HAPROXY_ENV))
    for port_list in ("80,443", "81,82,83,84"):
        for hook_chain in ("syco_input", "syco_output"):
            iptables.iptables("-D {0} -p tcp -m multiport --dports {1} -j allowed_tcp".format(
                hook_chain, port_list))
    iptables.save()
def add_kvm_chain():
    '''
    Create the "kvm" chain on syco_forward and accept every bridged frame.

    "-m physdev --physdev-is-bridged -j ACCEPT" matches packets that are
    being bridged (guest <-> physical NIC through the host bridge). ACCEPT is
    terminating, so such guest traffic is not evaluated by any later rule in
    the forward path on this host - guests need their own filtering (libvirt
    nwfilter or an in-guest firewall) if isolation between them matters.

    Skipped (after removing the old chain) when /etc/init.d/libvirtd is
    absent. The DHCP rules remain commented out pending a decision on whether
    they are needed. libvirtd is reloaded at the end so it re-applies its own
    rules on top of the new chain.
    '''
    del_kvm_chain()
    if not os.path.exists('/etc/init.d/libvirtd'):
        return
    app.print_verbose("Add iptables chain for kvm")
    kvm_rules = (
        "-N kvm",
        "-A syco_forward -p ALL -j kvm",
        "-A kvm -m physdev --physdev-is-bridged -j ACCEPT",
    )
    for rule in kvm_rules:
        iptables(rule)
    # DHCP / TODO: Needed??
    # iptables("-A kvm -m state --state NEW -m udp -p udp --dport 67 -j allowed_udp")
    # iptables("-A kvm -m state --state NEW -m udp -p udp --dport 68 -j allowed_udp")
    # Reload all settings.
    x("service libvirtd reload")
def _configure_iptables():
    """
    Firewall rules for keepalived.

    * Keepalived uses multicast and VRRP protocol to talk to the nodes and
      need to be opened. So first we remove the multicast blocks and then
      open them up.
    * VRRP is known as Protocol 112 in iptables.

    Security notes:
    * The 224.0.0.0/4 DROP rules are removed and replaced by ACCEPT rules for
      224.0.0.0/8 only; multicast outside 224/8 is then matched by neither and
      falls through the multicast_packets chain.
    * The VRRP rules accept protocol 112 on eth1 from any source - nothing
      here restricts which peers may speak VRRP, so keepalived's own
      authentication/peer configuration is the only control. The NIC is
      hard-coded to eth1 (other installers resolve it via get_front_nic_name).
    """
    multicast_rules = (
        "-D multicast_packets -s 224.0.0.0/4 -j DROP",
        "-D multicast_packets -d 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/8 -j ACCEPT",
    )
    vrrp_rules = (
        "-A syco_input -p 112 -i eth1 -j ACCEPT",
        "-A syco_output -p 112 -o eth1 -j ACCEPT",
    )
    for rule in multicast_rules + vrrp_rules:
        iptables.iptables(rule)
    iptables.save()
def uninstall_redis(args):
    """
    Remove Redis from the server.

    Stops/disables redis, removes redis and keepalived packages and their
    config files, reverts the firewall changes made at install time (6379
    rules, 224/8 multicast ACCEPTs, VRRP on eth1) and restores the 224/4
    multicast DROP rules, saves the rule set and marks the version record as
    uninstalled.

    NOTE(review): keepalived is set to "on" and restarted immediately before
    "yum -y remove redis keepalived" removes it; whether that restart is
    intended is not clear from this function.
    """
    app.print_verbose("Uninstall Redis")
    os.chdir("/")
    _chkconfig("redis", "off")
    _service("redis", "stop")
    _chkconfig("keepalived", "on")
    _service("keepalived", "restart")
    x("yum -y remove redis keepalived")
    for stale_file in ("redis.conf", "redis.conf.rpmsave"):
        x("rm -rf {0}{1}".format(REDIS_CONF_DIR, stale_file))
    x("rm -rf {0}*".format(KEEPALIVED_CONF_DIR))
    firewall_changes = (
        "-D syco_input -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-D syco_output -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-D multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-D multicast_packets -s 224.0.0.0/8 -j ACCEPT",
        "-D syco_input -p 112 -i eth1 -j ACCEPT",
        "-D syco_output -p 112 -o eth1 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/4 -j DROP",
    )
    for rule in firewall_changes:
        iptables.iptables(rule)
    iptables.save()
    version.Version("InstallRedis", script_version).mark_uninstalled()
def _configure_iptables():
    """
    Firewall rules for Redis + keepalived.

    * Keepalived uses multicast and VRRP protocol to talk to the nodes and
      need to be opened. So first we remove the multicast blocks and then
      open them up.
    * VRRP is known as Protocol 112 in iptables.
    * Redis uses port 6379 and need to be opened.

    TODO: Use kribors new iptables setup.

    Security notes:
    * tcp/6379 is accepted on syco_input from any source; unless redis.conf
      binds to an internal address or requires a password, every host that
      reaches this chain can talk to Redis. Add a "-s <subnet>" match if the
      cluster peers are known.
    * The 224/4 DROP rules are removed and only 224/8 is ACCEPTed; other
      multicast ranges fall through the chain unmatched.
    * VRRP (proto 112) is accepted on eth1 from any peer.
    """
    redis_rules = (
        "-A syco_input -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-A syco_output -p tcp -m multiport --dports 6379 -j allowed_tcp",
    )
    keepalived_rules = (
        "-D multicast_packets -s 224.0.0.0/4 -j DROP",
        "-D multicast_packets -d 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/8 -j ACCEPT",
        "-A syco_input -p 112 -i eth1 -j ACCEPT",
        "-A syco_output -p 112 -o eth1 -j ACCEPT",
    )
    for rule in redis_rules + keepalived_rules:
        iptables.iptables(rule)
    iptables.save()
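def del_openvpn_chain():
    '''
    Unhook, flush and delete the openvpn chains (filter and nat tables).

    Every command is issued with general.X_OUTPUT_CMD, like the other
    del_*_chain helpers, so a missing chain does not abort the caller.

    Fix: the flush (-F) and delete (-X) commands were passed as
    "iptables -F openvpn_input" etc., i.e. with the binary name inside the
    argument string, whereas every other helper in this module (and the -D
    lines above) pass bare arguments to iptables(). With the wrapper
    prepending the binary itself, that extra word makes those six commands
    invalid, and because their failure is suppressed the old chains were
    never flushed/removed - rules accumulated on every re-apply. They now use
    the same bare-argument form as the rest of the module.
    '''
    app.print_verbose("Delete iptables chain for openvpn")
    iptables("-D syco_input -p ALL -j openvpn_input", general.X_OUTPUT_CMD)
    iptables("-D syco_forward -p ALL -j openvpn_forward", general.X_OUTPUT_CMD)
    iptables("-t nat -D syco_nat_postrouting -p ALL -j openvpn_postrouting", general.X_OUTPUT_CMD)
    filter_chains = ("openvpn_input", "openvpn_forward")
    for chain in filter_chains:
        iptables("-F {0}".format(chain), general.X_OUTPUT_CMD)
    iptables("-t nat -F openvpn_postrouting", general.X_OUTPUT_CMD)
    for chain in filter_chains:
        iptables("-X {0}".format(chain), general.X_OUTPUT_CMD)
    iptables("-t nat -X openvpn_postrouting", general.X_OUTPUT_CMD)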
#If its time to unblock IP. unblock it for blocked in config.blockList: if (datetime.datetime.now() < (blocked[1]) + datetime.timedelta(minutes=config.blockInterval)): #Block time hasn't expired #print("Still blocked..") pass else: #Block time expired unblockIP(blocked[0]) checkRecentFailList() time.sleep(self.interval) config = config() #Load script configuration iptables = iptables(config.iptablesChain) logread = logread() logread.init(config.logreadFilename) recentFailList = [] checker = BackgroundBlockCheck( interval=config.checkInterval) #Start background thread log("Launch") def eventListOp(parsedIP, parsedAccount, parsedDate): ''' Adds an IP to recentEventList upon failure to login. Checks if multiple (recentFailCount) IPs access same account. ''' if len(recentFailList) == 0: recentFailList.append([parsedAccount, (parsedIP, parsedDate)]) return
def add_mail_relay_chain():
    '''
    Create the incoming_mail / outgoing_mail chains for SMTP (tcp/25).

    * Only the host configured as mail relay server accepts inbound 25.
    * Every host gets an outbound tcp/25 rule with no "-d" match, so any
      host can open SMTP to any destination, not just to the relay. A
      compromised host can therefore send mail directly, bypassing the relay's
      logging and filtering; pinning "-d <relay address>" here would close
      that path if a suitable address accessor exists in config.
    '''
    del_mail_relay_chain()
    app.print_verbose("Add iptables chain for mail relay")
    smtp_rule = "-A {0} -m state --state NEW -p tcp --dport 25 -j allowed_tcp"
    iptables("-N incoming_mail")
    iptables("-N outgoing_mail")
    iptables("-A syco_input -p tcp -j incoming_mail")
    iptables("-A syco_output -p tcp -j outgoing_mail")
    # Allow mailrelay to receive email
    is_relay_host = config.general.get_mail_relay_server() == get_hostname()
    if is_relay_host:
        iptables(smtp_rule.format("incoming_mail"))
    # Allow all hosts to send mail on DMZ
    iptables(smtp_rule.format("outgoing_mail"))
def add_openvpn_chain():
    '''
    Create the openvpn chains: listener rules, forwarding for the tunnel
    network and source NAT on both NICs.

    Skipped (after tearing down the old chains) when /etc/init.d/openvpn is
    absent.

    Security notes:
    * udp/tcp 1194 is accepted from any source - expected for a VPN endpoint.
    * Forwarding accepts every packet whose source is in <network>/24 before
      the final REJECT, so VPN clients may reach any destination on any port;
      the narrower per-port rule is kept below, commented out, for when the
      allowed services are known. The /24 mask is hard-coded here and must
      match the network handed out by OpenVPN.
    * MASQUERADE rewrites the client's source address to the host's own, so
      downstream hosts see the VPN gateway, not the individual client; keep
      OpenVPN's own logs if per-client attribution is needed.
    '''
    del_openvpn_chain()
    if not os.path.exists('/etc/init.d/openvpn'):
        return
    app.print_verbose("Add iptables chain for openvpn")
    vpn_network = config.general.get_openvpn_network()
    chain_setup = (
        "-N openvpn_input",
        "-N openvpn_forward",
        "-t nat -N openvpn_postrouting",
        "-A syco_input -p ALL -j openvpn_input",
        "-A syco_forward -p ALL -j openvpn_forward",
        "-t nat -A syco_nat_postrouting -p ALL -j openvpn_postrouting",
    )
    for rule in chain_setup:
        iptables(rule)
    #Accept connections on 1194 for vpn access from clients
    iptables("-A openvpn_input -p udp --dport 1194 -j allowed_udp")
    iptables("-A openvpn_input -p tcp --dport 1194 -j allowed_tcp")
    #Apply forwarding for OpenVPN Tunneling
    iptables("-A openvpn_forward -m state --state RELATED,ESTABLISHED -j ACCEPT")
    iptables("-A openvpn_forward -s {0}/24 -j ACCEPT".format(vpn_network))
    # iptables("-A openvpn_forward -p tcp -m state --state NEW -m multiport --dports 22,34,53,80,443,4848,8080,8181,6048,6080,6081,7048,7080,7081 -j allowed_tcp")
    iptables("-A openvpn_forward -j REJECT")
    for nic in ("eth0", "eth1"):
        iptables("-t nat -A openvpn_postrouting -s {0}/24 -o {1} -j MASQUERADE".format(vpn_network, nic))
def add_iptables_chain():
    """
    Create the keepalived_input / keepalived_output chains and open VRRP.

    * Keepalived uses multicast and VRRP protocol to talk to the nodes and
      need to be opened. So first we remove the multicast blocks and then
      open them up.
    * VRRP is known as Protocol 112 in iptables.

    Both chains are hooked with "-p ALL" but only match protocol 112 on the
    front NIC (from/to any peer); everything else falls back out of the
    chain. The 224/4 DROP removals run with X_OUTPUT_CMD so a missing rule
    does not abort; the 224/8 ACCEPTs are then appended unconditionally.
    """
    app.print_verbose("Add iptables chain for keepalived")
    for hook_chain, own_chain in (("syco_output", "keepalived_output"),
                                  ("syco_input", "keepalived_input")):
        iptables("-N {0}".format(own_chain))
        iptables("-A {0} -p ALL -j {1}".format(hook_chain, own_chain))
    front_nic = get_front_nic_name()
    iptables("-A keepalived_input -p 112 -i {0} -j ACCEPT".format(front_nic))
    iptables("-A keepalived_output -p 112 -o {0} -j ACCEPT".format(front_nic))
    for direction in ("-s", "-d"):
        iptables("-D multicast_packets {0} 224.0.0.0/4 -j DROP".format(direction),
                 general.X_OUTPUT_CMD)
    iptables("-A multicast_packets -d 224.0.0.0/8 -j ACCEPT")
    iptables("-A multicast_packets -s 224.0.0.0/8 -j ACCEPT")
def firewall_clear(args):
    '''
    Remove all iptables rules.

    Sets every built-in chain policy in the filter, nat and mangle tables to
    ACCEPT, flushes all rules, deletes all user-defined chains and zeroes the
    counters.

    WARNING: this is fail-open. After it returns the host has no packet
    filtering at all (every policy ACCEPT, no rules) until the syco rule set
    is applied again; do not leave a host in this state on an exposed network.
    '''
    app.print_verbose("Clear all iptables rules.")
    builtin_chains = (
        ("filter", ("INPUT", "FORWARD", "OUTPUT")),
        ("nat", ("PREROUTING", "POSTROUTING", "OUTPUT")),
        ("mangle", ("PREROUTING", "POSTROUTING", "INPUT", "OUTPUT", "FORWARD")),
    )
    # reset the default policies in every table.
    for table, chains in builtin_chains:
        for chain in chains:
            iptables("-t {0} -P {1} ACCEPT".format(table, chain))
    # Flush all chains, delete all user-defined chains, zero all counters.
    for flag in ("-F", "-X", "-Z"):
        for table, _chains in builtin_chains:
            iptables("{0} -t {1}".format(flag, table))
def uninstall_redis(args):
    """
    Remove Redis from the server.

    Reverses the install: service off, packages (redis + keepalived) removed,
    config files deleted, the 6379/VRRP/multicast rules removed and the
    224/4 multicast DROPs re-added, rule set saved, version record marked as
    uninstalled.

    NOTE(review): keepalived is enabled and restarted right before the same
    package is removed by yum; if that is not intentional the two keepalived
    lines should probably be "off"/"stop".
    """
    app.print_verbose("Uninstall Redis")
    os.chdir("/")
    _chkconfig("redis", "off")
    _service("redis", "stop")
    _chkconfig("keepalived", "on")
    _service("keepalived", "restart")
    x("yum -y remove redis keepalived")
    x("rm -rf {0}redis.conf".format(REDIS_CONF_DIR))
    x("rm -rf {0}redis.conf.rpmsave".format(REDIS_CONF_DIR))
    x("rm -rf {0}*".format(KEEPALIVED_CONF_DIR))
    for hook_chain in ("syco_input", "syco_output"):
        iptables.iptables("-D {0} -p tcp -m multiport --dports 6379 -j allowed_tcp".format(hook_chain))
    iptables.iptables("-D multicast_packets -d 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-D multicast_packets -s 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-D syco_input -p 112 -i eth1 -j ACCEPT")
    iptables.iptables("-D syco_output -p 112 -o eth1 -j ACCEPT")
    iptables.iptables("-A multicast_packets -s 224.0.0.0/4 -j DROP")
    iptables.iptables("-A multicast_packets -d 224.0.0.0/4 -j DROP")
    iptables.save()
    redis_version = version.Version("InstallRedis", script_version)
    redis_version.mark_uninstalled()
def uninstall_keepalived(args=""):
    """
    Remove Keepalived from the server.

    Disables/stops the service, removes the package and KA_CONF_DIR, drops
    the 224/8 multicast ACCEPTs and the VRRP (proto 112, eth1) rules, puts
    the 224/4 multicast DROP rules back and saves the rule set.
    """
    app.print_verbose("Uninstall Keepalived")
    os.chdir("/")
    _chkconfig("keepalived", "off")
    _service("keepalived", "stop")
    x("yum -y remove keepalived")
    x("rm -rf {0}*".format(KA_CONF_DIR))
    rollback_rules = (
        "-D multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-D multicast_packets -s 224.0.0.0/8 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/4 -j DROP",
        "-D syco_input -p 112 -i eth1 -j ACCEPT",
        "-D syco_output -p 112 -o eth1 -j ACCEPT",
    )
    for rule in rollback_rules:
        iptables.iptables(rule)
    iptables.save()
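def del_iptables_chain():
    '''
    Unhook, flush and delete the keepalived chains and put the 224/4
    multicast DROP rules back.

    Fix: the input side was never unhooked. The second "-D" line repeated
    "-D syco_output -p ALL -j keepalived_output" instead of detaching
    keepalived_input from syco_input, so the jump to keepalived_input stayed
    in place and "-X keepalived_input" could not remove the chain (iptables
    refuses to delete a chain that is still referenced); the failures were
    hidden by X_OUTPUT_CMD. Both pairs are now handled symmetrically.

    The -D/-F/-X commands and the 224/8 ACCEPT removals run with
    general.X_OUTPUT_CMD so an already-missing rule or chain does not abort;
    the 224/4 DROP rules are appended unconditionally.
    '''
    app.print_verbose("Delete iptables chain for keepalived")
    for hook_chain, own_chain in (("syco_output", "keepalived_output"),
                                  ("syco_input", "keepalived_input")):
        iptables("-D {0} -p ALL -j {1}".format(hook_chain, own_chain), general.X_OUTPUT_CMD)
        iptables("-F {0}".format(own_chain), general.X_OUTPUT_CMD)
        iptables("-X {0}".format(own_chain), general.X_OUTPUT_CMD)
    iptables("-D multicast_packets -d 224.0.0.0/8 -j ACCEPT", general.X_OUTPUT_CMD)
    iptables("-D multicast_packets -s 224.0.0.0/8 -j ACCEPT", general.X_OUTPUT_CMD)
    iptables("-A multicast_packets -s 224.0.0.0/4 -j DROP")
    iptables("-A multicast_packets -d 224.0.0.0/4 -j DROP")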
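def add_rsyslog_chain(context=None):
    '''
    Rsyslog IPtables rules

    Rsyslog Server
        Servers in network -> IN -> tcp -> 514 -> Rsyslog Server

    Rsyslog Client
        Rsyslog Server <- OUT <- tcp <- 514 <- Rsyslog Client

    context: None, "server" or "client". Forces the role when the matching
    install script has not (yet) been recorded as executed.

    Fix: the server-role check compared context to "server" with "is",
    which tests object identity rather than equality and is not guaranteed
    to hold for an equal string supplied by a caller; it now uses "==".

    Inbound 514 (tcp and udp, NEW state) is accepted only from the back and
    front subnets. NOTE(review): only server-side input rules are present in
    this function; rsyslog_out is created but no client-side output rule is
    added here.
    '''
    del_rsyslog_chain()
    import installRsyslog
    import installRsyslogd
    server_version_obj = version.Version("InstallRsyslogd", installRsyslogd.SCRIPT_VERSION)
    client_version_obj = version.Version("InstallRsyslogdClient", installRsyslog.SCRIPT_VERSION)
    server_installed = server_version_obj.is_executed()
    client_installed = client_version_obj.is_executed()
    if not (server_installed or client_installed or context in ["server", "client"]):
        return
    app.print_verbose("Add iptables chain for rsyslog")
    iptables("-N rsyslog_in")
    iptables("-N rsyslog_out")
    iptables("-A syco_input -p all -j rsyslog_in")
    iptables("-A syco_output -p all -j rsyslog_out")
    # On rsyslog server
    if server_installed or context == "server":
        subnets = (config.general.get_back_subnet(), config.general.get_front_subnet())
        # tcp rules for both subnets first, then udp - same order as before.
        for proto in ("tcp", "udp"):
            for subnet in subnets:
                iptables(" -A rsyslog_in -m state --state NEW -p %s -s %s --dport 514 -j allowed_%s"
                         % (proto, subnet, proto))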
def del_rsyslog_chain():
    '''
    Unhook, flush and delete the rsyslog_in / rsyslog_out chains.

    All commands run with general.X_OUTPUT_CMD so a chain that does not
    exist (first apply) does not abort the caller.
    '''
    app.print_verbose("Delete iptables chain for rsyslog")
    for hook_chain, own_chain in (("syco_input", "rsyslog_in"),
                                  ("syco_output", "rsyslog_out")):
        iptables("-D {0} -p all -j {1}".format(hook_chain, own_chain), general.X_OUTPUT_CMD)
        iptables("-F {0}".format(own_chain), general.X_OUTPUT_CMD)
        iptables("-X {0}".format(own_chain), general.X_OUTPUT_CMD)
def add_bind_chain():
    '''
    Create the bind_input / bind_output chains and open DNS (udp+tcp 53).

    Only done when /etc/init.d/named exists; the old chains are removed first
    in either case.

    NOTE: the input rules have no "-s" match, so the resolver answers queries
    from any address that reaches syco_input; for an authoritative-only or
    internal resolver, restrict the source (and/or use BIND's allow-query /
    allow-recursion) to avoid serving as an open resolver.
    '''
    del_bind_chain()
    if not os.path.exists('/etc/init.d/named'):
        return
    app.print_verbose("Add iptables chain for bind")
    iptables("-N bind_input")
    iptables("-N bind_output")
    iptables("-A syco_input -j bind_input")
    iptables("-A syco_output -j bind_output")
    dns_rule = "-A {0} -m state --state NEW -p {1} --dport 53 -j allowed_{1}"
    for own_chain in ("bind_input", "bind_output"):
        for proto in ("udp", "tcp"):
            iptables(dns_rule.format(own_chain, proto))
def del_bind_chain():
    '''
    Unhook, flush and delete the bind_input / bind_output chains.

    Runs every command with general.X_OUTPUT_CMD so a missing chain or
    jump does not abort the caller.
    '''
    app.print_verbose("Delete iptables chain for bind")
    jumps = (("syco_input", "bind_input"), ("syco_output", "bind_output"))
    for hook_chain, own_chain in jumps:
        iptables("-D {0} -j {1}".format(hook_chain, own_chain), general.X_OUTPUT_CMD)
    for flag in ("-F", "-X"):
        for _hook_chain, own_chain in jumps:
            iptables("{0} {1}".format(flag, own_chain), general.X_OUTPUT_CMD)
def add_openvas_chain():
    '''
    Create the openvas_input / openvas_output chains.

    Skipped (after removing the old chains) when /usr/sbin/openvassd is not
    installed.

    Security notes:
    * tcp/9392 (the OpenVAS web interface) is accepted from any source; the
      rule has no "-s" match, so access control rests on the UI's login.
    * openvas_output ACCEPTs every outbound packet ("-p ALL"), bypassing the
      rest of the egress policy on this host. That is what a scanner needs
      to probe arbitrary ports, but it also means a compromise of this host
      has unrestricted egress.
    '''
    del_openvas_chain()
    if not os.path.exists('/usr/sbin/openvassd'):
        return
    app.print_verbose("Add iptables chain for openvas")
    openvas_rules = (
        "-N openvas_input",
        "-N openvas_output",
        "-A syco_input -p ALL -j openvas_input",
        "-A syco_output -p ALL -j openvas_output",
        "-A openvas_input -p TCP --dport 9392 -j allowed_tcp",
        "-A openvas_output -p ALL -j ACCEPT",
    )
    for rule in openvas_rules:
        iptables(rule)
def del_ossec_chain():
    '''
    Unhook, flush and delete the ossec_in / ossec_out chains.

    The jumps were added with "-p udp" (see add_ossec_chain), so they are
    deleted with the same match. Commands run with general.X_OUTPUT_CMD so a
    missing chain does not abort the caller.
    '''
    app.print_verbose("Delete iptables chain for Ossec")
    for hook_chain, own_chain in (("syco_input", "ossec_in"),
                                  ("syco_output", "ossec_out")):
        iptables("-D {0} -p udp -j {1}".format(hook_chain, own_chain), general.X_OUTPUT_CMD)
        iptables("-F {0}".format(own_chain), general.X_OUTPUT_CMD)
        iptables("-X {0}".format(own_chain), general.X_OUTPUT_CMD)
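def add_ossec_chain():
    '''
    OSSEC IPtables rules

    OSSEC Server
        Servers in network -> IN -> udp -> 1514 -> OSSEC Server
        Servers in network <- OUT <- udp <- 1514 <- OSSEC Server

    OSSEC Client
        OSSEC Server -> IN -> udp -> 1514 -> OSSEC Client
        OSSEC Server <- OUT <- udp <- 1514 <- OSSEC Client

    Skipped (after removing the old chains) when /var/ossec is absent. On a
    server (ossec-remoted present) udp/1514 is allowed in from, and out to,
    the front ip of every host returned by get_servers().

    Changes: a host whose front ip cannot be resolved (or whose rule fails)
    is still skipped best-effort, but the failure is now reported through
    app.print_verbose instead of being swallowed by "except: pass"; the
    front ip is looked up once per host instead of twice; and the Python-2-
    only "except Exception, e" syntax is replaced by "except Exception as e",
    which works on Python 2.6+ and 3.

    NOTE(review): only the server branch is present in this function; no
    client-side rules are added here despite the docstring's client section.
    '''
    del_ossec_chain()
    if not os.path.exists('/var/ossec'):
        return
    app.print_verbose("Add iptables chain for OSSEC")
    # Create chains.
    iptables("-N ossec_in")
    iptables("-N ossec_out")
    iptables("-A syco_input -p udp -j ossec_in")
    iptables("-A syco_output -p udp -j ossec_out")
    # Ossec Server
    if not os.path.exists('/var/ossec/bin/ossec-remoted'):
        return
    for server in get_servers():
        try:
            front_ip = config.host(server).get_front_ip()
            iptables("-A ossec_in -p udp -s %s --dport 1514 -j allowed_udp" % front_ip)
            iptables("-A ossec_out -p udp -d %s --dport 1514 -j allowed_udp" % front_ip)
        except Exception as e:
            # Best effort, as before: a host without a usable front ip gets
            # no rule - but say so instead of hiding it.
            app.print_verbose("OSSEC: no rule added for %s (%s)" % (server, e))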
def del_freeradius_chain():
    '''
    Unhook the "freeradius" chain from syco_input and syco_output, then
    flush and delete it.

    Every command runs with general.X_OUTPUT_CMD so a missing chain or jump
    does not abort the caller.
    '''
    app.print_verbose("Delete iptables chain for FreeRadius")
    for hook_chain in ("syco_input", "syco_output"):
        iptables("-D {0} -p ALL -j freeradius".format(hook_chain), general.X_OUTPUT_CMD)
    for flag in ("-F", "-X"):
        iptables("{0} freeradius".format(flag), general.X_OUTPUT_CMD)
def del_mail_relay_chain():
    '''
    Unhook, flush and delete the incoming_mail / outgoing_mail chains.

    The jumps were added with "-p tcp" (see add_mail_relay_chain) and are
    removed with the same match. Commands run with general.X_OUTPUT_CMD so
    a missing chain does not abort the caller.
    '''
    app.print_verbose("Delete iptables chain for mail_relay")
    jumps = (("syco_input", "incoming_mail"), ("syco_output", "outgoing_mail"))
    for hook_chain, own_chain in jumps:
        iptables("-D {0} -p tcp -j {1}".format(hook_chain, own_chain), general.X_OUTPUT_CMD)
    for flag in ("-F", "-X"):
        for _hook_chain, own_chain in jumps:
            iptables("{0} {1}".format(flag, own_chain), general.X_OUTPUT_CMD)
def del_openvas_chain():
    '''
    Unhook, flush and delete the openvas_input / openvas_output chains.

    Commands run with general.X_OUTPUT_CMD so a missing chain or jump does
    not abort the caller.
    '''
    app.print_verbose("Delete iptables chain for openvas")
    for hook_chain, own_chain in (("syco_input", "openvas_input"),
                                  ("syco_output", "openvas_output")):
        iptables("-D {0} -p ALL -j {1}".format(hook_chain, own_chain), general.X_OUTPUT_CMD)
        iptables("-F {0}".format(own_chain), general.X_OUTPUT_CMD)
        iptables("-X {0}".format(own_chain), general.X_OUTPUT_CMD)
def _configure_iptables():
    """
    Firewall rules for Redis + keepalived, then save.

    * Keepalived uses multicast and VRRP protocol to talk to the nodes and
      need to be opened. So first we remove the multicast blocks and then
      open them up.
    * VRRP is known as Protocol 112 in iptables.
    * Redis uses port 6379 and need to be opened.

    TODO: Use kribors new iptables setup.

    Security notes: tcp/6379 is opened on syco_input with no source match -
    restrict it to the replica/client subnet or rely on redis.conf bind +
    requirepass; only 224/8 multicast is ACCEPTed after the 224/4 DROPs are
    removed; VRRP is accepted on the hard-coded eth1 from any peer.
    """
    for hook_chain in ("syco_input", "syco_output"):
        iptables.iptables("-A {0} -p tcp -m multiport --dports 6379 -j allowed_tcp".format(hook_chain))
    for direction in ("-s", "-d"):
        iptables.iptables("-D multicast_packets {0} 224.0.0.0/4 -j DROP".format(direction))
    for direction in ("-d", "-s"):
        iptables.iptables("-A multicast_packets {0} 224.0.0.0/8 -j ACCEPT".format(direction))
    iptables.iptables("-A syco_input -p 112 -i eth1 -j ACCEPT")
    iptables.iptables("-A syco_output -p 112 -o eth1 -j ACCEPT")
    iptables.save()
def _configure_iptables():
    '''
    Firewall rules for HAProxy: accept tcp 80,443 and 81-84 on syco_input,
    allow the same ports out on syco_output, then save.

    NOTE: none of the rules carry a source/destination match, so the
    frontend ports - including the 81-84 ones, which look like internal or
    stats/backend ports - are reachable from any address that reaches
    syco_input. If 81-84 are not meant to be public, add a "-s <subnet>"
    match to those rules.
    '''
    for port_list in ("80,443", "81,82,83,84"):
        for hook_chain in ("syco_input", "syco_output"):
            iptables.iptables("-A {0} -p tcp -m multiport --dports {1} -j allowed_tcp".format(
                hook_chain, port_list))
    iptables.save()