def set_public_firewall(port_list):
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
for port in port_list:
rule = iptc.Rule()
rule.target = iptc.Target(rule, "ACCEPT")
rule.protocol = "tcp"
match = iptc.Match(rule, "tcp")
match.dport = str(port)
rule.add_match(match)
chain.insert_rule(rule)
def dropAll(ip):
rule = iptc.Rule()
rule.src = str(ip)
rule.protocol = "tcp"
rule_match = iptc.Match(rule, "tcp")
target = iptc.Target(rule, "DROP")
rule.add_match(rule_match)
rule.target = target
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.insert_rule(rule)
def setUp(self):
self.rule = iptc.Rule()
self.rule.protocol = "tcp"
self.rule.target = iptc.Target(self.rule, "ACCEPT")
self.match = iptc.Match(self.rule, "iprange")
self.chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),
"iptc_test_iprange")
iptc.Table(iptc.Table.FILTER).create_chain(self.chain)
def setUp(self):
self.rule = iptc.Rule()
self.rule.src = "127.0.0.1"
self.rule.protocol = "udp"
self.rule.target = iptc.Target(self.rule, "ACCEPT")
self.match = iptc.Match(self.rule, "comment")
self.chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),
"iptc_test_comment")
iptc.Table(iptc.Table.FILTER).create_chain(self.chain)
def create_rules(server_ip, server_port, router_port, gateway):
destination = server_ip + ':' + server_port
prerouting_rule = iptc.Rule()
prerouting_rule.protocol = "tcp"
prerouting_rule.dst = gateway
match = iptc.Match(prerouting_rule, "tcp")
match.dport = router_port
target = prerouting_rule.create_target("DNAT")
target.to_destination = destination
prerouting_rule.add_match(match)
prerouting_rule.target = target
postrouting_rule = iptc.Rule()
postrouting_rule.protocol = "tcp"
postrouting_rule.dst = server_ip
match = iptc.Match(postrouting_rule, "tcp")
match.dport = server_port
postrouting_rule.add_match(match)
postrouting_rule.target = iptc.Target(postrouting_rule, "MASQUERADE")
return prerouting_rule, postrouting_rule
def addRegra(ipFonte, ipDestino, portaFonte, portaDestino, estado, username,
acao, protocolo, chain):
regra = iptc.Rule()
chains = ["INPUT", "OUTPUT"]
indiceChain = int(chain) - 1
chain = chains[indiceChain]
acoes = ["ACCEPT", "DROP"]
indiceAcao = int(acao) - 1
acao = acoes[indiceAcao]
protocolos = ["TCP", "UDP", ""]
indiceProtocolo = int(protocolo) - 1
protocolo = protocolos[indiceProtocolo]
if (protocolo):
regra.protocol = protocolo
if (ipFonte):
regra.src = ipFonte
if (ipDestino):
regra.dst = ipDestino
if (portaFonte):
regra.sport = portaFonte
if (portaDestino):
regra.dport = portaDestino
if (username):
match = iptc.Match(regra, "owner")
match.uid_owner = username
regra.add_match(match)
if (estado):
match = iptc.Match(regra, "conntrack")
match.ctstate = estado
regra.add_match(match)
target = iptc.Target(regra, acao)
regra.target = target
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), chain)
chain.append_rule(regra)
def unblock_port(ip_address):
rule = iptc.Rule()
rule.protocol = "tcp"
rule.src = ip_address
match = iptc.Match(rule, "tcp")
match.dport = secret_port
rule.add_match(match)
rule.target = iptc.Target(rule, "ACCEPT")
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.insert_rule(rule)
print("Port", secret_port, "was unblocked for", ip_address)
return (chain, rule)
def revIP(self,ip):
print "remove rule", ip
((ip, port), val,time)=ip
rule = iptc.Rule()
rule.protocol = val
m = iptc.Match(rule, val)
rule.src = ip
m.sport = str(port)
rule.add_match(m)
rule.target = iptc.Target(rule, "DROP")
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.delete_rule(rule)
rule = iptc.Rule()
rule.protocol = val
m = iptc.Match(rule, val)
rule.dst = ip
m.dport = str(port)
rule.add_match(m)
rule.target = iptc.Target(rule, "DROP")
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "OUTPUT")
chain.delete_rule(rule)
def mkCFDDNSRule(hostnm: str = '', proto: str = '', portNum: str = ''):
rule = iptc.Rule()
rule.protocol = proto
rule.src = v4_lookup(hostnm)
portmatch = iptc.Match(rule, proto)
portmatch.dport = portNum
connt = iptc.Match(rule, 'conntrack')
connt.ctstate = 'NEW'
commentm = iptc.Match(rule, 'comment')
commentm.comment = '{}_{}_{}'.format(hostnm, proto, portNum)
rule.add_match(portmatch)
rule.add_match(connt)
rule.add_match(commentm)
tar = rule.create_target('ACCEPT')
rule.target = tar
return rule
def iptc_to_ip_tables(the_rule):
#print(the_rule)
chain = ''
rule = ''
match = ''
target = ''
# Regular Expression to validate IPs
regex = '''^(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(
25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(
25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(
25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)$'''
# Get a dictionary of rules
# Retrieve input options
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),
(the_rule['input_options']))
#print(chain.rules)
rule = iptc.Rule()
# rule.in_interface = "eth+"
# Retrieve IPs and error check entries
if (re.search(regex, str(the_rule['source_ip']))):
rule.src = the_rule['source_ip']
#else:
#print("FireTables: Rule Source IP set to anywhere")
if (re.search(regex, str(the_rule['destination_ip']))):
rule.dst = the_rule['destination_ip']
#else:
#print("FireTables: Rule Destination IP set to anywhere")
# Retrieve Accept or Drop options
target = iptc.Target(rule, the_rule['accept_or_drop_options'])
rule.target = target
# Retrieve Protocol
rule.protocol = the_rule['protocol_options']
match = iptc.Match(rule, the_rule['protocol_options'])
# Retrieve Ports and error check port entries
if the_rule['protocol_options'] != 'icmp':
if the_rule['source_port'] != "":
if int(the_rule['source_port']) in range(65535):
match.sport = the_rule['source_port']
#else:
#print("FireTables: Rule Source Port set to anywhere")
if the_rule['destination_port'] != "":
if int(the_rule['destination_port']) in range(65535):
match.dport = the_rule['destination_port']
#else:
#print("FireTables: Rule Destination Port set to anywhere")
rule.add_match(match)
# Insert rule into iptables
chain.append_rule(rule)
def set_rule(self, **kwargs):
# -ipv4
# -ipv6
# --protocol
# -source address[ / mask][, ...]
# --destination address[ / mask][, ...]
# -m, --match commetnt dic
# -j, --jump target
# -g, --goto chain
# -i, --in-interface
# -o, --out-interface name
# -f, --fragment
# -c, --set-counters packets bytes
# if 'ipv4' in kwargs:
# i = 0
# if 'ipv6' in kwargs:
# i =0
if 'protocol' in kwargs:
self.rule.protocol = kwargs['protocol']
if 'source' in kwargs:
self.rule.src = kwargs['source']
if 'in_interface' in kwargs:
self.rule.in_interface = kwargs['in_interface']
if 'out_interface' in kwargs:
self.rule.out_interface = kwargs['out_interface']
if 'jump' in kwargs:
# =======TODO:error handling (completely depends on target name
chain_name = kwargs['jump']['name']
self.target = iptc.Target(self.rule, chain_name)
if chain_name == 'MARK':
self.target.set_mark = kwargs['jump']['mark']
if chain_name == 'MASQUERADE':
self.target.to_ports = kwargs['jump']['to_ports']
self.rule.target = self.target
try:
if 'match' in kwargs:
for match_item in kwargs['match']:
match = iptc.Match(self.rule, match_item['name'])
for item in match_item['values']:
match.__setattr__(item['key'], item['val'])
self.rule.add_match(match)
except AVAFirewallException as e:
AVAFirewallException(e)
def tag_packets_with_port(port):
table_mangle = iptc.Table(iptc.Table.MANGLE)
chain = iptc.Chain(table_mangle, "OUTPUT")
rule = iptc.Rule()
rule.protocol = "tcp"
match = iptc.Match(rule, "tcp")
match.dport = str(port)
rule.add_match(match)
rule.out_interface = "eth1"
target = iptc.Target(rule, "MARK")
target.set_mark = "0x01"
rule.target = target
chain.insert_rule(rule)
def drop():
rule = iptc.Rule()
rule.protocol = protocol
match = iptc.Match(rule, protocol)
match.sport = source_port
match.dport = destination_port
rule.add_match(match)
rule.src = source
rule.dst = destination
rule.add_match(match)
rule.target = iptc.Target(rule, targets)
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), Chain)
chain.insert_rule(rule)
def addIP(self,ipc):
print ipc
((ip,port),val)=ipc
rule = iptc.Rule()
rule.protocol = val
m = iptc.Match(rule, val)
rule.src = ip
m.sport = str(port)
rule.add_match(m)
rule.target = iptc.Target(rule, "DROP")
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.insert_rule(rule)
rule = iptc.Rule()
rule.protocol = val
m = iptc.Match(rule, val)
rule.dst = ip
m.dport = str(port)
rule.add_match(m)
rule.target = iptc.Target(rule, "DROP")
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "OUTPUT")
chain.insert_rule(rule)
def block_port():
rule = iptc.Rule()
rule.protocol = "tcp"
match = iptc.Match(rule, "tcp")
match.dport = secret_port
rule.add_match(match)
target = iptc.Target(rule, "REJECT")
target.set_parameter("reject-with", "tcp-reset")
rule.target = target
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.insert_rule(rule)
print("Port", secret_port, "was blocked")
return (chain, rule)
def setUp(self):
self.rule = iptc.Rule()
self.rule.dst = "127.0.0.2"
self.rule.protocol = "tcp"
self.rule.in_interface = "eth0"
self.match = iptc.Match(self.rule, "tcp")
self.rule.add_match(self.match)
self.target = iptc.Target(self.rule, "CLUSTERIP")
self.rule.target = self.target
self.chain = iptc.Chain(iptc.TABLE_FILTER, "iptc_test_clusterip")
iptc.TABLE_FILTER.create_chain(self.chain)
def setUp(self):
self.rule = iptc.Rule()
self.rule.dst = "127.0.0.2"
self.rule.protocol = "tcp"
self.rule.in_interface = "eth0"
self.match = iptc.Match(self.rule, "tcp")
self.rule.add_match(self.match)
self.target = iptc.Target(self.rule, "REDIRECT")
self.rule.target = self.target
self.chain = iptc.Chain(iptc.TABLE_NAT, "iptc_test_redirect")
iptc.TABLE_NAT.create_chain(self.chain)
def iptablesDNAT(action, user_var):
table = iptc.Table(iptc.Table.NAT)
chain = iptc.Chain(table, "PREROUTING")
rule = iptc.Rule()
match = iptc.Match(rule, "tcp")
match = iptc.Match(rule, "iprange")
# FIXME
for cidr in user_var.redirectaddresses:
redirectNetworks = ipaddress.ip_network(cidr)
match.dst_range = '{}-{}'.format(redirectNetworks.network_address,
redirectNetworks.broadcast_address)
rule.add_match(match)
t = rule.create_target("DNAT")
t.to_destination = get_ip_address_from_interface(user_var.interface)
if action == 'insert':
chain.insert_rule(rule)
else:
chain.delete_rule(rule)
def create_iptables_rule(port):
global rule
match = iptc.Match(rule, "tcp")
match.dport = port
match.tcp_flags = ['RST']
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "OUTPUT") # -A OUTPUT
rule.protocol = "tcp" # -p tcp
rule.target = iptc.Target(rule, "DROP") # -j DROP
rule.add_match(match)
try:
chain.delete_rule(rule)
except:
a = 0
chain.insert_rule(rule)
def test_iprange_tcpdport(self):
self.match.src_range = "192.168.1.100-192.168.1.200"
self.match.dst_range = "172.22.33.106"
self.rule.add_match(self.match)
match = iptc.Match(self.rule, "tcp")
match.dport = "22"
self.rule.add_match(match)
self.chain.insert_rule(self.rule)
for r in self.chain.rules:
if r != self.rule:
self.fail("inserted rule does not match original")
def setUp(self):
self.rule = iptc.Rule()
self.rule.dst = "127.0.0.2"
self.rule.protocol = "tcp"
self.rule.in_interface = "eth0"
self.match = iptc.Match(self.rule, "tcp")
self.rule.add_match(self.match)
self.target = iptc.Target(self.rule, "TOS")
self.rule.target = self.target
self.chain = iptc.Chain(iptc.Table(iptc.Table.MANGLE), "iptc_test_tos")
iptc.Table(iptc.Table.MANGLE).create_chain(self.chain)
def init_vnsf_forward_chain():
# sudo iptables -t nat -A POSTROUTING --out-interface eth2 -j MASQUERADE
table = iptc.Table(iptc.Table.NAT)
chain = iptc.Chain(table, "POSTROUTING")
chain.flush()
rule = iptc.Rule()
rule.out_interface = settings.wan_interface
target = iptc.Target(rule, "MASQUERADE")
rule.target = target
chain.insert_rule(rule)
# iptables -N vnsf-forward
table = iptc.Table(iptc.Table.FILTER)
vnsf_forward_chain = table.create_chain(settings.vnsf_forward_chain)
# iptables -A vnsf-forward -j RETURN
rule = iptc.Rule()
target = iptc.Target(rule, "RETURN")
rule.target = target
vnsf_forward_chain.append_rule(rule)
# iptables -A FORWARD --in-interface eth1 -j vnsf-forward
chain = iptc.Chain(table, "FORWARD")
chain.flush()
rule = iptc.Rule()
rule.in_interface = settings.lan_interface
target = iptc.Target(rule, settings.vnsf_forward_chain)
rule.target = target
chain.insert_rule(rule)
# iptables -A FORWARD --in-interface eth1 --out-interface eth2 -j ACCEPT
rule = iptc.Rule()
rule.in_interface = settings.lan_interface
rule.out_interface = settings.wan_interface
target = iptc.Target(rule, "ACCEPT")
rule.target = target
chain.append_rule(rule)
# iptables -A FORWARD --in-interface eth2 --out-interface eth1 -m state \
# --state ESTABLISHED, RELATED -j ACCEPT
rule = iptc.Rule()
rule.in_interface = settings.wan_interface
rule.out_interface = settings.lan_interface
match = iptc.Match(rule, "state")
match.state = "RELATED,ESTABLISHED"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
rule.add_match(match)
chain.append_rule(rule)
def test_match_parameters(self):
m = iptc.Match(iptc.Rule(), "udp")
m.sport = "12345:55555"
m.dport = "!33333"
self.assertEqual(len(m.parameters), 2)
for p in m.parameters:
self.assertTrue(p == "sport" or p == "dport")
self.assertEqual(m.parameters["sport"], "12345:55555")
self.assertEqual(m.parameters["dport"], "!33333")
m.reset()
self.assertEqual(len(m.parameters), 0)
def _modify_rule(self, delete):
chain = iptc.Chain(self.table(self.table.FILTER), 'INPUT')
rule = self.rule()
rule.protocol = 'udp'
match = iptc.Match(rule, 'udp')
match.dport = '53'
target = iptc.Target(rule, 'NFQUEUE')
target.set_parameter('queue-num', str(self.queue_num))
target.set_parameter('queue-bypass')
rule.target = target
rule.add_match(match)
if delete:
chain.delete_rule(rule)
else:
chain.insert_rule(rule)
def test_match_parameters(self):
m = iptc.Match(iptc.Rule(), "udp")
m.sport = "12345:55555"
m.dport = "!33333"
self.failUnless(len(m.parameters) == 2)
for p in m.parameters:
self.failUnless(p == "sport" or p == "dport")
self.failUnless(m.parameters["sport"] == "12345:55555")
self.failUnless(m.parameters["dport"] == "!33333")
m.reset()
self.failUnless(len(m.parameters) == 0)
def test_match_create(self):
rule = iptc.Rule()
match = rule.create_match("udp")
for m in rule.matches:
self.assertEqual(m, match)
# check that we can change match parameters after creation
match.sport = "12345:55555"
match.dport = "!33333"
m = iptc.Match(iptc.Rule(), "udp")
m.sport = "12345:55555"
m.dport = "!33333"
self.assertEqual(m, match)
def createFirewallRule(port, lock):
lock.acquire()
print "Creating the iptables rule for port %d" % port
rule = iptc.Rule()
rule.protocol = "tcp"
rule.target = iptc.Target(rule, "REJECT")
match = iptc.Match(rule, "tcp")
match.sport = "%s" % port
rule.add_match(match)
chain = iptc.Chain(iptc.TABLE_FILTER, "OUTPUT")
chain.insert_rule(rule)
rule.target.reset()
blockedPorts[port] = rule
lock.release()
def test_refresh(self):
rule = iptc.Rule()
match = iptc.Match(rule, "tcp")
match.dport = "1234"
rule.add_match(match)
try:
self.chain.insert_rule(rule)
iptc.Table(iptc.Table.FILTER).delete_chain(self.chain)
self.fail("inserted invalid rule")
except:
pass
iptc.Table(iptc.Table.FILTER).refresh()
target = iptc.Target(rule, "ACCEPT")
rule.target = target
rule.protocol = "tcp"
self.chain.insert_rule(rule)
self.chain.delete_rule(rule)
def setUp(self):
self.rule = iptc.Rule()
self.rule.src = "127.0.0.1"
self.rule.protocol = "udp"
self.rule.target = iptc.Target(self.rule, "ACCEPT")
self.match = iptc.Match(self.rule, "hashlimit")
self.chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),
"iptc_test_hashlimit")
self.table = iptc.Table(iptc.Table.FILTER)
try:
self.chain.flush()
self.chain.delete()
except:
pass
self.table.create_chain(self.chain)
def delAuthorization(self, ip, mac):
rule = iptc.Rule()
table = iptc.Table(iptc.Table.MANGLE)
chain = iptc.Chain(table, 'authorized')
rule.src = ip
match = iptc.Match(rule, 'mac')
match.mac_source = mac
target = iptc.Target(rule, 'MARK')
target.set_mark = '1'
rule.target = target
rule.add_match(match)
if rule not in chain.rules:
print('rule does not exist')
return 'RULE_NOT_FOUND'
chain.delete_rule(rule)
print('deleted rule {}'.format(ip))
return 'SUCCESS'