def block_xmas_attack(): chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT") rule = iptc.Rule() rule.protocol = "tcp" match = rule.create_match("tcp") match.tcp_flags = ['ALL', 'ALL'] target = iptc.Target(rule, "DROP") rule.target = target chain.insert_rule(rule) print("Successfully Created")
def test_rule_from_iptc_mac_match(): rule = iptc.Rule() rule.create_target('DROP') rule.create_match('mac') rule.matches[0].mac_source = '20:C9:D0:2B:6F:F3' assert iptables.Rule.from_iptc(rule) == EMPTY_RULE._replace( target='DROP', matches=(('mac', (('mac_source', '20:C9:D0:2B:6F:F3'), )), ), )
def setUp(self): self.rule = iptc.Rule() self.rule.src = "127.0.0.1" self.rule.protocol = "udp" self.rule.target = iptc.Target(self.rule, "ACCEPT") self.match = iptc.Match(self.rule, "comment") self.chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "iptc_test_comment") iptc.Table(iptc.Table.FILTER).create_chain(self.chain)
def set_public_firewall(port_list): chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT") for port in port_list: rule = iptc.Rule() rule.target = iptc.Target(rule, "ACCEPT") rule.protocol = "tcp" match = iptc.Match(rule, "tcp") match.dport = str(port) rule.add_match(match) chain.insert_rule(rule)
def _accept_loop(): LOGGER.info("Accept loop packet.") rule = iptc.Rule() rule.in_interface = 'lo' rule.create_target(iptc.Policy.ACCEPT) with L: FILTER_INPUT_CHAIN.insert_rule(rule, position=0) if not FILTER_TABLE.autocommit: FILTER_TABLE.commit()
def remove_rule_packet_filter(): src = request.json['src'] dst = request.json['dst'] chain = iptc.Chain(iptc.Table(iptc.Table.FILTER),"FORWARD") rule = iptc.Rule() rule.set_src(src) rule.set_dst(dst) target = iptc.Target(rule,"DROP") rule.target = target chain.delete_rule(rule)
def blockIP(ip): chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT") rule = iptc.Rule() rule.in_interface = "eth0" target = iptc.Target(rule, "DROP") rule.target = target rule.src = ip chain.insert_rule(rule) os.system(f"iptables -A OUTPUT -d {ip} -j DROP")
def allowSpecificWebsite(anIP): # IPTABLES -A FORWARD -d allowedSite -j ACCEPT # IPTABELS -A FORWARD -s allowedSite -j ACCEPT ''' # to do: need to allow DNS iptables -A OUTPUT -p udp --dport 53 -j ACCEPT ''' # iptables -A FORWARD -s $IP_CLIENT -j ACCEPT chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "FORWARD") rule = iptc.Rule() rule.src = anIP target = iptc.Target(rule, "ACCEPT") rule.target = target chain.append_rule(rule) # iptables -A FORWARD -d $IP_CLIENT -j ACCEPT rule2 = iptc.Rule() rule2.dst = anIP rule2.target = target chain.append_rule(rule2)
def block_incoming_ping(): chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT") rule = iptc.Rule() rule.protocol = "icmp" match = rule.create_match("icmp") match.icmp_type = "echo-reply" target = iptc.Target(rule, "DROP") rule.target = target chain.insert_rule(rule) print("Successfully Created")
def dropAll(ip): rule = iptc.Rule() rule.src = str(ip) rule.protocol = "tcp" rule_match = iptc.Match(rule, "tcp") target = iptc.Target(rule, "DROP") rule.add_match(rule_match) rule.target = target chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT") chain.insert_rule(rule)
def add_ip(ipcliente): rule = iptc.Rule() rule.in_interface = interface rule.src = ipcliente rule.protocol = "tcp" rule.target = rule.create_target("ACCEPT") match = rule.create_match("comment") match.comment = "Regra temporaria de INPUT" chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT") chain.insert_rule(rule)
def setUp(self): self.rule = iptc.Rule() self.rule.dst = "127.0.0.2" self.rule.protocol = "tcp" self.rule.out_interface = "eth0" self.target = iptc.Target(self.rule, "MASQUERADE") self.rule.target = self.target self.chain = iptc.Chain(iptc.TABLE_NAT, "POSTROUTING")
def setUp(self): self.rule = iptc.Rule() self.rule.protocol = "tcp" self.rule.target = iptc.Target(self.rule, "ACCEPT") self.match = iptc.Match(self.rule, "iprange") self.chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "iptc_test_iprange") iptc.Table(iptc.Table.FILTER).create_chain(self.chain)
def setNatRuleForMaliousIP(maliciousIP): chain = iptc.Chain(iptc.Table(iptc.Table.NAT), "PREROUTING") rule = iptc.Rule() rule.src = maliciousIP target = iptc.Target(rule, "DNAT") target.to_destination = honeyd_webMailServer_IP rule.target = target chain.insert_rule(rule) print("Nat Rule has been set for malicious IP %s" %maliciousIP)
def fire_rule(rul): print(rul, 'recieved') chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'INPUT') rule = iptc.Rule() rule.protocol = rul['protocol'] rule.src = rul['ip'] + "/255.255.255.0" match = rule.create_match('tcp') match.dport = str(rul['port']) rule.target = iptc.Target(rule, rul['action']) chain.insert_rule(rule)
def service_to_rule(service: Service) -> iptc.Rule: rule = iptc.Rule() rule.protocol = service.protocol tgt = rule.create_target("DNAT") tgt.to_destination = f"{service.host}:{service.port_range}" m = rule.create_match(service.protocol) m.dport = service.port_range return rule
def iptablesSNAT(action, user_var): table = iptc.Table(iptc.Table.NAT) chain = iptc.Chain(table, "POSTROUTING") rule = iptc.Rule() rule.out_interface = user_var.interface rule.create_target("MASQUERADE") if action == 'insert': chain.insert_rule(rule) else: chain.delete_rule(rule)
def to_iptc(self): rule = iptc.Rule() rule.protocol = self.protocol rule.src = self.src rule.dst = self.dst rule.create_target(self.target) for name, params in self.matches: match = rule.create_match(name) for key, value in params: setattr(match, key, value) return rule
def blockIP(ip): #add rule to iptables-legacy chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT") rule = iptc.Rule() rule.in_interface = "eth0" target = iptc.Target(rule, "DROP") rule.target = target rule.src = ip # ip in string format chain.insert_rule(rule) os.system(f"iptables -A OUTPUT -d {ip} -j DROP") #add a rule to iptables as well
def create_rules(server_ip, server_port, router_port, gateway): destination = server_ip + ':' + server_port prerouting_rule = iptc.Rule() prerouting_rule.protocol = "tcp" prerouting_rule.dst = gateway match = iptc.Match(prerouting_rule, "tcp") match.dport = router_port target = prerouting_rule.create_target("DNAT") target.to_destination = destination prerouting_rule.add_match(match) prerouting_rule.target = target postrouting_rule = iptc.Rule() postrouting_rule.protocol = "tcp" postrouting_rule.dst = server_ip match = iptc.Match(postrouting_rule, "tcp") match.dport = server_port postrouting_rule.add_match(match) postrouting_rule.target = iptc.Target(postrouting_rule, "MASQUERADE") return prerouting_rule, postrouting_rule
def create_nat(host, container_ip): with table(iptc.Table.NAT) as nat: free_ips = list(secondary_ips() - ips_in_use()) free = free_ips[randint(1, len(free_ips)) - 1] # Send packets that come in on the outer IP to the inner IP. dnat = iptc.Rule() dnat.dst = free target = dnat.create_target('DNAT') target.to_destination = container_ip comment = dnat.create_match('comment') comment.comment = 'ahab//' + host iptc.Chain(nat, 'DOCKER').insert_rule(dnat) # Rewrite packets from the inner IP so they go out on the outer IP. snat = iptc.Rule() snat.src = container_ip target = snat.create_target('SNAT') target.to_source = free comment = snat.create_match('comment') comment.comment = 'ahab//' + host iptc.Chain(nat, 'POSTROUTING').insert_rule(snat)
def __init__(self, type, target_name=None): self.type = type if type == IPV4: self._rule = iptc.Rule() else: assert (type == IPV6) self._rule = iptc.Rule6() if target_name is not None: self._rule.create_target(target_name)
def setNatRulesForUnusedPorts(): os.system(addNatRulesForUnunsedTCPPorts_cmd) os.system(addNatRulesForUnunsedUDPPorts_cmd) chain = iptc.Chain(iptc.Table(iptc.Table.NAT), "POSTROUTING") rule = iptc.Rule() target = iptc.Target(rule, "MASQUERADE") rule.target = target chain.insert_rule(rule) print("Nat rules have been set for unused ports for both TCP and UDP")
def blockIpTable(ip): table = iptc.Table(iptc.Table.FILTER) chain = iptc.Chain(table, "INPUT") rule = iptc.Rule() rule.src = ip rule.target = rule.create_target("DROP") rule.match = rule.create_match("comment").comment = str( datetime.datetime.strftime( datetime.datetime.now() + datetime.timedelta(minutes=1), "%y-%m-%d %H:%M:%S")) chain.insert_rule(rule)
def open_interface(self, data): print(f"data: {data}") # create keypair import pysodium from base64 import b64encode keys = pysodium.crypto_box_keypair() # TODO: open interface router = Router() #self.gateway.router.interface.create(ifname=data['device_id'], ip='10.0.42.15/16', privatekey=b64encode(keys[1]), # listenport=42001) # new interface/wg control router.interface.create(ifname=data['device_id'], ip='10.0.42.15/16', privatekey=b64encode(keys[1]), listenport=42001) # router.interface.addpeer(ifname=data['device_id'], publickey=data['wgpubkey'], endpointaddr=data['ip'], endpointport=42001, keepalive=10) router.interface.addpeer(ifname=data['device_id'], publickey=data['wgpubkey'], keepalive=10, allowedips={'0.0.0.0/0'}) # iptables for wg-interface chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "FORWARD") rule = iptc.Rule() rule.out_interface = "tf-0815" target = iptc.Target(rule, "ACCEPT") rule.target = target chain.insert_rule(rule) chain = iptc.Chain(iptc.Table(iptc.Table.NAT), "POSTROUTING") rule = iptc.Rule() rule.out_interface = "eth0" target = iptc.Target(rule, "MASQUERADE") rule.target = target chain.insert_rule(rule) return b64encode(keys[0])
def test_rule_compare(self): r1 = iptc.Rule() r1.src = "127.0.0.2/255.255.255.0" r1.dst = "224.1.2.3/255.255.0.0" r1.protocol = "tcp" r1.fragment = False r1.in_interface = "wlan+" r1.out_interface = "eth1" r2 = iptc.Rule() r2.src = "127.0.0.2/255.255.255.0" r2.dst = "224.1.2.3/255.255.0.0" r2.protocol = "tcp" r2.fragment = False r2.in_interface = "wlan+" r2.out_interface = "eth1" self.failUnless(r1 == r2) r1.src = "127.0.0.1" self.failIf(r1 == r2)
def allowLoopback(self): chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'INPUT') rule = iptc.Rule() rule.in_interface = 'lo' rule.target = iptc.Target(rule, 'ACCEPT') chain.insert_rule(rule) ip = request.environ.get( 'HTTP_X_FORWARDED_FOR') or request.environ.get('REMOTE_ADDR') iprecord = Ipfilters(ip, "ACCEPT", "allowLoopback", "lo") db.session.add(iprecord) db.session.commit()
def setUp(self): self.rule = iptc.Rule() self.rule.dst = "127.0.0.2" self.rule.protocol = "tcp" self.rule.out_interface = "eth0" self.target = iptc.Target(self.rule, "MASQUERADE") self.rule.target = self.target self.chain = iptc.Chain(iptc.Table(iptc.Table.NAT), "iptc_test_masquerade") iptc.Table(iptc.Table.NAT).create_chain(self.chain)
def _allow_established(chains): """ Adds rule to allow established and related connections. (connections that I created and connections that are created by those) """ rule = iptc.Rule() match = rule.create_match('state') match.state = "RELATED,ESTABLISHED" rule.target = iptc.Target(rule, 'ACCEPT') chains[INPUT].insert_rule(rule)
def test_rule_from_dict(self): rule = iptc.Rule() rule.protocol = "tcp" rule.src = "127.0.0.1/32" target = iptc.Target(rule, "ACCEPT") rule.target = target rule2 = iptc.easy.encode_iptc_rule({ "protocol": "tcp", "src": "127.0.0.1/32", "target": "ACCEPT" }) self.assertEqual(rule, rule2)