def generate_iptables_rules(self):
rules = []
rules6 = []
try:
routes_output = utils.check_output_logged(['route', '-n'])
except subprocess.CalledProcessError:
logger.exception('Failed to get IP routes', 'server',
server_id=self.server.id,
)
raise
routes = []
default_interface = None
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 8 or not re.match(IP_REGEX, line_split[0]):
continue
if line_split[0] not in routes:
if line_split[0] == '0.0.0.0':
default_interface = line_split[7]
routes.append((
ipaddress.IPNetwork('%s/%s' % (line_split[0],
utils.subnet_to_cidr(line_split[2]))),
line_split[7]
))
routes.reverse()
if not default_interface:
raise IptablesError('Failed to find default network interface')
routes6 = []
default_interface6 = None
if self.server.ipv6:
try:
routes_output = utils.check_output_logged(
['route', '-n', '-A', 'inet6'])
except subprocess.CalledProcessError:
logger.exception('Failed to get IPv6 routes', 'server',
server_id=self.server.id,
)
raise
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 7:
continue
try:
route_network = ipaddress.IPv6Network(line_split[0])
except (ipaddress.AddressValueError, ValueError):
continue
if not default_interface6 and line_split[0] == '::/0':
default_interface6 = line_split[6]
routes6.append((
route_network,
line_split[6]
))
if not default_interface6:
raise IptablesError(
'Failed to find default IPv6 network interface')
if default_interface6 == 'lo':
logger.error('Failed to find default IPv6 interface',
'server',
server_id=self.server.id,
)
routes6.reverse()
route_all = self.server.is_route_all()
if route_all:
rules.append([
'INPUT',
'-i', self.interface,
'-j', 'ACCEPT',
])
rules.append([
'OUTPUT',
'-o', self.interface,
'-j', 'ACCEPT',
])
rules.append([
'FORWARD',
'-i', self.interface,
'-j', 'ACCEPT',
])
if self.server.ipv6:
if self.server.ipv6_firewall and \
settings.local.host.routed_subnet6:
rules6.append([
'INPUT',
'-d', self.server.network6,
'-m', 'conntrack',
'--ctstate','RELATED,ESTABLISHED',
'-j', 'ACCEPT',
])
rules6.append([
'INPUT',
'-d', self.server.network6,
'-p', 'icmpv6',
'-m', 'conntrack',
'--ctstate', 'NEW',
'-j', 'ACCEPT',
])
rules6.append([
'INPUT',
'-d', self.server.network6,
'-j', 'DROP',
])
rules6.append([
'FORWARD',
'-d', self.server.network6,
'-m', 'conntrack',
'--ctstate', 'RELATED,ESTABLISHED',
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD',
'-d', self.server.network6,
'-p', 'icmpv6',
'-m', 'conntrack',
'--ctstate', 'NEW',
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD',
'-d', self.server.network6,
'-j', 'DROP',
])
else:
rules6.append([
'INPUT',
'-d', self.server.network6,
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD',
'-d', self.server.network6,
'-j', 'ACCEPT',
])
elif self.server.restrict_routes:
if self.server.inter_client:
rules.append([
'INPUT', '-i', self.interface,
'-d', self.server.network,
'-j', 'ACCEPT',
])
rules6.append([
'INPUT', '-i', self.interface,
'-d', self.server.network6,
'-j', 'ACCEPT',
])
rules.append([
'OUTPUT', '-o', self.interface,
'-s', self.server.network,
'-j', 'ACCEPT',
])
rules6.append([
'OUTPUT', '-o', self.interface,
'-s', self.server.network6,
'-j', 'ACCEPT',
])
rules.append([
'FORWARD', '-i', self.interface,
'-d', self.server.network,
'-j', 'ACCEPT',
])
rules.append([
'FORWARD', '-o', self.interface,
'-s', self.server.network,
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD', '-i', self.interface,
'-d', self.server.network6,
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD', '-o', self.interface,
'-s', self.server.network6,
'-j', 'ACCEPT',
])
else:
server_addr = utils.get_network_gateway(self.server.network)
server_addr6 = utils.get_network_gateway(self.server.network6)
rules.append([
'INPUT', '-i', self.interface,
'-d', server_addr,
'-j', 'ACCEPT',
])
rules6.append([
'INPUT', '-i', self.interface,
'-d', server_addr6,
'-j', 'ACCEPT',
])
rules.append([
'OUTPUT', '-o', self.interface,
'-s', server_addr,
'-j', 'ACCEPT',
])
rules6.append([
'OUTPUT', '-o', self.interface,
'-s', server_addr6,
'-j', 'ACCEPT',
])
for route in self.server.get_routes(
include_hidden=True,
include_server_links=True,
include_default=False,
):
network_address = route['network']
is6 = ':' in network_address
is_nat = route['nat']
if route['virtual_network']:
continue
if self.server.restrict_routes:
if is6:
rules6.append([
'INPUT',
'-i', self.interface,
'-d', network_address,
'-j', 'ACCEPT',
])
rules6.append([
'OUTPUT',
'-o', self.interface,
'-s', network_address,
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD',
'-i', self.interface,
'-d', network_address,
'-j', 'ACCEPT',
])
if is_nat:
rules6.append([
'FORWARD',
'-o', self.interface,
'-m', 'conntrack',
'--ctstate', 'RELATED,ESTABLISHED',
'-s', network_address,
'-j', 'ACCEPT',
])
else:
rules6.append([
'FORWARD',
'-o', self.interface,
'-s', network_address,
'-j', 'ACCEPT',
])
else:
rules.append([
'INPUT',
'-i', self.interface,
'-d', network_address,
'-j', 'ACCEPT',
])
rules.append([
'OUTPUT',
'-o', self.interface,
'-s', network_address,
'-j', 'ACCEPT',
])
rules.append([
'FORWARD',
'-i', self.interface,
'-d', network_address,
'-j', 'ACCEPT',
])
if is_nat:
rules.append([
'FORWARD',
'-o', self.interface,
'-m', 'conntrack',
'--ctstate', 'RELATED,ESTABLISHED',
'-s', network_address,
'-j', 'ACCEPT',
])
else:
rules.append([
'FORWARD',
'-o', self.interface,
'-s', network_address,
'-j', 'ACCEPT',
])
interfaces = set()
interfaces6 = set()
link_svr_networks = []
for link_svr in self.server.iter_links(fields=('_id', 'network',
'network_start', 'network_end', 'organizations', 'routes',
'links')):
link_svr_networks.append(link_svr.network)
for route in self.server.get_routes(include_hidden=True):
if route['virtual_network'] or not route['nat']:
continue
network_address = route['network']
args_base = ['POSTROUTING', '-t', 'nat']
is6 = ':' in network_address
if is6:
network = network_address
else:
network = utils.parse_network(network_address)[0]
network_obj = ipaddress.IPNetwork(network_address)
if is6:
interface = None
for route_net, route_intf in routes6:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'IPv6 network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface6
interfaces6.add(interface)
else:
interface = None
for route_net, route_intf in routes:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface
interfaces.add(interface)
if network != '0.0.0.0' and network != '::/0':
args_base += ['-d', network_address]
args_base += [
'-o', interface,
'-j', 'MASQUERADE',
]
if is6:
rules6.append(args_base + ['-s', self.server.network6])
else:
rules.append(args_base + ['-s', self.server.network])
for link_svr_net in link_svr_networks:
if ':' in link_svr_net:
rules6.append(args_base + ['-s', link_svr_net])
else:
rules.append(args_base + ['-s', link_svr_net])
if route_all:
for interface in interfaces:
rules.append([
'FORWARD',
'-i', interface,
'-o', self.interface,
'-m', 'state',
'--state', 'ESTABLISHED,RELATED',
'-j', 'ACCEPT',
])
rules.append([
'FORWARD',
'-i', self.interface,
'-o', interface,
'-m', 'state',
'--state', 'ESTABLISHED,RELATED',
'-j', 'ACCEPT',
])
for interface in interfaces6:
if self.server.ipv6 and self.server.ipv6_firewall and \
settings.local.host.routed_subnet6 and \
interface == default_interface6:
continue
rules6.append([
'FORWARD',
'-i', interface,
'-o', self.interface,
'-m', 'state',
'--state', 'ESTABLISHED,RELATED',
'-j', 'ACCEPT',
])
rules6.append([
'FORWARD',
'-i', self.interface,
'-o', interface,
'-m', 'state',
'--state', 'ESTABLISHED,RELATED',
'-j', 'ACCEPT',
])
extra_args = [
'-m', 'comment',
'--comment', 'pritunl_%s' % self.server.id,
]
if settings.local.iptables_wait:
extra_args.append('--wait')
rules = [x + extra_args for x in rules]
rules6 = [x + extra_args for x in rules6]
return rules, rules6
def generate_iptables_rules(self):
server_addr = utils.get_network_gateway(self.server.network)
server_addr6 = utils.get_network_gateway(self.server.network6)
ipv6_firewall = self.server.ipv6_firewall and \
settings.local.host.routed_subnet6
self.iptables.id = self.server.id
self.iptables.ipv6 = self.server.ipv6
self.iptables.server_addr = server_addr
self.iptables.server_addr6 = server_addr6
self.iptables.virt_interface = self.interface
self.iptables.virt_network = self.server.network
self.iptables.virt_network6 = self.server.network6
self.iptables.ipv6_firewall = ipv6_firewall
self.iptables.inter_client = self.server.inter_client
self.iptables.restrict_routes = self.server.restrict_routes
try:
routes_output = utils.check_output_logged(['route', '-n'])
except subprocess.CalledProcessError:
logger.exception(
'Failed to get IP routes',
'server',
server_id=self.server.id,
)
raise
routes = []
default_interface = None
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 8 or not re.match(IP_REGEX, line_split[0]):
continue
if line_split[0] not in routes:
if line_split[0] == '0.0.0.0':
if default_interface:
continue
default_interface = line_split[7]
routes.append((ipaddress.IPNetwork(
'%s/%s' %
(line_split[0], utils.subnet_to_cidr(line_split[2]))),
line_split[7]))
routes.reverse()
if not default_interface:
raise IptablesError('Failed to find default network interface')
routes6 = []
default_interface6 = None
if self.server.ipv6:
try:
routes_output = utils.check_output_logged(
['route', '-n', '-A', 'inet6'])
except subprocess.CalledProcessError:
logger.exception(
'Failed to get IPv6 routes',
'server',
server_id=self.server.id,
)
raise
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 7:
continue
try:
route_network = ipaddress.IPv6Network(line_split[0])
except (ipaddress.AddressValueError, ValueError):
continue
if line_split[0] == '::/0':
if default_interface6:
continue
default_interface6 = line_split[6]
routes6.append((
route_network,
line_split[6],
))
if not default_interface6:
raise IptablesError(
'Failed to find default IPv6 network interface')
if default_interface6 == 'lo':
logger.error(
'Failed to find default IPv6 interface',
'server',
server_id=self.server.id,
)
routes6.reverse()
interfaces = set()
interfaces6 = set()
for route in self.server.get_routes(
include_hidden=True,
include_server_links=True,
include_default=True,
):
if route['virtual_network'] or route['link_virtual_network']:
self.iptables.add_nat_network(route['network'])
if route['virtual_network'] or route['net_gateway']:
continue
network = route['network']
is6 = ':' in network
network_obj = ipaddress.IPNetwork(network)
interface = route['nat_interface']
if is6:
if not interface:
for route_net, route_intf in routes6:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'IPv6 network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface6
interfaces6.add(interface)
else:
if not interface:
for route_net, route_intf in routes:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface
interfaces.add(interface)
self.iptables.add_route(
network,
nat=route['nat'],
nat_interface=interface,
)
if self.vxlan:
self.iptables.add_route(self.vxlan.vxlan_net)
self.iptables.generate()
def generate_iptables_rules(self):
server_addr = utils.get_network_gateway(self.server.network)
server_addr6 = utils.get_network_gateway(self.server.network6)
ipv6_firewall = self.server.ipv6_firewall and \
settings.local.host.routed_subnet6
self.iptables.id = self.server.id
self.iptables.ipv6 = self.server.ipv6
self.iptables.server_addr = server_addr
self.iptables.server_addr6 = server_addr6
self.iptables.virt_interface = self.interface
self.iptables.virt_network = self.server.network
self.iptables.virt_network6 = self.server.network6
self.iptables.ipv6_firewall = ipv6_firewall
self.iptables.inter_client = self.server.inter_client
try:
routes_output = utils.check_output_logged(['route', '-n'])
except subprocess.CalledProcessError:
logger.exception('Failed to get IP routes', 'server',
server_id=self.server.id,
)
raise
routes = []
default_interface = None
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 8 or not re.match(IP_REGEX, line_split[0]):
continue
if line_split[0] not in routes:
if line_split[0] == '0.0.0.0':
if default_interface:
continue
default_interface = line_split[7]
routes.append((
ipaddress.IPNetwork('%s/%s' % (line_split[0],
utils.subnet_to_cidr(line_split[2]))),
line_split[7]
))
routes.reverse()
if not default_interface:
raise IptablesError('Failed to find default network interface')
routes6 = []
default_interface6 = None
if self.server.ipv6:
try:
routes_output = utils.check_output_logged(
['route', '-n', '-A', 'inet6'])
except subprocess.CalledProcessError:
logger.exception('Failed to get IPv6 routes', 'server',
server_id=self.server.id,
)
raise
for line in routes_output.splitlines():
line_split = line.split()
if len(line_split) < 7:
continue
try:
route_network = ipaddress.IPv6Network(line_split[0])
except (ipaddress.AddressValueError, ValueError):
continue
if line_split[0] == '::/0':
if default_interface6:
continue
default_interface6 = line_split[6]
routes6.append((
route_network,
line_split[6],
))
if not default_interface6:
raise IptablesError(
'Failed to find default IPv6 network interface')
if default_interface6 == 'lo':
logger.error('Failed to find default IPv6 interface',
'server',
server_id=self.server.id,
)
routes6.reverse()
interfaces = set()
interfaces6 = set()
for route in self.server.get_routes(
include_hidden=True,
include_server_links=True,
include_default=True,
):
if route['virtual_network'] or route['link_virtual_network']:
self.iptables.add_nat_network(route['network'])
if route['virtual_network']:
continue
network = route['network']
is6 = ':' in network
network_obj = ipaddress.IPNetwork(network)
interface = route['nat_interface']
if is6:
if not interface:
for route_net, route_intf in routes6:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'IPv6 network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface6
interfaces6.add(interface)
else:
if not interface:
for route_net, route_intf in routes:
if network_obj in route_net:
interface = route_intf
break
if not interface:
logger.info(
'Failed to find interface for local ' + \
'network route, using default route',
'server',
server_id=self.server.id,
network=network,
)
interface = default_interface
interfaces.add(interface)
self.iptables.add_route(
network,
nat=route['nat'],
nat_interface=interface,
)
self.iptables.generate()
