def _dnat_rules(zone, action, form):
    error = None
    fields = SimpleNamespace(**form)
    if (action == 'remove'):
        try:
            # NOTE: validation needs to know the zone so it can ensure the position is valid
            validate.del_nat_rule(fields)
        except ValidationError as ve:
            error = ve

        else:
            with IPTableManager() as iptables:
                iptables.delete_nat(fields)

    elif (action == 'add'):
        try:
            validate.add_dnat_rule(fields)
            if (fields.protocol in ['tcp', 'udp']):
                validate.network_port(fields.dst_port)
                validate.network_port(fields.host_port)

            validate.ip_address(fields.host_ip)

        except ValidationError as ve:
            error = ve
        else:
            with IPTableManager() as iptables:
                iptables.add_nat(fields)

            configure.add_open_wan_protocol(fields)
    else:
        return INVALID_FORM, zone

    return error, zone
def _snat_rules(zone, action, form):
    error = None
    print(333333, form)
    fields = SimpleNamespace(**form)

    # TODO: make this code for snat (currently using dnat code as template)
    if (action == 'remove'):
        try:
            # NOTE: validation needs to know the zone so it can ensure the position is valid
            validate.del_nat_rule(fields)
        except ValidationError as ve:
            error = ve

        else:
            with IPTableManager() as iptables:
                iptables.delete_nat(fields)

    elif (action == 'add'):
        try:
            validate.add_snat_rule(fields)

            validate.ip_address(
                ip_iter=[fields.orig_src_ip, fields.new_src_ip])

        except ValidationError as ve:
            error = ve
        else:
            with IPTableManager() as iptables:
                iptables.add_nat(fields)

    else:
        return INVALID_FORM, zone

    return error, zone
Пример #3
0
    def _ddos_inspect(self, packet):
        ddos = self.ddos_tracker[packet.protocol]
        with ddos.lock:
            if not self._ddos_detected(ddos.tracker, packet): return

        if (self._IPS.ids_mode):
            Log.log(packet, IPS.LOGGED, engine=IPS.DDOS)

        elif (self._IPS.ddos_prevention):
            IPTableManager.proxy_add_rule(packet.conn.tracked_ip,
                                          table='mangle',
                                          chain='IPS')

            Log.log(packet, IPS.FILTERED, engine=IPS.DDOS)
Пример #4
0
def _firewall_rules(zone, action, form):
    error = None
    # moving form data into a simple namespace. this will allow us to validate and mutate it easier
    # that its current state of immutable dict.
    print(form)
    fields = SimpleNamespace(**form)
    if (action == 'remove'):
        try:
            # NOTE: validation needs to know the zone so it can ensure the position is valid
            validate.del_firewall_rule(fields)
        except ValidationError as ve:
            error = ve

        else:
            with IPTableManager() as iptables:
                iptables.delete_rule(fields)

    elif (action =='add'):
        if not all([x in form for x in valid_standard_rule_fields]):
            return INVALID_FORM, zone

        fields.action = 'ACCEPT' if 'accept' in form else 'DROP'

        try:
            validate.add_firewall_rule(fields)
            if (fields.dst_port):
                validate.network_port(fields.dst_port)

            if (fields.src_ip):
                validate.ip_address(fields.src_ip)
                validate.cidr(fields.src_netmask)

            validate.ip_address(fields.dst_ip)
            validate.cidr(fields.dst_netmask)

        except ValidationError as ve:
            error = ve

        else:
            if (not fields.src_ip):
                fields.src_ip, fields.src_netmask = '0', '0'

            with IPTableManager() as iptables:
                iptables.add_rule(fields)

    elif ('change_interface' not in form):
        return INVALID_FORM, zone

    return error, zone
Пример #5
0
    def _ddos_inspect(self):
        ddos = self.ddos_tracker.get(self._packet.protocol)
        with ddos['lock']:
            if not self._ddos_detected(ddos['tracker']): return

        # this is to supress log entries for ddos hosts that are being detected by the engine, but not blocked
        # this behavior would only happen in informational logging mode without block enabled.
        if self._recently_detected(self._packet.conn.tracked_ip): return

        if (self._IPS.ddos_prevention):
            IPTableManager.proxy_add_rule(self._packet.conn.tracked_ip,
                                          table='mangle',
                                          chain='IPS')

        # TODO: add entry for ids mode

        Log.log(self._packet, engine=IPS.DDOS)
Пример #6
0
    def _clear_ip_tables(self):
        # quick check to see if any firewall rules exist
        if not self.IPS.firewall_rules: return

        firewall_rules = self.IPS.firewall_rules
        block_length = self.IPS.block_length
        now = fast_time()

        with IPTableManager() as iptables:
            for tracked_ip, insert_time in list(firewall_rules.items()):
                if (now - insert_time > block_length) and firewall_rules.pop(
                        tracked_ip, None):
                    iptables.proxy_del_rule(tracked_ip,
                                            table='mangle',
                                            chain='IPS')
Пример #7
0
    def _clear_ip_tables(self):
        ips_to_remove = []
        if (self.IPS.active_ddos or not self.IPS.ddos_prevention):
            return ONE_MIN

        now = time.time()
        for tracked_ip, rule_info in self.IPS.fw_rules.items():
            time_added = rule_info['timestamp']
            if (now - time_added < self.IPS.block_length): continue

            ips_to_remove.append(tracked_ip)

        if (not ips_to_remove): return FIVE_MIN

        with IPTableManager() as iptables:
            for tracked_ip in ips_to_remove:
                if not self.IPS.fw_rules.pop(tracked_ip, None): continue

                iptables.proxy_del_rule(tracked_ip,
                                        table='mangle',
                                        chain='IPS')

        return FIVE_MIN
Пример #8
0
    def _clear_ip_tables(self):
        IPS = self.IPS

        if (not IPS.fw_rules): return ONE_MIN

        now, ips_to_remove = fast_time(), []
        for tracked_ip, insert_time in IPS.fw_rules.items():
            if (now - insert_time > IPS.block_length):
                ips_to_remove.append(tracked_ip)

        if (not ips_to_remove): return FIVE_MIN

        with IPTableManager() as iptables:
            for tracked_ip in ips_to_remove:
                # NOTE: if the system is configured in IDS mode when the rule was created, an active rule would not have
                # be inserted into the system. this will still run, but effectively do nothing. maybe we can figure out
                # a way to identify the type of rule in the data set. remember that there could be some thread safety
                # concerns when dealing with this issue so make sure solution is well thought out.
                if IPS.fw_rules.pop(tracked_ip, None):
                    iptables.proxy_del_rule(tracked_ip,
                                            table='mangle',
                                            chain='IPS')

        return FIVE_MIN
Пример #9
0
 def _manage_ip_tables(self):
     IPTableManager.purge_proxy_rules(table='mangle', chain='IPS')
Пример #10
0
 def _manage_ip_tables(self):
     IPTableManager.clear_dns_over_https()
     IPTableManager.update_dns_over_https()
Пример #11
0
 def configure_ipv6_iptables(self):
     IPTables.block_ipv6()
Пример #12
0
 def apply_network_forwarding(self):
     IPTables.network_forwarding()
def update_page(form):
    if ('fw_remove' in form):
        fw_rule = form.get('fw_remove', None)
        chain = 'FIREWALL'
        if (not fw_rule):
            return INVALID_FORM

        try:
            validate.del_firewall_rule(fw_rule, chain)
        except ValidationError as ve:
            return ve
        else:
            with IPTableManager() as iptables:
                iptables.delete_rule(fw_rule, chain='FIREWALL')

    elif ('fw_add' in form):
        pos = form.get('position', None)
        dst_ip = form.get('dst_ip', None)
        dst_netmask = form.get('dst_netmask', None)
        src_ip = form.get('src_ip', None)
        src_netmask = form.get('src_netmask', None)
        protocol = form.get('protocol', None)
        dst_port = form.get('dst_port', False)
        if (dst_port == ''):
            dst_port = None

        if (src_ip == ''):
            src_ip = '0'
            src_netmask = '0'

        if ('accept' in form):
            action = 'ACCEPT'
        else:
            action = 'DROP'

        iptable_rule = {
            'pos': pos,
            'src_ip': src_ip,
            'src_netmask': src_netmask,
            'dst_ip': dst_ip,
            'dst_netmask': dst_netmask,
            'dst_port': dst_port,
            'protocol': protocol,
            'action': action
        }
        # TODO: make this less compiticated?
        if (pos and dst_ip and dst_netmask and src_ip and src_netmask
                and protocol and dst_port is not False):
            try:
                validate.add_firewall_rule(iptable_rule)
                if (dst_port != None):
                    validate.network_port(dst_port)
                if (src_ip != '0'):
                    validate.ip_address(src_ip)
                    validate.cidr(src_netmask)
                validate.cidr(dst_netmask)
                validate.ip_address(dst_ip)

                with IPTableManager() as iptables:
                    iptables.add_rule(iptable_rule)

            except ValidationError as ve:
                return ve
        else:
            return INVALID_FORM

    elif ('nat_remove' in form):
        nat_rule = form.get('nat_remove', None)
        if (not nat_rule):
            return INVALID_FORM

        try:
            validate.del_firewall_rule(nat_rule, chain='NAT')
        except ValidationError as ve:
            return ve
        else:
            configure.del_open_wan_protocol(nat_rule)
            with IPTableManager() as iptables:
                iptables.delete_nat(nat_rule)

    elif ('nat_add' in form):
        host_ip = form.get('host_ip', None)
        protocol = form.get('protocol', None)
        if (protocol in ['tcp', 'udp']):
            dst_port = form.get('dst_port')
            host_port = form.get('host_port')

        elif (protocol in ['icmp']):
            dst_port = None
            host_port = None

            open_protocols = load_configuration('ips.json')
            icmp_allow = open_protocols['ips']['open_protocols']['icmp']
            if (icmp_allow):
                return 'Only one ICMP rule can be active at a time. Remove existing rule before adding another.'
        else:
            return INVALID_FORM

        try:
            if (protocol in ['tcp', 'udp']):
                validate.network_port(dst_port)
                validate.network_port(host_port)
            validate.ip_address(host_ip)
        except ValidationError as ve:
            return ve
        else:
            with IPTableManager() as iptables:
                iptables.add_nat(protocol, dst_port, host_ip, host_port)

            configure.add_open_wan_protocol(protocol, dst_port, host_port)
    else:
        return INVALID_FORM