Пример #1
0
def setup_routing2(client_host, server_host):

    table = Table(Table.NAT)
    table.flush()

    chain_pre = [ch for ch in table.chains if 'PREROUTING' in ch.name][0]
    chain_post = [ch for ch in table.chains if 'POSTROUTING' in ch.name][0]

    snat_r1 = Rule()
    snat_r1.src = server_host.ip_real
    snat_r1.dst = client_host.ip_virtual
    snat_r1.target = snat_r1.create_target("SNAT")
    snat_r1.target.to_source = server_host.ip_virtual
    chain_post.append_rule(snat_r1)

    snat_r2 = Rule()
    snat_r2.src = client_host.ip_real
    snat_r2.dst = server_host.ip_virtual
    snat_r2.target = snat_r2.create_target("SNAT")
    snat_r2.target.to_source = client_host.ip_virtual
    chain_post.append_rule(snat_r2)

    dnat_r1 = Rule()
    dnat_r1.dst = server_host.ip_virtual
    dnat_r1.target = dnat_r1.create_target("DNAT")
    dnat_r1.target.to_destination = server_host.ip_real
    chain_pre.append_rule(dnat_r1)

    dnat_r2 = Rule()
    dnat_r2.dst = client_host.ip_virtual
    dnat_r2.target = dnat_r2.create_target("DNAT")
    dnat_r2.target.to_destination = client_host.ip_real
    chain_pre.append_rule(dnat_r2)

    ip_route_one_args = "ip route add " + client_host.ip_virtual + " dev " + server_host.name
    ip_route_two_args = "ip route add " + server_host.ip_virtual + " dev " + client_host.name
    arp_one_args = "arp -i " + server_host.name + " -s " + client_host.ip_virtual + " " + client_host.mac
    arp_two_args = "arp -i " + client_host.name + " -s " + server_host.ip_virtual + " " + server_host.mac
    show_route = "ip route show table main".split(" ")
    iptables_list = "iptables -t nat -L".split(" ")

    call(ip_route_one_args.split(" "))
    call(arp_one_args.split(" "))
    call(ip_route_two_args.split(" "))
    call(arp_two_args.split(" "))

    call(iptables_list)
    call(show_route)
Пример #2
0
    def create_rule(self, name, target, dst="", dport="", src="", sport="", proto="", siface="", diface=""):
        """create and return a rule (or two if no proto given).

        name can be any string
        target is a string saying what to do, like
                "ACCEPT", "DENY", "DROP", "LOG"
        proto (if not defined, is assumed both udp and tcp)
        src is a realm in the form XXX.XXX.XXX.XXX/YY
        sport is source port. Currently ignored
        dst is a realm in the same form as src
        dport is destination port
        siface is the source interface
        diface is the destination interface
        """
        #print("adding rule %s" % name)
        if (dport or sport) and not proto:
            return [ self.create_rule(name,
                                      target,
                                      dst,
                                      dport,
                                      src,
                                      sport,
                                      proto,
                                      siface,
                                      diface) for proto in ("tcp", "udp") ]
        rule = Rule()
        rule.create_target(target)
        if dst:
            rule.dst = dst
        if dport:
            proto_match = rule.create_match(proto)
            proto_match.dport = str(dport)
            rule.protocol = proto
        if diface:
            rule.in_interface = diface
        if src:
            if src.count("-"):
                iprange_match = rule.create_match("iprange")
                iprange_match.src_range = src
                rule.add_match(iprange_match)
            else:
                rule.src = src
        if sport:
            proto_match = rule.create_match(proto)
            proto_match.sport = str(sport)
            rule.protocol = proto
        if siface:
            rule.out_interface = siface
        # Add a signature as a comment.
        comment_match = rule.create_match("comment")
        comment_match.comment = self.identifier + ":" + name
        rule.final_check()
        return rule
Пример #3
0
    def _build_iptables_accept_rule(self, port, client):
        src, src_port = client

        rule = Rule()
        rule.protocol = "tcp"
        rule.src = src
        match = rule.create_match("tcp")
        match.dport = str(port)
        match.sport = str(src_port)

        target = rule.create_target("ACCEPT")
        chain = Chain(Table(Table.FILTER), "INPUT")
        return chain, rule
Пример #4
0
    def _init_netfilter(self):

        self.nat_table = Table(Table.NAT)
        prerouting_chain = Chain(self.nat_table, "PREROUTING")

        for rule in prerouting_chain.rules:
            if rule.target.name == "UPF":
                prerouting_chain.delete_rule(rule)

        self.upf_chain = Chain(self.nat_table, "UPF")
        if self.upf_chain in self.nat_table.chains:
            self.upf_chain.flush()
        else:
            self.nat_table.create_chain(self.upf_chain)

        self.nat_table.refresh()

        upf_rule = Rule()
        upf_rule.src = self.ue_subnet
        upf_rule.create_target("UPF")
        prerouting_chain.insert_rule(upf_rule)

        self.nat_table.refresh()