    def __add_nat_rules(self, chain: str, subnet: str):
        """Append the source-NAT rules for *subnet* to *chain* of the nat table.

        Local multicast (224.0.0.0/24) and the limited broadcast address are
        returned unchanged; all other traffic leaving the subnet is masqueraded,
        tcp/udp with a fixed source-port range and any remaining protocol with a
        plain MASQUERADE target.

        *chain* and *subnet* are interpolated into the command line unquoted;
        they are expected to be well-formed chain names / CIDR strings from
        trusted configuration (verify at the caller).
        """
        prefix = f"sudo iptables -t nat -A {chain} -s {subnet}"
        masquerade_ports = "MASQUERADE --to-ports 1024-65535"
        # Order is significant: the RETURN exceptions must be appended before
        # the catch-all masquerade rules.
        rule_suffixes = (
            "-d 224.0.0.0/24 -j RETURN",
            "-d 255.255.255.255/32 -j RETURN",
            f"! -d {subnet} -p tcp -j {masquerade_ports}",
            f"! -d {subnet} -p udp -j {masquerade_ports}",
            f"! -d {subnet} -j MASQUERADE",
        )
        for suffix in rule_suffixes:
            shell(f"{prefix} {suffix}")
    def __add_forward_rules(self, chain: str, subnet: str):
        """Append the forwarding policy for the bridge/subnet pair to *chain*.

        Bridge-to-bridge traffic is accepted; traffic into the subnet is accepted
        only for RELATED/ESTABLISHED connections; traffic out of the subnet is
        accepted; anything else entering or leaving the bridge is rejected with
        an ICMP port-unreachable.

        Reads ``self.br.name`` for the bridge interface. Arguments are
        interpolated into the command line unquoted and are expected to be
        well-formed (verify at the caller).
        """
        prefix = f"sudo iptables -A {chain}"
        bridge = self.br.name
        conntrack_established = "-m conntrack --ctstate RELATED,ESTABLISHED"
        reject = "REJECT --reject-with icmp-port-unreachable"

        # Order is significant: each ACCEPT must precede its REJECT fallback.
        rule_suffixes = (
            f"-i {bridge} -o {bridge} -j ACCEPT",                               # cross-bridge
            f"-d {subnet} -o {bridge} {conntrack_established} -j ACCEPT",       # inbound, replies only
            f"-o {bridge} -j {reject}",                                          # inbound fallback
            f"-s {subnet} -i {bridge} -j ACCEPT",                               # outbound
            f"-i {bridge} -j {reject}",                                          # outbound fallback
        )
        for suffix in rule_suffixes:
            shell(f"{prefix} {suffix}")
    def __add_output_rules(self, chain: str):
        """Append ACCEPT rules for host output towards the bridge to *chain*.

        Allows destination port 53 (DNS) and 68 (DHCP client) over both udp
        and tcp, in that order. Reads ``self.br.name`` for the interface.
        NOTE(review): 68/tcp is unusual (DHCP is udp-only) — confirm intent.
        """
        prefix = f"sudo iptables -A {chain} -o {self.br.name}"
        for port in (53, 68):
            for proto in ("udp", "tcp"):
                command = f"{prefix} -p {proto} -m {proto} --dport {port} -j ACCEPT"
                shell(command)
    def __add_direct_forward_rules(self, chain: str):
        """Append a bridge-only forwarding policy to *chain*.

        Traffic that both enters and leaves via the bridge is accepted; any
        other traffic entering or leaving the bridge is rejected with an ICMP
        port-unreachable. Reads ``self.br.name`` for the interface.
        """
        prefix = f"sudo iptables -A {chain}"
        bridge = self.br.name
        reject = "REJECT --reject-with icmp-port-unreachable"

        # The ACCEPT must be appended first so it matches before the rejects.
        shell(f"{prefix} -i {bridge} -o {bridge} -j ACCEPT")
        shell(f"{prefix} -o {bridge} -j {reject}")
        shell(f"{prefix} -i {bridge} -j {reject}")
 def __delete_chain(self, chain: str, parent: str, table: str = "filter"):
     """Remove user chain *chain* from *table* after unlinking it from *parent*.

     The chain is flushed and the jump from *parent* deleted before the chain
     itself is removed, since iptables refuses to delete a chain that is
     non-empty or still referenced.
     """
     base = f"sudo iptables -t {table}"
     steps = (
         f"-F {chain}",              # flush rules
         f"-D {parent} -j {chain}",  # drop the jump from the parent chain
         f"-X {chain}",              # delete the now-unreferenced chain
     )
     for step in steps:
         shell(f"{base} {step}")
 def __create_chain(self, chain: str, parent: str, table: str = "filter"):
     """Create user chain *chain* in *table* and jump to it from *parent*.

     The jump is appended (-A) to *parent*, so it is evaluated after any
     rules already present there.
     """
     base = f"sudo iptables -t {table}"
     shell(f"{base} -N {chain}")
     shell(f"{base} -A {parent} -j {chain}")
 def create_with_cloud_localds(self, user_data: UserData, network_config: NetworkConfig):
     """Build the seed image at ``self.path`` with cloud-localds.

     Uses ``user_data.path`` as the user-data file and ``network_config.path``
     as the network-config (-N) file. Returns ``self`` to allow chaining.
     """
     command = f"cloud-localds {self.path} {user_data.path} -N {network_config.path}"
     shell(command)
     return self
 def __resize(self, size: int):
     """Resize the disk image at ``self.path`` to *size* gigabytes via qemu-img."""
     # qemu-img takes the size with a unit suffix; *size* is in G.
     command = f"qemu-img resize {self.path} {size}G"
     shell(command)
    def __add_no_output_rules(self, chain: str):
        """Append a rule to *chain* rejecting all output towards the bridge.

        Every packet leaving via ``self.br.name`` is rejected with an ICMP
        port-unreachable.
        """
        reject = "REJECT --reject-with icmp-port-unreachable"
        command = f"sudo iptables -A {chain} -o {self.br.name} -j {reject}"
        shell(command)
 def __create(self):
     """Create the bridge interface named ``self.name`` (not brought up here)."""
     command = f"sudo ip link add {self.name} type bridge"
     shell(command)
 def __up(self):
     """Bring the interface ``self.name`` up."""
     command = f"sudo ip link set {self.name} up"
     shell(command)
 def __set_ip(self, ip):
     """Add address *ip* to the interface ``self.name``.

     *ip* is passed to ``ip addr add`` as given, so it is expected in the
     form that command accepts (presumably with a prefix length — confirm
     against the caller).
     """
     command = f"sudo ip addr add dev {self.name} {ip}"
     shell(command)
 def __delete(self):
     """Delete the interface ``self.name``."""
     command = f"sudo ip link del {self.name}"
     shell(command)