def flagCheck(self,flagvalue,flagname, indexNumber, iptflags_config):
self.methodname="flagCheck(self,"+str(flagvalue)+","+str(flagname)+","+str(indexNumber)+","+str(iptflags_config)+")"
self.flagvalue = flagvalue
self.flagname = flagname
valueSupport = ""
log = logger("xml_parser")
if self.verbose:
log.debug("launched "+self.methodname+" of "+self.classname+".")
# check if this flag supports values
# this xpath expression selects the value arguemnt of the given cli_switch argument under the given index number
valueSupport = iptflags_config.xpath('/flags/flag[@index="'+str(indexNumber)+'"]//*[@cli_switch="'+flagname+'"]/@value')
valueSupport = valueSupport[0]
if valueSupport == "no":
self.flagstr = self.flagname+' '
else:
if not self.flagvalue:
self.flagstr = ''
else:
self.flagstr = self.flagname+' '+self.flagvalue+' '
return self.flagstr
def __init__(self, fwconfigpath, interface, rulesfile, ipt_xmlconfig, excludedInterfaces, verbose):
self.classname = "abyleparse"
self.verbose=verbose
self.fwconfigpath = fwconfigpath
self.pinterface = interface
self.rulesfile = rulesfile
self.iptflagsfile = ipt_xmlconfig
self.rulesarray = []
self.iptflags_dict = {}
self.excludedInterfaces = excludedInterfaces
self.allowping = ""
log = logger("xml_parser")
if self.verbose:
log.debug(self.classname+" object created")
try:
#old self.iptflags_config = xml.dom.minidom.parse(self.fwconfigpath+self.iptflagsfile).documentElement
self.iptflags_config = etree.parse(self.fwconfigpath+self.iptflagsfile)
if self.excludedInterfaces.count(self.pinterface) > 0:
#old self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+self.rulesfile)
self.rules_config = etree.parse(self.fwconfigpath+self.rulesfile)
elif self.pinterface == "default":
#old self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+self.rulesfile)
self.rules_config = etree.parse(self.fwconfigpath+self.rulesfile)
else:
# old self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.rulesfile)
self.rules_config = etree.parse(self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.rulesfile)
except (IOError):
log.error(sys.exc_info()[1])
def __init__(self, fwconfigpath, interface, xmlconfig, verbose):
self.classname = "abyle_config_parse"
self.verbose=verbose
self.fwconfigpath = fwconfigpath
self.pinterface = interface
self.xmlconfig = xmlconfig
self.configarr = []
self.configvar = ''
log = logger("xml_config_parser")
if self.verbose:
log.debug(self.classname+" object created.")
try:
if self.pinterface == "default":
self.abyle_config = etree.parse(self.fwconfigpath+self.xmlconfig)
if self.verbose:
log.debug("trying to parse "+self.fwconfigpath+self.xmlconfig)
else:
self.abyle_config = etree.parse(self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.xmlconfig)
if self.verbose:
log.debug("trying to parse "+self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.xmlconfig)
except (IOError):
log.error(str(sys.exc_info()[1]))
def flagCheck(self, flagvalue, flagname, indexNumber, iptflags_config):
self.methodname = "flagCheck(self," + str(flagvalue) + "," + str(
flagname) + "," + str(indexNumber) + "," + str(
iptflags_config) + ")"
self.flagvalue = flagvalue
self.flagname = flagname
valueSupport = ""
log = logger("xml_parser")
if self.verbose:
log.debug("launched " + self.methodname + " of " + self.classname +
".")
# check if this flag supports values
# this xpath expression selects the value arguemnt of the given cli_switch argument under the given index number
valueSupport = iptflags_config.xpath('/flags/flag[@index="' +
str(indexNumber) +
'"]//*[@cli_switch="' + flagname +
'"]/@value')
valueSupport = valueSupport[0]
if valueSupport == "no":
self.flagstr = self.flagname + ' '
else:
if not self.flagvalue:
self.flagstr = ''
else:
self.flagstr = self.flagname + ' ' + self.flagvalue + ' '
return self.flagstr
def __init__(self, fwconfigpath, interface, xmlconfig, verbose):
self.classname = "abyle_config_parse"
self.verbose = verbose
self.fwconfigpath = fwconfigpath
self.pinterface = interface
self.xmlconfig = xmlconfig
self.configarr = []
self.configvar = ''
log = logger("xml_config_parser")
if self.verbose:
log.debug(self.classname + " object created.")
try:
if self.pinterface == "default":
self.abyle_config = etree.parse(self.fwconfigpath +
self.xmlconfig)
if self.verbose:
log.debug("trying to parse " + self.fwconfigpath +
self.xmlconfig)
else:
self.abyle_config = etree.parse(self.fwconfigpath +
'interfaces/' +
self.pinterface + '/' +
self.xmlconfig)
if self.verbose:
log.debug("trying to parse " + self.fwconfigpath +
'interfaces/' + self.pinterface + '/' +
self.xmlconfig)
except (IOError):
log.error(str(sys.exc_info()[1]))
def buildUpFinish(self, verbose):
self.verbose = verbose
log = logger("abyle-firewall")
self.defaultrules = self.default_config.getDefaultRules("foot")
log.info("SETTING UP DEFAULT RULES:")
for drule in self.defaultrules:
log.info("default-rule: " + drule)
stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + drule, self.dryrun)
def buildUpFinish(self, verbose):
self.verbose = verbose
log = logger("abyle-firewall")
self.defaultrules = self.default_config.getDefaultRules("foot")
log.info("SETTING UP DEFAULT RULES:")
for drule in self.defaultrules:
log.info("default-rule: " + drule)
stdOut, stdErr = self.executioner.run(
self.iptablesbin + ' ' + drule, self.dryrun)
def getConfig(self, configstr):
self.methodname = "getConfig(self," + configstr + ")"
self.configstr = configstr
self.configarr = []
self.configvar = ''
log = logger("xml_config_parser")
if self.verbose:
log.debug("launched " + self.methodname + " of " + self.classname +
".")
if self.configstr == "excluded_interfaces":
#for self.configtag in self.abyle_config.getElementsByTagName("interface"):
configwalk = etree.iterwalk(self.abyle_config,
events=("start", "end"),
tag=str("interface"))
for action, elem, in configwalk:
if action in ('start'):
attributes = elem.attrib
if str(attributes.get("excluded")).upper() == "YES":
if self.verbose:
log.debug(elem.text)
self.configarr.append(elem.text)
return self.configarr
else:
#for self.configtag in self.abyle_config.getElementsByTagName(self.configstr):
configwalk = etree.iterwalk(self.abyle_config,
events=("start", "end"),
tag=str(self.configstr))
for action, elem, in configwalk:
if action in ('start'):
if self.verbose:
log.debug(elem.text)
self.configarr.append(elem.text)
try:
self.configvar = self.configarr[1]
return self.configarr
except (IndexError):
return self.configarr[0]
def getConfig(self,configstr):
self.methodname="getConfig(self,"+configstr+")"
self.configstr = configstr
self.configarr = []
self.configvar = ''
log = logger("xml_config_parser")
if self.verbose:
log.debug("launched "+self.methodname+" of "+self.classname+".")
if self.configstr == "excluded_interfaces":
#for self.configtag in self.abyle_config.getElementsByTagName("interface"):
configwalk = etree.iterwalk(self.abyle_config,events=("start","end"),tag=str("interface"))
for action, elem, in configwalk:
if action in ('start'):
attributes = elem.attrib
if str(attributes.get("excluded")).upper() == "YES":
if self.verbose:
log.debug(elem.text)
self.configarr.append(elem.text)
return self.configarr
else:
#for self.configtag in self.abyle_config.getElementsByTagName(self.configstr):
configwalk = etree.iterwalk(self.abyle_config,events=("start","end"),tag=str(self.configstr))
for action, elem, in configwalk:
if action in ('start'):
if self.verbose:
log.debug(elem.text)
self.configarr.append(elem.text)
try:
self.configvar = self.configarr[1]
return self.configarr
except (IndexError):
return self.configarr[0]
def __init__(self, fwconfigpath, interface, rulesfile, ipt_xmlconfig,
excludedInterfaces, verbose):
self.classname = "abyleparse"
self.verbose = verbose
self.fwconfigpath = fwconfigpath
self.pinterface = interface
self.rulesfile = rulesfile
self.iptflagsfile = ipt_xmlconfig
self.rulesarray = []
self.iptflags_dict = {}
self.excludedInterfaces = excludedInterfaces
self.allowping = ""
log = logger("xml_parser")
if self.verbose:
log.debug(self.classname + " object created")
try:
#old self.iptflags_config = xml.dom.minidom.parse(self.fwconfigpath+self.iptflagsfile).documentElement
self.iptflags_config = etree.parse(self.fwconfigpath +
self.iptflagsfile)
if self.excludedInterfaces.count(self.pinterface) > 0:
#old self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+self.rulesfile)
self.rules_config = etree.parse(self.fwconfigpath +
self.rulesfile)
elif self.pinterface == "default":
#old self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+self.rulesfile)
self.rules_config = etree.parse(self.fwconfigpath +
self.rulesfile)
else:
# old self.rules_config = xml.dom.minidom.parse(self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.rulesfile)
self.rules_config = etree.parse(self.fwconfigpath +
'interfaces/' +
self.pinterface + '/' +
self.rulesfile)
except (IOError):
log.error(sys.exc_info()[1])
def __init__(self, dryrun, iptablesbin, fwconfigpath, rulesfile,
ipt_xmlconfig, xmlconfig, echocmd, logfile, verbose):
self.naptime = 10 # milliseconds
self.dryrun = dryrun
self.iptablesbin = iptablesbin
self.fwconfigpath = fwconfigpath
self.rulesfile = rulesfile
self.ipt_xmlconfig = ipt_xmlconfig
self.xmlconfig = xmlconfig
self.logfile = logfile
self.verbose = verbose
self.executioner = abyle_execute()
self.echocmd = echocmd
global_config = abyle_config_parse(fwconfigpath, "default", xmlconfig,
self.verbose)
self.excludedInterfaces = global_config.getConfig(
"excluded_interfaces")
try:
self.tcpabort_file = global_config.getConfig("tcpabortfile")
except IndexError:
self.tcpabort_file = "/proc/sys/net/ipv4/tcpicmpbcastfile_abort_on_overflow"
try:
self.icmpbcastreply_file = global_config.getConfig("icmpbcastfile")
except IndexError:
self.icmpbcastreply_file = "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
try:
self.dynaddresshack_file = global_config.getConfig(
"dynaddresshackfile")
except IndexError:
self.dynaddresshack_file = "/proc/sys/net/ipv4/ip_dynaddr"
try:
self.ipv4conf_path = global_config.getConfig("ipv4confpath")
except IndexError:
self.ipv4conf_path = "/proc/sys/net/ipv4/conf/"
try:
self.antispoofing_file = global_config.getConfig(
"antispoofingfile")
except IndexError:
self.antispoofing_file = "rp_filter"
try:
self.syncookiefile = global_config.getConfig("syncookiefile")
except IndexError:
self.syncookiefile = "/proc/sys/net/ipv4/tcp_syncookies"
try:
self.ipv4forwardfile = global_config.getConfig("ipv4forwardfile")
except IndexError:
self.ipv4forwardfile = "/proc/sys/net/ipv4/ip_forward"
try:
self.syncookie = str(global_config.getConfig("syncookie")).upper()
except IndexError:
self.syncookie = "YES"
try:
self.ipv4forward = str(
global_config.getConfig("ipv4forward")).upper()
except IndexError:
self.syncookie = "NO"
try:
self.tcpabort = str(global_config.getConfig("aborttcp")).upper()
except IndexError:
self.tcpabort = "NO"
try:
self.icmpbcastreply = str(
global_config.getConfig("answericmpbroadcast")).upper()
except IndexError:
self.icmpbcastreply = "NO"
try:
self.dynaddresshack = str(
global_config.getConfig("dynaddresshack")).upper()
except IndexError:
self.dynaddresshack = "NO"
try:
self.proxyarp_file = global_config.getConfig("proxyarpfile")
except IndexError:
self.proxyarp_file = "proxy_arp"
try:
self.srouting_file = global_config.getConfig("sroutingfile")
except IndexError:
self.srouting_file = "accept_source_route"
try:
self.icmpredirects_file = global_config.getConfig("icmprdrsfile")
except IndexError:
self.icmpredirects_file = "accept_redirects"
try:
self.secureicmpredirects_file = global_config.getConfig(
"icmpsecurerdrsfile")
except IndexError:
self.secureicmpredirects_file = "secure_redirects"
try:
self.martians_file = global_config.getConfig("martiansfile")
except IndexError:
self.martians_file = "log_martians"
try:
self.bootprelay_file = global_config.getConfig("bootprelayfile")
except IndexError:
self.bootprelay_file = "bootp_relay"
log = logger("firewall")
if not self.tcpabort == "NO":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.tcpabort_file, self.dryrun)
log.info("ipv4 send TCP-RST on full buffer is activated")
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.tcpabort_file, self.dryrun)
log.info("ipv4 send TCP-RST on full buffer is deactivated")
if not self.icmpbcastreply == "NO":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.icmpbcastreply_file, self.dryrun)
log.info("ipv4 reply to ICMP Broadcasts is deactivated")
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.icmpbcastreply_file, self.dryrun)
log.info("ipv4 reply to ICMP Broadcasts is activated")
if not self.dynaddresshack == "NO":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.dynaddresshack_file, self.dryrun)
log.info("ipv4 dynamic address hack activated")
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.dynaddresshack_file, self.dryrun)
log.info("ipv4 dynamic address hack deactivated")
if not self.ipv4forward == "NO":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.ipv4forwardfile, self.dryrun)
log.info("ipv4 forwarding activated")
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.ipv4forwardfile, self.dryrun)
log.info("ipv4 forwarding deactivated")
if not self.syncookie == "NO":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.syncookiefile, self.dryrun)
log.info("syncookie activated")
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.syncookiefile, self.dryrun)
log.info("syncookie deactivated")
self.default_config = abyleparse(self.fwconfigpath, "default",
self.rulesfile, self.ipt_xmlconfig,
self.excludedInterfaces, self.verbose)
self.defaultrules = self.default_config.getDefaultRules("head")
for drule in self.defaultrules:
log.info("default-rule: " + drule)
stdOut, stdErr = self.executioner.run(
self.iptablesbin + ' ' + drule, self.dryrun)
import re
import os
import string
import time
import datetime
import sys
from abyle_xmlparser import abyleparse
from abyle_execute import abyle_execute
from abyle_config_xmlparser import abyle_config_parse
from xml.sax.handler import ContentHandler
from xml.sax import make_parser
from abyle_log import logger
control = logger("abyle-control")
class abyle_firewall:
def __init__(self, dryrun, iptablesbin, fwconfigpath, rulesfile,
ipt_xmlconfig, xmlconfig, echocmd, logfile, verbose):
self.naptime = 10 # milliseconds
self.dryrun = dryrun
self.iptablesbin = iptablesbin
self.fwconfigpath = fwconfigpath
self.rulesfile = rulesfile
self.ipt_xmlconfig = ipt_xmlconfig
self.xmlconfig = xmlconfig
self.logfile = logfile
self.verbose = verbose
self.executioner = abyle_execute()
def getAbstractXmlRules(self, xpathToMainNode):
self.methodname = "getAbstractXmlRules(self," + xpathToMainNode + ")"
log = logger("xml_parser")
if self.verbose:
log.debug("launched " + self.methodname + " of " + self.classname +
".")
# xpathToMainNode example for access rules: "/interface/rules/traffic"
self.abstractRulesArray = []
self.iptflags_indecies = []
if self.allowping == "yes":
self.rules_config = etree.parse(self.fwconfigpath + self.rulesfile)
if xpathToMainNode.find("masquerading") > 0:
self.rules_config = etree.parse(self.fwconfigpath + 'interfaces/' +
self.pinterface + '/' +
self.rulesfile)
# parse the iptables flags config file, getIpTablesFlags returns:
# - a dict of iptablesflags e.g.: 11 -> destination or 12 -> destination-port
# - a sorted array of all available index numbers e.g: 1,2,3,...,12
# - the iptables cli switch for the interface argument: e.g: -i
# - special flag iptables cli switch for portforwarding destination
# - transparent proxy to-port flag
# - masquerading interface flag (outside instead of inside)
# - subflag dictionary
self.iptflags_dict, interface, portfwdDestFlag, transproxyToPortFlag, outsideInterfaceFlag, subflags_dict, subflags_cliswitch_dict = self.getIpTablesFlags(
)
# extract keys (index numbers) in an array and sort it
#self.iptflags_indecies = list(self.iptflags_dict.keys())
for tempIndex in list(self.iptflags_dict.keys()):
self.iptflags_indecies.append(int(tempIndex))
self.iptflags_indecies.sort()
if self.verbose:
log.debug(self.methodname + " - self.iptflags_indecies (sorted) " +
str(self.iptflags_indecies) + ".")
if xpathToMainNode.find("head") > 0:
blockchain = self.rules_config.xpath(
"/interface/blockruleshead/@blockchain")
blockchain = blockchain[0]
blockchain_create_string = " -N " + blockchain
self.abstractRulesArray.append(blockchain_create_string)
if xpathToMainNode.find("masquerading") > 0:
self.interfacestr = outsideInterfaceFlag + ' ' + self.pinterface + ' '
else:
# set the interface string to e.g.: -i eth0
self.interfacestr = interface + ' ' + self.pinterface + ' '
# get list of rules e.g. all traffic nodes or all portforwarding nodes
abstractNodes = self.rules_config.xpath(xpathToMainNode)
if self.verbose:
log.debug(self.methodname + " - abstractNodes " +
str(abstractNodes) + ".")
cnt = 0
for node in abstractNodes:
# get list of all attributes of an rule node
#abstractAttributeNodes = abstractNodes[cnt].xpath("./@*")
abstractAttributeNodes = abstractNodes[cnt].keys()
if self.verbose:
log.debug(self.methodname + " - " + str(node.tag) +
" abstractNode AttributeNames " +
str(abstractNodes[cnt].keys()) + ".")
# log.debug(self.methodname+" - "+str(node.tag)+" attributes "+str(abstractAttributeNodes)+".")
self.attributestr = ""
tempDestIpStr = ""
tempDestPortStr = ""
tempForwardPortStr = ""
# loop through iptables flags index number list to build the right order
for indexNumber in self.iptflags_indecies:
# get the value of a flag out if the iptables flag dict, e.g.: indexNumber=12 then flag_value = destination
flag_value = self.iptflags_dict[str(indexNumber)][0].text
# loop through all found attribute nodes
for attribute in abstractAttributeNodes:
# test if the attribute name is equal to the string in flag value
if attribute == flag_value:
try:
# parse the file with xpath and get the attributenode cli_switch under cfgname which has the searched indexNumber
flag_cli_arg_node = self.iptflags_config.xpath(
"/flags/flag[@index=" + str(indexNumber) +
"]/cfgname/@cli_switch")
#print (flag_cli_arg_node)
# extract the value if the attribute node [0] = assuming that the index is unique
flag_cli_arg = flag_cli_arg_node[0]
# check and build the attribute string with flagCheck()
attributeTmpstr = self.flagCheck(
str(abstractNodes[cnt].get(attribute)),
flag_cli_arg, indexNumber,
self.iptflags_config)
except (KeyError):
log.error(sys.exc_info()[1])
sys.exit(1)
if xpathToMainNode.find(
"portforwarding"
) > 0 and attribute == "destination":
tempDestIpStr = abstractNodes[cnt].get(attribute)
elif xpathToMainNode.find(
"portforwarding"
) > 0 and attribute == "destination-port":
tempDestPortStr = abstractNodes[cnt].get(attribute)
elif xpathToMainNode.find(
"portforwarding"
) > 0 and attribute == "forward-port":
tempForwardPortStr = abstractNodes[cnt].get(
attribute)
elif xpathToMainNode.find(
"transparentproxy"
) > 0 and attribute == "destination":
tempDestIpStr = abstractNodes[cnt].get(attribute)
elif xpathToMainNode.find(
"transparentproxy"
) > 0 and attribute == "destination-port":
tempDestPortStr = abstractNodes[cnt].get(attribute)
else:
# append the temp string to the self.attributestr
self.attributestr = self.attributestr + attributeTmpstr
hasSubflags = "no"
for key in subflags_dict.keys():
if str(key) == str(indexNumber):
hasSubflags = "yes"
if hasSubflags == "yes":
subattributeTmpstr = ""
tempSubflagsArray = subflags_dict[
indexNumber].split(';')
tempSubflagsCliswitchArray = subflags_cliswitch_dict[
indexNumber].split(';')
subflagcnt = 0
for subflag_value in tempSubflagsArray:
for attribute in abstractAttributeNodes:
if attribute.name == subflag_value:
subattributeTmpstr = self.flagCheck(
attribute.value,
tempSubflagsCliswitchArray[
subflagcnt], indexNumber,
self.iptflags_config)
self.attributestr = self.attributestr + subattributeTmpstr
subflagcnt = subflagcnt + 1
cnt = cnt + 1
self.attributestrForward = ""
if xpathToMainNode.find("portforwarding") > 0:
# append interface string to the attribute string
# build the iptablescommand for the PREROUTING chain of the nat table and the FORWARD chain
if not self.pinterface == "default":
self.attributestr = self.interfacestr + self.attributestr
self.attributestrForward = self.attributestr
self.attributestrForward = re.sub("PREROUTING", "FORWARD",
self.attributestrForward)
self.attributestrForward = re.sub("DNAT", "ACCEPT",
self.attributestrForward)
self.attributestrForward = re.sub("-t nat", "",
self.attributestrForward)
self.attributestrForward = re.sub("--dport \d{1,5}", "",
self.attributestrForward)
self.attributestrForward = self.attributestrForward + " --destination-port " + tempDestPortStr + " --destination " + tempDestIpStr
self.attributestr = self.attributestr + "--dport " + tempForwardPortStr + " " + portfwdDestFlag + ' ' + tempDestIpStr + ":" + tempDestPortStr
elif xpathToMainNode.find("transparentproxy") > 0:
self.attributestr = self.interfacestr + self.attributestr + transproxyToPortFlag + ' ' + tempDestPortStr
else:
if not self.pinterface == "default":
self.attributestr = self.interfacestr + self.attributestr
# append the string to the rules array
self.abstractRulesArray.append(self.attributestr)
if not self.attributestrForward == "":
self.abstractRulesArray.append(self.attributestrForward)
return self.abstractRulesArray
#from xml.dom.minidom import *
import re
import sys
#from xml.dom.minidom import Node
from abyle_output import abyle_output
from abyle_log import logger
log = logger("xml_parser")
try:
from lxml import etree
except (ImportError):
log.error("xml parser import error, please install python lxml package")
sys.exit(1)
class abyleparse:
def __init__(self, fwconfigpath, interface, rulesfile, ipt_xmlconfig, excludedInterfaces, verbose):
self.classname = "abyleparse"
self.verbose=verbose
self.fwconfigpath = fwconfigpath
self.pinterface = interface
self.rulesfile = rulesfile
self.iptflagsfile = ipt_xmlconfig
self.rulesarray = []
self.iptflags_dict = {}
self.excludedInterfaces = excludedInterfaces
self.allowping = ""
log = logger("xml_parser")
if self.verbose:
log.debug(self.classname+" object created")
#import xml.dom.minidom
import re
import sys
#from xml.dom.minidom import Node
from abyle_output import abyle_output
from abyle_log import logger
log = logger("xml_config_parser")
try:
from lxml import etree
except (ImportError):
log.error("xml parser import error, please install python lxml package")
sys.exit(1)
class abyle_config_parse:
def __init__(self, fwconfigpath, interface, xmlconfig, verbose):
self.classname = "abyle_config_parse"
self.verbose=verbose
self.fwconfigpath = fwconfigpath
self.pinterface = interface
self.xmlconfig = xmlconfig
self.configarr = []
self.configvar = ''
log = logger("xml_config_parser")
if self.verbose:
log.debug(self.classname+" object created.")
#import xml.dom.minidom
import re
import sys
#from xml.dom.minidom import Node
from abyle_output import abyle_output
from abyle_log import logger
log = logger("xml_config_parser")
try:
from lxml import etree
except (ImportError):
log.error("xml parser import error, please install python lxml package")
sys.exit(1)
class abyle_config_parse:
def __init__(self, fwconfigpath, interface, xmlconfig, verbose):
self.classname = "abyle_config_parse"
self.verbose = verbose
self.fwconfigpath = fwconfigpath
self.pinterface = interface
self.xmlconfig = xmlconfig
self.configarr = []
self.configvar = ''
log = logger("xml_config_parser")
if self.verbose:
log.debug(self.classname + " object created.")
def buildUp(self, protectedif, fwconfigpath, verbose):
self.verbose = verbose
self.protectedif = protectedif
self.fwconfigpath = fwconfigpath
log = logger("abyle-firewall")
self.control = control
if self.protectedif in self.excludedInterfaces:
log.start_stop("securing " + self.protectedif, "EXCLUDED")
else:
log.start_stop("securing " + self.protectedif)
if (
os.path.exists(self.fwconfigpath + "/" + "interfaces/" + self.protectedif)
or self.excludedInterfaces.count(self.protectedif) > 0
):
if self.excludedInterfaces.count(self.protectedif) == 0:
tempFileStr = self.fwconfigpath + "interfaces/" + self.protectedif + "/" + self.xmlconfig
checkWellformed = self.check_well_formedness(tempFileStr)
if checkWellformed != "ok":
log.error(checkWellformed)
sys.exit(1)
else:
log.info(
self.fwconfigpath
+ "interfaces/"
+ self.protectedif
+ "/"
+ self.xmlconfig
+ " is a well-formed xml"
)
# parse the config file
self.if_config = abyle_config_parse(self.fwconfigpath, self.protectedif, self.xmlconfig, self.verbose)
try:
self.antispoofing = self.if_config.getConfig("antispoofing")
except IndexError:
self.antispoofing = "NO"
try:
self.proxyarp = self.if_config.getConfig("proxyarp")
except IndexError:
self.proxyarp = "NO"
try:
self.srouting = self.if_config.getConfig("sourcerouting")
except IndexError:
self.srouting = "NO"
try:
self.icmprdrs = self.if_config.getConfig("icmpredirects")
except IndexError:
self.icmprdrs = "NO"
try:
self.sicmprdrs = self.if_config.getConfig("secureicmpredirects")
except IndexError:
self.sicmprdrs = "NO"
try:
self.martians = self.if_config.getConfig("martianslogging")
except IndexError:
self.martians = "NO"
try:
self.bootprelay = self.if_config.getConfig("drop0slash8packets")
except IndexError:
self.bootprelay = "NO"
try:
self.logging = self.if_config.getConfig("logging")
except IndexError:
self.logging = "NO"
try:
self.allowping = self.if_config.getConfig("allowping")
except IndexError:
self.allowping = "NO"
try:
self.masquerading = self.if_config.getConfig("masquerading")
except IndexError:
self.masquerading = "NO"
try:
self.portforwarding = self.if_config.getConfig("portforwarding")
except IndexError:
self.portforwarding = "NO"
try:
self.tproxy = self.if_config.getConfig("transparent_proxy")
except IndexError:
self.tproxy = "NO"
# end parse the config file
self.antispoofing = str(self.antispoofing).upper()
self.proxyarp = str(self.proxyarp).upper()
self.srouting = str(self.srouting).upper()
self.icmprdrs = str(self.icmprdrs).upper()
self.sicmprdrs = str(self.sicmprdrs).upper()
self.martians = str(self.martians).upper()
self.bootprelay = str(self.bootprelay).upper()
self.logging = str(self.logging).upper()
self.allowping = str(self.allowping).upper()
self.masquerading = str(self.masquerading).upper()
self.portforwarding = str(self.portforwarding).upper()
self.tproxy = str(self.tproxy).upper()
# interface specific protections
if self.proxyarp == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + " 1 > " + self.ipv4conf_path + self.protectedif + "/" + self.proxyarp_file,
self.dryrun,
)
log.info("proxy arp activated for " + self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + " 0 > " + self.ipv4conf_path + self.protectedif + "/" + self.proxyarp_file,
self.dryrun,
)
log.info("proxy arp deactivated for " + self.protectedif)
if self.srouting == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + " 1 > " + self.ipv4conf_path + self.protectedif + "/" + self.srouting_file,
self.dryrun,
)
log.info("allow source routing activated for " + self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + " 0 > " + self.ipv4conf_path + self.protectedif + "/" + self.srouting_file,
self.dryrun,
)
log.info("allow source routing deactivated for " + self.protectedif)
if self.icmprdrs == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + " 1 > " + self.ipv4conf_path + self.protectedif + "/" + self.icmpredirects_file,
self.dryrun,
)
log.info("icmp redirects activated for " + self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + " 0 > " + self.ipv4conf_path + self.protectedif + "/" + self.icmpredirects_file,
self.dryrun,
)
log.info("icmp redirects deactivated for " + self.protectedif)
if self.sicmprdrs == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd
+ " 1 > "
+ self.ipv4conf_path
+ self.protectedif
+ "/"
+ self.secureicmpredirects_file,
self.dryrun,
)
log.info("secure icmp redirects activated for " + self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd
+ " 0 > "
+ self.ipv4conf_path
+ self.protectedif
+ "/"
+ self.secureicmpredirects_file,
self.dryrun,
)
log.info("secure icmp redirects deactivated for " + self.protectedif)
if self.martians == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + " 1 > " + self.ipv4conf_path + self.protectedif + "/" + self.martians_file,
self.dryrun,
)
log.info("martians logging activated for " + self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + " 0 > " + self.ipv4conf_path + self.protectedif + "/" + self.martians_file,
self.dryrun,
)
log.info("martians logging deactivated for " + self.protectedif)
if self.bootprelay == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + " 1 > " + self.ipv4conf_path + self.protectedif + "/" + self.bootprelay_file,
self.dryrun,
)
log.info("dropping packets from 0/8 activated for " + self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + " 0 > " + self.ipv4conf_path + self.protectedif + "/" + self.bootprelay_file,
self.dryrun,
)
log.info("dropping packets from 0/8 deactivated for " + self.protectedif)
if self.antispoofing == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + " 1 > " + self.ipv4conf_path + self.protectedif + "/" + self.antispoofing_file,
self.dryrun,
)
log.info("anti spoofing activated for " + self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + " 0 > " + self.ipv4conf_path + self.protectedif + "/" + self.antispoofing_file,
self.dryrun,
)
log.info("anti spoofing deactivated for " + self.protectedif)
self.if_config = abyleparse(
self.fwconfigpath,
self.protectedif,
self.rulesfile,
self.ipt_xmlconfig,
self.excludedInterfaces,
self.verbose,
)
self.rules = self.if_config.getRules()
log_rules = logger("firewall-rule")
for rule in self.rules:
time.sleep(self.naptime / 1000.0)
log_rules.info(self.protectedif + " " + rule)
stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + rule, self.dryrun)
if self.excludedInterfaces.count(self.protectedif) == 0:
if self.portforwarding == "YES":
self.portforwarding = self.if_config.getPortforwarding()
for portfwd in self.portforwarding:
log.info(self.protectedif + " " + portfwd)
stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + portfwd, self.dryrun)
else:
log.info(self.protectedif + " " + "PORTFORWARDING DISABLED")
if self.tproxy == "YES":
self.tproxy = self.if_config.getTproxy()
for transproxy in self.tproxy:
log.info(self.protectedif + " " + transproxy)
stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + transproxy, self.dryrun)
else:
log.info(self.protectedif + " " + "TRANSPARENT PROXY DISABLED")
if self.logging == "YES":
self.logging = self.if_config.getLogging()
for log in self.logging:
log.info(self.protectedif + " " + log)
stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + log, self.dryrun)
else:
log.info(self.protectedif + " " + "LOGGING DISABLED")
if self.allowping == "YES":
self.allowping = self.if_config.getAllowPing()
for ap in self.allowping:
log.info(self.protectedif + " " + ap)
stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + ap, self.dryrun)
else:
log.info(self.protectedif + " " + "ALLOWPING DISABLED")
if self.masquerading == "YES":
self.masquerading = self.if_config.getMasquerading()
for mg in self.masquerading:
log.info(self.protectedif + " " + mg)
stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + mg, self.dryrun)
else:
log.info(self.protectedif + " " + "MASQUERADING DISABLED")
else:
log.error(
"no directory found for interface " + self.protectedif + " in " + self.fwconfigpath + "interfaces/"
)
def buildUp(self, protectedif, fwconfigpath, verbose):
self.verbose = verbose
self.protectedif = protectedif
self.fwconfigpath = fwconfigpath
log = logger("abyle-firewall")
self.control = control
if self.protectedif in self.excludedInterfaces:
log.start_stop("securing " + self.protectedif, "EXCLUDED")
else:
log.start_stop("securing " + self.protectedif)
if os.path.exists(self.fwconfigpath + '/' + 'interfaces/' +
self.protectedif) or self.excludedInterfaces.count(
self.protectedif) > 0:
if self.excludedInterfaces.count(self.protectedif) == 0:
tempFileStr = self.fwconfigpath + 'interfaces/' + self.protectedif + '/' + self.xmlconfig
checkWellformed = self.check_well_formedness(tempFileStr)
if checkWellformed != "ok":
log.error(checkWellformed)
sys.exit(1)
else:
log.info(self.fwconfigpath + "interfaces/" +
self.protectedif + "/" + self.xmlconfig +
" is a well-formed xml")
#parse the config file
self.if_config = abyle_config_parse(self.fwconfigpath,
self.protectedif,
self.xmlconfig,
self.verbose)
try:
self.antispoofing = self.if_config.getConfig(
"antispoofing")
except IndexError:
self.antispoofing = "NO"
try:
self.proxyarp = self.if_config.getConfig("proxyarp")
except IndexError:
self.proxyarp = "NO"
try:
self.srouting = self.if_config.getConfig("sourcerouting")
except IndexError:
self.srouting = "NO"
try:
self.icmprdrs = self.if_config.getConfig("icmpredirects")
except IndexError:
self.icmprdrs = "NO"
try:
self.sicmprdrs = self.if_config.getConfig(
"secureicmpredirects")
except IndexError:
self.sicmprdrs = "NO"
try:
self.martians = self.if_config.getConfig("martianslogging")
except IndexError:
self.martians = "NO"
try:
self.bootprelay = self.if_config.getConfig(
"drop0slash8packets")
except IndexError:
self.bootprelay = "NO"
try:
self.logging = self.if_config.getConfig("logging")
except IndexError:
self.logging = "NO"
try:
self.allowping = self.if_config.getConfig("allowping")
except IndexError:
self.allowping = "NO"
try:
self.masquerading = self.if_config.getConfig(
"masquerading")
except IndexError:
self.masquerading = "NO"
try:
self.portforwarding = self.if_config.getConfig(
"portforwarding")
except IndexError:
self.portforwarding = "NO"
try:
self.tproxy = self.if_config.getConfig("transparent_proxy")
except IndexError:
self.tproxy = "NO"
# end parse the config file
self.antispoofing = str(self.antispoofing).upper()
self.proxyarp = str(self.proxyarp).upper()
self.srouting = str(self.srouting).upper()
self.icmprdrs = str(self.icmprdrs).upper()
self.sicmprdrs = str(self.sicmprdrs).upper()
self.martians = str(self.martians).upper()
self.bootprelay = str(self.bootprelay).upper()
self.logging = str(self.logging).upper()
self.allowping = str(self.allowping).upper()
self.masquerading = str(self.masquerading).upper()
self.portforwarding = str(self.portforwarding).upper()
self.tproxy = str(self.tproxy).upper()
# interface specific protections
if self.proxyarp == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.proxyarp_file,
self.dryrun)
log.info("proxy arp activated for " + self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.proxyarp_file,
self.dryrun)
log.info("proxy arp deactivated for " + self.protectedif)
if self.srouting == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.srouting_file,
self.dryrun)
log.info("allow source routing activated for " +
self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.srouting_file,
self.dryrun)
log.info("allow source routing deactivated for " +
self.protectedif)
if self.icmprdrs == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.icmpredirects_file,
self.dryrun)
log.info("icmp redirects activated for " +
self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.icmpredirects_file,
self.dryrun)
log.info("icmp redirects deactivated for " +
self.protectedif)
if self.sicmprdrs == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.secureicmpredirects_file,
self.dryrun)
log.info("secure icmp redirects activated for " +
self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.secureicmpredirects_file,
self.dryrun)
log.info("secure icmp redirects deactivated for " +
self.protectedif)
if self.martians == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.martians_file,
self.dryrun)
log.info("martians logging activated for " +
self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.martians_file,
self.dryrun)
log.info("martians logging deactivated for " +
self.protectedif)
if self.bootprelay == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.bootprelay_file,
self.dryrun)
log.info("dropping packets from 0/8 activated for " +
self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.bootprelay_file,
self.dryrun)
log.info("dropping packets from 0/8 deactivated for " +
self.protectedif)
if self.antispoofing == "YES":
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 1 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.antispoofing_file,
self.dryrun)
log.info("anti spoofing activated for " + self.protectedif)
else:
stdOut, stdErr = self.executioner.run(
self.echocmd + ' 0 > ' + self.ipv4conf_path +
self.protectedif + '/' + self.antispoofing_file,
self.dryrun)
log.info("anti spoofing deactivated for " +
self.protectedif)
self.if_config = abyleparse(self.fwconfigpath, self.protectedif,
self.rulesfile, self.ipt_xmlconfig,
self.excludedInterfaces, self.verbose)
self.rules = self.if_config.getRules()
log_rules = logger("firewall-rule")
for rule in self.rules:
time.sleep(self.naptime / 1000.0)
log_rules.info(self.protectedif + " " + rule)
stdOut, stdErr = self.executioner.run(
self.iptablesbin + ' ' + rule, self.dryrun)
if self.excludedInterfaces.count(self.protectedif) == 0:
if self.portforwarding == "YES":
self.portforwarding = self.if_config.getPortforwarding()
for portfwd in self.portforwarding:
log.info(self.protectedif + " " + portfwd)
stdOut, stdErr = self.executioner.run(
self.iptablesbin + ' ' + portfwd, self.dryrun)
else:
log.info(self.protectedif + " " +
"PORTFORWARDING DISABLED")
if self.tproxy == "YES":
self.tproxy = self.if_config.getTproxy()
for transproxy in self.tproxy:
log.info(self.protectedif + " " + transproxy)
stdOut, stdErr = self.executioner.run(
self.iptablesbin + ' ' + transproxy, self.dryrun)
else:
log.info(self.protectedif + " " +
"TRANSPARENT PROXY DISABLED")
if self.logging == "YES":
self.logging = self.if_config.getLogging()
for log in self.logging:
log.info(self.protectedif + " " + log)
stdOut, stdErr = self.executioner.run(
self.iptablesbin + ' ' + log, self.dryrun)
else:
log.info(self.protectedif + " " + "LOGGING DISABLED")
if self.allowping == "YES":
self.allowping = self.if_config.getAllowPing()
for ap in self.allowping:
log.info(self.protectedif + " " + ap)
stdOut, stdErr = self.executioner.run(
self.iptablesbin + ' ' + ap, self.dryrun)
else:
log.info(self.protectedif + " " + "ALLOWPING DISABLED")
if self.masquerading == "YES":
self.masquerading = self.if_config.getMasquerading()
for mg in self.masquerading:
log.info(self.protectedif + " " + mg)
stdOut, stdErr = self.executioner.run(
self.iptablesbin + ' ' + mg, self.dryrun)
else:
log.info(self.protectedif + " " + "MASQUERADING DISABLED")
else:
log.error("no directory found for interface " + self.protectedif +
" in " + self.fwconfigpath + "interfaces/")
def getAbstractXmlRules(self, xpathToMainNode):
self.methodname="getAbstractXmlRules(self,"+xpathToMainNode+")"
log = logger("xml_parser")
if self.verbose:
log.debug("launched "+self.methodname+" of "+self.classname+".")
# xpathToMainNode example for access rules: "/interface/rules/traffic"
self.abstractRulesArray = []
self.iptflags_indecies = []
if self.allowping == "yes":
self.rules_config = etree.parse(self.fwconfigpath+self.rulesfile)
if xpathToMainNode.find("masquerading") > 0:
self.rules_config = etree.parse(self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.rulesfile)
# parse the iptables flags config file, getIpTablesFlags returns:
# - a dict of iptablesflags e.g.: 11 -> destination or 12 -> destination-port
# - a sorted array of all available index numbers e.g: 1,2,3,...,12
# - the iptables cli switch for the interface argument: e.g: -i
# - special flag iptables cli switch for portforwarding destination
# - transparent proxy to-port flag
# - masquerading interface flag (outside instead of inside)
# - subflag dictionary
self.iptflags_dict, interface, portfwdDestFlag, transproxyToPortFlag, outsideInterfaceFlag, subflags_dict, subflags_cliswitch_dict = self.getIpTablesFlags()
# extract keys (index numbers) in an array and sort it
#self.iptflags_indecies = list(self.iptflags_dict.keys())
for tempIndex in list(self.iptflags_dict.keys()):
self.iptflags_indecies.append(int(tempIndex))
self.iptflags_indecies.sort()
if self.verbose:
log.debug(self.methodname+" - self.iptflags_indecies (sorted) "+str(self.iptflags_indecies)+".")
if xpathToMainNode.find("head") > 0:
blockchain = self.rules_config.xpath("/interface/blockruleshead/@blockchain")
blockchain = blockchain[0]
blockchain_create_string = " -N "+blockchain
self.abstractRulesArray.append(blockchain_create_string)
if xpathToMainNode.find("masquerading") > 0:
self.interfacestr = outsideInterfaceFlag+' '+self.pinterface+' '
else:
# set the interface string to e.g.: -i eth0
self.interfacestr = interface+' '+self.pinterface+' '
# get list of rules e.g. all traffic nodes or all portforwarding nodes
abstractNodes = self.rules_config.xpath(xpathToMainNode)
if self.verbose:
log.debug(self.methodname+" - abstractNodes "+str(abstractNodes)+".")
cnt=0
for node in abstractNodes:
# get list of all attributes of an rule node
#abstractAttributeNodes = abstractNodes[cnt].xpath("./@*")
abstractAttributeNodes = abstractNodes[cnt].keys()
if self.verbose:
log.debug(self.methodname+" - "+str(node.tag)+" abstractNode AttributeNames "+str(abstractNodes[cnt].keys())+".")
# log.debug(self.methodname+" - "+str(node.tag)+" attributes "+str(abstractAttributeNodes)+".")
self.attributestr = ""
tempDestIpStr = ""
tempDestPortStr = ""
tempForwardPortStr = ""
# loop through iptables flags index number list to build the right order
for indexNumber in self.iptflags_indecies:
# get the value of a flag out if the iptables flag dict, e.g.: indexNumber=12 then flag_value = destination
flag_value = self.iptflags_dict[str(indexNumber)][0].text
# loop through all found attribute nodes
for attribute in abstractAttributeNodes:
# test if the attribute name is equal to the string in flag value
if attribute == flag_value:
try:
# parse the file with xpath and get the attributenode cli_switch under cfgname which has the searched indexNumber
flag_cli_arg_node = self.iptflags_config.xpath("/flags/flag[@index="+str(indexNumber)+"]/cfgname/@cli_switch")
#print (flag_cli_arg_node)
# extract the value if the attribute node [0] = assuming that the index is unique
flag_cli_arg = flag_cli_arg_node[0]
# check and build the attribute string with flagCheck()
attributeTmpstr = self.flagCheck(str(abstractNodes[cnt].get(attribute)),flag_cli_arg, indexNumber, self.iptflags_config)
except (KeyError):
log.error(sys.exc_info()[1])
sys.exit(1)
if xpathToMainNode.find("portforwarding") > 0 and attribute == "destination" :
tempDestIpStr = abstractNodes[cnt].get(attribute)
elif xpathToMainNode.find("portforwarding") > 0 and attribute == "destination-port":
tempDestPortStr = abstractNodes[cnt].get(attribute)
elif xpathToMainNode.find("portforwarding") > 0 and attribute == "forward-port":
tempForwardPortStr = abstractNodes[cnt].get(attribute)
elif xpathToMainNode.find("transparentproxy") > 0 and attribute == "destination":
tempDestIpStr = abstractNodes[cnt].get(attribute)
elif xpathToMainNode.find("transparentproxy") > 0 and attribute == "destination-port":
tempDestPortStr = abstractNodes[cnt].get(attribute)
else:
# append the temp string to the self.attributestr
self.attributestr = self.attributestr+attributeTmpstr
hasSubflags = "no"
for key in subflags_dict.keys():
if str(key) == str(indexNumber):
hasSubflags = "yes"
if hasSubflags == "yes":
subattributeTmpstr = ""
tempSubflagsArray = subflags_dict[indexNumber].split(';')
tempSubflagsCliswitchArray = subflags_cliswitch_dict[indexNumber].split(';')
subflagcnt = 0
for subflag_value in tempSubflagsArray:
for attribute in abstractAttributeNodes:
if attribute.name == subflag_value:
subattributeTmpstr = self.flagCheck(attribute.value,tempSubflagsCliswitchArray[subflagcnt], indexNumber, self.iptflags_config)
self.attributestr = self.attributestr+subattributeTmpstr
subflagcnt = subflagcnt + 1
cnt = cnt + 1
self.attributestrForward = ""
if xpathToMainNode.find("portforwarding") > 0:
# append interface string to the attribute string
# build the iptablescommand for the PREROUTING chain of the nat table and the FORWARD chain
if not self.pinterface == "default":
self.attributestr = self.interfacestr+self.attributestr
self.attributestrForward = self.attributestr
self.attributestrForward = re.sub("PREROUTING","FORWARD",self.attributestrForward)
self.attributestrForward = re.sub("DNAT","ACCEPT",self.attributestrForward)
self.attributestrForward = re.sub("-t nat","",self.attributestrForward)
self.attributestrForward = re.sub("--dport \d{1,5}","",self.attributestrForward)
self.attributestrForward = re.sub(r"--destination \b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b","",self.attributestrForward)
self.attributestrForward = self.attributestrForward+" --destination-port "+tempDestPortStr+" --destination "+tempDestIpStr
self.attributestr = self.attributestr+"--dport "+tempForwardPortStr+" "+portfwdDestFlag+' '+tempDestIpStr+":"+tempDestPortStr
elif xpathToMainNode.find("transparentproxy") > 0:
self.attributestr = self.interfacestr+self.attributestr+transproxyToPortFlag+' '+tempDestPortStr
else:
if not self.pinterface == "default":
self.attributestr = self.interfacestr+self.attributestr
# append the string to the rules array
self.abstractRulesArray.append(self.attributestr)
if not self.attributestrForward == "":
self.abstractRulesArray.append(self.attributestrForward)
return self.abstractRulesArray
import re
import os
import string
import time
import datetime
import sys
from abyle_xmlparser import abyleparse
from abyle_execute import abyle_execute
from abyle_config_xmlparser import abyle_config_parse
from xml.sax.handler import ContentHandler
from xml.sax import make_parser
from abyle_log import logger
control = logger("abyle-control")
class abyle_firewall:
def __init__(
self, dryrun, iptablesbin, fwconfigpath, rulesfile, ipt_xmlconfig, xmlconfig, echocmd, logfile, verbose
):
self.naptime = 10 # milliseconds
self.dryrun = dryrun
self.iptablesbin = iptablesbin
self.fwconfigpath = fwconfigpath
self.rulesfile = rulesfile
self.ipt_xmlconfig = ipt_xmlconfig
self.xmlconfig = xmlconfig
self.logfile = logfile
self.verbose = verbose
self.executioner = abyle_execute()
def __init__(
self, dryrun, iptablesbin, fwconfigpath, rulesfile, ipt_xmlconfig, xmlconfig, echocmd, logfile, verbose
):
self.naptime = 10 # milliseconds
self.dryrun = dryrun
self.iptablesbin = iptablesbin
self.fwconfigpath = fwconfigpath
self.rulesfile = rulesfile
self.ipt_xmlconfig = ipt_xmlconfig
self.xmlconfig = xmlconfig
self.logfile = logfile
self.verbose = verbose
self.executioner = abyle_execute()
self.echocmd = echocmd
global_config = abyle_config_parse(fwconfigpath, "default", xmlconfig, self.verbose)
self.excludedInterfaces = global_config.getConfig("excluded_interfaces")
try:
self.tcpabort_file = global_config.getConfig("tcpabortfile")
except IndexError:
self.tcpabort_file = "/proc/sys/net/ipv4/tcpicmpbcastfile_abort_on_overflow"
try:
self.icmpbcastreply_file = global_config.getConfig("icmpbcastfile")
except IndexError:
self.icmpbcastreply_file = "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"
try:
self.dynaddresshack_file = global_config.getConfig("dynaddresshackfile")
except IndexError:
self.dynaddresshack_file = "/proc/sys/net/ipv4/ip_dynaddr"
try:
self.ipv4conf_path = global_config.getConfig("ipv4confpath")
except IndexError:
self.ipv4conf_path = "/proc/sys/net/ipv4/conf/"
try:
self.antispoofing_file = global_config.getConfig("antispoofingfile")
except IndexError:
self.antispoofing_file = "rp_filter"
try:
self.syncookiefile = global_config.getConfig("syncookiefile")
except IndexError:
self.syncookiefile = "/proc/sys/net/ipv4/tcp_syncookies"
try:
self.ipv4forwardfile = global_config.getConfig("ipv4forwardfile")
except IndexError:
self.ipv4forwardfile = "/proc/sys/net/ipv4/ip_forward"
try:
self.syncookie = str(global_config.getConfig("syncookie")).upper()
except IndexError:
self.syncookie = "YES"
try:
self.ipv4forward = str(global_config.getConfig("ipv4forward")).upper()
except IndexError:
self.syncookie = "NO"
try:
self.tcpabort = str(global_config.getConfig("aborttcp")).upper()
except IndexError:
self.tcpabort = "NO"
try:
self.icmpbcastreply = str(global_config.getConfig("answericmpbroadcast")).upper()
except IndexError:
self.icmpbcastreply = "NO"
try:
self.dynaddresshack = str(global_config.getConfig("dynaddresshack")).upper()
except IndexError:
self.dynaddresshack = "NO"
try:
self.proxyarp_file = global_config.getConfig("proxyarpfile")
except IndexError:
self.proxyarp_file = "proxy_arp"
try:
self.srouting_file = global_config.getConfig("sroutingfile")
except IndexError:
self.srouting_file = "accept_source_route"
try:
self.icmpredirects_file = global_config.getConfig("icmprdrsfile")
except IndexError:
self.icmpredirects_file = "accept_redirects"
try:
self.secureicmpredirects_file = global_config.getConfig("icmpsecurerdrsfile")
except IndexError:
self.secureicmpredirects_file = "secure_redirects"
try:
self.martians_file = global_config.getConfig("martiansfile")
except IndexError:
self.martians_file = "log_martians"
try:
self.bootprelay_file = global_config.getConfig("bootprelayfile")
except IndexError:
self.bootprelay_file = "bootp_relay"
log = logger("firewall")
if not self.tcpabort == "NO":
stdOut, stdErr = self.executioner.run(self.echocmd + " 1 > " + self.tcpabort_file, self.dryrun)
log.info("ipv4 send TCP-RST on full buffer is activated")
else:
stdOut, stdErr = self.executioner.run(self.echocmd + " 0 > " + self.tcpabort_file, self.dryrun)
log.info("ipv4 send TCP-RST on full buffer is deactivated")
if not self.icmpbcastreply == "NO":
stdOut, stdErr = self.executioner.run(self.echocmd + " 1 > " + self.icmpbcastreply_file, self.dryrun)
log.info("ipv4 reply to ICMP Broadcasts is deactivated")
else:
stdOut, stdErr = self.executioner.run(self.echocmd + " 0 > " + self.icmpbcastreply_file, self.dryrun)
log.info("ipv4 reply to ICMP Broadcasts is activated")
if not self.dynaddresshack == "NO":
stdOut, stdErr = self.executioner.run(self.echocmd + " 1 > " + self.dynaddresshack_file, self.dryrun)
log.info("ipv4 dynamic address hack activated")
else:
stdOut, stdErr = self.executioner.run(self.echocmd + " 0 > " + self.dynaddresshack_file, self.dryrun)
log.info("ipv4 dynamic address hack deactivated")
if not self.ipv4forward == "NO":
stdOut, stdErr = self.executioner.run(self.echocmd + " 1 > " + self.ipv4forwardfile, self.dryrun)
log.info("ipv4 forwarding activated")
else:
stdOut, stdErr = self.executioner.run(self.echocmd + " 0 > " + self.ipv4forwardfile, self.dryrun)
log.info("ipv4 forwarding deactivated")
if not self.syncookie == "NO":
stdOut, stdErr = self.executioner.run(self.echocmd + " 1 > " + self.syncookiefile, self.dryrun)
log.info("syncookie activated")
else:
stdOut, stdErr = self.executioner.run(self.echocmd + " 0 > " + self.syncookiefile, self.dryrun)
log.info("syncookie deactivated")
self.default_config = abyleparse(
self.fwconfigpath, "default", self.rulesfile, self.ipt_xmlconfig, self.excludedInterfaces, self.verbose
)
self.defaultrules = self.default_config.getDefaultRules("head")
for drule in self.defaultrules:
log.info("default-rule: " + drule)
stdOut, stdErr = self.executioner.run(self.iptablesbin + " " + drule, self.dryrun)
#from xml.dom.minidom import *
import re
import sys
#from xml.dom.minidom import Node
from abyle_output import abyle_output
from abyle_log import logger
log = logger("xml_parser")
try:
from lxml import etree
except (ImportError):
log.error("xml parser import error, please install python lxml package")
sys.exit(1)
class abyleparse:
def __init__(self, fwconfigpath, interface, rulesfile, ipt_xmlconfig,
excludedInterfaces, verbose):
self.classname = "abyleparse"
self.verbose = verbose
self.fwconfigpath = fwconfigpath
self.pinterface = interface
self.rulesfile = rulesfile
self.iptflagsfile = ipt_xmlconfig
self.rulesarray = []
self.iptflags_dict = {}
self.excludedInterfaces = excludedInterfaces
self.allowping = ""
log = logger("xml_parser")
if self.verbose:
import sys
from abyle_output import abyle_output
from xml.dom.minidom import *
import codecs
from abyle_log import logger
log = logger("abyle_config_xmlwriter")
try:
from lxml import etree
except (ImportError):
log.error("xml config parser import error, please install python xpath modules")
sys.exit(1)
class abyle_config_write:
def __init__(self, fwconfigpath, interface, xmlconfig):
self.fwconfigpath = fwconfigpath
self.pinterface = interface
self.xmlconfig = xmlconfig
self.xmlfile = ""
self.buildednode = ""
try:
if self.pinterface == "default":
self.abyle_config = xml.dom.minidom.parse(self.fwconfigpath+self.xmlconfig)
self.xmlfile = self.fwconfigpath+self.xmlconfig
else:
self.abyle_config = xml.dom.minidom.parse(self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.xmlconfig)
self.xmlfile = self.fwconfigpath+'interfaces/'+self.pinterface+'/'+self.xmlconfig
except (IOError):
