def set_chain_policy(self, policy_state):
"""
set input/output chain policy
"""
accept_policy = iptc.Policy('ACCEPT')
drop_policy = iptc.Policy('DROP')
#v4 policy
input_chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'INPUT')
output_chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'OUTPUT')
if policy_state.lower() == JSON_RULE_NETWORK_ACCEPT \
or policy_state.lower() == JSON_RULE_ALLOW:
input_chain.set_policy(accept_policy)
output_chain.set_policy(accept_policy)
else:
input_chain.set_policy(drop_policy)
output_chain.set_policy(drop_policy)
#v6 policy
input_chain6 = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'INPUT')
output_chain6 = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'OUTPUT')
if policy_state.lower() == JSON_RULE_NETWORK_ACCEPT \
or policy_state.lower() == JSON_RULE_ALLOW:
input_chain6.set_policy(accept_policy)
output_chain6.set_policy(accept_policy)
else:
input_chain6.set_policy(drop_policy)
output_chain6.set_policy(drop_policy)
def test_chain_policy(self):
table = iptc.TABLE_FILTER
input_chain = iptc.Chain(table, "INPUT")
pol = iptc.Policy("DROP")
input_chain.set_policy(pol)
rpol = input_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("ACCEPT")
input_chain.set_policy(pol)
rpol = input_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("RETURN")
try:
input_chain.set_policy(pol)
except iptc.IPTCError:
pass
else:
fail("managed to set INPUT policy to RETURN")
table = iptc.TABLE_NAT
prerouting_chain = iptc.Chain(table, "PREROUTING")
pol = iptc.Policy("DROP")
prerouting_chain.set_policy(pol)
rpol = prerouting_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("ACCEPT")
prerouting_chain.set_policy(pol)
rpol = prerouting_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("RETURN")
try:
prerouting_chain.set_policy(pol)
except iptc.IPTCError:
pass
else:
fail("managed to set PREROUTING policy to RETURN")
table = iptc.TABLE_MANGLE
forward_chain = iptc.Chain(table, "FORWARD")
pol = iptc.Policy("DROP")
forward_chain.set_policy(pol)
rpol = forward_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("ACCEPT")
forward_chain.set_policy(pol)
rpol = forward_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("RETURN")
try:
forward_chain.set_policy(pol)
except iptc.IPTCError:
pass
else:
fail("managed to set FORWARD policy to RETURN")
def _apply_config(table, config_d, ipv6):
for chain_s in config_d:
if not iptc.easy.has_chain(table, chain_s, ipv6=ipv6):
iptc.easy.add_chain(table, chain_s, ipv6=ipv6)
try:
if config_d[chain_s]["policy"] != "None":
policy = iptc.Policy(config_d[chain_s]["policy"])
iptc.easy.set_policy(table, chain_s, policy=policy, ipv6=ipv6)
except KeyError:
pass
try:
for rule_d in config_d[chain_s]["rules"]:
if iptc.easy.test_rule(rule_d, ipv6=ipv6):
try:
iptc.easy.add_rule(table, chain_s, rule_d, ipv6=ipv6)
except ValueError:
raise IptablesError(
"Malformed rule: {}\n in {}.{}".format(
rule_d, table, chain_s))
else:
raise IptablesError(
"Malformed rule: {}\n in {}.{}".format(
rule_d, table, chain_s))
except KeyError:
pass
def test_filter_policy(self):
if is_table_available(iptc.Table.FILTER):
table = iptc.Table(iptc.Table.FILTER)
input_chain = iptc.Chain(table, "INPUT")
pol = iptc.Policy("DROP")
input_chain.set_policy(pol)
rpol = input_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("ACCEPT")
input_chain.set_policy(pol)
rpol = input_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("RETURN")
try:
input_chain.set_policy(pol)
except iptc.IPTCError:
pass
else:
self.fail("managed to set INPUT policy to RETURN")
def init_chain():
filter_rule.flush_chain(chain_name)
table = iptc.Table(iptc.Table.FILTER)
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), chain_name)
try:
chain.set_policy(iptc.Policy("ACCEPT"))
return 0
except Exception as e:
print(e)
print("Table Error : table.strerror()")
return 1
def flush_tables(ipv6=False):
"""Flush all tables and apply the default policy ACCEPT to standard tables"""
printer = Printer()
with printer.Do("Flushing all tables: ipv6={!r}".format(ipv6)):
iptc.easy.flush_all(ipv6=ipv6)
with printer.Do("Setting ACCEPT policy in all chains"):
policy = iptc.Policy("ACCEPT")
for table_s in iptc.easy.get_tables(ipv6):
for chain_s in iptc.easy.get_chains(table_s, ipv6):
iptc.easy.set_policy(table_s,
chain_s,
policy=policy,
ipv6=ipv6)
def apply_config(config_file, server=None, protocol=None):
"""Apply a configuration to ip[6]tables (depends on the file name)
:raises: IptablesError if an invalid rule is present. This leaves the
table intact with rules applied so far.
"""
table = init_table_from_file_name(config_file)
table_s = table.name
is_ipv6 = is_table_v6(table)
printer = Printer()
with printer.Do("Flushing table '{}', ipv6={!r}".format(table_s, is_ipv6)):
iptc.easy.flush_table(table_s, ipv6=is_ipv6)
policy = iptc.Policy("ACCEPT")
for chain_s in iptc.easy.get_chains(table_s, ipv6=is_ipv6):
iptc.easy.set_policy(table_s, chain_s, policy=policy, ipv6=is_ipv6)
config_base = os.path.basename(config_file)
with printer.Do("Applying '{}'".format(config_base)):
config_d = read_config(config_file, server, protocol)
_apply_config(table_s, config_d, ipv6=is_ipv6)
return True
def test_nat_policy(self):
if is_table_available(iptc.Table.NAT):
table = iptc.Table(iptc.Table.NAT)
prerouting_chain = iptc.Chain(table, "PREROUTING")
pol = iptc.Policy("DROP")
prerouting_chain.set_policy(pol)
rpol = prerouting_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("ACCEPT")
prerouting_chain.set_policy(pol)
rpol = prerouting_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("RETURN")
try:
prerouting_chain.set_policy(pol)
except iptc.IPTCError:
pass
else:
self.fail("managed to set PREROUTING policy to RETURN")
if is_table_available(iptc.Table.MANGLE):
table = iptc.Table(iptc.Table.MANGLE)
forward_chain = iptc.Chain(table, "FORWARD")
pol = iptc.Policy("DROP")
forward_chain.set_policy(pol)
rpol = forward_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("ACCEPT")
forward_chain.set_policy(pol)
rpol = forward_chain.get_policy()
self.assertEquals(id(pol), id(rpol))
pol = iptc.Policy("RETURN")
try:
forward_chain.set_policy(pol)
except iptc.IPTCError:
pass
else:
self.fail("managed to set FORWARD policy to RETURN")
def setChainPolicy(aChain, aPolicy):
# set the policy of aChain
table = iptc.Table(iptc.Table.FILTER)
chain = iptc.Chain(table, aChain)
pol = iptc.Policy(aPolicy)
chain.set_policy(pol, 0)
