def test_rule_standard_target(self):
try:
target = iptc.Target(iptc.Rule(), "jump_to_chain")
except:
pass
else:
self.fail("target accepted invalid name jump_to_chain")
rule = iptc.Rule()
rule.protocol = "tcp"
rule.src = "127.0.0.1"
target = iptc.Target(rule, "RETURN")
self.assertEquals(target.name, "RETURN")
target = iptc.Target(rule, "ACCEPT")
self.assertEquals(target.name, "ACCEPT")
target = iptc.Target(rule, "")
self.assertEquals(target.name, "")
target.standard_target = "ACCEPT"
self.assertEquals(target.name, "ACCEPT")
self.assertEquals(target.standard_target, "ACCEPT")
target = iptc.Target(rule, self.chain.name)
rule.target = target
self.chain.insert_rule(rule)
self.chain.delete_rule(rule)
def test_flush_user_chains(self):
chain1 = iptc.Chain(iptc.Table(iptc.Table.FILTER),
"iptc_test_flush_chain1")
chain2 = iptc.Chain(iptc.Table(iptc.Table.FILTER),
"iptc_test_flush_chain2")
iptc.Table(iptc.Table.FILTER).create_chain(chain1)
iptc.Table(iptc.Table.FILTER).create_chain(chain2)
rule = iptc.Rule()
rule.target = iptc.Target(rule, chain2.name)
chain1.append_rule(rule)
rule = iptc.Rule()
rule.target = iptc.Target(rule, chain1.name)
chain2.append_rule(rule)
self.assertEquals(len(chain1.rules), 1)
self.assertEquals(len(chain2.rules), 1)
filter_table = iptc.Table(iptc.Table.FILTER)
filter_table.flush()
self.assertTrue(not filter_table.is_chain(chain1.name))
self.assertTrue(not filter_table.is_chain(chain2.name))
def test_rule_insert(self):
rules = []
rule = iptc.Rule6()
rule.protocol = "tcp"
rule.src = "::1"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
self.chain.insert_rule(rule)
rules.append(rule)
rule = iptc.Rule6()
rule.protocol = "udp"
rule.src = "::1"
target = iptc.Target(rule, "REJECT")
target.reject_with = "addr-unreach"
rule.target = target
self.chain.insert_rule(rule)
rules.append(rule)
rule = iptc.Rule6()
rule.protocol = "tcp"
rule.dst = "2001::/16"
target = iptc.Target(rule, "RETURN")
rule.target = target
self.chain.insert_rule(rule)
rules.append(rule)
crules = self.chain.rules
self.failUnless(len(rules) == len(crules))
for rule in rules:
self.failUnless(rule in crules)
crules.remove(rule)
def permBan(net, unban=False):
global lock
if type(ipaddress.ip_network(net, strict=False)) is ipaddress.IPv4Network:
with lock:
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')
rule = iptc.Rule()
rule.src = net
target = iptc.Target(rule, "REJECT")
rule.target = target
if rule not in chain.rules and not unban:
logCrit('Add host/network %s to blacklist' % net)
chain.insert_rule(rule)
r.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time())))
elif rule in chain.rules and unban:
logCrit('Remove host/network %s from blacklist' % net)
chain.delete_rule(rule)
r.hdel('F2B_PERM_BANS', '%s' % net)
else:
with lock:
chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'MAILCOW')
rule = iptc.Rule6()
rule.src = net
target = iptc.Target(rule, "REJECT")
rule.target = target
if rule not in chain.rules and not unban:
logCrit('Add host/network %s to blacklist' % net)
chain.insert_rule(rule)
r.hset('F2B_PERM_BANS', '%s' % net, int(round(time.time())))
elif rule in chain.rules and unban:
logCrit('Remove host/network %s from blacklist' % net)
chain.delete_rule(rule)
r.hdel('F2B_PERM_BANS', '%s' % net)
def initChain():
# Is called before threads start, no locking
print("Initializing mailcow netfilter chain")
# IPv4
if not iptc.Chain(iptc.Table(iptc.Table.FILTER), "MAILCOW") in iptc.Table(
iptc.Table.FILTER).chains:
iptc.Table(iptc.Table.FILTER).create_chain("MAILCOW")
for c in ['FORWARD', 'INPUT']:
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), c)
rule = iptc.Rule()
rule.src = '0.0.0.0/0'
rule.dst = '0.0.0.0/0'
target = iptc.Target(rule, "MAILCOW")
rule.target = target
if rule not in chain.rules:
chain.insert_rule(rule)
# IPv6
if not iptc.Chain(iptc.Table6(iptc.Table6.FILTER),
"MAILCOW") in iptc.Table6(iptc.Table6.FILTER).chains:
iptc.Table6(iptc.Table6.FILTER).create_chain("MAILCOW")
for c in ['FORWARD', 'INPUT']:
chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), c)
rule = iptc.Rule6()
rule.src = '::/0'
rule.dst = '::/0'
target = iptc.Target(rule, "MAILCOW")
rule.target = target
if rule not in chain.rules:
chain.insert_rule(rule)
def unban(net):
global lock
if not net in bans:
logInfo(
'%s is not banned, skipping unban and deleting from queue (if any)'
% net)
r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
return
logInfo('Unbanning %s' % net)
if type(ipaddress.ip_network(net)) is ipaddress.IPv4Network:
with lock:
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')
rule = iptc.Rule()
rule.src = net
target = iptc.Target(rule, "REJECT")
rule.target = target
if rule in chain.rules:
chain.delete_rule(rule)
else:
with lock:
chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'MAILCOW')
rule = iptc.Rule6()
rule.src = net
target = iptc.Target(rule, "REJECT")
rule.target = target
if rule in chain.rules:
chain.delete_rule(rule)
r.hdel('F2B_ACTIVE_BANS', '%s' % net)
r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
if net in bans:
del bans[net]
def set_internal_firewall(network,port_list):
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.flush()
for port in port_list:
rule = iptc.Rule()
rule.target = iptc.Target(rule, "ACCEPT")
rule.protocol = "tcp"
rule.src = network
match = iptc.Match(rule, "tcp")
match.dport = str(port)
rule.add_match(match)
chain.insert_rule(rule)
rule = iptc.Rule()
rule.target = iptc.Target(rule, "ACCEPT")
match = iptc.Match(rule, "state")
match.state = "RELATED,ESTABLISHED"
rule.add_match(match)
chain.insert_rule(rule)
rule = iptc.Rule()
rule.target = iptc.Target(rule, "ACCEPT")
rule.in_interface = "lo"
chain.insert_rule(rule)
chain.set_policy("DROP")
def unban(net):
log['time'] = int(round(time.time()))
log['priority'] = 'info'
r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
#if not net in bans:
# log['message'] = '%s is not banned, skipping unban and deleting from queue (if any)' % net
# r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
# print '%s is not banned, skipping unban and deleting from queue (if any)' % net
# r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
# return
log['message'] = 'Unbanning %s' % net
r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
print 'Unbanning %s' % net
if type(ipaddress.ip_network(net.decode('ascii'))) is ipaddress.IPv4Network:
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')
rule = iptc.Rule()
rule.src = net
target = iptc.Target(rule, "REJECT")
rule.target = target
if rule in chain.rules:
chain.delete_rule(rule)
else:
chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'MAILCOW')
rule = iptc.Rule6()
rule.src = net
target = iptc.Target(rule, "REJECT")
rule.target = target
if rule in chain.rules:
chain.delete_rule(rule)
r.hdel('F2B_ACTIVE_BANS', '%s' % net)
r.hdel('F2B_QUEUE_UNBAN', '%s' % net)
if net in bans:
del bans[net]
def initialize(self):
tb = iptc.Table(iptc.Table.FILTER)
c = iptc.Chain(tb, 'INPUT')
c.flush()
# Accept loopback
r = iptc.Rule()
r.in_interface = 'lo'
t = iptc.Target(r, 'ACCEPT')
r.target = t
c.append_rule(r)
# Accept designated apps
r = iptc.Rule()
t = iptc.Target(r, 'genesis-apps')
r.target = t
c.append_rule(r)
# Allow ICMP (ping)
shell('iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT')
# Accept established/related connections
# Unfortunately this has to be done clasically
shell('iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT')
# Reject all else by default
r = iptc.Rule()
t = iptc.Target(r, 'DROP')
r.target = t
c.append_rule(r)
self.save()
def test_rule_insert(self):
rules = []
rule = iptc.Rule()
rule.protocol = "tcp"
rule.src = "127.0.0.1"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
self.chain.insert_rule(rule)
rules.append(rule)
rule = iptc.Rule()
rule.protocol = "udp"
rule.src = "127.0.0.1"
target = iptc.Target(rule, "REJECT")
target.reject_with = "host-unreach"
rule.target = target
self.chain.insert_rule(rule)
rules.append(rule)
rule = iptc.Rule()
rule.protocol = "tcp"
rule.dst = "10.1.1.0/255.255.255.0"
target = iptc.Target(rule, "RETURN")
rule.target = target
self.chain.insert_rule(rule)
rules.append(rule)
crules = self.chain.rules
self.failUnless(len(rules) == len(crules))
for rule in rules:
self.failUnless(rule in crules)
crules.remove(rule)
def initChain():
# Is called before threads start, no locking
print "Initializing mailcow netfilter chain"
# IPv4
if not iptc.Chain(iptc.Table(iptc.Table.FILTER), "MAILCOW") in iptc.Table(iptc.Table.FILTER).chains:
iptc.Table(iptc.Table.FILTER).create_chain("MAILCOW")
for c in ['FORWARD', 'INPUT']:
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), c)
rule = iptc.Rule()
rule.src = '0.0.0.0/0'
rule.dst = '0.0.0.0/0'
target = iptc.Target(rule, "MAILCOW")
rule.target = target
if rule not in chain.rules:
chain.insert_rule(rule)
# IPv6
if not iptc.Chain(iptc.Table6(iptc.Table6.FILTER), "MAILCOW") in iptc.Table6(iptc.Table6.FILTER).chains:
iptc.Table6(iptc.Table6.FILTER).create_chain("MAILCOW")
for c in ['FORWARD', 'INPUT']:
chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), c)
rule = iptc.Rule6()
rule.src = '::/0'
rule.dst = '::/0'
target = iptc.Target(rule, "MAILCOW")
rule.target = target
if rule not in chain.rules:
chain.insert_rule(rule)
# Apply blacklist
BLACKLIST = r.hgetall('F2B_BLACKLIST')
if BLACKLIST:
for bl_key in BLACKLIST:
if type(ipaddress.ip_network(bl_key.decode('ascii'), strict=False)) is ipaddress.IPv4Network:
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')
rule = iptc.Rule()
rule.src = bl_key
target = iptc.Target(rule, "REJECT")
rule.target = target
if rule not in chain.rules:
log['time'] = int(round(time.time()))
log['priority'] = 'crit'
log['message'] = 'Blacklisting host/network %s' % bl_key
r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
print log['message']
chain.insert_rule(rule)
r.hset('F2B_PERM_BANS', '%s' % bl_key, int(round(time.time())))
else:
chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'MAILCOW')
rule = iptc.Rule6()
rule.src = bl_key
target = iptc.Target(rule, "REJECT")
rule.target = target
if rule not in chain.rules:
log['time'] = int(round(time.time()))
log['priority'] = 'crit'
log['message'] = 'Blacklisting host/network %s' % bl_key
r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
print log['message']
chain.insert_rule(rule)
r.hset('F2B_PERM_BANS', '%s' % bl_key, int(round(time.time())))
def __init__(self):
self.backup()
log.debug("Starting FirewallManager")
table = iptc.Table(iptc.Table.FILTER)
# Crear chain
try:
table.create_chain("c-lock")
except Exception as e:
log.debug("c-lock exists!")
# TODO ¿Debería venir desde ACCEPT?
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
# TODO Añadir que mande aquí todos los puertos protegidos, o todas las conexiones si se protege todo
rule = iptc.Rule() # *
rule.protocol = "tcp"
# Apuntar INPUT a c-lock
rule.target = iptc.Target(rule, "c-lock")
chain.insert_rule(rule, position=len(chain.rules))
# c-lock config
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "c-lock")
'''
TODO 1b53c7b5-55d7-4834-9719-1ef86a7bfe12
if unmanaged_ports:
OPEN(unmanaged_ports)
DROP_ALL
else:
DROP (PROTECTED_PORTS)
'''
# Drop all the rest
rule = iptc.Rule()
rule.protocol = "tcp"
rule.target = iptc.Target(rule, "DROP")
chain.insert_rule(rule)
# Accept all established
rule = iptc.Rule()
rule.protocol = "tcp"
rule.target = iptc.Target(rule, "ACCEPT")
match = iptc.Match(rule, "state")
match.state = "RELATED,ESTABLISHED"
rule.add_match(match)
chain.insert_rule(rule)
# TODO Accept all OUTPUT
# Accept all localhost connections
rule = iptc.Rule() # *
rule.protocol = "tcp"
rule.src = "127.0.0.1"
rule.target = iptc.Target(rule, "ACCEPT")
chain.insert_rule(rule)
def test_target_compare(self):
t1 = iptc.Target(iptc.Rule(), "MARK")
t1.set_mark = "0x123"
t2 = iptc.Target(iptc.Rule(), "MARK")
t2.set_mark = "0x123"
self.failUnless(t1 == t2)
t2.reset()
t2.set_mark = "0x124"
self.failIf(t1 == t2)
def initChain():
print "Initializing mailcow netfilter chain"
# IPv4
if not iptc.Chain(iptc.Table(iptc.Table.FILTER), "MAILCOW") in iptc.Table(
iptc.Table.FILTER).chains:
iptc.Table(iptc.Table.FILTER).create_chain("MAILCOW")
for c in ['FORWARD', 'INPUT']:
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), c)
rule = iptc.Rule()
rule.src = '0.0.0.0/0'
rule.dst = '0.0.0.0/0'
target = iptc.Target(rule, "MAILCOW")
rule.target = target
if rule not in chain.rules:
chain.insert_rule(rule)
# IPv6
if not iptc.Chain(iptc.Table6(iptc.Table6.FILTER),
"MAILCOW") in iptc.Table6(iptc.Table6.FILTER).chains:
iptc.Table6(iptc.Table6.FILTER).create_chain("MAILCOW")
for c in ['FORWARD', 'INPUT']:
chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), c)
rule = iptc.Rule6()
rule.src = '::/0'
rule.dst = '::/0'
target = iptc.Target(rule, "MAILCOW")
rule.target = target
if rule not in chain.rules:
chain.insert_rule(rule)
# Apply blacklist
BLACKLIST = r.hgetall('F2B_BLACKLIST')
if BLACKLIST:
for bl_key in BLACKLIST:
if type(ipaddress.ip_network(
bl_key.decode('ascii'),
strict=False)) is ipaddress.IPv4Network:
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')
rule = iptc.Rule()
rule.src = bl_key
target = iptc.Target(rule, "REJECT")
rule.target = target
if rule not in chain.rules:
chain.insert_rule(rule)
else:
chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'MAILCOW')
rule = iptc.Rule6()
rule.src = bl_key
target = iptc.Target(rule, "REJECT")
rule.target = target
if rule not in chain.rules:
chain.insert_rule(rule)
def init_vnsf_forward_chain():
# sudo iptables -t nat -A POSTROUTING --out-interface eth2 -j MASQUERADE
table = iptc.Table(iptc.Table.NAT)
chain = iptc.Chain(table, "POSTROUTING")
chain.flush()
rule = iptc.Rule()
rule.out_interface = settings.wan_interface
target = iptc.Target(rule, "MASQUERADE")
rule.target = target
chain.insert_rule(rule)
# iptables -N vnsf-forward
table = iptc.Table(iptc.Table.FILTER)
vnsf_forward_chain = table.create_chain(settings.vnsf_forward_chain)
# iptables -A vnsf-forward -j RETURN
rule = iptc.Rule()
target = iptc.Target(rule, "RETURN")
rule.target = target
vnsf_forward_chain.append_rule(rule)
# iptables -A FORWARD --in-interface eth1 -j vnsf-forward
chain = iptc.Chain(table, "FORWARD")
chain.flush()
rule = iptc.Rule()
rule.in_interface = settings.lan_interface
target = iptc.Target(rule, settings.vnsf_forward_chain)
rule.target = target
chain.insert_rule(rule)
# iptables -A FORWARD --in-interface eth1 --out-interface eth2 -j ACCEPT
rule = iptc.Rule()
rule.in_interface = settings.lan_interface
rule.out_interface = settings.wan_interface
target = iptc.Target(rule, "ACCEPT")
rule.target = target
chain.append_rule(rule)
# iptables -A FORWARD --in-interface eth2 --out-interface eth1 -m state \
# --state ESTABLISHED, RELATED -j ACCEPT
rule = iptc.Rule()
rule.in_interface = settings.wan_interface
rule.out_interface = settings.lan_interface
match = iptc.Match(rule, "state")
match.state = "RELATED,ESTABLISHED"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
rule.add_match(match)
chain.append_rule(rule)
def allowFwd(anIP):
# allows all forwarding to/by a client on the network
# iptables -A FORWARD -s $IP_CLIENT -j ACCEPT
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "FORWARD")
rule = iptc.Rule()
rule.src = anIP + "/255.255.255.255"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
chain.append_rule(rule)
# iptables -A FORWARD -d $IP_CLIENT -j ACCEPT
rule2 = iptc.Rule()
rule2.dst = anIP + "/255.255.255.255"
target2 = iptc.Target(rule2, "ACCEPT")
rule2.target = target
chain.append_rule(rule2)
def main():
#global parse_packet.block
global chain, set_ips
print "block packet", parse_packet.set_block
#tup=()
print "length of block", len(parse_packet.set_block)
#for j in range(len(parse_packet.set_block)):
for tup in parse_packet.set_block:
#tup=parse_packet.set_block.pop()
if tup[1] == "tcp":
print "TUPLE VALUE", tup[0]
rule = iptc.Rule()
rule.in_interfaces = "eth0"
rule.src = tup[0]
rule.protocol = "tcp"
match = rule.create_match("tcp")
#match.dport = str(tup[1])
rule.target = iptc.Target(rule, "DROP")
print rule
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
#iptc.Chain.insert_rule(,rule,position=1)
chain.insert_rule(rule)
set_ips.add(("eth0", "tcp", "INPUT chain", "DROP", "%s" % tup[0]))
print "set_ips", set_ips
if tup[1] == "icmp":
print "TUPLE VALUE", tup[0]
rule = iptc.Rule()
rule.in_interfaces = "eth0"
rule.src = tup[0]
rule.protocol = "icmp"
match = rule.create_match("icmp")
#match.dport = str(tup[1])
rule.target = iptc.Target(rule, "DROP")
print "rule", rule
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
print "chain ", chain
#iptc.Chain.insert_rule(,rule,position=1)
chain.insert_rule(rule)
set_ips.add(("eth0", "icmp", "INPUT chain", "DROP", "%s" % tup[0]))
print "set_ips", set_ips
print "chain rule", chain.rules
print "deleting ", len(chain.rules)
print "chain name", chain.name
def create_rule(self, ip, port):
"""Create a new firewall rule
Args:
ip: IP address
port: port number
Returns:
The firewall rule to white list
Raises:
Hyp3rArmorFirewallError: if something is wrong with the IP or port
"""
if not (ip and valid_ip(ip)):
raise Hyp3rArmorFirewallError(
"Not valid IP address: {}".format(ip))
if not (port and valid_port(port)):
raise Hyp3rArmorFirewallError("Not valid port: {}".format(port))
rule = iptc.Rule()
rule.src = str(ip) + "/32"
rule.protocol = "tcp"
rule.target = iptc.Target(rule, "ACCEPT")
m_dport = iptc.Match(rule, "tcp")
#iptc wants this as a string
m_dport.dport = str(port)
rule.add_match(m_dport)
m_state = iptc.Match(rule, "state")
m_state.state = "NEW"
return rule
def allow_loopback(chain: iptc.Chain) -> None:
"""Allow local loopback services"""
logger.debug('Allowing loopback packages...')
rule = iptc.Rule()
rule.target = iptc.Target(rule, 'ACCEPT')
rule.in_interface = 'lo'
ensure_rule(chain, rule)
def allowEstablished():
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'INPUT')
rule = iptc.Rule()
match = rule.create_match('state')
match.state = "RELATED,ESTABLISHED"
rule.target = iptc.Target(rule, 'ACCEPT')
chain.insert_rule(rule)
def allowLoopback():
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
rule = iptc.Rule()
rule.in_interface = "lo"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
chain.insert_rule(rule)
def drop():
# chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), Chain)
# rule = iptc.Rule()
# rule.protocol = protocol
# rule.in_interface = interface
# rule.add_match(match)
# match = iptc.Match(rule, "iprange")
# match.src_range = "192.168.1.100-192.168.1.200"
# match.dst_range = "172.22.33.106"
# rule.add_match(match)
# target = iptc.Target(rule, targets)
# rule.target = target
# chain.insert_rule(rule)
rule = iptc.Rule()
rule.protocol = protocol
match = iptc.Match(rule, protocol)
match.sport = source_port
match.dport = destination_port
rule.add_match(match)
match = iptc.Match(rule, "iprange")
match.src_range = source_Range
match.dst_range = destination_Range
rule.src = source
rule.dst = destination
rule.add_match(match)
rule.target = iptc.Target(rule, targets)
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), Chain)
chain.insert_rule(rule)
def test_rule_replace(self):
rule = iptc.Rule()
rule.protocol = "tcp"
rule.src = "127.0.0.1"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
self.chain.insert_rule(rule, 0)
rule = iptc.Rule()
rule.protocol = "udp"
rule.src = "127.0.0.1"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
self.chain.replace_rule(rule, 0)
self.failUnless(self.chain.rules[0] == rule)
def addToBlacklist(ip, port):
user = Blacklist(ip=ip, port=port)
try:
db.session.add(user)
db.session.commit()
if port != '*':
command = ("iptables -A INPUT -p tcp --sport {} -s {} -j DROP").format(str(port), str(ip))
if os.name == 'nt':
command = "netsh advfirewall firewall add rule name=IPblock dir=in protocol=tcp remoteip={} localport={} action=block".format(ip, port)
print(command)
os.system(command)
return "blocked"
else:
if os.name == 'nt':
command = "netsh advfirewall firewall add rule name=IPblock dir=in protocol=tcp remoteip={} action=block".format(ip)
print(command)
os.system(command)
return "blocked"
rule = iptc.Rule()
rule.protocol = 0
rule.src = str(ip)
target = iptc.Target(rule, "DROP")
rule.target = target
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
chain.insert_rule(rule)
return "blocked"
except sqlalchemy.exc.IntegrityError:
return "ip {} is already blocked on {} port".format(ip, port if port != '*' else "all")
def setUpCommon(self):
EnableObjStats()
SetTraceLevel(7)
self._ip = '127.0.0.1'
self._port = 8282
self._serverAddr = self._ip + ':' + str(self._port)
self._idle = 2
self._interval = 2
self._probe = 2
timeMargin = 1 # for the margin of error
self._timeout = self._idle + (self._interval *
self._probe) + timeMargin
# iptables -[A|D] OUTPUT -p tcp --sport $port -j DROP
self._chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'OUTPUT')
self._rule = iptc.Rule()
self._rule.protocol = 'tcp'
match = self._rule.create_match('tcp')
match.sport = str(self._port)
self._rule.target = iptc.Target(self._rule, 'DROP')
self._ioSvc = BasicIoService()
self._os = ObexServer(self.__class__.__name__, '', self._port,
self._ioSvc)
self._oc = ObexClient(self.__class__.__name__, self._ioSvc)
def createRule(cmdDic):
rule = iptc.Rule()
if cmdDic['-s'] != '':
rule.src = cmdDic['-s']
if cmdDic['-d'] != '':
rule.dst = cmdDic['-p']
if cmdDic['-p'] != '':
rule.protocol = cmdDic['-p']
match = iptc.Match(rule, cmdDic['-p'])
if cmdDic['-dport'] != '':
match.dport = cmdDic['-dport']
if cmdDic['-sport'] != '':
match.sport = cmdDic['-sport']
rule.add_match(match)
if cmdDic['-m'] != '':
match = iptc.Match(rule, cmdDic['-m'])
if cmdDic['-src-range'] != '':
match.src_range = cmdDic['-src-range']
if cmdDic['-dst-range'] != '':
match.dst_range = cmdDic['-dst-range']
rule.add_match(match)
if cmdDic['-j'] != '':
rule.target = iptc.Target(rule, cmdDic['-j'])
return rule
def rule_builder6(self):
self._rule6.target = iptc.Target(self._rule6, self._target)
log.debug('Set rule6 target: %s', self._rule6.target)
if self._proto:
self._rule6.protocol = self._proto
log.debug('Set rule6 proto: %s', self._rule6.protocol)
if self._ports:
self._rule6.create_match(self._rule6.protocol).dport = self._ports
log.debug('Set rule6 dport: %s', self._ports)
if self._sources:
self._rule6.src = ','.join([
ip.compressed for ip in self._sources
if isinstance(ip, IPv6Network)
])
log.debug('Set rule6 src: %s', self._rule6.src)
if self._dests:
self._rule6.dst = ','.join([
ip.compressed for ip in self._dests
if isinstance(ip, IPv6Network)
])
log.debug('Set rule6 src: %s', self._rule6.dst)
uid = str(uuid.uuid4())
m = self._rule6.create_match("comment")
m.comment = f"{Configuration.get('self-uuid')}-{uid}"
self._uuids.append(uid)
log.info('Built IPTables rule: %s', self._rule6)
def drop_udp_rule(self):
rule = iptc.Rule()
rule.in_interface = "eth0"
rule.src = self.ip
rule.protocol = "udp"
rule.target = iptc.Target(rule, "DROP")
return rule
def setMarking(self,
flowId,
table="mangle",
chain="POSTROUTING",
markId=None):
if not markId:
tcMgr = TrafficControl()
markId = tcMgr.generateMark()
rule = iptc.Rule()
if flowId.srcAddress:
rule.src = flowId.srcAddress
if flowId.dstAddress:
rule.dst = flowId.dstAddress
if flowId.prot:
rule.protocol = flowId.prot
match = iptc.Match(rule, flowId.prot)
if flowId.srcPort:
match.sport = flowId.srcPort
if flowId.dstPort:
match.dport = flowId.dstPort
rule.add_match(match)
target = iptc.Target(rule, "MARK")
target.set_mark = str(markId)
rule.target = target
chain = iptc.Chain(iptc.Table(table), chain)
chain.insert_rule(rule)
def allowEthernet():
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
rule = iptc.Rule()
rule.in_interface = "eth0"
target = iptc.Target(rule, "ACCEPT")
rule.target = target
chain.insert_rule(rule)
