def start(self, **args): print("adding rule icmp") rule = Rule() rule.create_target("ACCEPT") rule.protocol = "icmp" icmp_match = rule.create_match("icmp") icmp_match.set_parameter("icmp-type", "8") comment_match = rule.create_match("comment") comment_match.comment = self.identifier + ":icmp" self.input_chain.append_rule(rule) # Top rule should be to allow related, established connections. related_rule = self.create_conntrack_rule("ACCEPT", "ctstate", "RELATED,ESTABLISHED") self.input_chain.insert_rule(related_rule) # Drop igmp packets before logging. drop_igmp_rule = Rule() drop_igmp_rule.create_target("DROP") drop_igmp_rule.protocol = "igmp" self.input_chain.append_rule(drop_igmp_rule) # Log all that is refused in INPUT chain. log_rule = self.create_log_rule("not in allowed services", group="1") self.input_chain.append_rule(log_rule) # Drop invalid packets - as diagnosed by the conntrack processor. # Note that this rule is useless because packets would be dropped anyway. invalid_rule = self.create_conntrack_rule("DROP", "ctstate", "INVALID") self.input_chain.append_rule(invalid_rule) super().start(**args) # commits the table if relevant
def create_rule(self, name, target, dst="", dport="", src="", sport="", proto="", siface="", diface=""): """create and return a rule (or two if no proto given). name can be any string target is a string saying what to do, like "ACCEPT", "DENY", "DROP", "LOG" proto (if not defined, is assumed both udp and tcp) src is a realm in the form XXX.XXX.XXX.XXX/YY sport is source port. Currently ignored dst is a realm in the same form as src dport is destination port siface is the source interface diface is the destination interface """ #print("adding rule %s" % name) if (dport or sport) and not proto: return [ self.create_rule(name, target, dst, dport, src, sport, proto, siface, diface) for proto in ("tcp", "udp") ] rule = Rule() rule.create_target(target) if dst: rule.dst = dst if dport: proto_match = rule.create_match(proto) proto_match.dport = str(dport) rule.protocol = proto if diface: rule.in_interface = diface if src: if src.count("-"): iprange_match = rule.create_match("iprange") iprange_match.src_range = src rule.add_match(iprange_match) else: rule.src = src if sport: proto_match = rule.create_match(proto) proto_match.sport = str(sport) rule.protocol = proto if siface: rule.out_interface = siface # Add a signature as a comment. comment_match = rule.create_match("comment") comment_match.comment = self.identifier + ":" + name rule.final_check() return rule
def _build_iptables_drop_rule(self, port): rule = Rule() rule.protocol = "tcp" match = rule.create_match("tcp") match.dport = str(port) target = rule.create_target("DROP") chain = Chain(Table(Table.FILTER), "INPUT") return chain, rule
def _get_base_rule(self, match): rule = Rule() rule.protocol = match.ip_proto_num rule.dst = "%s/%s" % (match.dst_ip, match.netmask) if match.dst_port != 0: ipt_match = IPT_Match(rule, self._prot_port_supp[match.ip_proto_num]) ipt_match.dport = str(match.dst_port) rule.add_match(ipt_match) return rule
def _build_iptables_accept_rule(self, port, client): src, src_port = client rule = Rule() rule.protocol = "tcp" rule.src = src match = rule.create_match("tcp") match.dport = str(port) match.sport = str(src_port) target = rule.create_target("ACCEPT") chain = Chain(Table(Table.FILTER), "INPUT") return chain, rule
def insert_rule(self): if not self.rule: rule = Rule() rule.protocol = 'tcp' rule.target = rule.create_target(self.target) match = rule.create_match('comment') match.comment = self._comment match = rule.create_match('set') match.match_set = [self.ipset_name, self.match_set_flag] self.rule = rule log.info( '''Inserting a rule with target %s into chain %s (table %s) for ipset "%s" (with comment "%s", rule position: %s)''', self.target, self.chain_name, self.table_name, self.ipset_name, self._comment, self.rule_pos) self.chain.insert_rule(rule, position=self.rule_pos)