Re: [RFC] iptables module v2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Changes:
- added inventory(), dump(), save() and panic() methods
- added reject* methods
- some cleanups

Problems:
- panic() method sets iptables to drop all traffic. This means you
  can't get result from funcd (since the connection is droped too).
  Maybe it's not so good idea to have this method?

Please test and comment it.

---
 func/minion/modules/iptables/__init__.py |  149 ++++++++++++++++++++++++++++++
 func/minion/modules/iptables/common.py   |   56 +++++++++++
 func/minion/modules/iptables/port.py     |  137 +++++++++++++++++++++++++++
 3 files changed, 342 insertions(+), 0 deletions(-)
 create mode 100644 func/minion/modules/iptables/__init__.py
 create mode 100644 func/minion/modules/iptables/common.py
 create mode 100644 func/minion/modules/iptables/port.py

diff --git a/func/minion/modules/iptables/__init__.py b/func/minion/modules/iptables/__init__.py
new file mode 100644
index 0000000..11a9333
--- /dev/null
+++ b/func/minion/modules/iptables/__init__.py
@@ -0,0 +1,149 @@
+#
+# Copyright 2008
+# Krzysztof A. Adamski <krzysztofa@xxxxxxxxx>
+#
+# This software may be freely redistributed under the terms of the GNU
+# general public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# our modules
+from func.minion.modules import func_module
+from func.minion.modules.iptables.common import *
+
+IPTABLES_SAVE_FILE = "/etc/sysconfig/iptables"
+
+class Iptables(func_module.FuncModule):
+
+    # Update these if need be.
+    version = "0.0.1"
+    api_version = "0.0.1"
+    description = "iptables module"
+
+    def run(self, args):
+        """
+        Run 'iptables' command with arguments given. For example:
+          > func '*' call iptables run "-L INPUT"
+        """
+        return run_iptables(args)
+
+    def policy(self, chain="INPUT", policy=None):
+        """
+        Check/set default policy for the chain. Examples:
+          * Check default policy for INPUT chain:
+            > func '*' call iptables policy
+            or
+            > func '*' call iptables policy INPUT
+          * Set default policy for OUTPUT:
+            > func '*' call iptables policy OUTPUT DROP
+        """
+        if policy==None:
+            return check_policy(chain)
+        else:
+            return set_policy(chain, policy)
+
+    def flush(self, chain="INPUT"):
+        """
+        Flush the selected chain (or INPUT if none given).
+        """
+        return call_iptables("-F %s" % chain)
+
+    def zero(self, chain="INPUT"):
+        """
+        Zero counters in selected chain (or INPUT if none given).
+        """
+        return call_iptables("-Z %s" % chain)
+
+    def drop_from(self, ip):
+        """
+        Drop all incomming traffic from IP. Example:
+          > func '*' call iptables drop_from 192.168.0.10
+        """
+        clear_all("-D INPUT -s %s -j ACCEPT" % ip)
+        clear_all("-D INPUT -s %s -j REJECT" % ip)
+        return call_if_policy("INPUT", "ACCEPT", "-I INPUT -s %s -j DROP" % ip)
+
+    def reject_from(self, ip):
+        """
+        Reject all incoming traffic from IP. Example:
+          > func '*' call iptables reject_from 192.168.0.10
+        """
+        clear_all("-D INPUT -s %s -j ACCEPT" % ip)
+        clear_all("-D INPUT -s %s -j DROP" % ip)
+        return call_iptables("-I INPUT -s %s -j REJECT" % ip)
+
+    def accept_from(self, ip):
+        """
+        Accept all incoming traffic from IP. Example:
+          > func '*' call iptables accept_from 192.168.0.10
+        """
+        clear_all("-D INPUT -s %s -j DROP" % ip)
+        clear_all("-D INPUT -s %s -j REJECT" % ip)
+        return call_if_policy("INPUT", "DROP", "-I INPUT -s %s -j ACCEPT" % ip)
+
+    def drop_to(self, ip):
+        """
+        Drop all outgoing traffic to IP. Example:
+          > func '*' call iptables drop_to 192.168.0.10
+        """
+        clear_all("-D OUTPUT -d %s -j ACCEPT" % ip)
+        clear_all("-D OUTPUT -d %s -j REJECT" % ip)
+        return call_if_policy("INPUT", "ACCEPT", "-I OUTPUT -d %s -j DROP" % ip)
+
+    def reject_to(self, ip):
+        """
+        Drop all outgoing traffic to IP. Example:
+          > func '*' call iptables reject_to 192.168.0.10
+        """
+        clear_all("-D OUTPUT -d %s -j ACCEPT" % ip)
+        clear_all("-D OUTPUT -d %s -j DROP" % ip)
+        return call_iptables("-I OUTPUT -d %s -j REJECT" % ip)
+
+    def accept_to(self, ip):
+        """
+        Accept all outgoing traffic to IP. Example:
+          > func '*' call iptables accept_to 192.168.0.10
+        """
+        clear_all("-D OUTPUT -d %s -j DROP" % ip)
+        clear_all("-D OUTPUT -d %s -j REJECT" % ip)
+        return call_if_policy("INPUT", "DROP", "-I OUTPUT -d %s -j ACCEPT" % ip)
+
+    def inventory(self):
+        return self.dump()
+
+    def dump(self, counters=False):
+        """
+        Dump iptables configuration in iptables-save format.
+        """
+        args = []
+        if counters:
+            args.append("-c")
+
+        cmd = sub_process.Popen(["/sbin/iptables-save"] + args,
+                                executable="/sbin/iptables-save",
+                                stdout=sub_process.PIPE,
+                                stderr=sub_process.PIPE,
+                                shell=False)
+
+        data, error = cmd.communicate()
+
+        return data
+
+    def save(self, counters=False):
+        """
+        Save iptables state using '/sbin/iptables-save'. If counters=True,
+        save counters too.
+        TODO: maybe some locking?
+        """
+        f=open(IPTABLES_SAVE_FILE, 'w')
+        f.write(self.dump(counters))
+        f.close
+        return True
+
+    def panic(self):
+        self.flush("")
+        self.policy("INPUT", "DROP")
+        self.policy("OUTPUT", "DROP")
+        self.policy("FORWARD", "DROP")
diff --git a/func/minion/modules/iptables/common.py b/func/minion/modules/iptables/common.py
new file mode 100644
index 0000000..c5214f5
--- /dev/null
+++ b/func/minion/modules/iptables/common.py
@@ -0,0 +1,56 @@
+#
+# Copyright 2008
+# Krzysztof A. Adamski <krzysztofa@xxxxxxxxx>
+#
+# This software may be freely redistributed under the terms of the GNU
+# general public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# other modules
+import sub_process
+
+def run_iptables(args):
+    cmd = sub_process.Popen(["/sbin/iptables"] + args.split(),
+                            executable="/sbin/iptables",
+                            stdout=sub_process.PIPE,
+                            stderr=sub_process.PIPE,
+                            shell=False)
+
+    data, error = cmd.communicate()
+
+    results = []
+    for line in data.split("\n"):
+        tokens = line.split()
+        results.append(tokens)
+
+    return results
+
+def call_iptables(args):
+    return sub_process.call(["/sbin/iptables"] + args.split(),
+                            executable="/sbin/iptables",
+                            shell=False)
+
+def check_policy(chain):
+    ret = run_iptables("-L %s" % chain)
+    try:
+        if ret[0][2] == "(policy":
+            return ret[0][3][:-1]
+        else:
+            return False
+    except:
+        return False
+        
+def set_policy(chain, policy):
+    return call_iptables("-P %s %s" % (chain, policy) )
+
+def clear_all(arg):
+    while not call_iptables(arg): pass
+
+def call_if_policy(chain, policy, arg):
+    if check_policy(chain) == policy:
+        return call_iptables(arg)
+    else:
+        return 0
diff --git a/func/minion/modules/iptables/port.py b/func/minion/modules/iptables/port.py
new file mode 100644
index 0000000..49e5970
--- /dev/null
+++ b/func/minion/modules/iptables/port.py
@@ -0,0 +1,137 @@
+#
+# Copyright 2008
+# Krzysztof A. Adamski <krzysztofa@xxxxxxxxx>
+#
+# This software may be freely redistributed under the terms of the GNU
+# general public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# our modules
+from func.minion.modules import func_module
+from func.minion.modules.iptables.common import *
+
+class Port(func_module.FuncModule):
+
+    # Update these if need be.
+    version = "0.0.1"
+    api_version = "0.0.1"
+    description = "iptables 'port' submodule"
+
+    def drop_from(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
+        """
+        Drop all traffic comming from/to PORT. Arguments:
+         * port - destination/source port
+         * ip - source IP
+         * prot - protocol (e.g. tcp/udp)
+         * dir - direction, "dst" for matching destination port or "src" for matching source port
+        Examples:
+         * Drop all incoming traffic to local TCP port 80:
+           > func '*' call iptables.port drop_from 80
+         * Drop incomming traffic to local UDP port 53 from 192.168.0.0/24:
+           > func '*' call iptables.port drop_from 80 192.168.0.0/24 udp 
+        """
+        dir=parse_dir(dir)
+        clear_all("-D INPUT -p %s --%sport %s -s %s -j ACCEPT" % (prot, dir, port, ip) )
+        clear_all("-D INPUT -p %s --%sport %s -s %s -j REJECT" % (prot, dir, port, ip) )
+        return call_if_policy("INPUT", "ACCEPT", "-I INPUT -p %s --%sport %s -s %s -j DROP" % (prot, dir, port, ip) )
+
+    def reject_from(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
+        """
+        Drop all traffic comming from/to PORT. Arguments:
+         * port - destination/source port
+         * ip - source IP
+         * prot - protocol (e.g. tcp/udp)
+         * dir - direction, "dst" for matching destination port or "src" for matching source port
+        Examples:
+         * Drop all incoming traffic to local TCP port 80:
+           > func '*' call iptables.port drop_from 80
+         * Drop incomming traffic to local UDP port 53 from 192.168.0.0/24:
+           > func '*' call iptables.port drop_from 80 192.168.0.0/24 udp 
+        """
+        dir=parse_dir(dir)
+        clear_all("-D INPUT -p %s --%sport %s -s %s -j ACCEPT" % (prot, dir, port, ip) )
+        clear_all("-D INPUT -p %s --%sport %s -s %s -j DROP" % (prot, dir, port, ip) )
+        return call_iptables("-I INPUT -p %s --%sport %s -s %s -j REJECT" % (prot, dir, port, ip) )
+
+    def accept_from(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
+        """
+        Accept all traffic comming from/to PORT. Arguments:
+         * port - destination/source port
+         * ip - source IP
+         * prot - protocol (e.g. tcp/udp)
+         * dir - direction, "dst" for matching destination port or "src" for matching source port
+        Examples:
+         * Accept all incoming traffic to local TCP port 80:
+           > func '*' call iptables.port accept_from 80
+         * Accept incomming traffic to local UDP port 53 from 192.168.0.0/24:
+           > func '*' call iptables.port accept_from 80 192.168.0.0/24 udp 
+        """
+        dir=parse_dir(dir)
+        clear_all("-D INPUT -p %s --%sport %s -s %s -j DROP" % (prot, dir, port, ip) )
+        clear_all("-D INPUT -p %s --%sport %s -s %s -j REJECT" % (prot, dir, port, ip) )
+        return call_if_policy("INPUT", "DROP", "-I INPUT -p %s --%sport %s -s %s -j ACCEPT" % (prot, dir, port, ip) )
+
+    def drop_to(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
+        """
+        Drop all outgoing traffic going from/to PORT. Arguments:
+         * port - destination/source port
+         * ip - destination IP
+         * prot - protocol (e.g. tcp/udp)
+         * dir - direction, "dst" for matching destination port or "src" for matching source port
+        Examples:
+         * Drop outgoing traffic to TCP port 80 on 192.168.0.1:
+           > func '*' call iptables.port drop_to 80 192.168.0.1
+         * Drop outgoing traffic from UDP port 53 to 192.168.0.0/24:
+           > func '*' call iptables.port drop_to 53 192.168.0.0/24 udp src
+        """
+        dir=parse_dir(dir)
+        clear_all("-D OUTPUT -p %s --%sport %s -d %s -j ACCEPT" % (prot, dir, port, ip) )
+        clear_all("-D OUTPUT -p %s --%sport %s -d %s -j REJECT" % (prot, dir, port, ip) )
+        return call_if_policy("OUTPUT", "ACCEPT", "-I OUTPUT -p %s --%sport %s -d %s -j DROP" % (prot, dir, port, ip) )
+
+    def reject_to(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
+        """
+        Drop all outgoing traffic going from/to PORT. Arguments:
+         * port - destination/source port
+         * ip - destination IP
+         * prot - protocol (e.g. tcp/udp)
+         * dir - direction, "dst" for matching destination port or "src" for matching source port
+        Examples:
+         * Drop outgoing traffic to TCP port 80 on 192.168.0.1:
+           > func '*' call iptables.port drop_to 80 192.168.0.1
+         * Drop outgoing traffic from UDP port 53 to 192.168.0.0/24:
+           > func '*' call iptables.port drop_to 53 192.168.0.0/24 udp src
+        """
+        dir=parse_dir(dir)
+        clear_all("-D OUTPUT -p %s --%sport %s -d %s -j ACCEPT" % (prot, dir, port, ip) )
+        clear_all("-D OUTPUT -p %s --%sport %s -d %s -j DROP" % (prot, dir, port, ip) )
+        return call_iptables("-I OUTPUT -p %s --%sport %s -d %s -j REJECT" % (prot, dir, port, ip) )
+
+    def accept_to(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
+        """
+        Accept all outgoing traffic going from/to PORT. Arguments:
+         * port - destination/source port
+         * ip - destination IP
+         * prot - protocol (e.g. tcp/udp)
+         * dir - direction, "dst" for matching destination port or "src" for matching source port
+        Examples:
+         * Accept outgoing traffic to TCP port 80 on 192.168.0.1:
+           > func '*' call iptables.port accept_to 80 192.168.0.1
+         * Accept outgoing traffic from UDP port 53 to 192.168.0.0/24:
+           > func '*' call iptables.port accept_to 53 192.168.0.0/24 udp src
+        """
+        dir=parse_dir(dir)
+        clear_all("-D OUTPUT -p %s --%sport %s -d %s -j DROP" % (prot, dir, port, ip) )
+        clear_all("-D OUTPUT -p %s --%sport %s -d %s -j REJECT" % (prot, dir, port, ip) )
+        return call_if_policy("OUTPUT", "DROP", "-I OUTPUT -p %s --%sport %s -d %s -j ACCEPT" % (prot, dir, port, ip) )
+
+def parse_dir(dir):
+    if (dir == "dst"):
+        return "d"
+    elif (dir == "src"):
+        return "s"
+    else:
+        raise exceptions.Exception("Wrong direction!")

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list

[Index of Archives]     [Fedora Users]     [Linux Networking]     [Fedora Legacy List]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]

  Powered by Linux