#
# Copyright 2008
# Krzysztof A. Adamski <krzysztofa@gmail.com>
#
# This software may be freely redistributed under the terms of the GNU
# general public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

import re

# our modules
from func.minion.modules import func_module
from func.minion.modules.iptables.common import *

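class Port(func_module.FuncModule):
    """
    Install per-port ACCEPT/DROP/REJECT rules in the INPUT and OUTPUT chains.

    All six public methods take the same arguments: a port (number, service
    name or "low:high" range), an address (host, host/mask or hostname), a
    protocol and a direction ("dst" selects --dport, "src" selects --sport).
    Each method first hands "-D ..." rules for the two competing targets to
    clear_all() and then inserts the requested rule with "-I"; the return
    value is whatever the star-imported helper from iptables.common returns.

    Every argument is validated by _check_args() / parse_dir() before it is
    spliced into a command string, because these methods are reachable from
    the func overlord with caller-supplied values.

    NOTE(review): iptables reads a bare address as a /32 host match, so the
    default ip="0.0.0.0" matches only packets from/to the host 0.0.0.0, not
    "any host" as the original examples implied.  Pass "0.0.0.0/0" to match
    everything.  The default is kept unchanged so that rules installed by
    earlier versions are still found by the clear_all() calls.
    """

    # Update these if need be.
    version = "0.0.1"
    api_version = "0.0.1"
    description = "iptables 'port' submodule"

    # Each value below is interpolated into an iptables command line, so it
    # must be a single plain token.  Whitespace is rejected because
    # "80 -j ACCEPT" would smuggle extra iptables options past the caller's
    # intent, and shell metacharacters are rejected in case the helpers in
    # iptables.common run the command through a shell (not verifiable here).
    _PORT_RE = re.compile(r"[A-Za-z0-9_-]+(:[A-Za-z0-9_-]+)?\Z")  # port, service name or low:high
    _PROT_RE = re.compile(r"[A-Za-z0-9_-]+\Z")                   # protocol name or number
    _ADDR_RE = re.compile(r"[A-Za-z0-9._:/-]+\Z")                # host, host/mask or hostname

    @classmethod
    def _check_args(cls, port, ip, prot):
        """
        Return (port, ip, prot) as validated strings.

        Raises ValueError when a value is not a single safe iptables token.
        Ints are accepted for port (e.g. 80) as well as strings such as
        "80", "80:90" or "http"; addresses such as "10.0.0.1" or
        "192.168.0.0/24".
        """
        port, ip, prot = str(port), str(ip), str(prot)
        if not cls._PORT_RE.match(port):
            raise ValueError("Invalid port: %r" % port)
        if not cls._ADDR_RE.match(ip):
            raise ValueError("Invalid address: %r" % ip)
        if not cls._PROT_RE.match(prot):
            raise ValueError("Invalid protocol: %r" % prot)
        return port, ip, prot

    @classmethod
    def _match(cls, chain, addr_flag, port, ip, prot, direction):
        """
        Build the match part of a rule, e.g. "INPUT -p tcp --dport 80 -s 10.0.0.1".

        addr_flag is "-s" for INPUT rules and "-d" for OUTPUT rules.  All
        arguments are validated first so nothing unchecked reaches the
        command line.  Raises ValueError on a bad port/ip/prot or direction.
        """
        port, ip, prot = cls._check_args(port, ip, prot)
        letter = parse_dir(direction)
        return "%s -p %s --%sport %s %s %s" % (chain, prot, letter, port, addr_flag, ip)

    def drop_from(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
        """
        Drop incoming traffic matching the given port. Arguments:
         * port - destination/source port (number, service name or low:high)
         * ip - source address (host, host/mask or hostname)
         * prot - protocol (e.g. tcp/udp)
         * dir - "dst" to match the destination port, "src" the source port
        Raises ValueError if any argument is not a plain iptables token.
        Examples:
         * Drop all incoming traffic to local TCP port 80:
           > func '*' call iptables.port drop_from 80 0.0.0.0/0
         * Drop incoming traffic to local UDP port 53 from 192.168.0.0/24:
           > func '*' call iptables.port drop_from 53 192.168.0.0/24 udp
        """
        match = self._match("INPUT", "-s", port, ip, prot, dir)
        # Remove the competing verdicts for this match before inserting ours.
        clear_all("-D %s -j ACCEPT" % match)
        clear_all("-D %s -j REJECT" % match)
        # call_if_policy presumably only installs the rule when INPUT's
        # default policy is ACCEPT (a DROP rule is redundant otherwise).
        return call_if_policy("INPUT", "ACCEPT", "-I %s -j DROP" % match)

    def reject_from(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
        """
        Reject incoming traffic matching the given port. Arguments:
         * port - destination/source port (number, service name or low:high)
         * ip - source address (host, host/mask or hostname)
         * prot - protocol (e.g. tcp/udp)
         * dir - "dst" to match the destination port, "src" the source port
        Raises ValueError if any argument is not a plain iptables token.
        Examples:
         * Reject all incoming traffic to local TCP port 80:
           > func '*' call iptables.port reject_from 80 0.0.0.0/0
         * Reject incoming traffic to local UDP port 53 from 192.168.0.0/24:
           > func '*' call iptables.port reject_from 53 192.168.0.0/24 udp
        """
        match = self._match("INPUT", "-s", port, ip, prot, dir)
        clear_all("-D %s -j ACCEPT" % match)
        clear_all("-D %s -j DROP" % match)
        # REJECT differs from both default policies, so it is always installed.
        return call_iptables("-I %s -j REJECT" % match)

    def accept_from(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
        """
        Accept incoming traffic matching the given port. Arguments:
         * port - destination/source port (number, service name or low:high)
         * ip - source address (host, host/mask or hostname)
         * prot - protocol (e.g. tcp/udp)
         * dir - "dst" to match the destination port, "src" the source port
        Raises ValueError if any argument is not a plain iptables token.
        Examples:
         * Accept all incoming traffic to local TCP port 80:
           > func '*' call iptables.port accept_from 80 0.0.0.0/0
         * Accept incoming traffic to local UDP port 53 from 192.168.0.0/24:
           > func '*' call iptables.port accept_from 53 192.168.0.0/24 udp
        """
        match = self._match("INPUT", "-s", port, ip, prot, dir)
        clear_all("-D %s -j DROP" % match)
        clear_all("-D %s -j REJECT" % match)
        # Presumably only installed when INPUT's default policy is DROP.
        return call_if_policy("INPUT", "DROP", "-I %s -j ACCEPT" % match)

    def drop_to(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
        """
        Drop outgoing traffic matching the given port. Arguments:
         * port - destination/source port (number, service name or low:high)
         * ip - destination address (host, host/mask or hostname)
         * prot - protocol (e.g. tcp/udp)
         * dir - "dst" to match the destination port, "src" the source port
        Raises ValueError if any argument is not a plain iptables token.
        Examples:
         * Drop outgoing traffic to TCP port 80 on 192.168.0.1:
           > func '*' call iptables.port drop_to 80 192.168.0.1
         * Drop outgoing traffic from UDP port 53 to 192.168.0.0/24:
           > func '*' call iptables.port drop_to 53 192.168.0.0/24 udp src
        """
        match = self._match("OUTPUT", "-d", port, ip, prot, dir)
        clear_all("-D %s -j ACCEPT" % match)
        clear_all("-D %s -j REJECT" % match)
        # Presumably only installed when OUTPUT's default policy is ACCEPT.
        return call_if_policy("OUTPUT", "ACCEPT", "-I %s -j DROP" % match)

    def reject_to(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
        """
        Reject outgoing traffic matching the given port. Arguments:
         * port - destination/source port (number, service name or low:high)
         * ip - destination address (host, host/mask or hostname)
         * prot - protocol (e.g. tcp/udp)
         * dir - "dst" to match the destination port, "src" the source port
        Raises ValueError if any argument is not a plain iptables token.
        Examples:
         * Reject outgoing traffic to TCP port 80 on 192.168.0.1:
           > func '*' call iptables.port reject_to 80 192.168.0.1
         * Reject outgoing traffic from UDP port 53 to 192.168.0.0/24:
           > func '*' call iptables.port reject_to 53 192.168.0.0/24 udp src
        """
        match = self._match("OUTPUT", "-d", port, ip, prot, dir)
        clear_all("-D %s -j ACCEPT" % match)
        clear_all("-D %s -j DROP" % match)
        # REJECT differs from both default policies, so it is always installed.
        return call_iptables("-I %s -j REJECT" % match)

    def accept_to(self, port, ip="0.0.0.0", prot="tcp", dir="dst"):
        """
        Accept outgoing traffic matching the given port. Arguments:
         * port - destination/source port (number, service name or low:high)
         * ip - destination address (host, host/mask or hostname)
         * prot - protocol (e.g. tcp/udp)
         * dir - "dst" to match the destination port, "src" the source port
        Raises ValueError if any argument is not a plain iptables token.
        Examples:
         * Accept outgoing traffic to TCP port 80 on 192.168.0.1:
           > func '*' call iptables.port accept_to 80 192.168.0.1
         * Accept outgoing traffic from UDP port 53 to 192.168.0.0/24:
           > func '*' call iptables.port accept_to 53 192.168.0.0/24 udp src
        """
        match = self._match("OUTPUT", "-d", port, ip, prot, dir)
        clear_all("-D %s -j DROP" % match)
        clear_all("-D %s -j REJECT" % match)
        # Presumably only installed when OUTPUT's default policy is DROP.
        return call_if_policy("OUTPUT", "DROP", "-I %s -j ACCEPT" % match)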

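def parse_dir(dir):
    """
    Map a direction keyword to the letter used in the iptables port option.

    "dst" -> "d" (for --dport), "src" -> "s" (for --sport).  Any other value
    raises ValueError: the result is spliced straight into an iptables
    command line, so an unrecognised direction must never pass through.
    """
    # ValueError is a subclass of Exception, so callers that caught the old
    # generic Exception still do.  The old code raised exceptions.Exception,
    # but `exceptions` is not imported in this file (it only resolves if the
    # star import from iptables.common happens to export it, and the module
    # does not exist at all on Python 3).
    if dir == "dst":
        return "d"
    if dir == "src":
        return "s"
    raise ValueError("Wrong direction!")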