#!/usr/bin/env python
###########################################
# Linux Firewall Management Pkg
###########################################
# homepage:
# author: neo chen
# nickname: netkiller
###########################################
import os, sys
import types
class Service():
def __init__(self):
pass
def name(self):
pass
def protocol(self):
pass
def port(self, src, dst):
pass
class Address():
def __init__(self):
pass
class Firewall(Service, Address):
INPUT = 'INPUT'
OUTPUT = 'OUTPUT'
FORWARD = 'FORWARD'
PREROUTING = 'PREROUTING'
POSTROUTING = 'POSTROUTING'
ACCEPT = 'ACCEPT'
DROP = 'DROP'
REJECT = 'REJECT'
#
def __init__(self):
self.accesslist = []
self.match = []
self.nic = []
self.iptables = 'iptables'
self.A = ''
self.p = ''
self.src = ''
self.dst = ''
self.port = ''
self.ip = ''
self.m = ''
self.err = True
#self.clear()
def clear(self):
self.match = []
self.nic = []
self.A = ''
self.p = ''
self.src = ''
self.dst = ''
self.port = ''
self.ip = ''
self.m = ''
self.err = True
#
def flush(self):
self.accesslist.append('iptables -F')
self.accesslist.append('iptables -F -t nat')
self.accesslist.append('iptables -F -t filter')
self.accesslist.append('iptables -t nat -P PREROUTING ACCEPT')
self.accesslist.append('iptables -t nat -P POSTROUTING ACCEPT')
def policy(self,chain = None, target = None):
if chain and target:
self.accesslist.append('iptables -P '+chain+' '+target)
else:
self.accesslist.append('iptables -P INPUT ACCEPT')
self.accesslist.append('iptables -P OUTPUT ACCEPT')
self.accesslist.append('iptables -P FORWARD ACCEPT')
pass
def chain(self,tmp):
if tmp in ('INPUT', 'OUTPUT', 'FORWARD', 'PREROUTING', 'POSTROUTING'):
self.A = '-A ' + tmp
self.err = False
else:
self.A = None
self.err = True
return( self )
def input(self):
return self.chain('INPUT')
def output(self):
return self.chain('OUTPUT')
def forward(self):
return self.chain('FORWARD')
def inside(self):
return self.chain('OUTPUT')
def outside(self):
return self.chain('INPUT')
def trust(self):
return self.chain('OUTPUT')
def untrust(self):
return self.chain('INPUT')
def interface(self,inter, name):
if inter and name:
self.nic.append(inter + ' ' + name)
return( self )
#
def inbound(self,tmp):
if tmp:
self.interface('-i', tmp)
return( self )
def outbound(self,tmp):
if tmp:
self.interface('-o', tmp)
return( self )
def protocol(self,tmp):
if tmp in ('tcp', 'udp', 'icmp','gre'):
self.p = "-p " + tmp
else:
self.p = ''
return( self )
def proto(self,tmp):
return self.protocol(tmp)
def source(self, src):
if src :
self.src = "-s " + src
else:
self.src = ''
return( self )
def destination(self, dst):
if dst:
self.dst = "-d " + dst
else:
self.dst = ''
return( self )
#
def state(self, tmp):
if type(tmp) == types.StringType:
self.match.append('-m state --state ' + tmp)
elif type(tmp) == types.TupleType:
self.match.append('-m state --state ' + ','.join(tmp))
else:
pass
return( self )
def string(self, tmp):
if tmp:
self.match.append('-m string --string "' +tmp+'"')
else:
pass
return( self )
def time(self, start, stop, days):
if start and stop and days:
self.match.append('-m time --timestart '+start+' --timestop '+stop+' --days ' +days+' ')
else:
pass
return( self )
def connlimit(self, tmp):
if tmp:
self.match.append('-m connlimit --connlimit-above ' +str(tmp)+'')
else:
pass
return( self )
def sport(self,tmp):
if type(tmp) == types.StringType:
self.match.append('--sports ' + tmp)
elif type(tmp) == types.TupleType:
self.match.append('-m multiport --sports ' + ','.join(tmp))
else:
pass
return( self )
def dport(self,tmp):
if type(tmp) == types.StringType:
self.match.append('--dports ' + tmp)
elif type(tmp) == types.TupleType:
self.match.append('-m multiport --dports ' + ','.join(tmp))
else:
pass
return( self )
#
def target(self, targetname, desc = None):
if targetname in ('ACCEPT', 'DROP', 'REJECT', 'RETURN', 'QUEUE', 'MASQUERADE'):
self.acl_line = []
self.acl_line.append(self.iptables)
if self.A: self.acl_line.append(self.A)
if self.nic: self.acl_line.append(' '.join(self.nic))
if self.p: self.acl_line.append(self.p)
if self.src: self.acl_line.append(self.src)
if self.dst: self.acl_line.append(self.dst)
if self.match: self.acl_line.append(' '.join(self.match))
self.acl_line.append('-j ' + targetname)
if desc:
self.acl_line.append(desc)
if self.err:
acsess_list = '# ' + ' '.join(self.acl_line)
else:
acsess_list = ' '.join(self.acl_line)
self.accesslist.append(acsess_list)
self.clear()
def accept(self,desc = None):
self.target('ACCEPT', desc)
def reject(self,desc = None):
self.target('REJECT', desc)
def drop(self,desc = None):
self.target('DROP', desc)
def masquerade(self):
self.target('MASQUERADE')
def show(self):
#self.iptables
print('\n'.join(self.accesslist))
#
single = Firewall()
single.flush()
single.policy()
single.policy(single.INPUT,single.DROP)
single.chain('INPUT').accept('sss')
single.interface('-i',"eth0").accept('# error test')
single.chain('INPUT').interface('-i',"eth0").accept('# ok test')
single.chain('OUTPUT').interface('-o',"eth0").protocol('icmp').accept()
single.output().interface('-i',"eth0").protocol('tcp').accept('')
single.chain('OUTPUT').inbound("eth0").protocol('tcp').source('172.16.1.0/24').accept('')
single.chain('OUTPUT').outbound("eth0").protocol('tcp').destination('172.16.1.1').accept('')
single.chain('FORWARD').inbound("eth0").outbound("eth0").protocol('tcp').source('172.16.1.0/24').destination('172.16.1.1').accept()
single.input().interface('-i',"eth0").protocol('tcp').state('NEW').accept()
single.chain('INPUT').interface('-i',"eth0").protocol('tcp').state('NEW').dport('21').accept()
single.chain('INPUT').inbound("eth0").protocol('tcp').state('NEW').dport(('3306','1152','5432')).accept('multiport test')
#
single.forward().source("172.16.0.1/24").protocol('tcp').string('***').accept()
single.forward().dport("53").protocol('udp').time('8:00','18:00','Mon,Tue,Wed,Thu,Fri,Sat').accept()
single.forward().proto('udp').dport("53").string('movie').time('8:00','18:00','Mon,Tue,Wed,Thu,Fri,Sat').accept()
single.input().inbound('ppp0').connlimit(20).drop()
single.forward().reject('--reject-with icmp-host-prohibited')
single.show()
#
########################################
# Linux Style
########################################
gateway = Firewall()
gateway.input().drop()
gateway.output().accept()
gateway.inside().state(('RELATED','ESTABLISHED')).accept('# match test')
gateway.chain('POSTROUTING').inbound("ppp0").source('172.16.0.0/24').masquerade()
#gateway.show()
#
########################################
# Cisco ASA Style
########################################
gateway = Firewall()
gateway.inside().accept()
gateway.inside().state(('RELATED','ESTABLISHED')).accept('# match test')
gateway.outside().drop()
#gateway.show()
#
########################################
# Juniper JunOS Style
########################################
gateway = Firewall()
gateway.trust().accept()
gateway.untrust().drop()
#gateway.show()
#
阅读(282) | 评论(1) | 转发(0) |
