Difference between revisions of "NAD810 Lab2 Firewall Python"
(New page: This is the NAD810 Lab 2 example firewall script translated from bash to Python. <pre>#!/usr/bin/python #Converted by Gregory Masseau, 4 Feb 2009. from os import system ##################...) |
|||
Line 2: | Line 2: | ||
<pre>#!/usr/bin/python | <pre>#!/usr/bin/python | ||
− | #Converted by | + | #Converted by Katherine Masseau, 4 Feb 2009. |
from os import system | from os import system | ||
############################################################################### | ############################################################################### |
Latest revision as of 22:41, 16 July 2012
This is the NAD810 Lab 2 example firewall script translated from bash to Python.
#!/usr/bin/python #Converted by Katherine Masseau, 4 Feb 2009. from os import system ############################################################################### # Settings ############################################################################### iptables = "/sbin/iptables" modprobe = "/sbin/modprobe" inet = "192.168.10.0/24" # Active rule sequence def activerulesequence(): return [rs_flushRules ,rs_connTrack ,rs_input ,rs_output ,rs_forward ,rs_nat ,rs_forwarding] ############################################################################### # Functions ############################################################################### def mapmap(f,l): return map(liftl(f),l) def fix1of2(f,x): return lambda y: f(x,y) def modprobeMaker(mp): return lambda *s: liftsys(mp+" "+(" ".join(s))) def fwruleMaker(it): return lambda *s: liftsys(it+" "+(" ".join(s))) def cmdMaker(): return lambda *s: liftsys(" ".join(s)) def headapplytailmap(l,r): return lambda x: [l(x[0])]+r(x[1:]) def liftl(f): return lambda l: map(f,l) def liftp(s): return lambda: prnt(s) def liftmsg(s): return liftp("[+] "+s) def liftsys(s): return lambda: system(s) def prnt(s): print s modprobes = headapplytailmap(liftmsg,liftl(modprobeMaker(modprobe))) rules = headapplytailmap(liftmsg,liftl( fwruleMaker(iptables))) cmds = headapplytailmap(liftmsg,liftl( cmdMaker())) ############################################################################### # Firewall Rules ############################################################################### #Flush old rules and set default DROP policies rs_flushRules = rules( ["Flushing old rules and setting default DROP policy on all chains..." ,"-F" ,"-F -t nat" ,"-X" ,"-P INPUT DROP" ,"-P OUTPUT DROP" ,"-P FORWARD DROP"]) #Conntrack rs_connTrack = modprobes( ["Loading connection tracking modules..." # ,"ip_conntrack" ,"iptable_nat" ,"ip_conntrack_ftp" ,"ip_nat_ftp"]) #Input rules rs_input = [liftmsg("Setting up INPUT chain...")] + rules( ["- State tracking rules." ,"-A INPUT -m state --state INVALID -j LOG --log-prefix 'DROP INVALID ' --log-ip-options --log-tcp-options" ,"-A INPUT -m state --state INVALID -j DROP" ,"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]) + rules( ["- Anti-spoofing rules" ,"-A INPUT -i eth1 -s ! "+inet+" -j LOG --log-prefix 'SPOOFED PKT '" ,"-A INPUT -i eth1 -s ! "+inet+" -j DROP"])+ rules( ["- ACCEPT rules" ,"-A INPUT -i eth1 -p tcp -s "+inet+" --dport 22 --syn -m state --state NEW -j ACCEPT" ,"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"]) + rules( ["- Default INPUT LOG rule" ,"-A INPUT -i ! lo -j LOG --log-prefix 'DROP ' --log-ip-options --log-tcp-options"]) #Output rules rs_output = [liftmsg("Setting up OUTPUT chain...")] + rules( ["- State tracking rules." ,"-A OUTPUT -m state --state INVALID -j LOG --log-prefix 'DROP INVALID ' --log-ip-options --log-tcp-options" ,"-A OUTPUT -m state --state INVALID -j DROP" ,"-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]) + rules( ["- ACCEPT rules for allowing connections out." ,"-A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT" ,"-A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT" ,"-A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT" ,"-A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT" ,"-A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT" ,"-A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT" ,"-A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT" ,"-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT" ,"-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT" ,"-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT"]) + rules( ["- Default OUTPUT LOG rule." ,"-A OUTPUT -o ! lo -j LOG --log-prefix 'DROP ' --log-ip-options --log-tcp-options"]) #Forward rules rs_forward = [liftmsg("Setting up FORWARD chain...")] + rules( ["- State tracking rules..." ,"-A FORWARD -m state --state INVALID -j LOG --log-prefix 'DROP INVALID ' --log-ip-options --log-tcp-options" ,"-A FORWARD -m state --state INVALID -j DROP" ,"-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]) + rules( ["- Anti-spoofing rules." ,"-A FORWARD -i eth1 -s ! "+inet+" -j LOG --log-prefix 'SPOOFED PKT '" ,"-A FORWARD -i eth1 -s ! "+inet+" -j DROP"]) + rules( ["- ACCEPT rules" ,"-A FORWARD -p tcp -i eth1 -s "+inet+" --dport 21 --syn -m state --state NEW -j ACCEPT" ,"-A FORWARD -p tcp -i eth1 -s "+inet+" --dport 22 --syn -m state --state NEW -j ACCEPT" ,"-A FORWARD -p tcp -i eth1 -s "+inet+" --dport 25 --syn -m state --state NEW -j ACCEPT" ,"-A FORWARD -p tcp -i eth1 -s "+inet+" --dport 43 --syn -m state --state NEW -j ACCEPT" ,"-A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT" ,"-A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT" ,"-A FORWARD -p tcp -i eth1 -s "+inet+" --dport 4321 --syn -m state --state NEW -j ACCEPT" ,"-A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT" ,"-A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT" ,"-A FORWARD -p icmp --icmp-type echo-request -j ACCEPT"]) + rules( ["- Default LOG rule." ,"-A FORWARD -i ! lo -j LOG --log-prefix 'DROP ' --log-ip-options --log-tcp-options"]) #Enable NAT rs_nat = rules( ["Setting up NAT rules..." ,"-t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.10.3:80" ,"-t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.10.3:443" ,"-t nat -A PREROUTING -p udp --dport 53 -i eth0 -j DNAT --to 192.168.10.4:53" ,"-t nat -A POSTROUTING -s "+inet+" -o eth0 -j MASQUERADE"]) #Enable forwarding rs_forwarding = cmds( ["Enabling IP forwarding..." ,"echo 1 > /proc/sys/net/ipv4/ip_forward"]) ############################################################################### # MAIN ############################################################################### if __name__=="__main__": mapmap(apply,activerulesequence())