

NAD810 Lab2 Firewall Python


This is the NAD810 Lab 2 example firewall script translated from bash to Python.

#!/usr/bin/python
#Converted by Katherine Masseau, 4 Feb 2009.
from os import system
###############################################################################
# Settings
###############################################################################
# Absolute paths of the binaries every rule/module command is built around.
modprobe  = "/sbin/modprobe"
iptables  = "/sbin/iptables"
# Trusted internal network.  The anti-spoofing rules and the source-restricted
# ACCEPT rules below only admit traffic on eth1 whose source lies in this range.
inet      = "192.168.10.0/24"
# Active rule sequence
def activerulesequence():
  """Return the rule sets to apply, in execution order.

  The order is deliberate: the tables are flushed and given DROP policies
  first, the conntrack modules are loaded before any state-matching rule
  is added, and IP forwarding is switched on last, after the FORWARD chain
  has been populated, so nothing is routed through an empty chain.
  """
  sequence = [rs_flushRules, rs_connTrack]
  sequence += [rs_input, rs_output, rs_forward]
  sequence += [rs_nat, rs_forwarding]
  return sequence
###############################################################################
# Functions
###############################################################################
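def mapmap(f,l):
  """Apply f to every element of every inner list of l.

  Returns a list of per-inner-list results.  The outer map is wrapped in
  list() so the calls run eagerly whether map() is eager (Python 2) or
  lazy (Python 3); on Python 2 this is a no-op copy of the same list.
  """
  return list(map(liftl(f),l))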
def fix1of2(f,x):
  """Partially apply the two-argument function f to its first argument x."""
  def bound(y):
    return f(x,y)
  return bound
def modprobeMaker(mp):
  """Return a builder that turns module names into a deferred `mp <names>` call.

  The builder joins its arguments with single spaces after the modprobe
  path and hands the resulting command line to liftsys, so nothing runs
  until the returned thunk is invoked.
  """
  def build(*s):
    cmdline = mp + " " + " ".join(s)
    return liftsys(cmdline)
  return build
def fwruleMaker(it):
  """Return a builder that turns rule fragments into a deferred `it <fragments>` call.

  it is the iptables path; the fragments are joined with single spaces and
  passed to liftsys, so the rule is only installed when the thunk runs.
  """
  def build(*s):
    cmdline = it + " " + " ".join(s)
    return liftsys(cmdline)
  return build
def cmdMaker():
  """Return a builder that joins its arguments into one deferred shell command.

  Unlike modprobeMaker/fwruleMaker there is no fixed binary prefix: the
  arguments themselves form the whole command line given to liftsys.
  """
  def build(*s):
    return liftsys(" ".join(s))
  return build
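def headapplytailmap(l,r):
  """Build a function that applies l to a list's head and r to its tail.

  The result is [l(head)] + list(r(tail)).  r is expected to return an
  iterable; wrapping it in list() keeps the concatenation valid when r
  hands back an iterator (as map() does on Python 3) and is a no-op copy
  when it already returns a list.  The input must be non-empty: an empty
  list raises IndexError on x[0].
  """
  def split(x):
    return [l(x[0])] + list(r(x[1:]))
  return split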
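def liftl(f):
  """Lift f to act on a whole list, returning a list of results.

  The map is materialised with list() so callers that concatenate the
  result with another list keep working on Python 3, where map() is lazy;
  on Python 2 this is a no-op copy.
  """
  return lambda l: list(map(f,l))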
def liftp(s):
  """Defer printing s: return a thunk that prints it (via prnt) when called."""
  def show():
    return prnt(s)
  return show
def liftmsg(s):
  """Defer a progress message: s is printed with a "[+] " prefix when the thunk runs."""
  tagged = "[+] " + s
  return liftp(tagged)
def liftsys(s):
  """Defer a shell command: return a thunk that runs s via os.system().

  The thunk returns system()'s exit status.  s is handed to the shell as a
  single command line, so it must be assembled only from the constants in
  this file (binary paths, rule strings, inet), never from runtime input.
  """
  def run():
    return system(s)
  return run
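def prnt(s):
  """Print s on its own line; returns None.

  Written in call form, which is valid on Python 2 (the parentheses around
  a single argument are a no-op there) as well as on Python 3, where the
  original `print s` statement is a syntax error.
  """
  print(s)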
# List processors: each turns the first element of a list into a deferred
# "[+]" progress message and every following element into a deferred command
# (a modprobe, an iptables rule, or a bare shell command respectively).
cmds      = headapplytailmap(liftmsg, liftl(cmdMaker()))
rules     = headapplytailmap(liftmsg, liftl(fwruleMaker(iptables)))
modprobes = headapplytailmap(liftmsg, liftl(modprobeMaker(modprobe)))
###############################################################################
# Firewall Rules
###############################################################################
#Flush old rules and set default DROP policies
rs_flushRules = rules([
  "Flushing old rules and setting default DROP policy on all chains...",
  # Empty the filter and nat tables and delete user-defined chains, then
  # make every built-in filter chain DROP by default so that only the
  # explicit ACCEPT rules installed later let traffic through.
  "-F",
  "-F -t nat",
  "-X",
  "-P INPUT DROP",
  "-P OUTPUT DROP",
  "-P FORWARD DROP",
])
#Conntrack
rs_connTrack = modprobes([
  "Loading connection tracking modules...",
  # "ip_conntrack" was left commented out in the original list.
  # NOTE(review): these are the pre-nf_conntrack module names; on current
  # kernels the FTP helpers are nf_conntrack_ftp / nf_nat_ftp.  This rule
  # set does not itself check whether a modprobe succeeded, so a missing
  # module would go unnoticed here -- confirm against the target kernel.
  "iptable_nat",
  "ip_conntrack_ftp",
  "ip_nat_ftp",
])
#Input rules
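# INPUT chain.  Negations are written before the option ("! -s", "! -i");
# the older intrapositioned form ("-s !") is reported as deprecated by
# iptables 1.4.x and later, with identical meaning.
rs_input = [liftmsg("Setting up INPUT chain...")] + rules([
  "- State tracking rules.",
  # Log, then drop, packets conntrack cannot classify; accept replies to
  # connections already allowed.
  "-A INPUT -m state --state INVALID -j LOG --log-prefix 'DROP INVALID ' --log-ip-options --log-tcp-options",
  "-A INPUT -m state --state INVALID -j DROP",
  "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
]) + rules([
  "- Anti-spoofing rules",
  # Packets arriving on the LAN interface with a non-LAN source are spoofed.
  "-A INPUT -i eth1 ! -s "+inet+" -j LOG --log-prefix 'SPOOFED PKT '",
  "-A INPUT -i eth1 ! -s "+inet+" -j DROP",
]) + rules([
  "- ACCEPT rules",
  # New SSH sessions are admitted only from the trusted LAN on eth1.
  "-A INPUT -i eth1 -p tcp -s "+inet+" --dport 22 --syn -m state --state NEW -j ACCEPT",
  "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT",
]) + rules([
  "- Default INPUT LOG rule",
  # Whatever reaches the end of the chain is logged (except on lo) and then
  # dropped by the INPUT policy.
  # NOTE(review): there is no explicit ACCEPT for -i lo, so a NEW
  # connection over loopback is dropped by that policy -- confirm this is
  # intended.
  "-A INPUT ! -i lo -j LOG --log-prefix 'DROP ' --log-ip-options --log-tcp-options",
])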
#Output rules
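# OUTPUT chain.  The final LOG rule uses the extrapositioned negation
# ("! -o lo"); the older "-o !" form is reported as deprecated by iptables
# 1.4.x and later, with identical meaning.
rs_output = [liftmsg("Setting up OUTPUT chain...")] + rules([
  "- State tracking rules.",
  "-A OUTPUT -m state --state INVALID -j LOG --log-prefix 'DROP INVALID ' --log-ip-options --log-tcp-options",
  "-A OUTPUT -m state --state INVALID -j DROP",
  "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
]) + rules([
  "- ACCEPT rules for allowing connections out.",
  # Outbound TCP is limited to this port list; only the initial SYN of a
  # NEW connection needs to match, later packets are covered by the
  # ESTABLISHED,RELATED rule above.
  "-A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT",
  "-A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT",
  "-A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT",
  "-A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT",
  "-A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT",
  "-A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT",
  "-A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT",
  "-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT",
  "-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT",
  "-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT",
]) + rules([
  "- Default OUTPUT LOG rule.",
  # Anything else leaving on a non-loopback interface is logged before the
  # OUTPUT policy drops it.
  # NOTE(review): as in INPUT, nothing ACCEPTs -o lo explicitly, so NEW
  # loopback connections fall through to the DROP policy -- confirm.
  "-A OUTPUT ! -o lo -j LOG --log-prefix 'DROP ' --log-ip-options --log-tcp-options",
])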
#Forward rules
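# FORWARD chain.  Negations are written before the option ("! -s", "! -i");
# the older intrapositioned form is reported as deprecated by iptables 1.4.x
# and later, with identical meaning.
rs_forward = [liftmsg("Setting up FORWARD chain...")] + rules([
  "- State tracking rules...",
  "-A FORWARD -m state --state INVALID -j LOG --log-prefix 'DROP INVALID ' --log-ip-options --log-tcp-options",
  "-A FORWARD -m state --state INVALID -j DROP",
  "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
]) + rules([
  "- Anti-spoofing rules.",
  # Forwarded packets entering on the LAN interface must carry a LAN source.
  "-A FORWARD -i eth1 ! -s "+inet+" -j LOG --log-prefix 'SPOOFED PKT '",
  "-A FORWARD -i eth1 ! -s "+inet+" -j DROP",
]) + rules([
  "- ACCEPT rules",
  # Ports 21/22/25/43/4321 may only be opened from the trusted LAN on eth1.
  # 80, 443 and 53 are not tied to eth1 or to inet, which is what also lets
  # the inbound connections DNAT'ed in rs_nat reach the internal hosts.
  "-A FORWARD -p tcp -i eth1 -s "+inet+" --dport 21 --syn -m state --state NEW -j ACCEPT",
  "-A FORWARD -p tcp -i eth1 -s "+inet+" --dport 22 --syn -m state --state NEW -j ACCEPT",
  "-A FORWARD -p tcp -i eth1 -s "+inet+" --dport 25 --syn -m state --state NEW -j ACCEPT",
  "-A FORWARD -p tcp -i eth1 -s "+inet+" --dport 43 --syn -m state --state NEW -j ACCEPT",
  "-A FORWARD -p tcp --dport 80  --syn -m state --state NEW -j ACCEPT",
  "-A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT",
  "-A FORWARD -p tcp -i eth1 -s "+inet+" --dport 4321 --syn -m state --state NEW -j ACCEPT",
  "-A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT",
  "-A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT",
  "-A FORWARD -p icmp --icmp-type echo-request -j ACCEPT",
]) + rules([
  "- Default LOG rule.",
  # Unmatched forwarded traffic is logged and then dropped by the FORWARD policy.
  "-A FORWARD ! -i lo -j LOG --log-prefix 'DROP ' --log-ip-options --log-tcp-options",
])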
#Enable NAT
rs_nat = rules([
  "Setting up NAT rules...",
  # Inbound HTTP/HTTPS on the external interface are redirected to
  # 192.168.10.3 and inbound DNS to 192.168.10.4; these hosts are only
  # reachable because rs_forward accepts ports 80/443/53 regardless of
  # ingress interface.
  "-t nat -A PREROUTING -p tcp --dport 80  -i eth0 -j DNAT --to 192.168.10.3:80",
  "-t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.10.3:443",
  "-t nat -A PREROUTING -p udp --dport 53  -i eth0 -j DNAT --to 192.168.10.4:53",
  # Outbound LAN traffic leaving on eth0 is source-NATed to the external address.
  "-t nat -A POSTROUTING -s "+inet+" -o eth0 -j MASQUERADE",
])
#Enable forwarding
# Runs last in activerulesequence: routing is only switched on once the
# FORWARD chain already carries its DROP policy and rules.
rs_forwarding = cmds([
  "Enabling IP forwarding...",
  "echo 1 > /proc/sys/net/ipv4/ip_forward",
])
###############################################################################
# MAIN
###############################################################################
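if __name__=="__main__":
  # Run every rule set in order.  Each entry is a zero-argument callable
  # (a message printer or a wrapped system() call).  `apply` exists only on
  # Python 2, so call through a lambda instead; list() forces evaluation
  # whether map() is eager (2.x) or lazy (3.x).
  results = list(mapmap(lambda step: step(), activerulesequence()))
  # system()'s exit statuses would otherwise be discarded, so an iptables
  # or modprobe command that failed would leave the firewall silently
  # incomplete.  Message printers return None and are skipped by the
  # truthiness test; only non-zero statuses are counted.
  failures = [status for group in results for status in group if status]
  if failures:
    prnt("[!] %d command(s) returned a non-zero exit status" % len(failures))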