NAD810 Lab2 Firewall Python

6,372 bytes added, 22:20, 4 February 2009
New page: This is the NAD810 Lab 2 example firewall script translated from bash to Python. <pre>#!/usr/bin/python #Converted by Gregory Masseau, 4 Feb 2009. from os import system ##################...
This is the NAD810 Lab 2 example firewall script translated from bash to Python. It is Python 2 code (it relies on the `print` statement and the `apply()` builtin, both removed in Python 3) and must be run as root, since it loads kernel modules and replaces the host's iptables rule set.

<pre>#!/usr/bin/python
#Converted by Gregory Masseau, 4 Feb 2009.
from os import system
###############################################################################
# Settings
###############################################################################
iptables = "/sbin/iptables"  # absolute path: no PATH lookup for a binary run as root
modprobe = "/sbin/modprobe"
inet = "192.168.10.0/24"     # the internal network behind eth1 (see the "-i eth1 -s inet" rules below)
# Active rule sequence
def activerulesequence():
    """Return the ordered list of rule groups that the main block executes.

    Each entry is a list of zero-argument callables produced by rules(),
    modprobes() or cmds(). The order is significant: the tables are flushed
    and the DROP policies set first, the chains are then populated while the
    default policy is already DROP, NAT is added, and IP forwarding is only
    switched on as the very last step.
    """
    sequence = (
        rs_flushRules,
        rs_connTrack,
        rs_input,
        rs_output,
        rs_forward,
        rs_nat,
        rs_forwarding,
    )
    return list(sequence)
###############################################################################
# Functions
###############################################################################
def mapmap(f, l):
    """Apply f to every element of every inner list of l (a list of lists).

    Equivalent to map(liftl(f), l); returns a list of lists.
    """
    return [liftl(f)(inner) for inner in l]
def fix1of2(f, x):
    """Partially apply f to its first argument: fix1of2(f, x)(y) == f(x, y).

    Not used by the rule sets below; part of the generic helper set only.
    """
    def bound(y):
        return f(x, y)
    return bound
def modprobeMaker(mp):
    """Return a factory: modprobeMaker(mp)(*words) is a thunk running "mp words...".

    The command line is assembled by plain string joining and handed to
    os.system() through liftsys(), i.e. it is interpreted by /bin/sh. Only
    the constant module names defined in this file should ever be passed in,
    never anything derived from runtime input.
    """
    def make(*words):
        return liftsys(mp + " " + " ".join(words))
    return make
def fwruleMaker(it):
    """Return a factory: fwruleMaker(it)(*words) is a thunk running "it words...".

    `it` is the iptables path; each rule string below becomes one word list.
    Like modprobeMaker() this builds a shell command line by string joining
    for os.system(), so the rule text must come only from constants in this
    file.
    """
    def make(*words):
        return liftsys(it + " " + " ".join(words))
    return make
def cmdMaker():
    """Return a factory whose thunks run an arbitrary shell command line.

    cmdMaker()(*words) joins words with spaces and defers to liftsys(), so
    shell syntax such as the output redirection used for ip_forward is
    honoured. Used only for the constant sysctl command at the end of the
    file.
    """
    def make(*words):
        return liftsys(" ".join(words))
    return make
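def headapplytailmap(l, r):
    """Return a function applying l to a list's first element and r to the rest.

    headapplytailmap(l, r)(x) == [l(x[0])] + r(x[1:]). It is what turns a
    ["message", rule, rule, ...] list into [print-thunk, cmd-thunk, ...].
    r must return a list (liftl() does).

    Fix: an empty list now yields [] instead of raising IndexError on x[0].
    """
    def split_apply(x):
        if not x:
            return []
        return [l(x[0])] + r(x[1:])
    return split_apply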
def liftl(f):
    """Lift f to whole lists: liftl(f)(items) == [f(i) for i in items]."""
    def over_list(items):
        return [f(item) for item in items]
    return over_list
def liftp(s):
    """Return a thunk that prints s (through prnt) when it is called."""
    def show():
        return prnt(s)
    return show
def liftmsg(s):
    """Return a thunk that prints s as a progress line prefixed with "[+] "."""
    return liftp("[+] " + s)
def liftsys(s):
    """Return a thunk that runs the shell command line s via os.system().

    The thunk returns os.system()'s status (0 on success) and raises
    nothing on failure; a rejected iptables rule or a missing module is only
    visible to a caller that inspects that status. s reaches /bin/sh
    unquoted, so it must be built solely from the constants in this file.
    """
    def run():
        return system(s)
    return run
def prnt(s):
    """Print s on its own line.

    Written as print(s): under Python 2 that is the print statement with a
    parenthesised single argument (identical output), and it also runs
    unchanged under Python 3.
    """
    print(s)
# Builders for rule groups. Each takes ["message", arg-string, ...] and
# returns [print-thunk, command-thunk, ...]: the first element is printed
# with a "[+] " prefix, every following element becomes a deferred shell
# command (modprobe <args>, iptables <args>, or a raw command line).
_modprobe_cmd = modprobeMaker(modprobe)
_iptables_cmd = fwruleMaker(iptables)
_raw_cmd = cmdMaker()
modprobes = headapplytailmap(liftmsg, liftl(_modprobe_cmd))
rules = headapplytailmap(liftmsg, liftl(_iptables_cmd))
cmds = headapplytailmap(liftmsg, liftl(_raw_cmd))
###############################################################################
# Firewall Rules
###############################################################################
# Flush old rules and set default DROP policies.
# NOTE: the chains are flushed *before* the DROP policies are set, so for a
# moment the host runs with the previous default policy and no rules at all.
# Only the filter and nat tables are flushed; mangle is left alone and user
# chains in nat are not deleted (there is no "-X -t nat").
_FLUSH = ["-F", "-F -t nat", "-X"]
_DROP_ALL = ["-P %s DROP" % chain for chain in ("INPUT", "OUTPUT", "FORWARD")]
rs_flushRules = rules(
    ["Flushing old rules and setting default DROP policy on all chains..."]
    + _FLUSH
    + _DROP_ALL
)
# Load the NAT table and the FTP connection-tracking/NAT helpers.
# These are the 2009-era module names; newer kernels ship them as
# nf_conntrack_ftp / nf_nat_ftp, in which case modprobe fails and the thunk
# returns a non-zero status. "ip_conntrack" was commented out in the original
# list -- presumably it is pulled in as a dependency of iptable_nat; confirm
# with lsmod on the lab host.
_CT_MODULES = ["iptable_nat", "ip_conntrack_ftp", "ip_nat_ftp"]
rs_connTrack = modprobes(["Loading connection tracking modules..."] + _CT_MODULES)
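# INPUT chain (traffic addressed to this host). The default policy is DROP
# (rs_flushRules), so anything not ACCEPTed here is logged and dropped.
# Fix: the original had no ACCEPT for the loopback interface even though the
# final LOG rule explicitly excludes lo ("-i ! lo"); with the DROP policy that
# silently killed every new local connection to 127.0.0.1. An explicit lo
# ACCEPT is now the first rule.
# NOTE(review): the anti-spoofing rules only cover eth1; nothing drops packets
# arriving on eth0 (the outside) that carry a source address inside inet.
# NOTE: "-s ! addr" / "-i ! lo" is the legacy negation syntax; newer iptables
# releases warn about or reject it in favour of "! -s addr" / "! -i lo".
rs_input = [liftmsg("Setting up INPUT chain...")] + rules([
    "- Loopback",
    "-A INPUT -i lo -j ACCEPT",
]) + rules([
    "- State tracking rules.",
    "-A INPUT -m state --state INVALID -j LOG --log-prefix 'DROP INVALID ' --log-ip-options --log-tcp-options",
    "-A INPUT -m state --state INVALID -j DROP",
    "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
]) + rules([
    "- Anti-spoofing rules",
    "-A INPUT -i eth1 -s ! " + inet + " -j LOG --log-prefix 'SPOOFED PKT '",
    "-A INPUT -i eth1 -s ! " + inet + " -j DROP",
]) + rules([
    "- ACCEPT rules",
    # SSH is only reachable from the internal network; ping from anywhere.
    "-A INPUT -i eth1 -p tcp -s " + inet + " --dport 22 --syn -m state --state NEW -j ACCEPT",
    "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT",
]) + rules([
    "- Default INPUT LOG rule",
    "-A INPUT -i ! lo -j LOG --log-prefix 'DROP ' --log-ip-options --log-tcp-options",
])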
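# OUTPUT chain (traffic originating on this host). Default policy DROP.
# Fix: as in INPUT, the original never ACCEPTed the loopback interface while
# its final LOG rule excludes it ("-o ! lo"), so locally originated
# connections to 127.0.0.1 on any port not listed below were dropped without
# even a log line. An explicit lo ACCEPT is now the first rule.
# Outbound TCP services allowed by SYN: ftp, ssh, smtp, whois, http, https and
# 4321 (purpose not stated on the lab page); DNS over tcp/udp and ping follow.
_OUT_SYN_PORTS = (21, 22, 25, 43, 80, 443, 4321)
rs_output = [liftmsg("Setting up OUTPUT chain...")] + rules([
    "- Loopback",
    "-A OUTPUT -o lo -j ACCEPT",
]) + rules([
    "- State tracking rules.",
    "-A OUTPUT -m state --state INVALID -j LOG --log-prefix 'DROP INVALID ' --log-ip-options --log-tcp-options",
    "-A OUTPUT -m state --state INVALID -j DROP",
    "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
]) + rules(
    ["- ACCEPT rules for allowing connections out."]
    + ["-A OUTPUT -p tcp --dport %d --syn -m state --state NEW -j ACCEPT" % port for port in _OUT_SYN_PORTS]
    + [
        "-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT",
        "-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT",
        "-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT",
    ]
) + rules([
    "- Default OUTPUT LOG rule.",
    "-A OUTPUT -o ! lo -j LOG --log-prefix 'DROP ' --log-ip-options --log-tcp-options",
])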
# FORWARD chain (traffic routed between eth1 and eth0). Default policy DROP.
# Most services are limited to packets entering on eth1 from inet; 80/443 and
# 53 are left unrestricted because the DNAT rules in rs_nat redirect inbound
# web/DNS traffic from eth0 to LAN hosts and that must be forwarded as well.
# NOTE(review): those unrestricted rules are not pinned to the DNAT targets
# with "-d", so they accept forwarded 80/443/53 towards any destination.
# NOTE: "-s ! addr" / "-i ! lo" is the legacy negation syntax; newer iptables
# releases warn about or reject it in favour of "! -s addr".
# (port, lan_only): lan_only rules carry "-i eth1 -s <inet>". The original
# rule order is kept because iptables stops at the first matching rule.
_FWD_TCP = [(21, True), (22, True), (25, True), (43, True), (80, False), (443, False), (4321, True)]
_FWD_SYN_RULES = [
    ("-A FORWARD -p tcp -i eth1 -s %s --dport %d --syn -m state --state NEW -j ACCEPT" % (inet, port))
    if lan_only else
    ("-A FORWARD -p tcp --dport %d --syn -m state --state NEW -j ACCEPT" % port)
    for port, lan_only in _FWD_TCP
]
rs_forward = [liftmsg("Setting up FORWARD chain...")] + rules([
    "- State tracking rules...",
    "-A FORWARD -m state --state INVALID -j LOG --log-prefix 'DROP INVALID ' --log-ip-options --log-tcp-options",
    "-A FORWARD -m state --state INVALID -j DROP",
    "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
]) + rules([
    "- Anti-spoofing rules.",
    "-A FORWARD -i eth1 -s ! %s -j LOG --log-prefix 'SPOOFED PKT '" % inet,
    "-A FORWARD -i eth1 -s ! %s -j DROP" % inet,
]) + rules(
    ["- ACCEPT rules"]
    + _FWD_SYN_RULES
    + [
        "-A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT",
        "-A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT",
        "-A FORWARD -p icmp --icmp-type echo-request -j ACCEPT",
    ]
) + rules([
    "- Default LOG rule.",
    "-A FORWARD -i ! lo -j LOG --log-prefix 'DROP ' --log-ip-options --log-tcp-options",
])
# NAT: publish the LAN web server (80/443) and DNS server (53/udp) on eth0 via
# DNAT, and masquerade everything leaving eth0 from the internal network.
# The DNAT targets are fixed addresses inside inet; they only work together
# with the matching unrestricted 80/443/53 ACCEPT rules in rs_forward.
# MASQUERADE re-evaluates the outgoing address per packet -- fine for a
# dynamic eth0 address; with a static one SNAT --to-source would be cheaper.
_WEB_SERVER = "192.168.10.3"
_DNS_SERVER = "192.168.10.4"
rs_nat = rules([
    "Setting up NAT rules...",
    "-t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to %s:80" % _WEB_SERVER,
    "-t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to %s:443" % _WEB_SERVER,
    "-t nat -A PREROUTING -p udp --dport 53 -i eth0 -j DNAT --to %s:53" % _DNS_SERVER,
    "-t nat -A POSTROUTING -s %s -o eth0 -j MASQUERADE" % inet,
])
# Enable IPv4 forwarding in the kernel -- deliberately the last step, after
# all FORWARD and NAT rules are already in place. The sysctl is written
# through a shell redirect, which is why this goes via cmds()/os.system rather
# than the iptables wrapper. The setting is not persisted across reboots.
_IP_FORWARD_CMD = "echo 1 > /proc/sys/net/ipv4/ip_forward"
rs_forwarding = cmds(["Enabling IP forwarding...", _IP_FORWARD_CMD])
###############################################################################
# MAIN
###############################################################################
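if __name__ == "__main__":
    # Run every thunk of every rule group, in order. The original used
    # mapmap(apply, ...), which discarded the os.system() exit statuses: a
    # rejected iptables rule or a missing kernel module went unnoticed and the
    # run still looked successful. Each non-zero status is now reported and
    # the script exits 1, so a caller can tell the firewall was only partially
    # applied. (apply() is also gone in Python 3.)
    import sys
    failures = 0
    for group in activerulesequence():
        for step in group:
            status = step()
            # print-thunks return None; command-thunks return the shell status
            if status:
                failures += 1
                prnt("[!] step failed with status %r" % (status,))
    if failures:
        prnt("[!] %d step(s) failed; firewall is only partially applied" % failures)
        sys.exit(1)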
</pre>