iptables_manager

Author: Athanasios Gkaraliakos email: a.gkaraliakos@gmail.com email: athanasios.gkaraliakos@cern.ch

The script is written on python >=2.6

class bin.iptables_manager.ManageRules(parser, simul=True, generate=False)

The main class of this script. It handles the whole process of validating config files then parse them and create the kernel ipsets and rules to be applied. It create a list of all the rules to be applied and at the end runs all the iptables commands both for IPv4/IPv6

apply_firewall_rules(command_list)

This method is used to apply the firewall rules. It receives a list of iptables commands and runs all the commands one after the other. The iptables rules come with ‘-C’ param in order to check if the exist. If not the ‘-C’ becomes ‘-A’ so we can add them to the configuration.

Parameters:command_list – The final commands list to run. Returns:void

config_integrity_check()

This method add all the section loaded from config files to a list for better handling. Its main purpose is to check the ‘integrity’ of the config files in terms of specifying the right things of avoid logical errors.

Returns:void

handle_bidirectional_rules(general_section, ip_version)

This method is used to build rules serving both INPUT and OUTPUT chains.

Parameters:

• general_section – Name of the rule section
• ip_version – IPv4/IPv6

Returns:

A list of iptables and ip6tables commands to be run so the rules are applied.

handle_ipsets(ipset_section, ip_version, update_only=False)

This method is used to handle the ipsets. It parses ipset sections by extracting the values from the options provided in the files. It is used to create or update(if set exists) an ipset so to be later used by the iptable rules.

:param ipset_section:Name of the ipset section to be parsed :param ip_version: IPv4/IPv6 :param update_only: Bool variable to tell the method to do an update of the existing set. :return: It returns two values. 1. The exit code of the other script that handles ipsets 2. The actual name of the created ipset to be used by the rule/s

handle_list_set(ipset_setction, ip_version, update_only=False)

This method is used to create a list:set type of ipset. This includes other already in memory sets. Works by reading the sections that define the other sets, builds them first and then adds them to it.

Parameters:

• ipset_setction – Section of the list set
• ip_version – ip version to build on IPv4 or IPv6
• update_only – flag to update sets only to be passed to handle ipsets method

Returns:

the response and the name of the set

static handle_nic_cards(query)

This method is used to return a list of network interfaces in order for the rules to be applied to all of them It has 3 modes and can add or subtract interfaces from the list depending on which interfaces you want to apply firewall rules on.

Parameters:query – list of commands to perform e.g. [‘main’,’+en5’, ‘+en4’] or [‘all’, ‘-en5’, ‘-en4’] Returns:the list of interfaces

handle_script_runs(ipset_section, hostname, ipset_type, ip_version)

This method is used to handle set triplets to be used in ipsets.

Parameters:

• ipset_section –
• hostname –
• ipset_type –
• ip_version –

Returns:

ipsets_update(update_list, exclude_list)

This method is used to update existing kernel ipsets. It checks for rules that sections and on those that have an ipset defined calls the –> handle_ipsets() method to update the sets.

Returns:void

iptables_policy(policy)

This method is used to create the rules that set the policy of the default chains.

Parameters:policy – Name of the section that contains the policy Returns:A list of rule/rules depending on the action.

log_with_custom_chain(general_section, ip_version)

This method is used to create rules that jump to the LOG chain. It is mainly used by defining a custom chain to jump after INPUT or OUTPUT chain.

Parameters:

• general_section – Name of the section
• ip_version – IPv4/IPv6

Returns:

A list of rule/rules to create the user defined chain and the rules for the default chains that jum to the user defined chain.

parse_file()

This method is used to distinguish if a section is rule or policy and

Returns:returns the final rules list - actual list of commands

rules_logic_parse(general_section)

This method is used to decide which rule building method will be called for each section on the config files using the ‘action’ option list.

Parameters:general_section – The name iof the section Returns:A list of rule/rules depending on the action.

sect_general_options_list = ['description', 'section_type', 'action', 'default_chain', 'ip_version', 'interface', 'protocol', 'ports', 'custom_chain', 'limit', 'log-level', 'log-prefix', 'set', 'set_directions', 'log-specific-options']

All the allowed option of a section that defines ipsets.

sect_set_option_list = ['description', 'section_type', 'ipset_type', 'set_name', 'netgroup_set_name', 'set_hostnames', 'set_ips_v4', 'set_ips_v6', 'set_net_ranges_v4', 'set_net_ranges_v6', 'netgroup_set_list', 'set_ip_port_ip_v4', 'set_ip_port_ip_v6', 'set_ip_port_net_v4', 'set_ip_port_net_v6', 'list_set_sections']

All the allowed option of a section that defines Policy.

sections = []

All the allowed option of a section that defines iptables rules.

single_chain_rule(general_section, ip_version)

This method is used to create signle rules on one of/both the default chains. Tries to extract the values of the possible options in order to build the rule

Parameters:

• general_section – Name of the section
• ip_version – IPv4/IPv6

Returns:

a list of rule/rules (2 rules if tcp and udp are defined)

class bin.iptables_manager.ReadWriteConfigFiles

Reads the config files using python config parser module. It then creates an object(dict) and adds all the sections of the file as key and its options as value. It contains all the methods to parse extract info from the config files and then build and add the rules to both the ‘iptables’ and ‘ip6tables’ so you configure both IP protocols with the same tool.

read_config_file(filepath)

Reads all the files on the file path list and creates a unique object to be returned to the Managed Rules class

Parameters:filepath – List of config file paths to read Returns:object of config parser to access the configuration

write_config_file(file_path)

Method to write back the current config from memory to the files. (It is not in use for now) :param file_path: list of the files

Returns:void

bin.iptables_manager.iptables_manager(args=None, config=None, interface='main', no_default_config=False, allow=False, drop_all=False, update_sets=False, deploy=False, generate_files=False, update_list=None, exclude_list=None, map_config_files=False)

This function is the actual main function. It is used as ‘proxy’ method so you can either use this script from a another python script or directly from command line. This method is being called with either the ‘args’ param or the all others depending if its being called from the main function or from another python script.

Parameters:

• args – Basically all the other params but in arguments format.
• config – List of the config file paths to load for the configuration.
• interface – Network card to use for the default config
• no_default_config – If set it applies the default configuration
• allow – If set it sets the policy of all the default chains to ACCEPT.
• drop_all – If set it sets the policy of all the default chains to DROP.
• update_sets – If set it reads the config and updates all the existing kernel ipsets
• update_list – Explicitly indicates which ipsets will be updated.
• exclude_list – Explicitly indicates which ipsets will not be updated.
• deploy – If set it applies the configuration. If not all the rules are being displayed instead of run.
• generate_files – It create the actual rule files for iptables and ip6tables to be used with the restore option
• map_config_files – It creates a dot language code that visually maps the rules

Returns:

0 if everything goes smoothly

bin.iptables_manager.main()

Main function use to expose all the parameters to the command line and call iptables_manager function.

Returns:void