3 # Author: Daniel Hokka Zakrisson <daniel@hozac.com>
11 IPTABLES_RESTORE = "/sbin/iptables-restore"
def add(self, table, chain, rule):
    """Append *rule* to the rule list kept for *chain* inside *table*.

    Both ``table`` and ``chain`` must already be keys of ``self.rules``;
    a missing one raises ``KeyError`` rather than being created.
    """
    chain_rules = self.rules[table][chain]
    chain_rules.append(rule)
def add_ext(self, interface):
    """Record *interface* in the external-interface list (``self.extifs``)."""
    ext_list = self.extifs
    ext_list.insert(len(ext_list), interface)
def add_int(self, interface):
    """Record *interface* in the internal-interface list (``self.intifs``)."""
    self.intifs.extend([interface])
28 # XXX Should make sure the required fields are there
32 # XXX This should check for errors (today only iptables-restore's exit status is checked, and the
33 # port-forward fields are interpolated into the restore stream as-is) and make sure the new ruleset differs from the current one
35 if (len(self.extifs) + len(self.intifs) + len(self.pfs)) == 0:
38 restore = subprocess.Popen([self.IPTABLES_RESTORE, "--noflush"], stdin=subprocess.PIPE)
39 restore.stdin.write("""*filter
54 -A OUTPUT -j BLACKLIST
55 -A OUTPUT -m mark ! --mark 0/65535 -j SLICESPRE
56 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
59 for int in self.intifs:
60 for ext in self.extifs:
61 restore.stdin.write("-A FORWARD -i %s -o %s -j ACCEPT\n" % (int, ext))
62 restore.stdin.write("-A SLICESPRE -o %s -j SLICES\n" % int)
64 restore.stdin.write("-A FORWARD -m state --state NEW -j PORTFW\n")
66 rule = "-A PORTFW -p %s -d %s " % (pf['protocol'], pf['destination'])
68 rule += "-i %s " % pf['interface']
70 rule += "-s %s " % pf['source']
71 rule += "--dport %s" % pf['new_dport']
72 restore.stdin.write(rule + "\n")
74 restore.stdin.write("-A FORWARD -j LOGDROP\n")
76 # This should have a way to add rules
77 restore.stdin.write("-A SLICES -j LOGDROP\n")
78 restore.stdin.write("""COMMIT
80 :PREROUTING ACCEPT [0:0]
81 :POSTROUTING ACCEPT [0:0]
91 for ext in self.extifs:
92 restore.stdin.write("-A MASQ -o %s -j MASQUERADE\n")
95 rule = "-A PORTFW -p %s " % pf['protocol']
97 rule += "-i %s " % pf['interface']
99 rule += "-s %s " % pf['source']
100 rule += "--dport %s -j DNAT --to %s:%s" % (pf['dport'], pf['destination'],
102 restore.stdin.write(rule + "\n")
104 restore.stdin.write("COMMIT\n")
105 restore.stdin.close()
106 return restore.wait() == 0