3 # Author: Daniel Hokka Zakrisson <daniel@hozac.com>
# Absolute path to the iptables-restore binary. Keeping this absolute (rather
# than a bare "iptables-restore") means the call below does not depend on the
# caller's PATH, which matters for a root-privileged firewall writer.
IPTABLES_RESTORE = "/sbin/iptables-restore"
def add(self, table, chain, rule):
    """Queue *rule* on the list kept under ``self.rules[table][chain]``.

    The chain list is looked up directly, never created: if ``self.rules``
    is a plain nested dict (its initialisation is not shown in this file
    excerpt) an unknown *table* or *chain* raises ``KeyError`` rather than
    silently introducing a new chain. *rule* is stored verbatim; this method
    performs no validation of its contents.
    """
    chain_rules = self.rules[table][chain]
    chain_rules.append(rule)
def add_ext(self, interface):
    """Record *interface* as an external interface.

    The name is appended to ``self.extifs`` as given — duplicates are kept
    and nothing is validated here, so callers are responsible for passing a
    sane interface name; the ruleset writer later interpolates it verbatim
    into the text fed to iptables-restore.
    """
    external = self.extifs
    external.append(interface)
def add_int(self, interface):
    """Record *interface* as an internal interface.

    Mirrors ``add_ext`` for ``self.intifs``: the name is appended unchanged,
    duplicates are not filtered, and no validation happens at this point.
    """
    internal = self.intifs
    internal.append(interface)
28 # XXX Should make sure the required fields are there
32 # XXX This should check for errors
33 # and make sure the new ruleset differs from the current one
35 if (len(self.extifs) + len(self.intifs) + len(self.pfs)) == 0:
38 restore = subprocess.Popen([self.IPTABLES_RESTORE], stdin=subprocess.PIPE)
39 restore.stdin.write("""*filter
51 -A OUTPUT -j BLACKLIST
52 -A OUTPUT -m mark ! --mark 0/65535 -j SLICESPRE
53 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
56 for int in self.intifs:
57 for ext in self.extifs:
58 restore.stdin.write("-A FORWARD -i %s -o %s -j ACCEPT\n" % (int, ext))
59 restore.stdin.write("-A SLICESPRE -o %s -j SLICES\n" % int)
61 restore.stdin.write("-A FORWARD -m state --state NEW -j PORTFW\n")
63 rule = "-A PORTFW -p %s -d %s " % (pf['protocol'], pf['destination'])
65 rule += "-i %s " % pf['interface']
67 rule += "-s %s " % pf['source']
68 rule += "--dport %s" % pf['new_dport']
69 restore.stdin.write(rule + "\n")
71 restore.stdin.write("-A FORWARD -j LOGDROP\n")
73 # This should have a way to add rules
74 restore.stdin.write("-A SLICES -j LOGDROP\n")
75 restore.stdin.write("""COMMIT
77 :PREROUTING ACCEPT [0:0]
78 :POSTROUTING ACCEPT [0:0]
84 for ext in self.extifs:
85 restore.stdin.write("-A MASQ -o %s -j MASQUERADE\n")
88 rule = "-A PORTFW -p %s " % pf['protocol']
90 rule += "-i %s " % pf['interface']
92 rule += "-s %s " % pf['source']
93 rule += "--dport %s -j DNAT --to %s:%s" % (pf['dport'], pf['destination'],
95 restore.stdin.write(rule + "\n")
97 restore.stdin.write("COMMIT\n")
99 return restore.wait() == 0