^Oc@sdZddlZddlZddlZddlZddlZddlZddlmZm Z m Z m Z ddl m Z mZmZmZmZddlZdejjfdYZdS(s-backend_iptables.py: iptables backend for ufwiN(tUFWErrortUFWRulet config_dirt state_dir(twarntdebugtmsgtcmdtcmd_pipetUFWBackendIptablescBseZdZdZdZdZdZeedZdZ dZ dZ d Z d Z d Zd Zed ZedZdZedZdZdZdZRS(sInstance class for UFWBackendcCsdtjjd|_i}tjjtd|ddddgD]-}d|||f}|j |j|qWqpW|j dj|d|j dj|dqWdd d!d"d#d$d%d&g|_d'|_d(S()s!UFWBackendIptables initializations# s _comment #s user.rulestrulessufw/before.rulest before_rulessufw/after.rulest after_ruless user6.rulestrules6sufw/before6.rulest before6_rulessufw/after6.rulest after6_rulessufw-inittinittiptablestbeforetusertaftertmisct4t6tufwtinputtoutputtforwards%s-%s-logging-%ss -logging-denys-logging-allowsufw-user-limits-mtlimits--limits3/minutes-jtLOGs --log-prefixs[UFW LIMIT BLOCK]N(Rtcommont programNamet comment_strtostpathtjoinRRtbackendt UFWBackendt__init__tchainstuse_ipv6tappendtufw_user_limit_logtufw_user_limit_log_text(tselftdryruntfilestvert chain_prefixtlocttargettchain((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyR& s8%        cCsztd}|jddkr,|d7}nJ|jddkrL|d7}n*|jddkrl|d7}n |d 7}|S( sGet current policys New profiles:tdefault_application_policytaccepts allowtdrops denytrejects rejects skip(t_tdefaults(R,trstr((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytget_default_application_policyEs     c Cs|js|dkrL|dkrL|dkrLtd|}t|n|dkr|dkrtd|}t|nd}|dkrd }nd }d }|dkry"|j|jd d |d Wntk rnXd}d}n|dkrRy"|j|jd d |dWntk rBnXd}d}nEy"|j|jd d |dWntk rnXd}d}tjd |}x|jd|jdgD]}ytj j |} Wntk rnX| d} xV| dD]J} |j | rDtj j | |j || q tj j | | q Wytj j| Wqtk rqXqWntdi|d6|d6} | td7} | S(sSets default policy of firewalltallowtdenyR7sUnsupported policy '%s'tincomingtoutgoings%Unsupported policy for direction '%s'tINPUTtOUTPUTtR9sDEFAULT_%s_POLICYs"ACCEPT"s UFW BLOCKs UFW ALLOWs"REJECT"s"DROP"R Rttmptorigs5Default %(direction)s policy changed to '%(policy)s' t directiontpolicys*(be sure to update your rules accordingly)(R-R8Rt set_defaultR.t ExceptiontretcompileRtutilt open_filestsearcht write_to_filetsubt close_files( R,RFREterr_msgR3t old_log_strt new_log_strtpattftfnstfdtlineR:((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytset_default_policySst $             !  "  c Cs|jr1dtd}|dtd7}|Sddddg}g}g}|dkr|jd d d d dg}d d dg}n|d kr}x9dddgD](}|jd||jd|qWx?dddddgD](}|jd||jd|qWx6ddgD](}|jd||jd|q#WxdddgD]}|jd|q_Wn|dkrxdddgD](}|jd||jd|qWns|dkr-x9dddgD](}|jd||jd|qW|jd |jd!n|d"krxxdddgD](}|jd#||jd$|qIWn|d%kr;x}dddgD]l}|jd&||jd'||jd(||jd)||jd*||jd+|qW|jd,|jd-|jd.|jd/nd0|}x|D]}d1|kr|jd1\} }|d2| 7}t|jg||d | g\} } n#t|jg||g\} } || 7}|dkr|d37}n| d4krLt|qLqLW|dks*|jr|d57}x|D]}d1|kr|jd1\} }|d2| 7}t|jg||d | g\} } n#t|jg||g\} } || 7}|dkr|d37}n| d4kr;t|q;q;Wn|S(6s'Show current running status of firewalls> sChecking raw iptables sChecking raw ip6tables s-ns-vs-xs-Ltraws-ttfiltertnattmangletbuiltinsR@tFORWARDRAs filter:%st PREROUTINGt POSTROUTINGs mangle:%ssraw:%ssnat:%sRRRRs ufw-before-%ssufw6-before-%sRs ufw-user-%ss ufw6-user-%ssufw-user-limit-acceptsufw-user-limitRs ufw-after-%ss ufw6-after-%stloggingsufw-before-logging-%ssufw6-before-logging-%ssufw-user-logging-%ssufw6-user-logging-%ssufw-after-logging-%ssufw6-after-logging-%ssufw-logging-allowsufw-logging-denysufw6-logging-allowsufw6-logging-denys IPV4 (%s): t:s(%s) s is IPV6: ( R-R8R)tsplitRRRR(t ip6tables( R,t rules_typetouttargstitemstitems6tctbtitttrcRC((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytget_running_raws                ,#       ,#    c!Csd}|jrFdtd}|jrB|dtd7}n|Std}xddgD]}t|jdd |d g\}}|d krtd S|d krt|d|n|jr_t|jdd|d g\}}|d krt|dqq_q_Wd}d} |j|j} d } i} x| D]} d}i}d}t }| r| j dks| j dkrt }| j }| j|rtd|qIqt | | sChecking iptables sChecking ip6tables sproblem runningRRs-Ls ufw-user-%ss-nisStatus: inactiveis iptables: %s s ufw6-user-%ss ip6tablessSkipping found tuple '%s'tdsttsrcs::/0s (v6)s 0.0.0.0/0tanyt t/s (%st)tAnywheres on %sRgs (%s)s, s[%2d] tins%-26s %-12s%s%s s s tTotFromtActions%-26s %-12s%s sutf-8tignoret-s s.Default: %(in)s (incoming), %(out)s (outgoing)s0Status: active %(log)s %(pol)s %(app)s%(status)stlogtpoltapptstatussStatus: active%sN(%R-R8R(RRRReR R tTruetdapptsapptFalset get_app_tuplethas_keyRRqtv6tdportRrtsporttprotocolt interface_int interface_outtlogtypeREtlowerR)tlenR#tuppertactiontdecodetencodet get_loglevelt_get_default_policyR;(!R,tverboset show_countRgRQRERotout6tststr_outR tcountt app_rulestrttmp_strtlocationttuplt show_protoR1tportRCtattribst attrib_strtdir_strtfull_strtstr_totstr_fromt str_actiont rules_headertlevelt logging_strt policy_strtapp_policy_str((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyt get_statuss$           %               $             !        cCsxtd}|jr,tdtdnHt|jddg\}}|dkrtt|t|dndS( sStop the firewallsproblem runnings> srunning ufw-initRs force-stopis ufw-initN(R8R-RRR.RR(R,RQRoRg((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyt stop_firewalls    cCs+td}|jr,tdtdnt|jddg\}}|dkrtt|t|dn|jjd s|jd|j j kry|j d Wq't k rtd }t|q'XnDy|j |jdWn)t k r&td }t|nXd S( sStart the firewallsproblem runnings> srunning ufw-initRtstartis ufw-inittlogleveltlowsCould not set LOGLEVELsCould not load logging rulesN(R8R-RRR.RRR9Rt loglevelstkeyst set_loglevelRHtupdate_logging(R,RQRoRg((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytstart_firewalls&        c Cs|jr tSd}|j}|r4d}|j}nxdddddgD]j}|rt|dksJ|dkrtqJnt|dd |d |g\}}|d krJtd tSqJWtS( sCheck if all chains existRtufw6RRRRs limit-accepts-ns-Ls-user-is_need_reload: forcing reload(R-RRReRRR(R,RtprefixtexeR3RoRg((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyt _need_reloads   &  cCsYtd}|jr;td|jrUtdqUn|jrUyHxA|jdD]2}|j|d|g|j|d|gqXWWntk rt|nXt d|j dg|j d g\}}|d krt|d n|jrUt d|j d g|j d g\}}|d krRt|d qRqUndS(sReload firewall rules filesproblem runnings> | iptables-restores> | ip6tables-restoreRs-Fs-ZtcatR s-nis iptablesR s ip6tablesN( R8R-RR(t is_enabledR't _chain_cmdRHRRR.tiptables_restoretip6tables_restore(R,RQRkRoRg((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyt_reload_user_ruless*         cCs,g}tjd}tjd}tjd}|j|r|j|r|j|r|j|jd|jd|n|j|jd||j|jd|q|j|jd|n |j|tjd}tjd } tjd } d } xVt|D]H\} } |j| r&|jd | j}|jd krtd}n!|jdkrd}nd}d| |f}| j| sd|}n|jd| || <|j| |jd|d|| |j| | jd|d||jd| |j| | jd|d||jd|| q&q&Wtjd}xt|D]\} } |j| r|jd| }|jddd|d| }|jd|d | }||| <|j| ||j| |qqW|S(!s5Return list of iptables rules appropriate for sendings-p all sport s-j (REJECT(_log(-all)?)?)s-p tcp s-j \1 --reject-with tcp-resets-p udp RBs(.*)-j ([A-Z]+)_log(-all)?(.*)s-j [A-Z]+_log-alls(-A|-D) ([a-zA-Z0-9\-]+)s'-m limit --limit 3/min --limit-burst 10s\2R5tALLOWRtLIMITtBLOCKs"%s -j LOG --log-prefix "[UFW %s] "s-m state --state NEW s \1-j \2\4s\1-j s-user-logging-s\1 s \1-j RETURNs\1s -j LIMITs% -m state --state NEW -m recent --sets -m state --state NEW -m recents# --update --seconds 30 --hitcount 6s -j s -user-limits-user-limit-accept( RIRJRMR)ROt enumeratetstripRtinsert(R,tfruleRtsuffixtsnippetst pat_prototpat_portt pat_rejecttpat_logt pat_logallt pat_chaint limit_argsRmRRFtlstrt pat_limitttmp1ttmp2ttmp3((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyt_get_rules_from_formattedsh        !   c Csg}|j|||}tjd}xt|D]\}}|j|jd|j|j|r7||jd||j|jd|jdd||c|jd|j7s      "(