API tools faq
paste
banbooo

Untitled

banbooo
May 5th, 2020
73
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 8.21 KB | None | 0 0
raw download clone embed print report
  1. from firewall import *
  2.  
  3. def main():
  4.     ########################################
  5.     # Test
  6.     ########################################
  7.     test = Firewall()
  8.     test.flush()
  9.     test.policy()
  10.     test.policy(test.INPUT,test.DROP)
  11.     test.chain('INPUT').accept()
  12.     test.interface('-i',"eth0").accept('# error test')
  13.     test.chain('INPUT').interface('-i',"eth0").accept('# ok test')
  14.     test.chain('OUTPUT').interface('-o',"eth0").protocol('icmp').accept()
  15.     test.output().interface('-i',"eth0").protocol('tcp').accept('')
  16.     test.chain('OUTPUT').inbound("eth0").protocol('tcp').source('172.16.1.0/24').accept('')
  17.     test.chain('OUTPUT').outbound("eth0").protocol('tcp').destination('172.16.1.1').accept('')
  18.     test.chain('FORWARD').inbound("eth0").outbound("eth0").protocol('tcp').source('172.16.1.0/24').destination('172.16.1.1').accept()
  19.     test.input().interface('-i',"eth0").protocol('tcp').state('NEW').accept()
  20.     test.chain('INPUT').interface('-i',"eth0").protocol('tcp').state('NEW').dport('21').accept()
  21.     test.chain('INPUT').inbound("eth0").protocol('tcp').state('NEW').dport(('3306','1152','5432')).accept('multiport test')
  22.  
  23.     test.forward().source("172.16.0.1/24").protocol('tcp').string('sex').accept()
  24.     test.forward().dport("53").protocol('udp').time('8:00','18:00','Mon,Tue,Wed,Thu,Fri,Sat').accept()
  25.     test.forward().proto('udp').dport("53").string('movie').time('8:00','18:00','Mon,Tue,Wed,Thu,Fri,Sat').accept()
  26.     test.input().inbound('ppp0').connlimit(20).drop()
  27.     test.forward().reject('--reject-with icmp-host-prohibited')
  28.  
  29.     test.show()
  30.     #test.save('/tmp/firewall.txt')
  31.     print()
  32.  
  33.     ########################################
  34.     # Demo Desktop PC
  35.     ########################################
  36.     single = Firewall()
  37.     single.policy(single.INPUT,single.DROP)
  38.     single.policy(single.OUTPUT,single.ACCEPT)
  39.     single.policy(single.FORWARD,single.DROP)
  40.     single.input().protocol('icmp').drop()
  41.     single.input().protocol('tcp').dport(('3389','5900')).accept()
  42.     single.input().protocol('tcp').dport(('137','138','139','145')).accept()
  43.     single.show()
  44.     #single.run()
  45.     #single.list()
  46.     print()
  47.  
  48.     ########################################
  49.     # Demo Office Server
  50.     ########################################
  51.     office = Firewall()
  52.     office.flush()
  53.     office.policy(office.INPUT,office.DROP)
  54.     office.policy(office.OUTPUT,office.ACCEPT)
  55.     office.policy(office.FORWARD,office.DROP)
  56.     office.input().state(('RELATED','ESTABLISHED')).accept()
  57.     office.input().protocol('icmp').accept()
  58.     office.input().inbound('eth0').protocol('udp').dport(('53','1194')).accept()
  59.     office.input().inbound('eth0').protocol('udp').dport(('68','68')).accept()
  60.     office.input().protocol('tcp').dport(('20','21','22','80')).accept()
  61.     office.input().protocol('tcp').dport(('5800','5900')).accept()
  62.     office.input().protocol('tcp').dport(('137','138','139','145')).accept()
  63.  
  64.     office.show()
  65.     #office.run()
  66.     #office.list()
  67.     print()
  68.    
  69.     ########################################
  70.     # Demo IDC Server
  71.     ########################################
  72.     server = Firewall()
  73.     server.flush()
  74.     server.policy(server.INPUT,server.DROP)
  75.     server.policy(server.OUTPUT,server.DROP)
  76.     server.policy(server.FORWARD,server.DROP)
  77.     server.input().state(('RELATED','ESTABLISHED')).accept()
  78.     server.input().protocol('icmp').accept()
  79.     #server.input().destination('192.168.0.0/24').accept()
  80.     server.input().protocol('tcp').dport(('21','22','80')).state('NEW').accept()
  81.     server.input().protocol('udp').dport(('53','1194')).accept()
  82.     server.input().protocol('tcp').source('172.16.1.0/24').dport('3306').accept()
  83.     server.output().protocol('icmp').accept()
  84.     server.output().destination('192.168.0.0/24').accept()
  85.     server.output().destination('172.16.0.5').reject()
  86.     server.output().destination('172.16.0.0/24').accept()
  87.     server.output().protocol('udp').dport('53').accept()
  88.     server.output().protocol('tcp').dport(('80','21','20','22','8000')).accept()
  89.     server.chain('PREROUTING').inbound('eth0').proto('tcp').dport('80').dnat('--to-destination 192.168.0.1:3128')
  90.     server.output().destination('172.16.0.10').proto('tcp').dport('3306').accept()
  91.     #server.show()
  92.     #server.run()
  93.     #server.list()
  94.     print()
  95.  
  96.     www = Firewall()
  97.     #www.flush()
  98.     www.policy(www.INPUT,www.ACCEPT)
  99.     www.policy(www.OUTPUT,www.ACCEPT)
  100.     www.policy(www.FORWARD,www.DROP)
  101.     www.input().state(('RELATED','ESTABLISHED')).accept()
  102.     www.input().protocol('icmp').accept()
  103.     www.input().source('172.16.1.0/24').accept()
  104.     www.input().protocol('tcp').dport(('21','22','80')).state('NEW').accept()
  105.     www.input().protocol('udp').source('113.106.63.1').dport(('53','1194')).accept()
  106.     www.input().protocol('tcp').source('172.16.1.0/24').dport('22').recent('SSH',60,5).reject('--reject-with tcp-reset')
  107.     www.output().protocol('icmp').accept()
  108.     www.output().protocol('tcp').accept()
  109.     www.output().destination('172.16.1.0/24').accept()
  110.     www.output().destination('172.16.3.0/24').reject()
  111.     www.output().destination('172.16.1.5').proto('tcp').dport('3306').accept()
  112.     #www.output().destination('172.16.1.5').accept()
  113.     www.output().protocol('udp').dport('53').accept()
  114.     www.output().protocol('tcp').dport(('80','3306')).accept()
  115.     www.output().protocol('tcp').dport('2049').reject()
  116.     www.output().protocol('tcp').dport('22').reject()
  117.     www.output().protocol('tcp').dport(('20','21')).reject()
  118.     www.chain('PREROUTING').inbound('eth0').proto('tcp').dport('80').dnat('--to-destination 192.168.0.1:3128')
  119.     # HTTP CC 攻击
  120.     www.input().protocol('tcp').inbound('eth0').dport('80').recent('HTTP',2,20).drop()
  121.     www.input().protocol('tcp').inbound('eth0').dport('80').connlimit(30).drop()
  122.     www.input().protocol('tcp').inbound('eth0').dport('80').recent('HTTP').accept()
  123.     # DDOS
  124.     www.input().proto('tcp').dport("80").string('XXDD0S').drop()
  125.     www.show()
  126.     #server.run()
  127.     #server.list()
  128.     print()
  129.    
  130.     """
  131.    #iptables -A INPUT -p tcp --dport 80 -m recent --name CC --update --seconds 2 --hitcount 20 -j DROP
  132.    #iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 30 -j DROP
  133.    #iptables -A INPUT -p tcp --dport 80 -m recent --name CC --set -j ACCEPT
  134.    """
  135.     db = Firewall()
  136.     db.flush()
  137.     db.policy(db.INPUT,db.DROP)
  138.     db.policy(db.OUTPUT,db.DROP)
  139.     db.policy(db.FORWARD,db.DROP)
  140.     db.input().state(('RELATED','ESTABLISHED')).accept()
  141.     db.input().protocol('icmp').accept()
  142.     db.input().protocol('tcp').source('172.16.1.10').dport('22').state('NEW').accept()
  143.     db.input().protocol('tcp').source('172.16.1.0/24').dport('3306').state('NEW').accept()
  144.     db.output().protocol('icmp').accept()
  145.     db.output().protocol('udp').dport('53').accept()
  146.     db.output().destination('172.16.1.0/24').accept()
  147.     db.output().destination('172.16.3.0/24').reject()
  148.     db.output().destination('172.16.1.5').proto('tcp').dport('3306').accept()
  149.     db.output().destination('172.16.1.6').proto('tcp').dport('3306').accept()
  150.     db.show()
  151.     #server.run()
  152.     #server.list()
  153.     print()
  154.  
  155.     ########################################
  156.     # Linux Gateway via pppoe
  157.     ########################################
  158.     gateway = Firewall()
  159.     gateway.input().drop()
  160.     gateway.output().accept()
  161.     gateway.inside().state(('RELATED','ESTABLISHED')).accept('# match test')
  162.     gateway.forward().destination('127.16.0.0/24').accept()
  163.     gateway.chain('POSTROUTING').inbound("ppp0").source('172.16.0.0/24').masquerade()
  164.     gateway.show()
  165.     print()
  166.  
  167.     ########################################
  168.     # Cisco ASA Style
  169.     ########################################
  170.     gateway = Firewall()
  171.     gateway.inside().accept()
  172.     gateway.inside().state(('RELATED','ESTABLISHED')).accept('# match test')
  173.     gateway.outside().drop()
  174.     gateway.show()
  175.     print()
  176.  
  177.     ########################################
  178.     # Juniper JunOS Style
  179.     ########################################
  180.     gateway = Firewall()
  181.     gateway.trust().accept()
  182.     gateway.untrust().drop()
  183.     gateway.show()
  184.     print()
  185.    
  186.     return( 0 )
  187.  
  188. if __name__ == '__main__':
  189.     main()
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!