from __future__ import print_function

import os
import re
import stat
import sys
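DIR_OUTPUT = "deploy/"
PROTOCOLS = ("tcp", "udp", "icmp")

# Every token read from the input files ends up verbatim inside a shell script
# that is later executed on the cluster nodes, and the hostname column also
# names the output file under DIR_OUTPUT.  Restricting the tokens to these
# character sets keeps a stray ';', space or '/' in a config line from turning
# into an injected command or an escape out of the deploy directory.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._:/-]+$")
_PORT_RE = re.compile(r"^[0-9]+(:[0-9]+)?$")  # single port or an iptables a:b range

# Common prefix of both generated scripts: open every policy, flush all rules
# and delete the LOGNDROP chain, so re-running either script starts clean.
_RESET_LINES = (
    "iptables -P INPUT ACCEPT\n",
    "iptables -P OUTPUT ACCEPT\n",
    "iptables -P FORWARD ACCEPT\n",
    "iptables -F\n",
    "iptables -X LOGNDROP\n",
)

# Tail of the "on" script: everything not accepted above is rate-limited
# logged and then dropped.  The INPUT policy itself stays ACCEPT (the
# original kept "iptables -P INPUT DROP" commented out); the unconditional
# jump to LOGNDROP appended last is what does the dropping.
_LOGNDROP_LINES = (
    "iptables -N LOGNDROP\n",
    "iptables -A INPUT -j LOGNDROP\n",
    'iptables -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "IPTABLES-FIREWALL-EMULATOR TCP: " --log-level 7\n',
    'iptables -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "IPTABLES-FIREWALL-EMULATOR UDP: " --log-level 7\n',
    'iptables -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "IPTABLES-FIREWALL-EMULATOR ICMP: " --log-level 7\n',
    "iptables -A LOGNDROP -j DROP\n",
)


def _split_fields(path, expected):
    """Yield (line_number, fields) for each non-blank line of a comma-separated file.

    Fields are whitespace-stripped.  Blank lines are skipped (they used to
    crash the script with an IndexError).

    Raises:
        ValueError: a line has fewer than `expected` fields.
    """
    with open(path) as handle:
        for number, raw in enumerate(handle, 1):
            line = raw.rstrip("\n")
            if not line.strip():
                continue
            fields = [part.strip() for part in line.split(",")]
            if len(fields) < expected:
                raise ValueError(
                    "%s line %d: expected %d comma-separated fields, got %d"
                    % (path, number, expected, len(fields))
                )
            yield number, fields


def load_zone_file(path):
    """Read a zone file (zone,hostname,ip per line) into {zone: [[hostname, ip], ...]}.

    Hosts keep their file order and duplicates are kept, exactly as the
    original script did.  Extra columns are ignored.

    Raises:
        ValueError: a line is too short, or a hostname/address token contains
            characters outside the allowed set (see _HOSTNAME_RE/_ADDRESS_RE).
    """
    zones = {}
    for number, fields in _split_fields(path, 3):
        zone, hostname, ip = fields[0], fields[1], fields[2]
        if not _HOSTNAME_RE.match(hostname):
            raise ValueError("%s line %d: invalid hostname %r" % (path, number, hostname))
        if not _ADDRESS_RE.match(ip):
            raise ValueError("%s line %d: invalid address %r" % (path, number, ip))
        zones.setdefault(zone, []).append([hostname, ip])
    return zones


def load_rules(path, zones_hosts, zones_hosts_file="zones_hosts.txt"):
    """Read the rules file (from_zone,to_zone,port per line).

    Returns:
        (rules, errors): `rules` is a list of (from_zone, to_zone, port)
        tuples whose zones both exist in `zones_hosts` and whose port is a
        number, an a:b range or "ALL"; `errors` holds one message per
        rejected line.  The original printed the message and then crashed
        with a KeyError on the unknown zone; now the caller decides.

    Raises:
        ValueError: a line has fewer than three fields.
    """
    rules = []
    errors = []
    for number, fields in _split_fields(path, 3):
        from_zone, to_zone, port = fields[0], fields[1], fields[2]
        line_errors = []
        if from_zone not in zones_hosts:
            line_errors.append(
                "error on line %d: from %s not found in %s" % (number, from_zone, zones_hosts_file)
            )
        if to_zone not in zones_hosts:
            line_errors.append(
                "error on line %d: to %s not found in %s" % (number, to_zone, zones_hosts_file)
            )
        if port != "ALL" and not _PORT_RE.match(port):
            line_errors.append(
                "error on line %d: port %r is not a port number, a:b range or ALL" % (number, port)
            )
        if line_errors:
            errors.extend(line_errors)
        else:
            rules.append((from_zone, to_zone, port))
    return rules, errors


def build_incomings(zones_hosts, open_zones, rules):
    """Expand zone-level rules into per-destination-host allow entries.

    Each rule allows every host of from_zone to reach every host of to_zone
    on `port`.  Every open zone additionally lets all of its members reach
    each other on every protocol (port "ALL").  A host that appears only in
    an open zone still gets an entry.

    Returns:
        {to_hostname: set of "from_ip|to_ip|port"} -- the same key shape the
        original script stored as dict keys; the set removes duplicate rules.
    """
    incomings = {}
    for from_zone, to_zone, port in rules:
        for _from_name, from_ip in zones_hosts[from_zone]:
            for to_name, to_ip in zones_hosts[to_zone]:
                incomings.setdefault(to_name, set()).add("|".join((from_ip, to_ip, port)))
    for members in open_zones.values():
        for _from_name, from_ip in members:
            for to_name, to_ip in members:
                incomings.setdefault(to_name, set()).add("|".join((from_ip, to_ip, "ALL")))
    return incomings


def render_off_script():
    """Return the text of the *_iptables_off.sh script (reset to accept-all)."""
    return "".join(_RESET_LINES) + 'echo "iptables off for host `hostname`"\n'


def render_on_script(entries):
    """Return the text of a *_iptables_on.sh script for one host.

    Args:
        entries: iterable of "from_ip|to_ip|port" strings from build_incomings().
            Emitted in sorted order so the output is reproducible; all of
            them are ACCEPT rules, so their relative order does not matter.

    Port "ALL" yields one rule per protocol in PROTOCOLS; a numeric port
    yields a single tcp rule (udp services need "ALL"), as in the original.
    """
    lines = list(_RESET_LINES)
    # SSH is accepted from anywhere first, presumably so enabling the rules
    # cannot lock the operator out; return traffic of existing connections
    # and loopback traffic are accepted next.
    lines.append("iptables -A INPUT -p tcp --dport 22 -j ACCEPT\n")
    lines.append("iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n")
    for protocol in PROTOCOLS:
        lines.append("iptables -A INPUT -p %s -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT\n" % protocol)
    for entry in sorted(entries):
        from_ip, to_ip, port = entry.split("|")
        if port == "ALL":
            for protocol in PROTOCOLS:
                lines.append(
                    "iptables -A INPUT -p %s -s %s -d %s -j ACCEPT\n" % (protocol, from_ip, to_ip)
                )
        else:
            lines.append(
                "iptables -A INPUT -p tcp -s %s -d %s --dport %s -j ACCEPT\n" % (from_ip, to_ip, port)
            )
    lines.extend(_LOGNDROP_LINES)
    lines.append('echo "iptables on for host `hostname`"\n')
    return "".join(lines)


def write_script(path, content):
    """Replace `path` with `content` and make it owner-executable (0700).

    The file is removed before being rewritten (as the original did) rather
    than truncated in place; the handle is closed via `with` -- the original
    "off" script leaked its handle through a missing `close()` call.
    """
    if os.path.isfile(path):
        os.remove(path)
    with open(path, "w") as handle:
        handle.write(content)
    os.chmod(path, stat.S_IRWXU)


def main(argv=None, dir_output=DIR_OUTPUT):
    """Generate <host>_iptables_{on,off}.sh under `dir_output` for every host.

    Args:
        argv: [prog, zones_hosts_file, open_zones_file, rules_file]; defaults
            to sys.argv.  Extra arguments are ignored.
        dir_output: output directory (trailing separator expected, as in the
            original "deploy/"); created if missing.

    Exits with status 1 (message on stderr) on unreadable or malformed input
    or on a rule that references an unknown zone -- nothing is written in
    that case, matching the original, which crashed before generating files.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) < 4:
        sys.exit("usage: %s zones_hosts.txt open_zones.txt rules.txt" % argv[0])
    zones_hosts_file, open_zones_file, rules_file = argv[1], argv[2], argv[3]
    try:
        zones_hosts = load_zone_file(zones_hosts_file)
        open_zones = load_zone_file(open_zones_file)
        rules, errors = load_rules(rules_file, zones_hosts, zones_hosts_file)
    except (IOError, OSError, ValueError) as exc:
        sys.exit(str(exc))
    if errors:
        for message in errors:
            print(message, file=sys.stderr)
        sys.exit(1)
    incomings = build_incomings(zones_hosts, open_zones, rules)
    if not os.path.isdir(dir_output):
        os.makedirs(dir_output)
    for host in sorted(incomings):
        print("\n\n*****************")
        print("generating iptables shell for HOST: ", host)
        print("******************")
        write_script(dir_output + host + "_iptables_off.sh", render_off_script())
        write_script(dir_output + host + "_iptables_on.sh", render_on_script(incomings[host]))


if __name__ == "__main__":
    main()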
#cat zones_hosts.txt
#ambari,ambari,10.0.1.1
#hadoop,dn1,10.0.0.1
#hadoop,dn2,10.0.0.2
#hadoop,dn3,10.0.0.3
#cat open_zones.txt
#hadoop,dn1,10.0.0.1
#hadoop,dn2,10.0.0.2
#hadoop,dn3,10.0.0.3
#ambari,ambari,10.0.1.1
#ambari,ranger,10.0.1.2
#cat rules.txt
#ambari,hadoop,8670
#hadoop,ambari,8440
#hadoop,ambari,8441
#hadoop,ambari,8440
#cat copy_firewall.sh
#for host in `cat hosts.txt | paste -s -d' '`
# do
# ssh ${host} rm -rf /tmp/firewall_test/
# ssh ${host} mkdir /tmp/firewall_test
# scp /tmp/firewall_test/* ${host}:/tmp/firewall_test/
# scp /tmp/firewall_test/deploy/* ${host}:/tmp/firewall_test/
# done
# Generate deploy/<host>_iptables_{on,off}.sh from the three config files, then
# push them to every node with copy_firewall.sh (above) and switch the rules on
# cluster-wide with clush.  Run from the directory that holds deploy/.
python iptables_firewall_zones_emulator.py zones_hosts.txt open_zones.txt rules.txt
./copy_firewall.sh
# Truncate the log file on every node first so the grep below only shows
# drops from this run.  Assumes the LOGNDROP --log-level 7 messages are
# routed to /var/log/firewall by the syslog config -- TODO confirm.
clush -a "> /var/log/firewall"
# NOTE(review): the generated file is named after the hostname column of the
# zone files, but `hostname -f` returns the FQDN; the two must agree or the
# on-script is not found on the node.
clush -a "cd /tmp/firewall_test;/tmp/firewall_test/\`hostname -f\`_iptables_on.sh"
### check dropped connections in the iptables logs on all nodes
# gawk's three-argument match() pulls DPT/DST/SRC/PROTO out of each logged
# line; $1 is presumably the "node:" prefix clush puts in front of each line.
# port[1] is printed twice (first and fifth column); ICMP drops are filtered out.
clush -a "grep IPTABLES /var/log/firewall" | awk '{match($0,"DPT=([^ ]+)",port)match($0,"DST=([^ ]+)",dest)match($0,"SRC=([^ ]+)",source)match($0,"PROTO=([^ ]+)",proto)}{print port[1] " - " $1 " - " source[1] " - " dest[1] " - " port[1] " - " proto[1]}' | sort | uniq | grep -v ICMP