pax_global_header00006660000000000000000000000064126155100250014507gustar00rootroot0000000000000052 comment=4c09d7dd5691f7e28c42db844ecb96648d624c96 IPTables-Parse-1.6/000077500000000000000000000000001261551002500140705ustar00rootroot00000000000000IPTables-Parse-1.6/Changes000066400000000000000000000117661261551002500153760ustar00rootroot00000000000000Revision history for Perl extension IPTables::Parse. 1.6 Sat Nov 07 08:45:15 2015 - (Miloslav Trmač) Fixed a vulnerability to not use predictable names for temporary files. This vulnerability would allow an attacker on a multi- user system to set up symlinks to overwrite any file the current user has write access to. If a user manually overrides the temporary file locations with the 'iptout' and 'ipterr' hash keys, it is recommended to not use predictable names either. - Updated to use the '-w' argument on the iptables command line (a test is performed to see if it is supported). This acquires an exclusive lock on iptables command execution. This can be disable by the user if necessary by setting the new lockless_ipt_exec hash key. 1.5 Mon Sep 07 20:18:16 2015 - Bug fix to support additional characters in iptables chain names such as dashes and special characters. Stuart Schneider reported this bug and submitted a patch. Closes github issue #1. - Added 'rule_num' hash key to chain_rules() results (suggested by Stuart Schneider). - Updated _iptout and _ipterr tmp file paths to use the current PID as an extension by default if these files are not set when instantiating an IPTables::Parse object. Also added a DESTROY block to clean these tmp files up. Patch submitted by Stuart Schneider. 1.4 Sun Mar 01 15:30:29 2015 - Bump version to 1.4 so that CPAN recognizes it as a new version. 1.3.1 Sat Feb 28 07:15:55 2015 - Fix version number in META.json and META.yml files. 1.3 Thu Feb 19 20:09:55 2015 - Added support for systems with 'firewalld' via the 'firewall-cmd' command. Such systems include Fedora 21 for example. - Added list_table_chains() to return an array reference of all chains within the specified table. This feature was submitted as a patch by Fabien Mazieres - Added 'use_ipv6' and 'ipt_rules_file' keys to object constructor. These force ip6tables usage and specify a path to a file where 'iptables -nL -v' output is included. - Updated perldoc documentation. 1.2 Sun Mar 04 21:21:11 2012 - Major update to add a new 'parse_keys' hash to IPTables::Parse objects so that other modules can easily see what portions of iptables rules can be parsed into the data returned by chain_rules(). - Added 'mac_source' into extended hash for parsed iptables rules. - Added support for the iptables 'length' match. 1.1 Fri Mar 02 22:31:12 2012 - Minor update to print the iptables binary name in 'croak' error conditions. The binary name is either 'iptables' or 'ip6tables'. - Minor perldoc updates to render links better (two spaces at the beginning of lines). 1.0 Tue Feb 28 21:45:19 2012 - Added META.{yml,json} files to fix this bug: https://rt.cpan.org/Ticket/Display.html?id=75366 - Added the ability to specify 'ip6tables' when instantiating an IPTables::ChainMgr object via 'new'. - Updated license to the Artistic license. 0.9 Sun Feb 26 21:01:45 2012 - Applied slightly modified patch from SSIMON to properly pick up usage of state tracking in rule extended information as shown in this bug: https://rt.cpan.org/Ticket/Display.html?id=67372#txn-925687 Rule 'extended' hash now includes the 'state' or 'ctstate' key depending on which iptables state tracking module is being used (if any). 0.8 Sun Feb 26 14:03:24 2012 - Major update to support ip6tables policies. - Added test suite script t/basic_tests.pl to exercise major functions for both iptables and ip6tables. - Bugfix for default_log() and default_drop() functions to ensure that a proper return value is given in addition to the return of a results hash. - Migrated to git for source control: http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=IPTables-Parse.git;a=summary https://github.com/mrash/IPTables-Parse 0.7 Fri Oct 17 11:55:01 2008 - Completely re-worked the manner in which iptables commands are executed so that they are sent through a single function with various options (described below) for controlling execution. - Added the ability to control iptables execution model. The default is to use waitpid(), but other options are to use system() or popen(). - Added the ability to introduce a configurable time delay between each iptables command. - Added the ability to use a function reference for the SIGCHLD signal handler. - Added the ability to configure the number of seconds used as the alarm timeout for iptables command execution in the waitpid() execution model. 0.6 Mon May 19 10:15:01 2008 - Added perldoc documentation for 0.6 release. 0.3 12/18/2005 - Added test for ULOG target - Update to allow -v iptables output (which may be supplied in a file). 0.01 Sat Feb 5 15:18:37 2005 - original version; created by h2xs 1.23 with options -A -X -b 5.6.0 -n IPTables::Parse IPTables-Parse-1.6/MANIFEST000066400000000000000000000001611261551002500152170ustar00rootroot00000000000000Changes Makefile.PL MANIFEST README t/IPTables-Parse.t t/basic_tests.pl t/basic_ipv4.rules lib/IPTables/Parse.pm IPTables-Parse-1.6/META.json000066400000000000000000000015631261551002500155160ustar00rootroot00000000000000{ "abstract" : "Perl extension for parsing iptables and ip6tables firewall rulesets", "author" : [ "Michael Rash " ], "dynamic_config" : 1, "generated_by" : "ExtUtils::MakeMaker version 6.55_02, CPAN::Meta::Converter version 2.120530", "license" : [ "artistic_1" ], "meta-spec" : { "url" : "http://search.cpan.org/perldoc?CPAN::Meta::Spec", "version" : "2" }, "name" : "IPTables-Parse", "no_index" : { "directory" : [ "t", "inc" ] }, "prereqs" : { "build" : { "requires" : { "ExtUtils::MakeMaker" : "0" } }, "configure" : { "requires" : { "ExtUtils::MakeMaker" : "0" } }, "runtime" : { "requires" : {} } }, "release_status" : "stable", "version" : "1.6" } IPTables-Parse-1.6/META.yml000066400000000000000000000011011261551002500153320ustar00rootroot00000000000000--- #YAML:1.1 name: IPTables-Parse version: 1.6 abstract: Perl extension for parsing iptables and ip6tables firewall rulesets author: - Michael Rash license: Artistic distribution_type: module configure_requires: ExtUtils::MakeMaker: 0 build_requires: ExtUtils::MakeMaker: 0 requires: {} no_index: directory: - t - inc generated_by: ExtUtils::MakeMaker version 6.55_02 meta-spec: url: http://module-build.sourceforge.net/META-spec-v1.4.html version: 1.4 IPTables-Parse-1.6/Makefile.PL000066400000000000000000000010541261551002500160420ustar00rootroot00000000000000use 5.006; use ExtUtils::MakeMaker; # See lib/ExtUtils/MakeMaker.pm for details of how to influence # the contents of the Makefile that is written. WriteMakefile( NAME => 'IPTables::Parse', VERSION_FROM => 'lib/IPTables/Parse.pm', # finds $VERSION PREREQ_PM => {}, # e.g., Module::Name => 1.1 ($] >= 5.005 ? ## Add these new keywords supported since 5.005 (ABSTRACT_FROM => 'lib/IPTables/Parse.pm', # retrieve abstract from module AUTHOR => 'Michael Rash ') : ()), ); IPTables-Parse-1.6/README000066400000000000000000000023031261551002500147460ustar00rootroot00000000000000IPTables-Parse version 1.6 =========================== The README is used to introduce the module and provide instructions on how to install the module, any machine dependencies it may have (for example C compilers and installed libraries) and any other information that should be provided before the module is installed. A README file is required for CPAN modules since CPAN extracts the README file from a module distribution so that people browsing the archive can use it get an idea of the modules uses. It is usually a good idea to provide version information here so that people can decide whether fixes for the module are worth downloading. INSTALLATION To install this module type the following: perl Makefile.PL make make test make install DEPENDENCIES This module has no external module dependencies outside of those that are included in perl Core. COPYRIGHT AND LICENCE This module is distributed under the same license as perl itself. Copyright (C) 2005-2015 by Michael Rash This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.5 or, at your option, any later version of Perl 5 you may have available. IPTables-Parse-1.6/VERSION000066400000000000000000000000041261551002500151320ustar00rootroot000000000000001.6 IPTables-Parse-1.6/lib/000077500000000000000000000000001261551002500146365ustar00rootroot00000000000000IPTables-Parse-1.6/lib/IPTables/000077500000000000000000000000001261551002500163015ustar00rootroot00000000000000IPTables-Parse-1.6/lib/IPTables/Parse.pm000066400000000000000000001212251261551002500177140ustar00rootroot00000000000000# ################################################################## # # File: IPTables::Parse.pm # # Purpose: Perl interface to parse iptables and ip6tables rulesets. # # Author: Michael Rash (mbr@cipherdyne.org) # # Version: 1.6 # ################################################################## # package IPTables::Parse; use 5.006; use POSIX ":sys_wait_h"; use Carp; use File::Temp; use strict; use warnings; use vars qw($VERSION); $VERSION = '1.6'; sub new() { my $class = shift; my %args = @_; my $ipt_bin = '/sbin/iptables'; my $ipt6_bin = '/sbin/ip6tables'; my $fwc_bin = '/usr/bin/firewall-cmd'; my $self = { _iptables => $args{'iptables'} || $args{'ip6tables'} || '', _firewall_cmd => $args{'firewall-cmd'} || '', _fwd_args => $args{'fwd_args'} || '--direct --passthrough ipv4', _ipv6 => $args{'use_ipv6'} || 0, _iptout => $args{'iptout'} || mktemp('/tmp/ipt.out.XXXXXX'), _ipterr => $args{'ipterr'} || mktemp('/tmp/ipt.err.XXXXXX'), _ipt_alarm => $args{'ipt_alarm'} || 30, _debug => $args{'debug'} || 0, _verbose => $args{'verbose'} || 0, _ipt_rules_file => $args{'ipt_rules_file'} || '', _ipt_exec_style => $args{'ipt_exec_style'} || 'waitpid', _ipt_exec_sleep => $args{'ipt_exec_sleep'} || 0, _sigchld_handler => $args{'sigchld_handler'} || \&REAPER, _skip_ipt_exec_check => $args{'skip_ipt_exec_check'} || 0, _lockless_ipt_exec => $args{'lockless_ipt_exec'} || 0, }; if ($self->{'_skip_ipt_exec_check'}) { unless ($self->{'_firewall_cmd'} or $self->{'_iptables'}) { ### default $self->{'_iptables'} = $ipt_bin; } } else { if ($self->{'_firewall_cmd'}) { croak "[*] $self->{'_firewall_cmd'} incorrect path.\n" unless -e $self->{'_firewall_cmd'}; croak "[*] $self->{'_firewall_cmd'} not executable.\n" unless -x $self->{'_firewall_cmd'}; } elsif ($self->{'_iptables'}) { croak "[*] $self->{'_iptables'} incorrect path.\n" unless -e $self->{'_iptables'}; croak "[*] $self->{'_iptables'} not executable.\n" unless -x $self->{'_iptables'}; } else { ### check for firewall-cmd first since systems with it ### will have iptables installed as well (but firewall-cmd ### should be used instead if it exists) if (-e $fwc_bin and -x $fwc_bin) { $self->{'_firewall_cmd'} = $fwc_bin; } elsif (-e $ipt_bin and -x $ipt_bin) { $self->{'_iptables'} = $ipt_bin; } elsif (-e $ipt6_bin and -x $ipt6_bin) { $self->{'_iptables'} = $ipt6_bin; } else { croak "[*] Could not find/execute iptables, " . "specify path via _iptables\n"; } } } if ($self->{'_ipv6'} and $self->{'_iptables'} eq $ipt_bin) { if (-e $ipt6_bin and -x $ipt6_bin) { $self->{'_iptables'} = $ipt6_bin; } else { croak "[*] Could not find/execute ip6tables, " . "specify path via _iptables\n"; } } ### set the firewall binary name $self->{'_ipt_bin_name'} = 'iptables'; if ($self->{'_firewall_cmd'}) { $self->{'_ipt_bin_name'} = $1 if $self->{'_firewall_cmd'} =~ m|.*/(\S+)|; } else { $self->{'_ipt_bin_name'} = $1 if $self->{'_iptables'} =~ m|.*/(\S+)|; } ### handle ipv6 if ($self->{'_ipv6'}) { if ($self->{'_firewall_cmd'}) { if ($self->{'_fwd_args'} =~ /ipv4/i) { $self->{'_fwd_args'} = '--direct --passthrough ipv6'; } } else { if ($self->{'_ipt_bin_name'} eq 'iptables') { unless ($self->{'_skip_ipt_exec_check'}) { croak "[*] use_ipv6 is true, " . "but $self->{'_iptables'} not ip6tables.\n"; } } } } $self->{'_ipv6'} = 1 if $self->{'_ipt_bin_name'} eq 'ip6tables'; if ($self->{'_firewall_cmd'}) { $self->{'_ipv6'} = 1 if $self->{'_fwd_args'} =~ /ipv6/; } ### set the main command string to allow for iptables execution ### via firewall-cmd if necessary $self->{'_cmd'} = $self->{'_iptables'}; if ($self->{'_firewall_cmd'}) { $self->{'_cmd'} = "$self->{'_firewall_cmd'} $self->{'_fwd_args'}"; } unless ($self->{'_skip_ipt_exec_check'}) { unless ($self->{'_lockless_ipt_exec'}) { ### now that we have the iptables command defined, see whether ### it supports -w to acquire an exclusive lock my ($rv, $out_ar, $err_ar) = &exec_iptables($self, "$self->{'_cmd'} -w -t filter -n -L INPUT"); $self->{'_cmd'} .= ' -w' if $rv; } } $self->{'parse_keys'} = &parse_keys(); bless $self, $class; } sub DESTROY { my $self = shift; ### clean up tmp files unless ($self->{'_debug'}) { unlink $self->{'_iptout'}; unlink $self->{'_ipterr'}; } return; } sub parse_keys() { my $self = shift; ### only used for IPv4 + NAT my $ipv4_re = qr|(?:[0-2]?\d{1,2}\.){3}[0-2]?\d{1,2}|; my %keys = ( 'regular' => { 'packets' => { 'regex' => '', 'ipt_match' => '' }, 'bytes' => { 'regex' => '', 'ipt_match' => '' }, 'target' => { 'regex' => '', 'ipt_match' => '' }, 'protocol' => { 'regex' => '', 'ipt_match' => '-p' }, 'proto' => { 'regex' => '', 'ipt_match' => '-p' }, 'intf_in' => { 'regex' => '', 'ipt_match' => '-i' }, 'intf_out' => { 'regex' => '', 'ipt_match' => '-o' }, 'src' => { 'regex' => '', 'ipt_match' => '-s' }, 'dst' => { 'regex' => '', 'ipt_match' => '-d' } }, 'extended' => { 's_port' => { 'regex' => qr/\bspts?:(\S+)/, 'ipt_match' => '--sport' }, 'sport' => { 'regex' => qr/\bspts?:(\S+)/, 'ipt_match' => '--sport' }, 'd_port' => { 'regex' => qr/\bdpts?:(\S+)/, 'ipt_match' => '--dport' }, 'dport' => { 'regex' => qr/\bdpts?:(\S+)/, 'ipt_match' => '--dport' }, 'to_ip' => { 'regex' => qr/\bto:($ipv4_re):\d+/, 'ipt_match' => '' }, 'to_port' => { 'regex' => qr/\bto:$ipv4_re:(\d+)/, 'ipt_match' => '' }, 'mac_source' => { 'regex' => qr/\bMAC\s+(\S+)/, 'ipt_match' => '-m mac --mac-source' }, 'state' => { 'regex' => qr/\bstate\s+(\S+)/, 'ipt_match' => '-m state --state' }, 'ctstate' => { 'regex' => qr/\bctstate\s+(\S+)/, 'ipt_match' => '-m conntrack --ctstate' }, 'comment' => { 'regex' => qr|\/\*\s(.*?)\s\*\/|, 'ipt_match' => '-m comment --comment', 'use_quotes' => 1 }, 'string' => { 'regex' => qr|STRING\s+match\s+\"(.*?)\"|, 'ipt_match' => '-m string --algo bm --string', 'use_quotes' => 1 }, 'length' => { 'regex' => qr|\blength\s(\S+)|, 'ipt_match' => '-m length --length', }, }, 'rule_num' => '', 'raw' => '' ); return \%keys; } sub list_table_chains() { my $self = shift; my $table = shift || croak '[*] Specify a table, e.g. "nat"'; my $file = shift || ''; my @ipt_lines = (); my @chains = (); if ($self->{'_ipt_rules_file'} and not $file) { $file = $self->{'_ipt_rules_file'}; } if ($file) { ### read the iptables rules out of $file instead of executing ### the iptables command. open F, "< $file" or croak "[*] Could not open file $file: $!"; @ipt_lines = ; close F; } else { my ($rv, $out_ar, $err_ar) = $self->exec_iptables( "$self->{'_cmd'} -t $table -v -n -L"); @ipt_lines = @$out_ar; } for (@ipt_lines) { if (/^\s*Chain\s(.*?)\s\(/) { push @chains, $1; } } return \@chains; } sub chain_policy() { my $self = shift; my $table = shift || croak '[*] Specify a table, e.g. "nat"'; my $chain = shift || croak '[*] Specify a chain, e.g. "OUTPUT"'; my $file = shift || ''; my @ipt_lines = (); if ($self->{'_ipt_rules_file'} and not $file) { $file = $self->{'_ipt_rules_file'}; } if ($file) { ### read the iptables rules out of $file instead of executing ### the iptables command. open F, "< $file" or croak "[*] Could not open file $file: $!"; @ipt_lines = ; close F; } else { my ($rv, $out_ar, $err_ar) = $self->exec_iptables( "$self->{'_cmd'} -t $table -v -n -L $chain"); @ipt_lines = @$out_ar; } my $policy = ''; for my $line (@ipt_lines) { ### Chain INPUT (policy ACCEPT 16 packets, 800 bytes) if ($line =~ /^\s*Chain\s+$chain\s+\(policy\s+(\w+)/) { $policy = $1; last; } } return $policy; } sub chain_action_rules() { return &chain_rules(); } sub chain_rules() { my $self = shift; my $table = shift || croak '[*] Specify a table, e.g. "nat"'; my $chain = shift || croak '[*] Specify a chain, e.g. "OUTPUT"'; my $file = shift || ''; my $found_chain = 0; my @ipt_lines = (); my $fh = *STDERR; $fh = *STDOUT if $self->{'_verbose'}; ### only used for IPv4 + NAT my $ip_re = qr|(?:[0-2]?\d{1,2}\.){3}[0-2]?\d{1,2}|; ### array of hash refs my @chain = (); my @global_accept_state = (); if ($self->{'_ipt_rules_file'} and not $file) { $file = $self->{'_ipt_rules_file'}; } if ($file) { ### read the iptables rules out of $file instead of executing ### the iptables command. open F, "< $file" or croak "[*] Could not open file $file: $!"; @ipt_lines = ; close F; } else { my ($rv, $out_ar, $err_ar) = $self->exec_iptables( "$self->{'_cmd'} -t $table -v -n -L $chain --line-numbers"); @ipt_lines = @$out_ar; } ### determine the output style (e.g. "-nL -v" or just plain "-nL"; if the ### policy data came from a file then -v might not have been used) my $ipt_verbose = 0; for my $line (@ipt_lines) { if ($line =~ /\spkts\s+bytes\s+target/) { $ipt_verbose = 1; last; } } my $has_line_numbers = 0; for my $line (@ipt_lines) { if ($line =~ /^num\s+pkts\s+bytes\s+target/) { $has_line_numbers = 1; last; } } my $rule_num = 0; LINE: for my $line (@ipt_lines) { chomp $line; last LINE if ($found_chain and $line =~ /^\s*Chain\s+/); if ($line =~ /^\s*Chain\s\Q$chain\E\s\(/i) { $found_chain = 1; next LINE; } next LINE if $line =~ /\starget\s{2,}prot/i; next LINE unless $found_chain; next LINE unless $line; ### track the rule number independently of --line-numbers, ### but the values should always match $rule_num++; ### initialize hash my %rule = ( 'extended' => '', 'raw' => $line, 'rule_num' => $rule_num ); for my $key (keys %{$self->{'parse_keys'}->{'regular'}}) { $rule{$key} = ''; } for my $key (keys %{$self->{'parse_keys'}->{'extended'}}) { $rule{$key} = ''; } my $rule_body = ''; my $packets = ''; my $bytes = ''; my $rnum = ''; if ($ipt_verbose) { if ($has_line_numbers) { if ($line =~ /^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.*)/) { $rnum = $1; $packets = $2; $bytes = $3; $rule_body = $4; } } else { if ($line =~ /^\s*(\S+)\s+(\S+)\s+(.*)/) { $packets = $1; $bytes = $2; $rule_body = $3; } } } else { if ($has_line_numbers) { if ($line =~ /^\s*(\d+)\s+(.*)/) { $rnum = $1; $rule_body = $2; } } else { $rule_body = $line; $rnum = $rule_num; $rnum = $rule_num; } } if ($rnum and $rnum ne $rule_num) { croak "[*] Rule number mis-match."; } if ($ipt_verbose) { ### iptables: ### 0 0 ACCEPT tcp -- eth1 * 192.168.10.3 0.0.0.0/0 tcp dpt:80 ### 0 0 ACCEPT tcp -- eth1 * 192.168.10.15 0.0.0.0/0 tcp dpt:22 ### 33 2348 ACCEPT tcp -- eth1 * 192.168.10.2 0.0.0.0/0 tcp dpt:22 ### 0 0 ACCEPT tcp -- eth1 * 192.168.10.2 0.0.0.0/0 tcp dpt:80 ### 0 0 DNAT tcp -- * * 123.123.123.123 0.0.0.0/0 tcp dpt:55000 to:192.168.12.12:80 ### ip6tables: ### 0 0 ACCEPT tcp * * ::/0 fe80::aa:0:1/128 tcp dpt:12345 ### 0 0 LOG all * * ::/0 ::/0 LOG flags 0 level 4 my $match_re = qr/^(\S+)\s+(\S+)\s+\-\-\s+ (\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)/x; if ($self->{'_ipt_bin_name'} eq 'ip6tables' or ($self->{'_ipt_bin_name'} eq 'firewall-cmd' and $self->{'_fwd_args'} =~ /\sipv6/)) { $match_re = qr/^(\S+)\s+(\S+)\s+ (\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)/x; } if ($rule_body =~ $match_re) { $rule{'packets'} = $packets; $rule{'bytes'} = $bytes; $rule{'target'} = $1; my $proto = $2; $proto = 'all' if $proto eq '0'; $rule{'protocol'} = $rule{'proto'} = lc($proto); $rule{'intf_in'} = $3; $rule{'intf_out'} = $4; $rule{'src'} = $5; $rule{'dst'} = $6; $rule{'extended'} = $7 || ''; &parse_rule_extended(\%rule, $self->{'parse_keys'}->{'extended'}); } else { if ($self->{'_debug'}) { print $fh localtime() . " -v Did not match parse regex: $line\n"; } } } else { ### iptables: ### ACCEPT tcp -- 164.109.8.0/24 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02 ### ACCEPT tcp -- 216.109.125.67 0.0.0.0/0 tcp dpts:7000:7500 ### ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:7000:7500 ### ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:!7000 ### ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ### ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:35000 dpt:5000 ### ACCEPT tcp -- 10.1.1.1 0.0.0.0/0 ### LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `DROP ' ### LOG all -- 127.0.0.2 0.0.0.0/0 LOG flags 0 level 4 ### DNAT tcp -- 123.123.123.123 0.0.0.0/0 tcp dpt:55000 to:192.168.12.12:80 ### ip6tables: ### ACCEPT tcp ::/0 fe80::aa:0:1/128 tcp dpt:12345 ### LOG all ::/0 ::/0 LOG flags 0 level 4 my $match_re = qr/^(\S+)\s+(\S+)\s+\-\-\s+(\S+)\s+(\S+)\s*(.*)/; if ($self->{'_ipt_bin_name'} eq 'ip6tables' or ($self->{'_ipt_bin_name'} eq 'firewall-cmd' and $self->{'_fwd_args'} =~ /\sipv6/)) { $match_re = qr/^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)/; } if ($rule_body =~ $match_re) { $rule{'target'} = $1; my $proto = $2; $proto = 'all' if $proto eq '0'; $rule{'protocol'} = $rule{'proto'} = lc($proto); $rule{'src'} = $3; $rule{'dst'} = $4; $rule{'extended'} = $5 || ''; &parse_rule_extended(\%rule, $self->{'parse_keys'}->{'extended'}); } else { if ($self->{'_debug'}) { print $fh localtime() . " Did not match parse regex: $line\n"; } } } push @chain, \%rule; } return \@chain; } sub parse_rule_extended() { my ($rule_hr, $ext_keys_hr) = @_; for my $key (keys %$ext_keys_hr) { if ($rule_hr->{'extended'} =~ /$ext_keys_hr->{$key}->{'regex'}/) { $rule_hr->{$key} = $1; } } if ($rule_hr->{'protocol'} eq '0') { $rule_hr->{'s_port'} = $rule_hr->{'sport'} = 0; $rule_hr->{'d_port'} = $rule_hr->{'dport'} = 0; } elsif ($rule_hr->{'protocol'} eq 'tcp' or $rule_hr->{'protocol'} eq 'udp') { $rule_hr->{'s_port'} = $rule_hr->{'sport'} = 0 if $rule_hr->{'s_port'} eq ''; $rule_hr->{'d_port'} = $rule_hr->{'dport'} = 0 if $rule_hr->{'d_port'} eq ''; } return; } sub default_drop() { my $self = shift; my $table = shift || croak "[*] Specify a table, e.g. \"nat\""; my $chain = shift || croak "[*] Specify a chain, e.g. \"OUTPUT\""; my $file = shift || ''; my @ipt_lines = (); if ($self->{'_ipt_rules_file'} and not $file) { $file = $self->{'_ipt_rules_file'}; } if ($file) { ### read the iptables rules out of $file instead of executing ### the iptables command. open F, "< $file" or croak "[*] Could not open file $file: $!"; @ipt_lines = ; close F; } else { ### FIXME -v for interfaces? my ($rv, $out_ar, $err_ar) = $self->exec_iptables( "$self->{'_cmd'} -t $table -n -L $chain"); @ipt_lines = @$out_ar; } return "[-] Could not get $self->{'_ipt_bin_name'} output!", 0 unless @ipt_lines; my %protocols = (); my $found_chain = 0; my $found_default_drop = 0; my $rule_ctr = 1; my $prefix; my $policy = 'ACCEPT'; my $any_ip_re = qr/(?:0\.){3}0\x2f0|\x3a{2}\x2f0/; LINE: for my $line (@ipt_lines) { chomp $line; last if ($found_chain and $line =~ /^\s*Chain\s+/); ### Chain INPUT (policy DROP) ### Chain FORWARD (policy ACCEPT) if ($line =~ /^\s*Chain\s+$chain\s+\(policy\s+(\w+)\)/) { $policy = $1; $found_chain = 1; } next LINE if $line =~ /^\s*target\s/i; next LINE unless $found_chain; ### include ULOG target as well my $log_re = qr/^\s*U?LOG\s+(\w+)\s+\-\-\s+.* $any_ip_re\s+$any_ip_re\s+(.*)/x; my $drop_re = qr/^DROP\s+(\w+)\s+\-\-\s+.* $any_ip_re\s+$any_ip_re\s*$/x; if ($self->{'_ipt_bin_name'} eq 'ip6tables' or ($self->{'_ipt_bin_name'} eq 'firewall-cmd' and $self->{'_fwd_args'} =~ /ipv6/)) { $log_re = qr/^\s*U?LOG\s+(\w+)\s+ $any_ip_re\s+$any_ip_re\s+(.*)/x; $drop_re = qr/^DROP\s+(\w+)\s+ $any_ip_re\s+$any_ip_re\s*$/x; } ### might as well pick up any default logging rules as well if ($line =~ $log_re) { my $proto = $1; my $p_tmp = $2; my $prefix = 'NONE'; ### some recent iptables versions return "0" instead of "all" ### for the protocol number $proto = 'all' if $proto eq '0'; ### LOG flags 0 level 4 prefix `DROP ' if ($p_tmp && $p_tmp =~ m|LOG.*\s+prefix\s+ \`\s*(.+?)\s*\'|x) { $prefix = $1; } ### $proto may equal "all" here $protocols{$proto}{'LOG'}{'prefix'} = $prefix; $protocols{$proto}{'LOG'}{'rulenum'} = $rule_ctr; } elsif ($policy eq 'ACCEPT' and $line =~ $drop_re) { my $proto = $1; $proto = 'all' if $proto eq '0'; ### DROP all -- 0.0.0.0/0 0.0.0.0/0 $protocols{$1}{'DROP'} = $rule_ctr; $found_default_drop = 1; } $rule_ctr++; } ### if the policy in the chain is DROP, then we don't ### necessarily need to find a default DROP rule. if ($policy eq 'DROP') { $protocols{'all'}{'DROP'} = 0; $found_default_drop = 1; } return "[-] There are no default drop rules in the " . "$self->{'_ipt_bin_name'} policy!", 0 unless %protocols and $found_default_drop; return \%protocols, 1; } sub default_log() { my $self = shift; my $table = shift || croak "[*] Specify a table, e.g. \"nat\""; my $chain = shift || croak "[*] Specify a chain, e.g. \"OUTPUT\""; my $file = shift || ''; my $any_ip_re = qr/(?:0\.){3}0\x2f0|\x3a{2}\x2f0/; my @ipt_lines = (); my %log_chains = (); my %log_rules = (); if ($self->{'_ipt_rules_file'} and not $file) { $file = $self->{'_ipt_rules_file'}; } ### note that we are not restricting the view to the current chain ### with the iptables -nL output; we are going to parse the given ### chain and all chains to which packets are jumped from the given ### chain. if ($file) { ### read the iptables rules out of $file instead of executing ### the iptables command. open F, "< $file" or croak "[*] Could not open file $file: $!"; @ipt_lines = ; close F; } else { my ($rv, $out_ar, $err_ar) = $self->exec_iptables( "$self->{'_cmd'} -t $table -n -L $chain"); @ipt_lines = @$out_ar; } ### determine the output style (e.g. "-nL -v" or just plain "-nL"; if the ### policy data came from a file then -v might not have been used) my $ipt_verbose = 0; for my $line (@ipt_lines) { if ($line =~ /^\s*pkts\s+bytes\s+target/) { $ipt_verbose = 1; last; } } return "[-] Could not get $self->{'_ipt_bin_name'} output!", 0 unless @ipt_lines; ### first get all logging rules and associated chains my $log_chain; for my $line (@ipt_lines) { chomp $line; ### Chain INPUT (policy DROP) ### Chain fwsnort_INPUT_eth1 (1 references) if ($line =~ /^\s*Chain\s+(.*?)\s+\(/ and $line !~ /0\s+references/) { $log_chain = $1; } $log_chain = '' unless $line =~ /\S/; next unless $log_chain; my $proto = ''; my $found = 0; if ($ipt_verbose) { if ($self->{'_ipt_bin_name'} eq 'ip6tables' or ($self->{'_ipt_bin_name'} eq 'firewall-cmd' and $self->{'_fwd_args'} =~ /\sipv6/)) { if ($line =~ m|^\s*\d+\s+\d+\s*U?LOG\s+(\w+)\s+ \S+\s+\S+\s+$any_ip_re \s+$any_ip_re\s+.*U?LOG|x) { $proto = $1; $found = 1; } } else { if ($line =~ m|^\s*\d+\s+\d+\s*U?LOG\s+(\w+)\s+\-\-\s+ \S+\s+\S+\s+$any_ip_re \s+$any_ip_re\s+.*U?LOG|x) { $proto = $1; $found = 1; } } } else { if ($self->{'_ipt_bin_name'} eq 'ip6tables' or ($self->{'_ipt_bin_name'} eq 'firewall-cmd' and $self->{'_fwd_args'} =~ /\sipv6/)) { if ($line =~ m|^\s*U?LOG\s+(\w+)\s+$any_ip_re \s+$any_ip_re\s+.*U?LOG|x) { $proto = $1; $found = 1; } } else { if ($line =~ m|^\s*U?LOG\s+(\w+)\s+\-\-\s+$any_ip_re \s+$any_ip_re\s+.*U?LOG|x) { $proto = $1; $found = 1; } } } if ($found) { $proto = 'all' if $proto eq '0'; ### the above regex allows the limit target to be used $log_chains{$log_chain}{$proto} = ''; ### protocol $log_rules{$proto} = '' if $log_chain eq $chain; } } return "[-] There are no default logging rules " . "in the $self->{'_ipt_bin_name'} policy!", 0 unless %log_chains; my %sub_chains = (); ### get all sub-chains of the main chain we passed into default_log() &sub_chains($chain, \%sub_chains, \@ipt_lines); ### see which (if any) logging rules can be mapped back to the ### main chain we passed in. for my $log_chain (keys %log_chains) { if (defined $sub_chains{$log_chain}) { ### the logging rule is in the main chain (e.g. INPUT) for my $proto (keys %{$log_chains{$log_chain}}) { $log_rules{$proto} = ''; } } } return \%log_rules, 1; } sub sub_chains() { my ($start_chain, $chains_hr, $ipt_lines_ar) = @_; my $found = 0; for my $line (@$ipt_lines_ar) { chomp $line; ### Chain INPUT (policy DROP) ### Chain fwsnort_INPUT_eth1 (1 references) if ($line =~ /^\s*Chain\s+\Q$start_chain\E\s+\(/ and $line !~ /0\s+references/) { $found = 1; next; } next unless $found; if ($found and $line =~ /^\s*Chain\s/) { last; } if ($line =~ m|^\s*(\S+)\s+\S+\s+|) { my $new_chain = $1; if ($new_chain ne 'LOG' and $new_chain ne 'DROP' and $new_chain ne 'REJECT' and $new_chain ne 'ACCEPT' and $new_chain ne 'RETURN' and $new_chain ne 'QUEUE' and $new_chain ne 'SNAT' and $new_chain ne 'DNAT' and $new_chain ne 'MASQUERADE' and $new_chain ne 'pkts' and $new_chain ne 'Chain' and $new_chain ne 'target') { $chains_hr->{$new_chain} = ''; &sub_chains($new_chain, $chains_hr, $ipt_lines_ar); } } } return; } sub exec_iptables() { my $self = shift; my $cmd = shift || croak "[*] Must specify an " . "$self->{'_ipt_bin_name'} command to run."; my $iptout = $self->{'_iptout'}; my $ipterr = $self->{'_ipterr'}; my $debug = $self->{'_debug'}; my $ipt_alarm = $self->{'_ipt_alarm'}; my $verbose = $self->{'_verbose'}; my $ipt_exec_style = $self->{'_ipt_exec_style'}; my $ipt_exec_sleep = $self->{'_ipt_exec_sleep'}; my $sigchld_handler = $self->{'_sigchld_handler'}; croak "[*] $cmd does not look like an $self->{'_ipt_bin_name'} command." unless $cmd =~ m|^\s*iptables| or $cmd =~ m|^\S+/iptables| or $cmd =~ m|^\s*ip6tables| or $cmd =~ m|^\S+/ip6tables| or $cmd =~ m|^\s*firewall-cmd| or $cmd =~ m|^\S+/firewall-cmd|; ### sanitize $cmd - this is not bullet proof, but better than ### nothing (especially for strange iptables chain names). Further, ### quotemeta() is too aggressive since things like IPv6 addresses ### contain ":" chars, etc. $cmd =~ s/([;<>\$\|`\@&\(\)\[\]\{\}])/\\$1/g; my $rv = 1; my @stdout = (); my @stderr = (); my $fh = *STDERR; $fh = *STDOUT if $verbose; if ($debug or $verbose) { print $fh localtime() . " [+] IPTables::Parse::", "exec_iptables(${ipt_exec_style}()) $cmd\n"; if ($ipt_exec_sleep > 0) { print $fh localtime() . " [+] IPTables::Parse::", "exec_iptables() sleep seconds: $ipt_exec_sleep\n"; } } if ($ipt_exec_sleep > 0) { if ($debug or $verbose) { print $fh localtime() . " [+] IPTables::Parse: ", "sleeping for $ipt_exec_sleep seconds before ", "executing $self->{'_ipt_bin_name'} command.\n"; } sleep $ipt_exec_sleep; } if ($ipt_exec_style eq 'system') { system qq{$cmd > $iptout 2> $ipterr}; } elsif ($ipt_exec_style eq 'popen') { open CMD, "$cmd 2> $ipterr |" or croak "[*] Could not execute $cmd: $!"; @stdout = ; close CMD; open F, "> $iptout" or croak "[*] Could not open $iptout: $!"; print F for @stdout; close F; } else { my $ipt_pid; if ($debug or $verbose) { print $fh localtime() . " [+] IPTables::Parse: " . "Setting SIGCHLD handler to: " . $sigchld_handler . "\n"; } local $SIG{'CHLD'} = $sigchld_handler; if ($ipt_pid = fork()) { eval { ### iptables should never take longer than 30 seconds to execute, ### unless there is some absolutely enormous policy or the kernel ### is exceedingly busy local $SIG{'ALRM'} = sub {die "[*] $self->{'_ipt_bin_name'} " . "command timeout.\n"}; alarm $ipt_alarm; waitpid($ipt_pid, 0); alarm 0; }; if ($@) { kill 9, $ipt_pid unless kill 15, $ipt_pid; } } else { croak "[*] Could not fork $self->{'_ipt_bin_name'}: $!" unless defined $ipt_pid; ### exec the iptables command and preserve stdout and stderr exec qq{$cmd > $iptout 2> $ipterr}; } } if (-e $iptout) { open F, "< $iptout" or croak "[*] Could not open $iptout"; @stdout = ; close F; } if (-e $ipterr) { open F, "< $ipterr" or croak "[*] Could not open $ipterr"; @stderr = ; close F; $rv = 0 if @stderr; } if (@stdout) { if ($stdout[$#stdout] =~ /^success/) { pop @stdout; } if ($self->{'_ipt_bin_name'} eq 'firewall-cmd') { for (@stdout) { if (/COMMAND_FAILED/) { $rv = 0; last; } } } } if ($debug or $verbose) { print $fh localtime() . " $self->{'_ipt_bin_name'} " . "command stdout:\n"; for my $line (@stdout) { if ($line =~ /\n$/) { print $fh $line; } else { print $fh $line, "\n"; } } print $fh localtime() . " $self->{'_ipt_bin_name'} " . "command stderr:\n"; for my $line (@stderr) { if ($line =~ /\n$/) { print $fh $line; } else { print $fh $line, "\n"; } } } if ($debug or $verbose) { print $fh localtime() . " Return value: $rv\n"; } return $rv, \@stdout, \@stderr; } sub REAPER { my $stiff; while(($stiff = waitpid(-1,WNOHANG))>0){ # do something with $stiff if you want } local $SIG{'CHLD'} = \&REAPER; return; } 1; __END__ =head1 NAME IPTables::Parse - Perl extension for parsing iptables and ip6tables policies =head1 SYNOPSIS use IPTables::Parse; my %opts = ( 'use_ipv6' => 0, # can set to 1 to force ip6tables usage 'ipt_rules_file' => '', # optional file path from # which to read iptables rules 'debug' => 0, 'verbose' => 0 ); my $ipt_obj = IPTables::Parse->new(%opts) or die "[*] Could not acquire IPTables::Parse object"; my $rv = 0; ### look for default DROP rules in the filter table INPUT chain my ($ipt_hr, $rv) = $ipt_obj->default_drop('filter', 'INPUT'); if ($rv) { if (defined $ipt_hr->{'all'}) { print "The INPUT chain has a default DROP rule for all protocols.\n"; } else { my $found = 0; for my $proto (qw/tcp udp icmp/) { if (defined $ipt_hr->{$proto}) { print "The INPUT chain drops $proto by default.\n"; $found = 1; } } unless ($found) { print "The INPUT chain does not have any default DROP rule.\n"; } } } else { print "[-] Could not parse $ipt_obj->{'_ipt_bin_name'} policy\n"; } ### look for default LOG rules in the filter table INPUT chain ($ipt_hr, $rv) = $ipt_obj->default_log('filter', 'INPUT'); if ($rv) { if (defined $ipt_hr->{'all'}) { print "The INPUT chain has a default LOG rule for all protocols.\n"; } else { my $found = 0; for my $proto (qw/tcp udp icmp/) { if (defined $ipt_hr->{$proto}) { print "The INPUT chain logs $proto by default.\n"; $found = 1; } } unless ($found) { print "The INPUT chain does not have any default LOG rule.\n"; } } } else { print "[-] Could not parse $ipt_obj->{'_ipt_bin_name'} policy\n"; } ### print all chains in the filter table for my $chain (@{$ipt_obj->list_table_chains('filter')}) { print $chain, "\n"; } =head1 DESCRIPTION The C package provides an interface to parse iptables or ip6tables rules on Linux systems through the direct execution of iptables/ip6tables commands, or from parsing a file that contains an iptables/ip6tables policy listing. Note that the 'firewalld' infrastructure on Fedora21 is also supported through execution of the 'firewall-cmd' binary. By default, the path to iptables is assumed to be '/sbin/iptables', but if the firewall is 'firewalld', then the '/usr/bin/firewall-cmd' is used. With this module, you can get the current policy applied to a table/chain, look for a specific user-defined chain, check for a default DROP policy, or determine whether or not a default LOG rule exists. Also, you can get a listing of all rules in a chain with each rule parsed into its own hash. Note that if you initialize the IPTables::Parse object with the 'ipt_rules_file' key, then all parsing routines will open the specified file for iptables rules data. So, you can create this file with a command like 'iptables -t filter -nL -v > ipt.rules', and then initialize the object with IPTables::Parse->new('ipt_rules_file' => 'ipt.rules'). Further, if you are running on a system without iptables installed, but you have an iptables policy written to the ipt.rules file, then you can pass in 'skip_ipt_exec_check=>1' in order to analyze the file without having IPTables::Parse check for the iptables binary. In summary, in addition to the hash keys mentioned above, optional keys that can be passed to new() include 'iptables' (set path to iptables binary), 'firewall_cmd' (set path to 'firewall-cmd' binary for systems with 'firewalld'), 'fwd_args' (set 'firewall-cmd' usage args; defaults to '--direct --passthrough ipv4'), 'ipv6' (set IPv6 mode for ip6tables), 'debug', 'verbose', and 'lockless_ipt_exec' (disable usage of the iptables '-w' argument that acquires an exclusive lock on command execution). =head1 FUNCTIONS The IPTables::Parse extension provides an object interface to the following functions: =over 4 =item chain_policy($table, $chain) This function returns the policy (e.g. 'DROP', 'ACCEPT', etc.) for the specified table and chain: print "INPUT policy: ", $ipt_obj->chain_policy('filter', 'INPUT'), "\n"; =item chain_rules($table, $chain) This function parses the specified chain and table and returns an array reference for all rules in the chain. Each element in the array reference is a hash with the following keys (that contain values depending on the rule): C, C, C, C, C, C, C, C, C, C, C, C, C, C, and C. The C element contains the rule output past the protocol information, and the C element contains the complete rule itself as reported by iptables or ip6tables. Here is an example of checking whether the second rule in the INPUT chain (array index 1) allows traffic from any IP to TCP port 80: $rules_ar = $ipt_obj->chain_rules('filter', 'INPUT); if ($rules_ar->[1]->{'src'} eq '0.0.0.0/0' and $rules_ar->[1]->{'protocol'} eq 'tcp' and $rules_ar->[1]->{'d_port'} eq '80' and $rules_ar->[1]->{'target'} eq 'ACCEPT') { print "traffic accepted to TCP port 80 from anywhere\n"; } =item default_drop($table, $chain) This function parses the running iptables or ip6tables policy in order to determine if the specified chain contains a default DROP rule. Two values are returned, a hash reference whose keys are the protocols that are dropped by default (if a global ACCEPT rule has not accepted matching packets first), along with a return value that tells the caller if parsing the iptables or ip6tables policy was successful. Note that if all protocols are dropped by default, then the hash key 'all' will be defined. ($ipt_hr, $rv) = $ipt_obj->default_drop('filter', 'INPUT'); =item default_log($table, $chain) This function parses the running iptables or ip6tables policy in order to determine if the specified chain contains a default LOG rule. Two values are returned, a hash reference whose keys are the protocols that are logged by default (if a global ACCEPT rule has not accepted matching packets first), along with a return value that tells the caller if parsing the iptables or ip6tables policy was successful. Note that if all protocols are logged by default, then the hash key 'all' will be defined. An example invocation is: ($ipt_hr, $rv) = $ipt_obj->default_log('filter', 'INPUT'); =item list_table_chains($table) This function parses the specified table for all chains that are defined within the table. Data is returned as an array reference. For example, if there are no user-defined chains in the 'filter' table, then the returned array reference will contain the strings 'INPUT', 'FORWARD', and 'OUTPUT'. for my $chain (@{$ipt_obj->list_table_chains('filter')}) { print $chain, "\n"; } =back =head1 AUTHOR Michael Rash, Embr@cipherdyne.orgE =head1 SEE ALSO The IPTables::Parse module is used by the IPTables::ChainMgr extension in support of the psad and fwsnort projects to parse iptables or ip6tables policies (see the psad(8), and fwsnort(8) man pages). As always, the iptables(8) and ip6tables(8) man pages provide the best information on command line execution and theory behind iptables and ip6tables. Although there is no mailing that is devoted specifically to the IPTables::Parse extension, questions about the extension will be answered on the following lists: The psad mailing list: http://lists.sourceforge.net/lists/listinfo/psad-discuss The fwsnort mailing list: http://lists.sourceforge.net/lists/listinfo/fwsnort-discuss The latest version of the IPTables::Parse extension can be found on CPAN and also here: http://www.cipherdyne.org/modules/ Source control is provided by git: https://github.com/mrash/IPTables-Parse.git =head1 CREDITS Thanks to the following people: Franck Joncourt Stuart Schneider Grant Ferley Fabien Mazieres Miloslav Trmač =head1 AUTHOR The IPTables::Parse extension was written by Michael Rash Fmbr@cipherdyne.orgE> to support the psad and fwsnort projects. Please send email to this address if there are any questions, comments, or bug reports. =head1 VERSION Version 1.6 (November, 2015) =head1 COPYRIGHT AND LICENSE Copyright (C) 2005-2015 Michael Rash. All rights reserved. This module is free software. You can redistribute it and/or modify it under the terms of the Artistic License 2.0. More information can be found here: http://www.perl.com/perl/misc/Artistic.html This program is distributed "as is" in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. =cut IPTables-Parse-1.6/t/000077500000000000000000000000001261551002500143335ustar00rootroot00000000000000IPTables-Parse-1.6/t/IPTables-Parse.t000066400000000000000000000010041261551002500172260ustar00rootroot00000000000000# Before `make install' is performed this script should be runnable with # `make test'. After `make install' it should work as `perl IPTables-Parse.t' ######################### # change 'tests => 1' to 'tests => last_test_to_print'; use Test; BEGIN { plan tests => 1 }; use IPTables::Parse; ok(1); # If we made it this far, we're ok. ######################### # Insert your test code below, the Test::More module is use()ed here so read # its man page ( perldoc Test::More ) for help writing this test script. IPTables-Parse-1.6/t/basic_ipv4.rules000066400000000000000000000012031261551002500174260ustar00rootroot00000000000000Chain INPUT (policy DROP 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 429 141K LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x17/0x02 LOG flags 0 level 4 prefix "(NEW w/o SYN) INPUT:DROP " 2 429 141K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x17/0x02 3 2055 179K SUBNET all -- eth1 * 0.0.0.0/0 3.4.5.6 4 2481 119K REJECT all -- * * 123.1.1.2 0.0.0.0/0 reject-with icmp-port-unreachable IPTables-Parse-1.6/t/basic_tests.pl000077500000000000000000000262171261551002500172060ustar00rootroot00000000000000#!/usr/bin/perl -w use lib '../lib'; use Data::Dumper; use Getopt::Long 'GetOptions'; use strict; require IPTables::Parse; #==================== config ===================== my $iptables_bin = '/sbin/iptables'; my $ip6tables_bin = '/sbin/ip6tables'; my $fw_cmd_bin = '/bin/firewall-cmd'; my $dummy_path = '/bin/invalidpath'; my $logfile = 'test.log'; my $ipt_rules_file = 'ipt_rules.tmp'; my $basic_ipv4_rules_file = 'basic_ipv4.rules'; my $PRINT_LEN = 68; #================== end config =================== my $verbose = 0; my $debug = 0; my $help = 0; my $use_fw_cmd = 0; die "[*] See '$0 -h' for usage information" unless (GetOptions( 'verbose' => \$verbose, 'debug' => \$debug, 'help' => \$help, )); &usage() if $help; my %ipt_opts = ( 'debug' => $debug, 'verbose' => $verbose ); my %ipt6_opts = ( 'use_ipv6' => 1, 'debug' => $debug, 'verbose' => $verbose ); my %targets = ( 'ACCEPT' => '', 'DROP' => '', 'QUEUE' => '', 'RETURN' => '', ); my %iptables_chains = ( 'mangle' => [qw/PREROUTING INPUT OUTPUT FORWARD POSTROUTING/], 'raw' => [qw/PREROUTING OUTPUT/], 'filter' => [qw/INPUT OUTPUT FORWARD/], 'nat' => [qw/PREROUTING OUTPUT POSTROUTING/] ); my %ip6tables_chains = ( 'mangle' => [qw/PREROUTING INPUT OUTPUT FORWARD POSTROUTING/], 'raw' => [qw/PREROUTING OUTPUT/], 'filter' => [qw/INPUT OUTPUT FORWARD/], ); my $passed = 0; my $failed = 0; my $executed = 1; my $SKIP_IPT_EXEC_CHECK = 1; my $IPT_EXEC_CHECK = 0; &init(); ### main testing routines &parse_basic_ipv4_policy(); &iptables_tests('', $IPT_EXEC_CHECK); &iptables_tests($ipt_rules_file, $IPT_EXEC_CHECK); &iptables_tests($ipt_rules_file, $SKIP_IPT_EXEC_CHECK); &ip6tables_tests('', $IPT_EXEC_CHECK); &ip6tables_tests($ipt_rules_file, $IPT_EXEC_CHECK); &ip6tables_tests($ipt_rules_file, $SKIP_IPT_EXEC_CHECK); &logr("\n[+] passed/failed/executed: $passed/$failed/$executed tests\n\n"); exit 0; sub iptables_tests() { my ($rules_file, $skip_ipt_exec_check) = @_; if ($rules_file) { if ($skip_ipt_exec_check) { &logr("\n[+] Running $iptables_bin $rules_file " . "(skip ipt exec check) tests...\n"); } else { &logr("\n[+] Running $iptables_bin $rules_file tests...\n"); } $ipt_opts{'ipt_rules_file'} = $rules_file; if ($skip_ipt_exec_check == $SKIP_IPT_EXEC_CHECK) { $ipt_opts{'skip_ipt_exec_check'} = $skip_ipt_exec_check; } } else { &logr("\n[+] Running $iptables_bin tests...\n"); $ipt_opts{'ipt_rules_file'} = ''; } my $ipt_obj = IPTables::Parse->new(%ipt_opts) or die "[*] Could not acquire IPTables::Parse object"; &chain_policy_tests($ipt_obj, \%iptables_chains); &chain_rules_tests($ipt_obj, \%iptables_chains); &default_log_tests($ipt_obj); &default_drop_tests($ipt_obj); return; } sub ip6tables_tests() { my ($rules_file, $skip_ipt_exec_check) = @_; if ($rules_file) { if ($skip_ipt_exec_check) { &logr("\n[+] Running $ip6tables_bin $rules_file " . "(skip ipt exec check) tests...\n"); } else { &logr("\n[+] Running $ip6tables_bin $rules_file tests...\n"); } $ipt_opts{'ipt_rules_file'} = $rules_file; if ($skip_ipt_exec_check == $SKIP_IPT_EXEC_CHECK) { $ipt_opts{'iptables'} = $dummy_path; $ipt_opts{'skip_ipt_exec_check'} = $skip_ipt_exec_check; } } else { &logr("\n[+] Running $ip6tables_bin tests...\n"); $ipt_opts{'ipt_rules_file'} = ''; } my $ipt_obj = IPTables::Parse->new(%ipt6_opts) or die "[*] Could not acquire IPTables::Parse object"; &chain_policy_tests($ipt_obj, \%ip6tables_chains); &chain_rules_tests($ipt_obj, \%ip6tables_chains); &default_log_tests($ipt_obj); &default_drop_tests($ipt_obj); return; } sub default_log_tests() { my $ipt_obj = shift; for my $chain (qw/INPUT OUTPUT FORWARD/) { &dots_print("default_log($ipt_obj->{'_ipt_rules_file'}): filter $chain"); if ($ipt_obj->{'_ipt_rules_file'}) { &write_rules($ipt_obj, "$ipt_obj->{'_cmd'} -t filter -v -n -L $chain"); } my ($ipt_log, $rv) = $ipt_obj->default_log('filter', $chain); $executed++; if ($rv) { &logr("pass ($executed) (found)\n"); $passed++; } else { &logr("fail ($executed) (not found)\n"); $failed++; } } return; } sub default_drop_tests() { my $ipt_obj = shift; for my $chain (qw/INPUT OUTPUT FORWARD/) { &dots_print("default_drop($ipt_obj->{'_ipt_rules_file'}): filter $chain"); if ($ipt_obj->{'_ipt_rules_file'}) { &write_rules($ipt_obj, "$ipt_obj->{'_cmd'} -t filter -v -n -L $chain"); } my ($ipt_drop, $rv) = $ipt_obj->default_drop('filter', $chain); $executed++; if ($rv) { &logr("pass ($executed) (found)\n"); $passed++; } else { &logr("fail ($executed) (not found)\n"); $failed++; } } return; } sub chain_policy_tests() { my ($ipt_obj, $tables_chains_hr) = @_; for my $table (keys %$tables_chains_hr) { for my $chain (@{$tables_chains_hr->{$table}}) { if ($ipt_obj->{'_ipt_rules_file'}) { &write_rules($ipt_obj, "$ipt_obj->{'_cmd'} -t $table -v -n -L $chain"); } &dots_print("chain_policy($ipt_obj->{'_ipt_rules_file'}): $table $chain policy"); my $target = $ipt_obj->chain_policy($table, $chain); $executed++; if (defined $targets{$target}) { &logr("pass ($executed) ($target)\n"); $passed++; } else { &logr("fail ($executed) ($target)\n"); &logr(" Unrecognized target '$target'\n"); $failed++; } } } return; } sub parse_basic_ipv4_policy() { $ipt_opts{'ipt_rules_file'} = $basic_ipv4_rules_file; &logr("\n[+] Running basic IPv4 chain_rules() parse test...\n"); &dots_print("parse $basic_ipv4_rules_file via chain_rules()"); my $ipt_obj = IPTables::Parse->new(%ipt_opts) or die "[*] Could not acquire IPTables::Parse object"; my $rules_ar = $ipt_obj->chain_rules('filter', 'INPUT'); if ($#$rules_ar > -1) { &logr("pass ($executed)\n"); $passed++; } else { &logr("fail ($executed)\n"); $failed++; } $executed++; $ipt_opts{'ipt_rules_file'} = ''; return; } sub chain_rules_tests() { my ($ipt_obj, $tables_chains_hr) = @_; for my $table (keys %$tables_chains_hr) { &dots_print("list_table_chains($ipt_obj->{'_ipt_rules_file'}): $table"); if ($ipt_obj->{'_ipt_rules_file'}) { &write_rules($ipt_obj, "$ipt_obj->{'_cmd'} -t $table -v -n -L"); } my $chains_ar = $ipt_obj->list_table_chains($table); if ($#$chains_ar > -1) { &logr("pass ($executed)\n"); $passed++; } else { &logr("fail ($executed)\n"); $failed++; } $executed++; for my $chain (@{$tables_chains_hr->{$table}}) { &dots_print("chain_rules($ipt_obj->{'_ipt_rules_file'}): $table $chain rules"); my $out_ar = &write_rules($ipt_obj, "$ipt_obj->{'_cmd'} -t $table -v -n -L $chain"); if ($ipt_obj->{'_ipt_rules_file'}) { } my $rules_ar = $ipt_obj->chain_rules($table, $chain); $executed++; my $matched_state = 1; for (my $i=2; $i<=$#$out_ar; $i++) { if ($out_ar->[$i] =~ /\sctstate/) { unless (defined $rules_ar->[$i-2]->{'ctstate'} and $rules_ar->[$i-2]->{'ctstate'}) { $matched_state = 0; last; } } elsif ($out_ar->[$i] =~ /\sstate/) { unless (defined $rules_ar->[$i-2]->{'state'} and $rules_ar->[$i-2]->{'state'}) { $matched_state = 0; last; } } } ### compare raw rules list with parsed chain_rules() ### output - basic number check if (($#$out_ar - 2) == $#$rules_ar and $matched_state) { &logr("pass ($executed)\n"); $passed++; } else { &logr("fail ($executed)\n"); if ($matched_state) { &logr(" chain_rules() missed extended state info.\n"); } else { if (($#$out_ar - 2) > $#$rules_ar) { &logr(" chain_rules() missed rules.\n"); } elsif (($#$out_ar - 2) < $#$rules_ar) { &logr(" chain_rules() added inappropriate rules.\n"); } } $failed++; } } } return; } sub dots_print() { my $msg = shift; &logr($msg); my $dots = ''; for (my $i=length($msg); $i < $PRINT_LEN; $i++) { $dots .= '.'; } &logr($dots); return; } sub logr() { my $msg = shift; print STDOUT $msg; open F, ">> $logfile" or die $!; print F $msg; close F; return; } sub init() { $|++; ### turn off buffering $< == 0 && $> == 0 or die "[*] $0: You must be root (or equivalent ", "UID 0 account) to effectively test fwknop"; unlink $logfile if -e $logfile; unlink $ipt_rules_file if -e $ipt_rules_file; if (-e $fw_cmd_bin and -x $fw_cmd_bin) { $use_fw_cmd = 1; } else { for my $bin ($iptables_bin, $ip6tables_bin) { die "[*] $bin does not exist" unless -e $bin; die "[*] $bin not executable" unless -x $bin; } } return; } sub write_rules() { my ($ipt_obj, $cmd) = @_; my $rv = 0; my $out_ar = (); my $err_ar = (); ### if the original iptables object skipped the iptables exec ### check, then acquire a new object to execute the command if ($ipt_obj->{'_skip_ipt_exec_check'}) { my %opts_cp = %ipt_opts; if ($use_fw_cmd) { $cmd =~ s|^$dummy_path|$fw_cmd_bin|; } else { if ($ipt_obj->{'use_ipv6'}) { %opts_cp = %ipt6_opts; $cmd =~ s|^$dummy_path|$ip6tables_bin|; } else { $cmd =~ s|^$dummy_path|$iptables_bin|; } } $opts_cp{'skip_ipt_exec_check'} = 0; my $obj = IPTables::Parse->new(%opts_cp); ($rv, $out_ar, $err_ar) = $obj->exec_iptables($cmd); } else { ($rv, $out_ar, $err_ar) = $ipt_obj->exec_iptables($cmd); } &write_rules_file($out_ar); return $out_ar; } sub write_rules_file() { my $lines_ar = shift; open F, "> $ipt_rules_file" or die $!; print F $_ for @$lines_ar; close F; return; } sub usage() { print "$0 [--debug] [--verbose] [-h]\n"; exit 0; }