A Python tool / service for managing iptables firewalls with ease
Detailed description of the pyrewall Python project
PyreWall
An iptables firewall management system written in Python.
WARNING: still under construction
+===================================================+
| © 2019 Privex Inc. |
| https://www.privex.io |
+===================================================+
| |
| PyreWall - Python iptables firewall tool |
| License: X11/MIT |
| |
| Core Developer(s): |
| |
| (+) Chris (@someguy123) [Privex] |
| |
+===================================================+
PyreWall - A Python tool / service for managing iptables firewalls with ease
Copyright (c) 2019 Privex Inc. ( https://www.privex.io )
Installation
Pyrewall can be installed from PyPi using the standard pip3 package manager.
We recommend creating /etc/pyrewall and a "master rules file" named rules.pyre:
sudo mkdir /etc/pyrewall
sudo touch /etc/pyrewall/rules.pyre
NOTE: If you don't like the name rules.pyre, your master rules file can instead be named any of the following (searched in this order):
- rules.pyre
- main.pyre
- master.pyre
- base.pyre
- firewall.pyre
WARNING: If, for example, you have both rules.pyre and firewall.pyre, rules.pyre takes precedence; firewall.pyre will not be used unless you specify it explicitly when invoking pyre.
If you want Pyrewall to load your firewall rules automatically at boot, a systemd service file is included; install it with the built-in install_service command of pyre:
sudo pyre install_service
Usage
Once Pyrewall is installed, including the service, you can start adding Pyre rules to /etc/pyrewall/rules.pyre (or whichever master filename you chose).
To load the rules from the master file, simply run pyre load. Unless you pass -n, it uses a "dead man's switch": after the rules are loaded it prompts for confirmation, asking you to verify that you can still reach the server and have not locked yourself out. Run it from the interactive session you want to keep, not from a background job, since the prompt has to be able to read your answer.
pyre load
If you don't respond within 15 seconds (adjustable with --timeout), Pyrewall restores the IPv4 + IPv6 rules that were in place before pyre load was run.
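The confirm-or-revert behaviour described above, written out as an added Python example (this is not Pyrewall's code). It shows the ordering that makes the switch safe: snapshot first, apply, then wait, and put the snapshot back on timeout, on refusal, or when applying itself fails part-way. The iptables-save / iptables-restore invocations are real commands; the function names, the injected callables and the no_confirm flag are this example's own assumptions.

```python
"""Fail-safe ("dead man's switch") rule loading. Added illustration, not
Pyrewall's implementation: snapshot the live rule set, apply the new one,
wait for an operator to confirm access, and if confirmation does not arrive
in time (or applying fails half-way) put the snapshot back. All I/O is
injected as callables so the logic can be exercised without root."""
import select
import subprocess
import sys


def snapshot_rules(run=subprocess.run):
    """Capture the current IPv4 and IPv6 rule sets via iptables-save / ip6tables-save."""
    return {tool: run([tool + "-save"], capture_output=True, text=True, check=True).stdout
            for tool in ("iptables", "ip6tables")}


def restore_rules(saved, run=subprocess.run):
    """Feed each saved dump back through the matching *-restore binary.
    This is purely local, so it still works after the new rules cut off the network."""
    for tool, dump in saved.items():
        run([tool + "-restore"], input=dump, text=True, check=True)


def confirm_on_stdin(timeout, stdin=sys.stdin, stdout=sys.stdout):
    """Wait up to `timeout` seconds for the operator to type 'y'; silence or anything else means no."""
    stdout.write("Rules applied. Can you still reach this host? Type y within %ds: " % timeout)
    stdout.flush()
    ready, _, _ = select.select([stdin], [], [], timeout)
    return bool(ready) and stdin.readline().strip().lower() == "y"


def load_with_deadman(apply_new, snapshot=snapshot_rules, restore=restore_rules,
                      confirm=confirm_on_stdin, timeout=15, no_confirm=False):
    """Apply rules fail-safe. Returns 'kept' or 'reverted'; re-raises if apply_new
    fails (after restoring the snapshot). no_confirm mirrors a '-n' style flag:
    apply and keep without asking (assumed semantics, not the tool's)."""
    before = snapshot()  # taken BEFORE touching anything, so a known-good set always exists
    try:
        apply_new()
    except Exception:
        restore(before)  # a half-applied rule set is the worst outcome; undo it first
        raise
    if no_confirm or confirm(timeout):
        return "kept"
    restore(before)
    return "reverted"


if __name__ == "__main__":  # needs root and real iptables; argv[1] is an iptables-save format file
    new_v4 = open(sys.argv[1]).read()
    # applying == piping the new dump through iptables-restore, same mechanism as the rollback
    print(load_with_deadman(lambda: restore_rules({"iptables": new_v4})))
```

The two points worth carrying over to any script of this kind: the rollback path must not depend on anything the new rules could block (no remote fetch of the old rules), and a failure while applying must restore the snapshot rather than leave whichever rules happened to load before the error.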
You can also load rules from an individual file (they replace the existing rules):
pyre load somefile.pyre
If you'd rather Pyrewall didn't apply the rules for you, use the parse command to parse a Pyre file and output IPv4/IPv6 iptables rules, which you can then apply yourself with iptables-restore / ip6tables-restore, or through an automatic loader such as netfilter-persistent:
pyre parse --output4 /etc/iptables/rules.v4 --output6 /etc/iptables/rules.v6 my_rules.pyre
# Alternatively, you can use UNIX stdin and stdout for reading in Pyre files, and outputting the generated iptables
# rules through pipes and redirects.
pyre parse -i 4 my_rules.pyre > rules.v4
pyre parse -i 6 my_rules.pyre > rules.v6
cat my_rules.pyre | pyre parse -i 4 | sudo tee /etc/iptables/rules.v4
Basic Pyre file
Below is an example Pyre rule file showing the common rule syntax and the special interpreter directives such as @chain, @table and @import:
# This line isn't needed, it's just here to show the syntax. The default table is 'filter' anyway.
@table filter

# By default, INPUT, FORWARD, and OUTPUT are set to ACCEPT, just like standard iptables.
# Using @chain we can change them to DROP or REJECT.
@chain INPUT DROP
@chain FORWARD DROP

# We recommend using the included 'sane.pyre' template, which handles things you'd usually copy/paste, such as
# allowing related/established connections, accepting ICMPv4 and certain ICMPv6 types, allowing loopback
# (localhost) traffic etc.
@import templates/sane.pyre

# You can specify multiple chains on one line, and also mix/match IPv4 and IPv6 addresses + subnets.
allow chain input,forward state new from 1.2.3.4,2a07:e02:123::/64

# This is equivalent to 3 ACCEPT rules (INPUT,FORWARD,OUTPUT) for each of the below subnets.
# You can put the IPs on the same line, comma separated, or put them on a separate line if you prefer.
allow all from 185.130.44.0/27
allow all from 2a07:e00::/32

# This allows port 80, 443, and 8000 to 9000 incoming - for both TCP and UDP.
allow port 80,443,8000-9000

# You can import additional .pyre files, along with standard iptables .v4 and .v6 files
# They'll be searched for within (in order):
#   (current_work_dir) /etc/pyrewall /usr/local/etc/pyrewall ~/.pyrewall
#   (root_of_project) (root_of_package)
@import example/other.pyre

# Reject INPUT, FORWARD and OUTPUT from this IPv4 address
reject from 12.34.56.78

rem By using 'rem', we can also write comments that will be converted into standard '#' comments
rem when the Pyre file is exported to ip(6)tables-save format.

drop forward from 3.4.5.6,2001:def::/64

# Allow port 9090 + 1010 via TCP and UDP from the specified IPv4 and IPv6 address
allow port 9090,1010 both from 10.0.0.1,2a07:e01::/32

# This is equivalent to:
# -A INPUT -p tcp -m multiport --dports 99,88 -m multiport --sports 10,20 -j ACCEPT
allow port 99,88 sport 10,20

# Allow UDP traffic where the source port is between 1000 and 2000
allow sport 1000-2000 udp
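As an added example, and not Pyrewall's own parser, here is a small Python compiler for the subset of the Pyre syntax used in the sample above (and the same mechanism that the parse command exposes). The emitted layout, the conntrack match used for `state`, and the defaults (a bare `port` rule lands in INPUT for both TCP and UDP; an address-only rule lands in all three chains) follow the README comments but are assumptions about the real tool. The sample text is constructed from lines of the README example; the function names are this example's own.

```python
"""Compile a subset of the Pyre rule language into iptables-restore format.
Added illustration, not Pyrewall's own parser: it handles only the constructs in the
README sample (@chain, allow/reject/drop, all/input/forward/output/chain, port, sport,
tcp/udp/both, from, state, rem) and skips @table/@import. Output layout and the
defaults below are assumptions about the real tool's behaviour."""
import ipaddress
import re

ACTIONS = {"allow": "ACCEPT", "reject": "REJECT", "drop": "DROP"}
ALL_CHAINS = ("INPUT", "FORWARD", "OUTPUT")


def parse_rule(line):
    """Parse one rule line; unknown tokens raise ValueError instead of being silently ignored."""
    tok = line.split()
    action = tok.pop(0).lower()
    if action not in ACTIONS:
        raise ValueError("unknown action: " + action)
    r = {"action": ACTIONS[action], "chains": None, "protos": [],
         "dports": None, "sports": None, "src": None, "state": None}
    while tok:
        t = tok.pop(0).lower()
        if t == "all":
            r["chains"] = ALL_CHAINS
        elif t in ("input", "forward", "output"):
            r["chains"] = (t.upper(),)
        elif t == "chain":
            r["chains"] = tuple(c.upper() for c in tok.pop(0).split(","))
        elif t in ("port", "sport"):  # Pyre writes ranges as 8000-9000; multiport wants 8000:9000
            r["dports" if t == "port" else "sports"] = re.sub(r"(\d+)-(\d+)", r"\1:\2", tok.pop(0))
        elif t in ("tcp", "udp"):
            r["protos"].append(t)
        elif t == "both":
            r["protos"] = ["tcp", "udp"]
        elif t in ("from", "state"):
            r["src" if t == "from" else "state"] = tok.pop(0)
        else:
            raise ValueError("unsupported token: " + t)
    has_ports = bool(r["dports"] or r["sports"])
    if r["chains"] is None:  # README: address-only rules hit all chains, port rules only INPUT
        r["chains"] = ("INPUT",) if has_ports else ALL_CHAINS
    if has_ports and not r["protos"]:  # a port rule with no protocol covers TCP and UDP
        r["protos"] = ["tcp", "udp"]
    return r


def _render(r, src):
    """One iptables line per chain x protocol for a single source (src may be None)."""
    out = []
    for chain in r["chains"]:
        for proto in r["protos"] or [None]:
            parts = ["-A", chain] + (["-s", src] if src else []) + (["-p", proto] if proto else [])
            if r["dports"]:
                parts += ["-m", "multiport", "--dports", r["dports"]]
            if r["sports"]:
                parts += ["-m", "multiport", "--sports", r["sports"]]
            if r["state"]:
                parts += ["-m", "conntrack", "--ctstate", r["state"].upper()]
            out.append(" ".join(parts + ["-j", r["action"]]))
    return out


def compile_pyre(text):
    """Return (ipv4_lines, ipv6_lines), each a complete *filter table for ip(6)tables-restore."""
    policies = dict.fromkeys(ALL_CHAINS, "ACCEPT")
    rules4, rules6 = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("@table", "@import")):
            continue
        words = line.split()
        if words[0] == "@chain":
            policies[words[1].upper()] = words[2].upper()
        elif words[0].lower() == "rem":  # rem comments survive as '#' comments in the output
            rules4.append("# " + " ".join(words[1:]))
            rules6.append("# " + " ".join(words[1:]))
        else:
            r = parse_rule(line)
            if r["src"] is None:  # no address: the rule applies to both families
                rules4 += _render(r, None)
                rules6 += _render(r, None)
            else:  # each address goes only to the output of its own family
                for addr in r["src"].split(","):
                    target = rules4 if ipaddress.ip_network(addr, strict=False).version == 4 else rules6
                    target += _render(r, addr)
    header = ["*filter"] + [":%s %s [0:0]" % (c, policies[c]) for c in ALL_CHAINS]
    return header + rules4 + ["COMMIT"], header + rules6 + ["COMMIT"]


SAMPLE = """\
@chain INPUT DROP
@chain FORWARD DROP
allow chain input,forward state new from 1.2.3.4,2a07:e02:123::/64
allow all from 185.130.44.0/27
allow port 80,443,8000-9000
reject from 12.34.56.78
rem this comment is kept in the iptables output
allow port 99,88 sport 10,20
allow sport 1000-2000 udp
"""  # constructed from lines of the README example

if __name__ == "__main__":
    v4, v6 = compile_pyre(SAMPLE)
    print("\n".join(v4) + "\n\n" + "\n".join(v6))
```

Running it prints both tables. Two things to check when comparing any such converter against the real tool's output: addresses from a single mixed `from` list must end up in separate IPv4 and IPv6 files (ip6tables-restore rejects an IPv4 source and vice versa), and port ranges must be rewritten to multiport's `a:b` form, because `8000-9000` is not valid multiport syntax and the restore would fail.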
Using the REPL
(Note: the animated GIF demo is roughly 110MB and may take a while to load depending on your connection. You can also watch the demo at full speed and quality in our YouTube video.)
Pyrewall ships with a REPL (Read Eval Print Loop), an interactive prompt for experimenting with the Pyre language. It has arrow-key support (up/down to browse history), tab completion with syntax suggestions, and live syntax highlighting as you type.
This is similar to the interactive interpreters of programming languages such as Python (python3 -i) and PHP (php -a).
Once Pyrewall is installed, just type pyre repl and you'll be dropped into the REPL.
pyre repl
Type \? or help to display help on the REPL's features, along with some example Pyre lines to try.
You can also load the REPL with a .pyre file, which lets you print the file with syntax highlighting, add new lines to it, and compile it into IPv4/IPv6 iptables rules:
# Load the REPL with the included templates/sane.pyre pre-loaded into the REPL history
pyre repl templates/sane.pyre
Inside the REPL you can print the rules entered in the current session (including any file you specified on the command line):
# Show the Pyre rules entered during this session, with syntax highlighting
\show
# Compile the IPv4 Pyre rules into IPv4 iptables format and print them
\show ip4
# Compile the IPv6 Pyre rules into IPv6 iptables format and print them
\show ip6
# Print both IPv4 + IPv6 iptables rules
\show both
# Print Pyre rules, as well as IPv4 + IPv6 rules
\show all
To output the rules from a REPL session to a file:
# Output the Pyre rules into a Pyre file
\output pyre my_rules.pyre
# Convert the Pyre rules into IPv4 iptables format and output them into a file for use with iptables-restore
\output ip4 ipt_rules.v4
# Convert the Pyre rules into IPv6 iptables format and output them into a file for use with ip6tables-restore
\output ip6 ipt_rules.v6