diff --git a/yunohost_firewall.py b/yunohost_firewall.py index 7e04a45a..d66f6aa8 100644 --- a/yunohost_firewall.py +++ b/yunohost_firewall.py @@ -2,7 +2,98 @@ import os import sys -import yaml +try: + import yaml +except ImportError: + sys.stderr.write('Error: Yunohost CLI Require yaml lib\n') + sys.stderr.write('apt-get install python-yaml\n') + sys.exit(1) -def firewall_allow(args): - pass +def firewall_allow(protocol=None,port=None,name=None): + if protocol == "Both": + chaineTCP="iptables -A INPUT -p tcp -i eth0 --dport "+ port +" -j ACCEPT" + chaineUDP="iptables -A INPUT -p udp -i eth0 --dport "+ port +" -j ACCEPT" + append_port(port,'tcp') + append_port(port,'udp') + os.system(chaineTCP) + os.system(chaineUDP) + + else: + chaine="iptables -A INPUT -p "+ protocol +" -i eth0 --dport "+ port +" -j ACCEPT" + append_port(port,protocol) + os.system(chaine) + +def firewall_disallow(protocol=None,port=None,name=None): + if protocol == "Both": + chaineTCP="iptables -A INPUT -p tcp -i eth0 --dport "+ port +" -j REJECT" + chaineUDP="iptables -A INPUT -p udp -i eth0 --dport "+ port +" -j REJECT" + remove_port(port,'tcp') + remove_port(port,'udp') + os.system(chaineTCP) + os.system(chaineUDP) + else: + chaine="iptables -A INPUT -p "+ protocol +" -i eth0 --dport "+ port +" -j REJECT" + os.system(chaine) + remove_port(port,protocol) + os.system(chaine) + +def firewall_list(): + ''' + Parse and display firwall.yml + ''' + with open ('firewall.yml') as f: + firewall = yaml.load(f) + print(firewall) + +def firewall_reload(): + ''' + Clear filter IPTABLE's table + Allow SSH + Parse firewall.yml extract the list of port allowed + Allow all port in the list + Prohibit the rest + ''' + os.system("iptables -P INPUT ACCEPT") + os.system ("iptables -F") + os.system ("iptables -X") + os.system ("iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT") + with open('firewall.yml','r') as f: + firewall = yaml.load(f) + listPortTCP=firewall['ipv4']["TCP"] + listPortUDP=firewall['ipv4']["UDP"] + for port in enumerate (listPortTCP): + os.system ("iptables -A INPUT -p tcp -i eth0 --dport "+ port +" -j ACCEPT") + for port in enumerate (listPortUDP): + os.system ("iptables -A INPUT -p udp -i eth0 --dport "+ port +" -j ACCEPT") + os.system ("iptables -P INPUT DROP") + +def append_port(port=None,protocol=None): + ''' + Append port in firewall.yml + ''' + with open('firewall.yml','r') as f: + firewall = yaml.load(f) + if port not in firewall['ipv4'][protocol]: + firewall['ipv4'][protocol].append(int(port)) + firewall['ipv4'][protocol].sort() + f.close + os.system("mv firewall.yml firewall.yml.old") + with open('firewall.yml','w') as f: + yaml.dump(firewall,f) + f.close + + +def remove_port(port=None,protocol=None): + ''' + Remove port from firewall.yml + ''' + with open('firewall.yml','r') as f: + firewall = yaml.load(f) + if port in firewall['ipv4'][protocol]: + firewall['ipv4'][protocol].remove(int(port)) + firewall['ipv4'][protocol].sort() + f.close + os.system("mv firewall.yml firewall.yml.old") + with open('firewall.yml','w') as f: + yaml.dump(firewall,f) + f.close