Merge pull request #199 from coreemu/feature/nat-service

add a source NAT service using iptables masquerade
bharnden 2018-10-10 14:55:08 -07:00 committed by GitHub
commit 7232ac5a5d


@ -11,8 +11,8 @@ from core.service import CoreService
class VPNClient(CoreService): class VPNClient(CoreService):
name = "VPNClient" name = "VPNClient"
group = "Security" group = "Security"
configs = ('vpnclient.sh',) configs = ("vpnclient.sh",)
startup = ('sh vpnclient.sh',) startup = ("sh vpnclient.sh",)
shutdown = ("killall openvpn",) shutdown = ("killall openvpn",)
validate = ("pidof openvpn",) validate = ("pidof openvpn",)
custom_needed = True custom_needed = True
@ -37,8 +37,8 @@ class VPNClient(CoreService):
class VPNServer(CoreService): class VPNServer(CoreService):
name = "VPNServer" name = "VPNServer"
group = "Security" group = "Security"
configs = ('vpnserver.sh',) configs = ("vpnserver.sh",)
startup = ('sh vpnserver.sh',) startup = ("sh vpnserver.sh",)
shutdown = ("killall openvpn",) shutdown = ("killall openvpn",)
validate = ("pidof openvpn",) validate = ("pidof openvpn",)
custom_needed = True custom_needed = True
@ -64,8 +64,8 @@ class VPNServer(CoreService):
class IPsec(CoreService): class IPsec(CoreService):
name = "IPsec" name = "IPsec"
group = "Security" group = "Security"
configs = ('ipsec.sh',) configs = ("ipsec.sh",)
startup = ('sh ipsec.sh',) startup = ("sh ipsec.sh",)
shutdown = ("killall racoon",) shutdown = ("killall racoon",)
custom_needed = True custom_needed = True
@ -91,8 +91,8 @@ class IPsec(CoreService):
class Firewall(CoreService): class Firewall(CoreService):
name = "Firewall" name = "Firewall"
group = "Security" group = "Security"
configs = ('firewall.sh',) configs = ("firewall.sh",)
startup = ('sh firewall.sh',) startup = ("sh firewall.sh",)
custom_needed = True custom_needed = True
@classmethod @classmethod
@ -110,3 +110,52 @@ class Firewall(CoreService):
logger.exception("Error opening Firewall configuration template (%s)", fname) logger.exception("Error opening Firewall configuration template (%s)", fname)
return cfg return cfg
class Nat(CoreService):
"""
IPv4 source NAT service.
"""
name = "NAT"
executables = ("iptables",)
group = "Security"
configs = ("nat.sh", )
startup = ("sh nat.sh",)
custom_needed = False
@classmethod
def generateifcnatrule(cls, ifc, line_prefix=""):
"""
Generate a NAT line for one interface.
"""
cfg = line_prefix + "iptables -t nat -A POSTROUTING -o "
cfg +=ifc.name + " -j MASQUERADE\n"
cfg += line_prefix + "iptables -A FORWARD -i " + ifc.name
cfg += " -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
cfg += line_prefix + "iptables -A FORWARD -i "
cfg += ifc.name + " -j DROP\n"
return cfg
@classmethod
def generate_config(cls, node, filename):
"""
NAT out the first interface
"""
cfg = "#!/bin/sh\n"
cfg += "# generated by security.py\n"
cfg += "# NAT out the first interface by default\n"
have_nat = False
for ifc in node.netifs():
if hasattr(ifc, 'control') and ifc.control == True:
continue
if have_nat:
cfg += cls.generateifcnatrule(ifc, line_prefix="#")
else:
have_nat = True
cfg += "# NAT out the " + ifc.name + " interface\n"
cfg += cls.generateifcnatrule(ifc)
cfg += "\n"
return cfg
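Review bot: The generated nat.sh appends every rule with `iptables -A` and the Nat class declares no `shutdown`, so a stop does not remove the MASQUERADE/FORWARD rules and each restart of the service appends a second copy of all three; guarding each append with `iptables -C ... 2>/dev/null || iptables -A ...` in generateifcnatrule keeps the script idempotent without flushing chains that the Firewall service may also populate. Nothing in the hunk enables net.ipv4.ip_forward, so if the node does not already run a forwarding service the masquerade rule has no effect — the generate_config docstring should say `NAT out the first non-control interface; assumes IP forwarding is enabled on the node`. Minor: `hasattr(ifc, 'control') and ifc.control == True` can be `getattr(ifc, "control", False)` (also matching the double-quote normalization this commit applies to the other classes), and `cfg +=ifc.name` needs a space after `+=`.
```python
    @classmethod
    def generateifcnatrule(cls, ifc, line_prefix=""):
        """
        Generate the NAT rules for one interface; each rule is appended
        only when an identical one is not already present, so re-running
        the script does not duplicate it.
        """
        rules = (
            ("-t nat", "POSTROUTING -o %s -j MASQUERADE" % ifc.name),
            ("-t filter", "FORWARD -i %s -m state --state RELATED,ESTABLISHED -j ACCEPT" % ifc.name),
            ("-t filter", "FORWARD -i %s -j DROP" % ifc.name),
        )
        cfg = ""
        for table, rule in rules:
            check = "iptables %s -C %s 2>/dev/null" % (table, rule)
            append = "iptables %s -A %s" % (table, rule)
            cfg += "%s%s || %s\n" % (line_prefix, check, append)
        return cfg
    # … unchanged: generate_config …
```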