我目前正在用python编写防火墙。 此防火墙必须能够从白名单中判断是否允许流通过
防火墙的目的是在正确的端口上请求它以获得请求的服务。 例如,如果您想访问此防火墙后面的web服务器,只需请求端口80或443上的防火墙,防火墙将根据白名单将数据包转发到正确的机器。对用户来说,一切都必须是透明的
目前,为了解决这个问题,我使用scapy嗅探数据包并传输它们。 但是对于一个简单的HTTP通信(在TCP中),没有任何东西可以工作,UDP和ICMP也是如此
我认为我的问题来自这样一个事实:我使用scapy嗅探数据包并重新传输它们,而我不使用线程。 我想知道是否有人已经做了类似的事情,如果你有任何建议,哪些模块使用
我将尽可能详细地介绍我的代码,让您了解它是如何工作的
首先是main(),此函数嗅探数据包并确定数据包是来自外部还是内部。 根据这些参数,它确定将要处理的数据包发送到哪个其他功能
def main():
test = 0
buffer = []
# INFINITE LOOPS FOR THE MOMENT #
while(test<1000):
# SNIFFING PACKET ON THE EXTERNAL AND INTERNAL INTERFACE #
packet = sniff(filter="ip",iface=["ens192","InternalInterface"],count=1)
if(packet):
PacketContent = packet[0]
IpDestination = PacketContent[IP].dst
IpDestination = str(IpDestination)
IPSource = PacketContent[IP].src
IPSource = str(IPSource)
# GETTING THE IP AND MASK OF THE INBOUND PACKET #
LocalIp = ipaddress.ip_network(IfIp+"/"+Mask,strict = False)
NetworkIp = ipaddress.ip_network(IpDestination+"/"+Mask,strict = False)
# GETTING THE IP AND MASK OF THE EXTERNAL NETWORK INTERFACE OF THE FIREWALL #
IfIp = ni.ifaddresses('ens192')[ni.AF_INET][0]['addr']
Mask = ni.ifaddresses('ens192')[ni.AF_INET][0]['netmask']
# GETTING THE IP AND MASK OF THE INTERNAL NETWORK INTERFACE OF THE FIREWALL #
IfIp2 = ni.ifaddresses('InternalInterface')[ni.AF_INET][0]['addr']
Mask2 = ni.ifaddresses('InternalInterface')[ni.AF_INET][0]['netmask']
# GETTING THE NETWORK IP OF PACKET AND OF INTERNAL INTERFACE #
LocalIp2 = ipaddress.ip_network(IfIp2+"/"+Mask2,strict = False)
IPSource = ipaddress.ip_network(IPSource+"/"+Mask,strict = False)
# IF A PACKET IS DESTINATED FOR THE ADDRESS OF THE EXTERNAL FIREWALL INTERFACES #
if(IfIp == IpDestination):
if(PacketContent[TCP].dport == 22):
main()
print("Forwarding "+ IpDestination + " to IN")
buffer = ForwardingPort(PacketContent,buffer)
# IF A PACKET IS DESTINATED FOR THE ADDRESS OF THE INTERNAL FIREWALL INTERFACES #
elif(IPSource == LocalIp2):
PacketContent.show()
print("Forwarding "+ str(IPSource) + " to OUT")
buffer = BufferPort(PacketContent,buffer)
然后,如果数据包来自函数ForwardingPort之外,则将调用该函数 此函数将接收的数据包以及包含客户端临时端口列表的数组作为参数
def ForwardingPort(Packet,buffer):
# IF THE PACKET TYPE IS 6 IT'S TCP #
elif(Packet[IP].proto == 6):
# GETTING THE ASKED SOCKET NUMBER #
Service = Packet[TCP].dport
Service = str(Service)
# OPENING THE FILES THAT CONTAINS SOCKET FORWARDING RULES #
f = open("/root/ProjetMarsan/Forwading.txt")
# READING EACH LINE TO FIND THE ASKED SOCKET #
for li in f.readlines() :
# IF THE PORT IS AUTHORIZED ON THE FILE #
if Service in li:
# GETTING DESTINATION SERVER IP ON THE INTERNAL NETWORK #
ipDestNat = li.split('=')[1]
ipDestNat = ipDestNat.replace(" ","")
ipDestNat = ipDestNat.replace("\n","")
# REPLACEMENT OF THE ORIGINAL IP WITH THE IP OF THE CORRECT MACHINE CONTAINED IN THE TEXT FILE #
Packet[IP].dst = ipDestNat
# BACKUP OF THE TEMPORARY PORT OPENED BY THE CLIENT TO INTEROGATE THE FIREWALL IN A TEXT FILE #
IpSrcBuff = str(Packet[IP].src)
SPortBuff = str(Packet[IP].sport)
buffer.append(SPortBuff + ":" + IpSrcBuff)
# RECALCULATION OF THE NEW CHECKSUM #
del Packet[IP].chksum
del Packet[TCP].chksum
Packet.show2()
# SENDING THE PACKET ON THE INTERNAL INTERFACES TO THE RIGHT SERVER #
sendp(Packet,iface="InternalInterface")
# RETURNING THE LIST OF THE TEMPORARY PORT OF CLIENT #
return(buffer)
现在,如果数据包来自防火墙内部,则将调用函数BufferPort
def BufferPort(Packet,buffer):
# GETTING THE PORT DESTINATION OF THE PACKET #
Dport = str(Packet[IP].dport)
# CHECKING IF THE TEMPORARY SOCKET IS ON THE BUFFER LIST #
for yo in buffer:
print("checking buffer")
lo = lo + 1
# IF THE TEMPORARY SOCKET IS IN, REPLACE IP BY THE EXTERNAL FIREWALL INTERFACE IP AND RECALCULATE PACKET CHECKSUM #
if(Dport in yo):
ipDestBuff = yo.split(":")[1]
ipDestBuff = ipDestBuff.replace(" ","")
ipDestBuff = ipDestBuff.replace("\n","")
Packet[IP].dst = ipDestBuff
Packet[IP].src = "192.168.1.81"
del Packet[IP].chksum
del Packet[TCP].chksum
Packet.show2()
sendp(Packet,iface="ens192")
buffer[lo] = ""
return buffer
多谢各位
目前没有回答
相关问题 更多 >
编程相关推荐