Privex Pyrewall

Python中的iptables防火墙管理系统。

警告：仍在建设中

+===================================================+
|                 © 2019 Privex Inc.                |
|               https://www.privex.io               |
+===================================================+
|                                                   |
|        PyreWall - Python iptables firewall tool   |
|        License: X11/MIT                           |
|                                                   |
|        Core Developer(s):                         |
|                                                   |
|          (+)  Chris (@someguy123) [Privex]        |
|                                                   |
+===================================================+

PyreWall - A Python tool / service for managing iptables firewalls with ease
Copyright (c) 2019    Privex Inc. ( https://www.privex.io )

安装

Pyrewall可以从PyPi轻松安装，使用标准的pip3包管理器。

# Install/Upgrade Pyrewall using pip3 as root
sudo -H pip3 install -U pyrewall

建议您创建/etc/pyrewall，并附带一个“主规则文件”rules.pyre。

sudo mkdir /etc/pyrewall
sudo touch /etc/pyrewall/rules.pyre

注意：如果您不喜欢rules.pyre的名称，您的主规则文件可以命名为以下名称之一（这些名称将按顺序尝试）

• rules.pyre
• main.pyre
• master.pyre
• base.pyre
• firewall.pyre

警告：如果您同时有rules.pyre和firewall.pyre等，则rules.pyre将具有优先级，并且除非您在调用pyre时手动指定，否则将不会使用firewall.pyre。

如果您希望Pyrewall在启动时自动加载防火墙规则，系统服务文件包含一个自动安装命令，已内置到pyre中

sudo pyre install_service

用法

安装Pyrewall（包括服务）后，您可以将Pyre规则添加到/etc/pyrewall/rules.pyre（或您决定的替代主文件名）。

要从主文件加载规则，您可以简单地运行pyre load。除非您指定-n，否则在规则加载后使用“死男人的开关”确认提示，询问您是否可以继续访问服务器且没有将自己锁在外面。

pyre load

如果您在15秒内（可以用--timeout调整）没有回应，Pyrewall将恢复运行pyre load之前的IPv4 + IPv6规则

您还可以从单个文件中加载规则（它们将替换您现有的规则）

pyre load somefile.pyre

如果您不希望Pyrewall为您应用规则，您可以使用parse命令解析Pyre文件，并输出IPv4 / IPv6 iptables规则，您可以使用iptables-restore / ip6tables-restore手动应用，或者使用像netfilter-persistent这样的自动加载系统

pyre parse --output4 /etc/iptables/rules.v4 --output6 /etc/iptables/rules.v6 my_rules.pyre
# Alternatively, you can use UNIX stdin and stdout for reading in Pyre files, and outputting the generated iptables
# rules through pipes and redirects.
pyre parse -i 4 my_rules.pyre > rules.v4
pyre parse -i 6 my_rules.pyre > rules.v6

cat my_rules.pyre | pyre parse -i 4 | sudo tee /etc/iptables/rules.v4

基本Pyre文件

以下是示例Pyre规则文件，展示了常见的规则语法，以及特殊的解释器功能，如@chain、@table和@import

# This line isn't needed, it's just here to show the syntax. The default table is 'filter' anyway.
@table filter
# By default, INPUT, FORWARD, and OUTPUT are set to ACCEPT, just like standard iptables.
# Using @chain we can change them to DROP or REJECT.
@chain INPUT DROP
@chain FORWARD DROP

# We recommend using the included 'sane.pyre' template, which handles things you'd usually copy/paste, such as
# allowing related/established connections, accepting ICMPv4 and certain ICMPv6 types, allowing loopback 
# (localhost) traffic etc.
@import templates/sane.pyre

# You can specify multiple chains on one line, and also mix/match IPv4 and IPv6 addresses + subnets.
allow chain input,forward state new from 1.2.3.4,2a07:e02:123::/64

# This is equivalent to 3 ACCEPT rules (INPUT,FORWARD,OUTPUT) for each of the below subnets.
# You can put the IPs on the same line, comma separated, or put them on a separate line if you prefer.
allow all from 185.130.44.0/27
allow all from 2a07:e00::/32

# This allows port 80, 443, and 8000 to 9000 incoming - for both TCP and UDP.
allow port 80,443,8000-9000

# You can import additional .pyre files, along with standard iptables .v4 and .v6 files
# They'll be searched for within (in order):
# (current_work_dir)    /etc/pyrewall         /usr/local/etc/pyrewall     ~/.pyrewall
# (root_of_project)     (root_of_package)
@import example/other.pyre

# Reject INPUT, FORWARD and OUTPUT from this IPv4 address
reject from 12.34.56.78

rem By using 'rem', we can also write comments that will be converted into standard '#' comments
rem when the Pyre file is exported to ip(6)tables-save format.
drop forward from 3.4.5.6,2001:def::/64

# Allow port 9090 + 1010 via TCP and UDP from the specified IPv4 and IPv6 address
allow port 9090,1010 both from 10.0.0.1,2a07:e01::/32

# This is equivalent to:
# -A INPUT -p tcp -m multiport --dports 99,88 -m multiport --sports 10,20 -j ACCEPT
allow port 99,88 sport 10,20

# Allow UDP traffic where the source port is between 1000 and 2000
allow sport 1000-2000 udp

使用REPL

（注意：上面的动画GIF演示大约为110MB，根据您的互联网速度可能需要一段时间才能加载。您也可以在我们的YouTube视频中查看原始速度、全质量演示）

Pyrewall附带一个REPL（读取评估打印循环），这是一个用于实验Pyre语言的交互式提示。它支持箭头键（您可以按上/下键访问历史记录，并使用自动补全），具有语法建议的自动补全，以及您在键入时实时语法高亮显示

这与Python（python3 -i）和PHP（php -i）等编程语言的交互式解释器类似。

安装Pyrewall后，只需键入pyre repl，您就会进入REPL。

pyre repl

您可以键入\?或help来显示REPL功能的使用帮助以及您可以尝试的一些Pyre示例行。

您还可以使用.pyre文件加载REPL，允许您以语法高亮显示打印文件，向其中追加新行，并将其编译为IPv4 / IPv6 iptables规则

# Load the REPL with the included templates/sane.pyre pre-loaded into the REPL history
pyre repl templates/sane.pyre

打印当前会话期间输入的规则（包括在CLI上指定文件时加载的规则）

# Show the Pyre rules entered during this session, with syntax highlighting
\show
# Compile the IPv4 Pyre rules into IPv4 iptables format and print them
\show ip4
# Compile the IPv6 Pyre rules into IPv6 iptables format and print them
\show ip6
# Print both IPv4 + IPv6 iptables rules
\show both
# Print Pyre rules, as well as IPv4 + IPv6 rules
\show all

将REPL会话中的规则输出到文件

# Output the Pyre rules into a Pyre file
\output pyre my_rules.pyre

# Convert the Pyre rules into IPv4 iptables format and output them into a file for use with iptables-restore
\output ip4 ipt_rules.v4

# Convert the Pyre rules into IPv6 iptables format and output them into a file for use with ip6tables-restore
\output ip6 ipt_rules.v6