c_meyer/KasperskyLab-TinyCheck
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

switch from iptable to nftables

Browse Source
This commit is contained in:
Victor Chebyshev 2022-07-14 15:59:52 +03:00
parent c7e838385f
commit 87700adb4c
1 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
server/frontend/app/classes/network.py
View File

@ -298,13 +298,22 @@ class Network(object):
shell=True).wait() shell=True).wait()
# Enable forwarding. # Enable forwarding.
sp.Popen(["iptables", "-A", "POSTROUTING", "-t", "nat", "-o",
self.iface_out, "-j", "MASQUERADE"]).wait() sp.Popen("nft add table nat",shell=True).wait()
sp.Popen("nft 'add chain nat prerouting { type nat hook prerouting priority 100; }'",shell=True).wait()
sp.Popen("nft 'add chain nat postrouting { type nat hook postrouting priority 100; }'",shell=True).wait()
sp.Popen("nft add table ip filter",shell=True).wait()
sp.Popen("nft 'add chain ip filter INPUT { type filter hook input priority 0; }'",shell=True).wait()
sp.Popen(["nft","add","rule","ip","nat","postrouting","oifname",
self.iface_out,"counter","masquerade"]).wait()
# Prevent the device to reach the 80 and 443 of TinyCheck. # Prevent the device to reach the 80 and 443 of TinyCheck.
sp.Popen(["iptables", "-A", "INPUT", "-i", self.iface_in, "-d", sp.Popen(["nft","add","rule","ip","filter","INPUT","iifname",self.iface_in,"ip",
"192.168.100.1", "-p", "tcp", "--match", "multiport", "--dports", "80,443", "-j" "DROP"]).wait() "protocol","tcp","ip","daddr","192.168.100.1","tcp","dport","{ 80,443}","counter","drop"]).wait()
return True return True
except: except:
return False return False