#!/www/server/panel/pyenv/bin/python3.7 # coding: utf-8 # ------------------------------------------------------------------- # yakpanel # ------------------------------------------------------------------- # Copyright (c) 2014-2099 yakpanel(http://www.yakpanel.com) All rights reserved. # ------------------------------------------------------------------- # Author: wzz # ------------------------------------------------------------------- # ------------------------------ # 系统防火墙模型 - ufw封装库 # ------------------------------ import subprocess import os import sys if "/www/server/panel/class" not in sys.path: sys.path.insert(0, "/www/server/panel/class") import public # import re from firewallModel.app.appBase import Base class Ufw(Base): def __init__(self): self.cmd_str = self._set_cmd_str() def _set_cmd_str(self): return "ufw" # 2024/3/19 下午 5:00 获取系统防火墙的运行状态 def status(self): ''' @name 获取系统防火墙的运行状态 @author wzz <2024/3/19 下午 5:00> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: result = subprocess.run([self.cmd_str, "status"], capture_output=True, text=True, check=True) if "Status: active" in result.stdout: return "running" elif "状态: 激活" in result.stdout: return "running" else: return "not running" except subprocess.CalledProcessError: return "not running" except Exception as e: return "not running" # 2024/3/19 下午 5:00 获取系统防火墙的版本号 def version(self): ''' @name 获取系统防火墙的版本号 @author wzz <2024/3/19 下午 5:00> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: result = subprocess.run([self.cmd_str, "version"], capture_output=True, text=True, check=True) info = result.stdout.replace("\n", "") return info.replace("ufw ", "") except Exception as e: return "未知版本" # 2024/3/19 下午 5:00 启动防火墙 def start(self): ''' @name 启动防火墙 @author wzz <2024/3/19 下午 5:00> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: stdout, stderr = public.ExecShell("echo y | {} enable".format(self.cmd_str)) if stderr: return self._result(False, "启动防火墙失败:{}".format(stderr)) return self._result(True, "启动防火墙成功") except Exception as e: return self._result(False, "启动防火墙失败:{}".format(str(e))) # 2024/3/19 下午 5:00 停止防火墙 def stop(self): ''' @name 停止防火墙 @author wzz <2024/3/19 下午 5:00> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: stdout, stderr = public.ExecShell("{} disable".format(self.cmd_str)) if stderr: return self._result(False, "停止防火墙失败:{}".format(stderr)) return self._result(True, "停止防火墙成功") except Exception as e: return self._result(False, "停止防火墙失败:{}".format(str(e))) # 2024/3/19 下午 4:59 重启防火墙 def restart(self): ''' @name 重启防火墙 @author wzz <2024/3/19 下午 4:59> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: self.stop() self.start() except Exception as e: return self._result(False, "重启防火墙失败:{}".format(str(e))) # 2024/3/19 下午 4:59 重载防火墙 def reload(self): ''' @name 重载防火墙 @author wzz <2024/3/19 下午 4:59> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: subprocess.run([self.cmd_str, "reload"], check=True, stdout=subprocess.PIPE) except Exception as e: return self._result(False, "重载防火墙失败:{}".format(str(e))) # 2024/3/19 上午 10:39 列出防火墙中所有端口规则 def list_port(self): ''' @name 列出防火墙中所有端口规则 @author wzz <2024/3/19 上午 10:39> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: result = subprocess.run( [self.cmd_str, "status", "verbose"], capture_output=True, text=True, check=True ) port_infos = result.stdout.split("\n") datas = [] is_start = False for line in port_infos: if line.startswith("-"): is_start = True continue if not is_start: continue item_fire = self._load_info(line, "port") if item_fire.get("Port") and item_fire["Port"] != "Anywhere" and "." not in item_fire["Port"]: item_fire["Port"] = item_fire["Port"].replace(":", "-") item_fire["Address"] = "all" if item_fire["Address"] == "Anywhere" else item_fire["Address"] datas.append(item_fire) return datas except Exception as e: return [] # 2024/3/19 上午 10:39 列出防火墙中所有input端口规则 def list_input_port(self): ''' @name 列出防火墙中所有input端口规则 @author wzz <2024/3/19 上午 10:39> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: result = subprocess.run( [self.cmd_str, "status", "verbose"], capture_output=True, text=True, check=True ) port_infos = result.stdout.split("\n") datas = [] is_start = False for line in port_infos: if line.startswith("-"): is_start = True continue if not is_start: continue item_fire = self._load_info(line, "port") if item_fire.get("Port") and item_fire["Port"] != "Anywhere" and "." not in item_fire["Port"]: item_fire["Port"] = item_fire["Port"].replace(":", "-") if item_fire["Chain"] == "INPUT": datas.append(item_fire) return datas except Exception as e: return [] # 2024/3/19 上午 10:39 列出防火墙中所有output端口规则 def list_output_port(self): ''' @name 列出防火墙中所有output端口规则 @author wzz <2024/3/19 上午 10:39> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: result = subprocess.run( [self.cmd_str, "status", "verbose"], capture_output=True, text=True, check=True ) port_infos = result.stdout.split("\n") datas = [] is_start = False for line in port_infos: if line.startswith("-"): is_start = True continue if not is_start: continue item_fire = self._load_info(line, "port") if item_fire.get("Port") and item_fire["Port"] != "Anywhere" and "." not in item_fire["Port"]: item_fire["Port"] = item_fire["Port"].replace(":", "-") if item_fire["Chain"] == "OUTPUT": datas.append(item_fire) return datas except Exception as e: return [] # 2024/3/19 上午 10:39 列出防火墙中所有的ip规则 def list_address(self): ''' @name 列出防火墙中所有的ip规则 @author wzz <2024/3/19 上午 10:39> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: result = subprocess.run( [self.cmd_str, "status", "verbose"], capture_output=True, text=True, check=True ) port_infos = result.stdout.split("\n") datas = [] is_start = False for line in port_infos: if line.startswith("-"): is_start = True continue if not is_start: continue item_fire = self._load_info(line, "address") if "Port" in item_fire: continue if item_fire.get("Address"): datas.append(item_fire) return datas except Exception as e: return [] # 2024/3/19 上午 10:39 列出防火墙中所有input的ip规则 def list_input_address(self): ''' @name 列出防火墙中所有input的ip规则 @author wzz <2024/3/19 上午 10:39> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: result = subprocess.run( [self.cmd_str, "status", "verbose"], capture_output=True, text=True, check=True ) port_infos = result.stdout.split("\n") datas = [] is_start = False for line in port_infos: if line.startswith("-"): is_start = True continue if not is_start: continue if " IN" not in line: continue item_fire = self._load_info(line, "address") if "Port" in item_fire: continue if item_fire.get("Address"): datas.append(item_fire) return datas except Exception as e: return [] # 2024/3/19 上午 10:39 列出防火墙中所有output的ip规则 def list_output_address(self): ''' @name 列出防火墙中所有output的ip规则 @author wzz <2024/3/19 上午 10:39> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: result = subprocess.run( [self.cmd_str, "status", "verbose"], capture_output=True, text=True, check=True ) port_infos = result.stdout.split("\n") datas = [] is_start = False for line in port_infos: if line.startswith("-"): is_start = True continue if not is_start: continue if " OUT" not in line: continue item_fire = self._load_info(line, "address") if "Port" in item_fire: continue if item_fire.get("Address"): datas.append(item_fire) return datas except Exception as e: return [] # 2024/3/19 下午 4:59 添加端口规则 def input_port(self, info, operation): ''' @name 添加端口规则 @author wzz <2024/3/19 下午 4:59> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: if info["Strategy"] == "accept": info["Strategy"] = "allow" elif info["Strategy"] == "drop": info["Strategy"] = "deny" if info["Port"].find('-') != -1: info["Port"] = info["Port"].replace('-', ':') if operation == "add": if info['Protocol'].find("/") != -1: rich_rule = self.cmd_str + " insert 1 {} {}".format(info['Strategy'], info['Port']) stdout, stderr = public.ExecShell(rich_rule) elif info['Protocol'] == "tcp/udp": stdout, stderr = public.ExecShell(self.cmd_str + " allow " + info['Port']) else: stdout, stderr = public.ExecShell(self.cmd_str + " allow " + info['Port'] + "/" + info['Protocol']) else: if info['Protocol'].find("/") != -1: rich_rule = "{} delete {} {}".format(self.cmd_str, info['Strategy'], info['Port']) stdout, stderr = public.ExecShell(rich_rule) elif info['Protocol'] == "tcp/udp": stdout, stderr = public.ExecShell(self.cmd_str + " delete allow " + info['Port']) else: stdout, stderr = public.ExecShell(self.cmd_str + " delete allow " + info['Port'] + "/" + info['Protocol']) if stderr: if "setlocale" in stderr: return self._result(True, "设置端口规则成功") return self._result(False, "设置端口规则失败:{}".format(stderr)) return self._result(True, "设置端口规则成功") except Exception as e: if "setlocale" in str(e): return self._result(True, "设置端口规则成功") return self._result(False, "设置端口规则失败:{}".format(str(e))) # 2024/3/24 下午 11:28 设置output端口策略 def output_port(self, info, operation): ''' @name 设置output端口策略 @param info: 端口号 @param operation: 操作 @return None ''' try: if info["Strategy"] == "accept": info["Strategy"] = "allow" elif info["Strategy"] == "drop": info["Strategy"] = "deny" if operation == "add": if info['Protocol'].find('/') != -1: cmd = "{} {} out {}".format(self.cmd_str, info['Strategy'], info['Port']) else: cmd = "{} {} out {}/{}".format(self.cmd_str, info['Strategy'], info['Port'], info['Protocol']) else: if info['Protocol'].find('/') != -1: cmd = "{} delete {} out {}".format(self.cmd_str, info['Strategy'], info['Port']) else: cmd = "{} delete {} out {}/{}".format(self.cmd_str, info['Strategy'], info['Port'], info['Protocol']) stdout, stderr = public.ExecShell(cmd) if stderr: if "setlocale" in stderr: return self._result(True, "设置端口规则成功") return self._result(False, "设置output端口规则失败:{}".format(stderr)) return self._result(True, "设置output端口规则成功") except Exception as e: if "setlocale" in str(e): return self._result(True, "设置output端口规则成功") return self._result(False, "设置output端口规则失败:{}".format(str(e))) # 2024/3/19 下午 4:58 复杂一些的规则管理 def rich_rules(self, info, operation): ''' @name 复杂一些的规则管理 @author wzz <2024/3/19 下午 4:58> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' try: if info["Strategy"] == "accept": info["Strategy"] = "allow" elif info["Strategy"] == "drop": info["Strategy"] = "deny" else: return self._result(False, "未知的策略参数:{}".format(info["Strategy"])) rule_str = "{} insert 1 {} ".format(self.cmd_str, info["Strategy"]) if "Address" in info and public.is_ipv6(info['Address']): rule_str = "{} {} ".format(self.cmd_str, info["Strategy"]) if operation == "remove": rule_str = "{} delete {} ".format(self.cmd_str, info["Strategy"]) if "Address" in info and info['Address'] != "all": rule_str += "from {} ".format(info['Address']) if len(info.get("Protocol", "")) != 0 and "/" not in info['Protocol']: rule_str += "proto {} ".format(info['Protocol']) if len(info.get("Port", "")) != 0: rule_str += "to any port {} ".format(info['Port']) stdout, stderr = public.ExecShell(rule_str) if stderr: if "Rule added" in stdout or "Rule deleted" in stdout or "Rule updated" in stdout or "Rule inserted" in stdout or "Skipping adding existing rule" in stdout: return self._result(True, "设置规则成功") if "setlocale" in stderr: return self._result(True, "设置规则成功") return self._result(False, "规则设置失败:{}".format(stderr)) return self._result(True, "设置规则成功") except Exception as e: if "setlocale" in str(e): return self._result(True, "设置规则成功") return self._result(False, "规则设置失败:{}".format(e)) # 2024/3/24 下午 11:29 设置output rich_rules def output_rich_rules(self, info, operation): ''' @name 设置output rich_rules @param info: 规则 @param operation: 操作 @return None ''' try: if info["Strategy"] == "accept": info["Strategy"] = "allow" elif info["Strategy"] == "drop": info["Strategy"] = "deny" else: return self._result(False, "未知的策略: {}".format(info["Strategy"])) rule_str = "{} insert 1 {} ".format(self.cmd_str, info["Strategy"]) if "Address" in info and public.is_ipv6(info['Address']): rule_str = "{} {} ".format(self.cmd_str, info["Strategy"]) if operation == "remove": rule_str = "{} delete {} ".format(self.cmd_str, info["Strategy"]) if len(info.get("Address", "")) != 0: rule_str += "out from {} ".format(info['Address']) if len(info.get("Protocol", "")) != 0: rule_str += "proto {} ".format(info['Protocol']) if len(info.get("Port", "")) != 0: rule_str += "to any port {} ".format(info['Port']) stdout, stderr = public.ExecShell(rule_str) if stderr: if "Rule added" in stdout or "Rule deleted" in stdout or "Rule updated" in stdout or "Rule inserted" in stdout or "Skipping adding existing rule" in stdout: return self._result(True, "设置output规则成功") if "setlocale" in stderr: return self._result(True, "设置规则成功") return self._result(False, "outpu规则设置失败:{}".format(stderr)) return self._result(True, "设置output规则成功") except Exception as e: if "setlocale" in str(e): return self._result(True, "设置output规则成功") return self._result(False, "outpu规则设置失败:{}".format(e)) # 2024/3/19 下午 5:01 解析防火墙规则信息,返回字典格式数据,用于添加或删除防火墙规则 def _load_info(self, line, fire_type): ''' @name 解析防火墙规则信息,返回字典格式数据,用于添加或删除防火墙规则 @author wzz <2024/3/19 上午 10:38> @param "data":{"参数名":""} <数据类型> 参数描述 @return dict{"status":True/False,"msg":"提示信息"} ''' fields = line.split() item_info = {} if "LIMIT" in line or "ALLOW FWD" in line: return item_info if len(fields) < 4: return item_info if fields[0] == "Anywhere" and fire_type != "port": item_info["Strategy"] = "drop" if fields[1] != "(v6)": if fields[1] == "ALLOW": item_info["Strategy"] = "accept" if fields[2] == "IN": item_info["Chain"] = "INPUT" elif fields[2] == "OUT": item_info["Chain"] = "OUTPUT" item_info["Address"] = fields[3] item_info["Family"] = "ipv4" else: if fields[2] == "ALLOW": item_info["Strategy"] = "accept" if fields[3] == "IN": item_info["Chain"] = "INPUT" elif fields[3] == "OUT": item_info["Chain"] = "OUTPUT" item_info["Address"] = fields[4] item_info["Family"] = "ipv6" return item_info if "/" in fields[0]: item_info["Port"] = fields[0].split("/")[0] item_info["Protocol"] = fields[0].split("/")[1] else: item_info["Port"] = fields[0] item_info["Protocol"] = "tcp/udp" if "v6" in fields[1]: item_info["Family"] = "ipv6" if fields[2] == "ALLOW": item_info["Strategy"] = "accept" else: item_info["Strategy"] = "drop" if fields[3] == "IN": item_info["Chain"] = "INPUT" elif fields[3] == "OUT": item_info["Chain"] = "OUTPUT" item_info["Address"] = fields[4] else: item_info["Family"] = "ipv4" if ":" not in fields[3] else "ipv6" if fields[1] == "ALLOW": item_info["Strategy"] = "accept" else: item_info["Strategy"] = "drop" if fields[2] == "IN": item_info["Chain"] = "INPUT" elif fields[2] == "OUT": item_info["Chain"] = "OUTPUT" item_info["Address"] = fields[3] return item_info # 2024/3/25 下午 2:29 设置端口转发 def port_forward(self, info, operation): ''' @name 设置端口转发 @param port: 端口号 @param ip: ip地址 @param operation: 操作 @return None ''' from firewallModel.app.iptables import Iptables self.firewall = Iptables() return self.firewall.port_forward(info, operation) # 2024/3/25 下午 2:34 获取所有端口转发列表 def list_port_forward(self): ''' @name 获取所有端口转发列表 @return None ''' from firewallModel.app.iptables import Iptables self.firewall = Iptables() return self.firewall.get_nat_prerouting_rules() if __name__ == '__main__': args = sys.argv firewall = Ufw() ufw_status = firewall.status() if len(args) < 2: print("Welcome to the UFW (Uncomplicated Firewall) command-line interface!") print("Firewall status is :", ufw_status) print("Firewall version: ", firewall.version()) if ufw_status == "not running": print("ufw未启动,请启动ufw后再执行命令!") print("启动命令: start") print() sys.exit(1) print() print("Available options:") print("1. Check Firewall Status: status") print("2. Check Firewall Version: version") print("3. Start Firewall: start") print("4. Stop Firewall: stop") print("5. Restart Firewall: restart") print("6. Reload Firewall: reload") print("7. List All Ports: list_port") print("8. List All IP Addresses: list_address") print("9. Add Port: add_port ") print("10. Remove Port: remove_port ") print("11. Add Port Rule: add_port_rule
") print("12. Remove Port Rule: remove_port_rule
") print("13. Add IP Rule: add_ip_rule
") print("14. Remove IP Rule: remove_ip_rule
") print() sys.exit(1) if args[1] == "status": print(firewall.status()) elif args[1] == "version": print(firewall.version()) elif args[1] == "start": error = firewall.start() if error: print(f"Error: {error}") else: print("Firewall started successfully.") elif args[1] == "stop": error = firewall.stop() if error: print(f"Error: {error}") else: print("Firewall stopped successfully.") elif args[1] == "restart": error = firewall.restart() if error: print(f"Error: {error}") else: print("Firewall restarted successfully.") elif args[1] == "reload": error = firewall.reload() if error: print(f"Error: {error}") else: print("Firewall reloaded successfully.") elif args[1] == "list_input_port": ports = firewall.list_input_port() for p in ports: print(p) elif args[1] == "list_output_port": ports = firewall.list_output_port() for p in ports: print(p) elif args[1] == "list_input_address": addresses = firewall.list_input_address() for a in addresses: print(a) elif args[1] == "list_output_address": addresses = firewall.list_output_address() for a in addresses: print(a) elif args[1] == "add_port": port = args[2] protocol = args[3] error = firewall.input_port(f"{port}/{protocol}", "allow") if error: print(f"Error: {error}") else: print(f"Port {port}/{protocol} added successfully.") elif args[1] == "remove_port": port = args[2] protocol = args[3] error = firewall.input_port(f"{port}/{protocol}", "remove") if error: print(f"Error: {error}") else: print(f"Port {port}/{protocol} removed successfully.") elif args[1] == "add_port_rule": address = args[2] port = args[3] protocol = args[4] strategy = args[5] operation = args[6] error = firewall.rich_rules( {"Address": address, "Port": port, "Protocol": protocol, "Strategy": strategy}, operation) if error: print(f"Error: {error}") else: print("Rich rule added successfully.") elif args[1] == "remove_port_rule": address = args[2] port = args[3] protocol = args[4] strategy = args[5] operation = args[6] error = firewall.rich_rules( {"Address": address, "Port": port, "Protocol": protocol, "Strategy": strategy}, operation) if error: print(f"Error: {error}") else: print("Rich rule removed successfully.") elif args[1] == "add_ip_rule": address = args[2] strategy = args[3] operation = args[4] error = firewall.rich_rules( {"Address": address, "Strategy": strategy}, operation) if error: print(f"Error: {error}") else: print("Rich rule added successfully.") elif args[1] == "remove_ip_rule": address = args[2] strategy = args[3] operation = args[4] error = firewall.rich_rules( {"Address": address, "Strategy": strategy}, operation) if error: print(f"Error: {error}") else: print("Rich rule removed successfully.") elif args[1] == "output_port": port = args[2] operation = args[3] error = firewall.output_port(port, operation) if error: print(f"Error: {error}") else: print(f"Output port {port} {operation} successfully.") elif args[1] == "output_rich_rules": address = args[2] port = args[3] protocol = args[4] strategy = args[5] operation = args[6] error = firewall.output_rich_rules( {"Address": address, "Port": port, "Protocol": protocol, "Strategy": strategy}, operation) if error: print(f"Error: {error}") else: print("Output rich rule added successfully.") else: print("Invalid args") sys.exit(1)