How do I specify multi-argument matches with python-iptables?
For example, the following iptables command:
-A INPUT -s 1.1.1.1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
If I create the following:
import iptc
rule = iptc.Rule()
rule.src = '1.1.1.1'
rule.protocol = 'tcp'
t = rule.create_target('DROP')
m = rule.create_match('tcp')
m.tcp_flags = 'FIN,SYN,RST,ACK SYN'
it will complain:
ValueError: invalid value FIN,SYN,RST,ACK SYN
PS: I know that for my particular example, I can simply use m.syn = '1', but I'm trying to generalize on how to specify multi-argument matches.
Are you using the latest version? See this issue.
Okay... someone tried to post an answer, but he/she deleted it when I was commenting on it.
The answer attempt was:
m.tcp_flags = ['FIN', 'SYN', 'RST', 'ACK SYN']
which gave the wrong result:
print m.parameters
{u'tcp_flags': u'FIN SYN'}
However, that inspired me to try the following:
m.tcp_flags = ['FIN,SYN,RST,ACK', 'SYN']
which gives:
>>> match.parameters
{u'tcp_flags': u'FIN,SYN,RST,ACK SYN'}
Committing that rule into the INPUT chain and running iptables-save shows that it properly returns the rule I want.
So, thank you!
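The helpers below generalise the finding above: python-iptables rejects a multi-argument option given as one space-containing string and wants a list with one entry per command-line argument. This is an added example, not code from the original question or answer; only build_rule() needs the iptc module (and root), the two helpers before it are pure Python.

```python
# Added example: build python-iptables match parameters for multi-argument
# options such as '--tcp-flags MASK COMP' (value must be a list, not one string).
TCP_FLAG_NAMES = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ALL", "NONE"}


def tcp_flags_param(mask, comp):
    """List form of '--tcp-flags MASK COMP' after validating the flag names.
    tcp_flags_param("FIN,SYN,RST,ACK", "SYN") -> ['FIN,SYN,RST,ACK', 'SYN']"""
    for group in (mask, comp):
        unknown = set(group.split(",")) - TCP_FLAG_NAMES
        if unknown:
            raise ValueError("unknown TCP flag(s): " + ",".join(sorted(unknown)))
    return [mask, comp]


def match_params_from_cli(fragment):
    """Turn the options of 'iptables ... -m tcp <fragment>' into the
    {attribute: value} pairs to set on a python-iptables Match: '--tcp-flags'
    becomes 'tcp_flags', one argument stays a string, several arguments become
    a list, and an option with no argument gets '1' (as in m.syn = '1')."""
    params, current = {}, None
    for tok in fragment.split():
        if tok.startswith("--"):
            current = tok[2:].replace("-", "_")
            params[current] = []
        elif current is None:
            raise ValueError("argument %r appears before any --option" % tok)
        else:
            params[current].append(tok)
    return {k: ("1" if not v else (v[0] if len(v) == 1 else v))
            for k, v in params.items()}


def build_rule(src, match_name, params):
    """Assemble the DROP rule from the question. Import deferred: iptc needs
    libiptc and root, which the pure-Python helpers above do not."""
    import iptc
    rule = iptc.Rule()
    rule.src = src
    rule.protocol = "tcp"
    rule.create_target("DROP")
    match = rule.create_match(match_name)
    for name, value in params.items():
        setattr(match, name, value)   # a list is emitted as separate arguments
    return rule


if __name__ == "__main__":
    import iptc
    rule = build_rule("1.1.1.1", "tcp", match_params_from_cli("--tcp-flags FIN,SYN,RST,ACK SYN"))
    iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT").insert_rule(rule)
```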
import netifaces as ni
ip = ni.ifaddresses("eth0")[ni.AF_INET]['addr']
error
ip = ni.ifaddresses("eth0")[ni.AF_INET]['addr']
ValueError: You must specify a valid interface name.
ip = ni.ifaddresses("en0")[ni.AF_INET]['addr']
error
ip = ni.ifaddresses("en0")[ni.AF_INET]['addr']
TypeError: list indices must be integers or slices, not str
Does anyone know why the Mac is giving such errors?
The first error means that there is no interface named eth0. Indeed, this is a common interface name on Linux, but not on MacOS.
The second error means that you are trying to extract a field which doesn't exist. There is information about en0 but it is an array, not a dict. This is like saying "hello"["addr"], there is no way to access the "addr":th element of a sequence. You apparently mean something like
ip = ni.ifaddresses("en0")[ni.AF_INET][0]['addr']
though there is no way out of context to tell whether getting only one address is actually what you want. The array you get represents a number of bindings; perhaps you want all of them?
addrs = ni.ifaddresses('en0')
ips = [x['addr'] for x in addrs[ni.AF_INET]]
The netifaces documentation actually explains this in quite some detail.
So I'm using this filter for sniff:
myfilter = 'tcp and tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.flags.psh==0'
sniff(iface="myinter", filter=myfilter, prn=mitm, count=1)
and it gets packets without the specified flags as well:
I want only flags that are ACK=0, SYN=1 and PSH=0, but this is not working.
I also tried not using == and just using tcp.flags.syn 1, and it still didn't work.
Am I doing something wrong here?
UPDATE:
It looks like it gives a syntax error to something as well:
tcpdump: syntax error
but when I just use tcp or TCP it doesn't give any syntax error. This error doesn't stop the program, but it looks like it stops the filtering.
Even when I just used tcp.flags.syn==1 or tcp.flags.syn 1 it still gave this syntax error... my scapy is 2.4.
The filter you are using is simply not a valid PCAP filter (hence the syntax error message). On a Unix system, you can have a look at the pcap-filter(7) and the tcpdump(1) manpages for more information about the syntax you can use.
Something like this should work:
myfilter="tcp[tcpflags] & (tcp-syn|tcp-ack|tcp-push) == tcp-syn"
sniff(iface="myinter", filter=myfilter, prn=mitm, count=1)
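The pure-Python check below evaluates the same predicate as the BPF expression above on raw TCP headers, to show which packets the filter keeps (and that the mask ignores other bits such as ECE/CWR on an ECN-setup SYN). It is an added example, not part of the original answer; the headers it tests are constructed here.

```python
# Added example: the BPF filter  tcp[tcpflags] & (tcp-syn|tcp-ack|tcp-push) == tcp-syn
# expressed in Python over raw TCP headers.
import struct

# TCP flag bits; they live in octet 13 of the header (tcpdump's "tcpflags").
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
TCPFLAGS_OFFSET = 13


def tcp_flags(tcp_header):
    """Flags octet of a raw TCP header (bytes object)."""
    return tcp_header[TCPFLAGS_OFFSET]


def keep_pure_syn(tcp_header):
    """Same predicate as the BPF filter: of SYN, ACK and PSH, only SYN is set.
    Bits outside the mask (URG, ECE, CWR, FIN, RST) do not affect the result."""
    return tcp_flags(tcp_header) & (SYN | ACK | PSH) == SYN


def make_tcp_header(flags, sport=40000, dport=80):
    """Minimal 20-byte TCP header (constructed test data, checksum left 0)."""
    data_offset = 5 << 4          # 5 words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 65535, 0, 0)


# Constructed sample packets with the verdict the filter should give.
SAMPLES = {
    "SYN": (SYN, True),
    "SYN+ECE+CWR": (SYN | ECE | CWR, True),   # ECN handshake still matches
    "SYN-ACK": (SYN | ACK, False),
    "ACK": (ACK, False),
    "PSH-ACK": (PSH | ACK, False),
    "FIN-ACK": (FIN | ACK, False),
}


def run_samples():
    """Apply the predicate to every constructed header; {name: kept?}."""
    return {name: keep_pure_syn(make_tcp_header(flags))
            for name, (flags, _) in SAMPLES.items()}


if __name__ == "__main__":
    for name, kept in run_samples().items():
        print("%-12s %s" % (name, "kept" if kept else "dropped"))
```

Scapy's sniff() also accepts an lfilter= Python callable for tests the kernel BPF filter cannot express; a predicate like keep_pure_syn() fits there.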
I'm using the Python AWS SDK boto. I'm trying to retrieve all the security group details of my account.
secgrpList = ec2conn.get_all_security_groups()
ipRange = secgrpList[0].rules[1].ipRanges
print ipRange
print type(ipRange).__name__
But when I print the ipRange it shows nothing, just two newlines. When I check the type it is unicode. I even tried to convert it to a string with str(), but in vain.
What is the issue? How can I retrieve the details?
Please advise me.
To loop over all security groups and print their rules, including protocol, ports and IP range, try this:
import boto.ec2
conn = boto.ec2.connect_to_region("eu-west-1")
groups = conn.get_all_security_groups()
for group in groups:
    print group.name
    for rule in group.rules:
        print rule.ip_protocol, rule.from_port, rule.to_port, rule.grants
which may produce output like:
default
tcp 22 22 [0.0.0.0/0]
tcp 80 80 [0.0.0.0/0]
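As an added example (not from the original answer), the same loop collected into records and used to flag rules that admit any source address, the check an account review usually needs. It assumes boto 2's object model: group.name, group.rules, rule.ip_protocol, from_port, to_port and grants, with each grant carrying cidr_ip (None for grants that reference another group) and group_id; the SAMPLE_GROUPS stand-ins are constructed here so it runs without AWS credentials.

```python
# Added example: flatten boto 2 security-group rules and find world-open ones.
from types import SimpleNamespace

ANYWHERE = ("0.0.0.0/0", "::/0")


def grant_label(grant):
    """CIDR for IP grants, otherwise the referenced security group id
    (assumes boto 2's GroupOrCIDR attributes cidr_ip and group_id)."""
    return grant.cidr_ip or grant.group_id


def flatten_rules(groups):
    """One (group, protocol, from_port, to_port, source) tuple per grant,
    which is what printing rule.grants hides behind its list repr."""
    rows = []
    for group in groups:
        for rule in group.rules:
            for grant in rule.grants:
                rows.append((group.name, rule.ip_protocol, rule.from_port,
                             rule.to_port, grant_label(grant)))
    return rows


def world_open(rows):
    """Rows whose source is 0.0.0.0/0 or ::/0, i.e. reachable from anywhere."""
    return [row for row in rows if row[4] in ANYWHERE]


# Constructed stand-ins mirroring boto's objects so the code runs offline.
def _grant(cidr=None, gid=None):
    return SimpleNamespace(cidr_ip=cidr, group_id=gid)


SAMPLE_GROUPS = [
    SimpleNamespace(name="default", rules=[
        SimpleNamespace(ip_protocol="tcp", from_port="22", to_port="22",
                        grants=[_grant(cidr="0.0.0.0/0")]),
        SimpleNamespace(ip_protocol="tcp", from_port="80", to_port="80",
                        grants=[_grant(cidr="0.0.0.0/0")]),
    ]),
    SimpleNamespace(name="app", rules=[
        SimpleNamespace(ip_protocol="tcp", from_port="5432", to_port="5432",
                        grants=[_grant(gid="sg-PLACEHOLDER")]),   # placeholder id
    ]),
]

if __name__ == "__main__":
    # Real data: import boto.ec2; groups = boto.ec2.connect_to_region(
    #     "eu-west-1").get_all_security_groups()
    for row in world_open(flatten_rules(SAMPLE_GROUPS)):
        print("%s: %s %s-%s open to %s" % row)
```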
You might find the AWS CLI helpful in this case.
aws ec2 describe-security-groups --query 'SecurityGroups[*].IpPermissions[*].IpRanges' --output text
Or any other query string you need based on the reply structure: http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html
I want to ssh to another node on my network as part of a larger python script, I am using pexpect which works when I do something like this:
session=spawn('ssh root@172.16.210.254')
I want to replace the address with a variable so I can cycle through addresses in a list however when I try:
address = "172.16.210.253"
session=spawn('ssh root@'address)
It doesn't work, as using address in this way is invalid syntax. What is the correct syntax for this?
Use session=spawn('ssh root@' + address) to concatenate the strings.
How do I check for the presence of a particular layer in a scapy packet? For example, I need to check the src/dst fields of an IP header, how do I know that a particular packet actually has an IP header (as opposed to IPv6 for instance).
My problem is that when I go to check for an IP header field, I get an error saying that the IP layer doesn't exist. Instead of an IP header, this particular packet had IPv6.
pkt = Ether(packet_string)
if pkt[IP].dst == something:
    # do this
My error occurs when I try to reference the IP layer. How do I check for that layer's existence before attempting to manipulate it?
Thanks!
You should try the in operator. It returns True or False depending on whether the layer is present in the Packet.
root@u1010:~/scapy# scapy
Welcome to Scapy (2.2.0-dev)
>>> load_contrib("ospf")
>>> pkts=rdpcap("rogue_ospf_hello.pcap")
>>> p=pkts[0]
>>> IP in p
True
>>> UDP in p
False
>>>
root@u1010:~/scapy#
For completion I thought I would also mention the haslayer method.
>>> pkts=rdpcap("rogue_ospf_hello.pcap")
>>> p=pkts[0]
>>> p.haslayer(UDP)
0
>>> p.haslayer(IP)
1
Hope that helps as well.