Update dnsf.py
34
dnsf.py
34
dnsf.py
@@ -75,7 +75,7 @@ int dns_matching(struct __sk_buff *skb) {
|
|||||||
'''
|
'''
|
||||||
|
|
||||||
default_rules = '''
|
default_rules = '''
|
||||||
iptables -F
|
iptables -X
|
||||||
ipset destroy whitelist_hosts
|
ipset destroy whitelist_hosts
|
||||||
ipset destroy static_hosts
|
ipset destroy static_hosts
|
||||||
ipset create whitelist_hosts hash:ip timeout 3600
|
ipset create whitelist_hosts hash:ip timeout 3600
|
||||||
@@ -90,6 +90,7 @@ iptables -A OUTPUT -j REJECT
|
|||||||
iptables -P INPUT DROP
|
iptables -P INPUT DROP
|
||||||
iptables -P FORWARD DROP
|
iptables -P FORWARD DROP
|
||||||
iptables -P OUTPUT DROP
|
iptables -P OUTPUT DROP
|
||||||
|
systemd-resolve --flush-caches
|
||||||
'''
|
'''
|
||||||
|
|
||||||
for c in default_rules.splitlines(False):
|
for c in default_rules.splitlines(False):
|
||||||
@@ -106,10 +107,9 @@ fcntl.fcntl(socket_fd, fcntl.F_SETFL, fl & ~os.O_NONBLOCK)
|
|||||||
|
|
||||||
rules = {}
|
rules = {}
|
||||||
cnames = {}
|
cnames = {}
|
||||||
|
blocked = []
|
||||||
|
|
||||||
def check_hostname(hostname,current_cnames,allow_list):
|
def check_hostname(hostname,current_cnames,allow_list):
|
||||||
import re
|
|
||||||
for wl in allow_list:
|
for wl in allow_list:
|
||||||
match = re.fullmatch(wl, hostname)
|
match = re.fullmatch(wl, hostname)
|
||||||
if match:
|
if match:
|
||||||
@@ -120,10 +120,10 @@ def check_hostname(hostname,current_cnames,allow_list):
|
|||||||
if hostname == current_cnames[c]["cname"] and current_cnames[c]["exp"] > datetime.now():
|
if hostname == current_cnames[c]["cname"] and current_cnames[c]["exp"] > datetime.now():
|
||||||
print('<check> hostname: '+str(hostname) + ' in cname')
|
print('<check> hostname: '+str(hostname) + ' in cname')
|
||||||
return True
|
return True
|
||||||
|
|
||||||
print('<check> hostname: '+str(hostname) + ' not permitted.')
|
print('<check> hostname: '+str(hostname) + ' not permitted.')
|
||||||
|
blocked.append(hostname)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
import socket
|
import socket
|
||||||
|
|
||||||
@@ -137,7 +137,6 @@ def valid_ip(address):
|
|||||||
dns_list = watch_file('dns_whitelist.conf')
|
dns_list = watch_file('dns_whitelist.conf')
|
||||||
host_list = watch_file('host_whitelist.conf')
|
host_list = watch_file('host_whitelist.conf')
|
||||||
|
|
||||||
import time
|
|
||||||
while True:
|
while True:
|
||||||
time.sleep(.05)
|
time.sleep(.05)
|
||||||
commands = []
|
commands = []
|
||||||
@@ -145,7 +144,14 @@ while True:
|
|||||||
dns_list.check_change()
|
dns_list.check_change()
|
||||||
if dns_list.contents:
|
if dns_list.contents:
|
||||||
dns_regex = dns_list.contents
|
dns_regex = dns_list.contents
|
||||||
|
for block in blocked:
|
||||||
|
add_rule = 'nslookup '+str(block)
|
||||||
|
commands.append(add_rule)
|
||||||
|
threaded(commands)
|
||||||
|
blocked = []
|
||||||
|
commands = []
|
||||||
|
|
||||||
|
|
||||||
host_list.check_change()
|
host_list.check_change()
|
||||||
if host_list.contents:
|
if host_list.contents:
|
||||||
threaded(['ipset flush static_hosts'])
|
threaded(['ipset flush static_hosts'])
|
||||||
@@ -153,7 +159,7 @@ while True:
|
|||||||
for host in hosts:
|
for host in hosts:
|
||||||
commands.append('ipset add static_hosts '+host)
|
commands.append('ipset add static_hosts '+host)
|
||||||
print(host)
|
print(host)
|
||||||
threaded(commands)
|
threaded(commands)
|
||||||
import select
|
import select
|
||||||
r, w, e = select.select([ socket_fd ], [], [], 0)
|
r, w, e = select.select([ socket_fd ], [], [], 0)
|
||||||
if socket_fd in r:
|
if socket_fd in r:
|
||||||
@@ -176,9 +182,8 @@ while True:
|
|||||||
payload_offset = ETH_HLEN + ip_header_length + UDP_HLEN
|
payload_offset = ETH_HLEN + ip_header_length + UDP_HLEN
|
||||||
payload = packet_bytearray[payload_offset:]
|
payload = packet_bytearray[payload_offset:]
|
||||||
dnsrec = dnslib.DNSRecord.parse(payload)
|
dnsrec = dnslib.DNSRecord.parse(payload)
|
||||||
|
|
||||||
if dnsrec.rr:
|
if dnsrec.rr:
|
||||||
if check_hostname(hostname=str(dnsrec.questions[0].qname),current_cnames=cnames,allow_list=dns_regex):
|
if True:
|
||||||
for i in range(0, len(dnsrec.rr)):
|
for i in range(0, len(dnsrec.rr)):
|
||||||
if str(dnsrec.rr[i].rtype) in ['5']:
|
if str(dnsrec.rr[i].rtype) in ['5']:
|
||||||
cnames[str(dnsrec.questions[0].qname)] = {"cname":str(dnsrec.rr[i].rdata),"exp":datetime.now() + timedelta(seconds=dnsrec.rr[i].ttl)}
|
cnames[str(dnsrec.questions[0].qname)] = {"cname":str(dnsrec.rr[i].rdata),"exp":datetime.now() + timedelta(seconds=dnsrec.rr[i].ttl)}
|
||||||
@@ -186,11 +191,10 @@ while True:
|
|||||||
if str(dnsrec.rr[i].rtype) in ['1']:
|
if str(dnsrec.rr[i].rtype) in ['1']:
|
||||||
#rtype 28 is v6
|
#rtype 28 is v6
|
||||||
#print(str(dnsrec.rr[i].rtype))
|
#print(str(dnsrec.rr[i].rtype))
|
||||||
add_rule = 'ipset -exist add whitelist_hosts '+str(dnsrec.rr[i].rdata)+' timeout '+str(int(dnsrec.rr[i].ttl)+360)
|
if check_hostname(hostname=str(dnsrec.questions[0].qname),current_cnames=cnames,allow_list=dns_regex):
|
||||||
del_rule = 'ipset del whitelist_hosts '+str(dnsrec.rr[i].rdata)
|
add_rule = 'ipset -exist add whitelist_hosts '+str(dnsrec.rr[i].rdata)+' timeout '+str(int(dnsrec.rr[i].ttl)+360)
|
||||||
print(add_rule)
|
print(add_rule)
|
||||||
commands.append(add_rule)
|
commands.append(add_rule)
|
||||||
|
|
||||||
threaded(commands)
|
threaded(commands)
|
||||||
else:
|
else:
|
||||||
pass
|
pass
|
||||||
|
|||||||
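Review bot: In the hunk at @@ -145,7 +144,14 @@, `add_rule = 'nslookup '+str(block)` builds a command string from a name that `check_hostname` received as `str(dnsrec.questions[0].qname)`, i.e. a query name read off the wire, and passes it to `threaded(commands)` next to the other shell-style strings; `threaded` is defined outside this diff, and if it hands its strings to a shell, a crafted query name becomes part of the executed command, so either validate `block` against a strict hostname pattern before use or have `threaded` take argument lists (`['nslookup', block]`) rather than strings. The same loop re-resolves every name that was just rejected, and the reply to that lookup is captured by the same filter and rejected again, so unless the intent is documented this looks like a self-sustaining query loop, now one `nslookup` per A record because `check_hostname` runs inside the per-record loop in @@ -186,11 +191,10 @@ (that `for i in range(...)` starts in the previous hunk); deduplicate with `if hostname not in blocked: blocked.append(hostname)` in `check_hostname`, or make `blocked` a set. In @@ -186,11 +191,10 @@, `print(add_rule)` and `commands.append(add_rule)` are shown unchanged, which, unless this view hides whitespace changes, means they sit outside the new `if check_hostname(...)` block and would append the stale `add_rule` from an earlier iteration for a rejected name (or raise NameError on the first), so they should be indented under the `if`. In @@ -176,9 +182,8 @@, `if True:` means the `cnames` cache is now fed by responses for names the allow list rejects, and since `check_hostname` in @@ -120,10 +120,10 @@ returns True for any hostname equal to a cached cname target, those targets become permitted when queried directly; keep the previous condition, or check the cached key `c` against `allow_list` before honouring the cname match, and drop the `if True:` level rather than leaving a placeholder condition.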