Add 'ExclusionEnforcer.py'

2023-06-13 20:21:17 +00:00 · 2023-06-13 20:21:17 +00:00 · bb17b75966
parent 933e3a41a4
commit bb17b75966
1 changed files with 70 additions and 0 deletions
--- a/ExclusionEnforcer.py
+++ b/ExclusionEnforcer.py
@ -0,0 +1,70 @@
+import os
+import sys
+from ipaddress import ip_network, ip_address
+
+def expand_ip_ranges(ip_ranges):
+    for ip_range in ip_ranges:
+        if '-' in ip_range:  # If IP range is a hyphenated range
+            start_ip, end_ip = ip_range.split('-')
+            start_last_octet = start_ip.split('.')[-1]
+            end_last_octet = end_ip.split('.')[-1]
+            start_ip_prefix = start_ip.rsplit('.', 1)[0]
+            for i in range(int(start_last_octet), int(end_last_octet) + 1):
+                yield f"{start_ip_prefix}.{i}"
+        else:  # If IP range is a CIDR notation
+            for ip in ip_network(ip_range):
+                yield str(ip)
+
+def add_to_iptables(deny_list_ips, rule_name):
+    for ip in deny_list_ips:
+        os.system(f"iptables -A OUTPUT -d {ip} -j DROP -m comment --comment \"{rule_name}\"")
+    print(f"✅ Applied iptables rules to block outgoing traffic to deny list IPs.")
+
+def remove_from_iptables(rule_name):
+    os.system(f"iptables -S | grep '\"{rule_name}\"' | sed 's/-A/-D/' | while read -r line ; do iptables $line ; done")
+    print(f"❌ Removed iptables rules blocking outgoing traffic to deny list IPs.")
+
+def main(scope_file_path, deny_list_file_path, output_file_path=None, rule_name=None, remove=False):
+    with open(scope_file_path, 'r') as f:
+        scope_ips = set(line.strip() for line in f)  # Load scope IPs
+
+    with open(deny_list_file_path, 'r') as f:
+        deny_list_ips = set(expand_ip_ranges(line.strip() for line in f))  # Load and expand deny list IPs
+
+    valid_ips = scope_ips - deny_list_ips  # Compute valid IPs
+
+    if output_file_path:  # Write valid IPs to output file if provided
+        with open(output_file_path, 'w') as f:
+            for ip in valid_ips:
+                f.write(ip + '\n')
+        print(f"📝 Valid IP addresses have been written to {output_file_path}.")
+    else:  # Print valid IPs to console otherwise
+        for ip in valid_ips:
+            print(ip)
+        print("🖨️ Valid IP addresses have been printed to the console.")
+
+    if rule_name:  # Apply/remove iptables rules if rule name is provided
+        if remove:
+            remove_from_iptables(rule_name)
+        else:
+            add_to_iptables(deny_list_ips, rule_name)
+
+if __name__ == "__main__":
+    if len(sys.argv) < 3:
+        print("Usage: python ExclusionEnforcer.py <scope_file> <deny_list_file> [output_file] [--iptables=<rule_name>] [--remove]")
+        print("\nArguments:")
+        print("  scope_file\t\tPath to the file containing the scope IPs")
+        print("  deny_list_file\tPath to the file containing the deny list IPs")
+        print("  output_file\t\t(Optional) Path to the output file")
+        print("  --iptables=<rule_name>\t(Optional) Apply iptables rules to block outgoing traffic to deny list IPs and tag them with a rule name")
+        print("  --remove\t\t(Optional) Remove iptables rules tagged with the rule name provided with --iptables")
+        sys.exit(1)
+
+    scope_file_path = sys.argv[1]
+    deny_list_file_path = sys.argv[```python
+2]
+    output_file_path = sys.argv[3] if len(sys.argv) > 3 and not sys.argv[3].startswith('--') else None
+    rule_name = sys.argv[sys.argv.index('--iptables')+1] if '--iptables' in sys.argv else None
+    remove = True if '--remove' in sys.argv else False
+
+    main(scope_file_path, deny_list_file_path, output_file_path, rule_name, remove)