CentOS 8.1 reveals that nftables is the firewalld default backend. Fedora Server 31 does not have this option present; however, nftables is still the firewalld backend out of the box.
The following lines deal with iptables:
core.py
336: subprocess.Popen(
337: "iptables -I ARTILLERY 1 -s %s -j DROP" % ip, shell=True).wait()
339: if iptables_logprefix != "":
340: subprocess.Popen("iptables -I ARTILLERY 1 -s %s -j LOG --log-prefix \"%s\"" % (ip, iptables_logprefix), shell=True).wait()
642: execOScmd("iptables -D INPUT -j ARTILLERY", "Deleting ARTILLERY IPTables Chain")
645: execOScmd("iptables -N ARTILLERY -w 3")
646: execOScmd("iptables -F ARTILLERY -w 3")
647: execOScmd("iptables -I INPUT -j ARTILLERY -w 3")
718: massloadcmd = "iptables -I ARTILLERY -s %s -j DROP -w 3" % ips_to_block
722: massloadcmd = "iptables -I ARTILLERY -s %s -j LOG --log-prefix \"%s\" -w 3" % (ips_to_block, iptables_logprefix)
746: proc = subprocess.Popen("iptables -L ARTILLERY -n --line-numbers",
747: stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
1067: subprocess.Popen("iptables -D INPUT -j ARTILLERY",
1068: stdout=subprocess.PIP, stderr=subprocess.PIPE, shell=True)
1069: subprocess.Popen("iptables -X ARTILLERY",
1070: stdout=subprocess.PIP, stderr=subprocess.PIPE, shell=True)
remove_ban.py
21: proc = subprocess.Popen("iptables -L ARTILLERY -n -v --line-numbers | grep %s" % (
22: ipaddress), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
33: subprocess.Popen("iptables -D ARTILLERY %s" % (line),
34: stderr=subprocess.PIPE, stdout=subprocess.PIPE, shell=True)
honeypot.py
106: cmd = "iptables -D ARTILLERY -p %s --dport %s -j ACCEPT -w 3" % (porttype, port)
107: execOScmd(cmd)
108: cmd = "iptables -A ARTILLERY -p %s --dport %s -j ACCEPT -w 3" % (porttype, port)
109: execOScmd(cmd)
anti_dos.py
17: subprocess.Popen("iptables -A ARTILLERY -p tcp --dport %s -m limit --limit %s/minute --limit-burst %s -j ACCEPT" %
18: (ports, anti_dos_throttle, anti_dos_burst), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True).wait()
Recommendation: Look for firewalld as an active service at the beginning of the program (or have it as a sysarg[2] option). Set a variable and use if statements to decide whether to use the iptables version or the nftables version.
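One way to implement the recommended check, as an added example that is not Artillery's own code: it detects an active firewalld, reads the FirewallBackend option from firewalld.conf, and builds the ban rule for the selected backend as an argument list, so the address is validated and never passes through a shell. The nftables table and chain names, the function names, and the fallback to iptables when firewalld is not active are assumptions.

```python
import ipaddress
import shutil
import subprocess

FIREWALLD_CONF = "/etc/firewalld/firewalld.conf"
NFT_TABLE, NFT_CHAIN = "artillery", "input"  # hypothetical names, not from the project

def parse_firewalld_backend(conf_text, default="nftables"):
    """Return the FirewallBackend value found in firewalld.conf text."""
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "FirewallBackend":
            return value.strip().lower()
    return default  # option absent: the page reports nftables is still used

def firewalld_active():
    """True when systemd reports the firewalld service as active."""
    if shutil.which("systemctl") is None:
        return False
    result = subprocess.run(["systemctl", "is-active", "--quiet", "firewalld"])
    return result.returncode == 0

def detect_backend():
    """Assumption: no active firewalld means plain iptables is in use."""
    if not firewalld_active():
        return "iptables"
    try:
        with open(FIREWALLD_CONF) as conf:
            return parse_firewalld_backend(conf.read())
    except OSError:
        return "nftables"

def ban_command(ip, backend):
    """Build the DROP rule as an argv list (no shell) for the chosen backend."""
    addr = str(ipaddress.IPv4Address(ip))  # ValueError unless a plain IPv4 address
    if backend == "nftables":
        return ["nft", "insert", "rule", "inet", NFT_TABLE, NFT_CHAIN,
                "ip", "saddr", addr, "drop"]
    return ["iptables", "-I", "ARTILLERY", "1", "-s", addr, "-j", "DROP", "-w", "3"]

if __name__ == "__main__":
    backend = detect_backend()
    print(backend, ban_command("192.0.2.10", backend))  # constructed sample address
```

The returned list is meant to be passed to subprocess.run() without shell=True; the nftables table and chain must already exist before a rule is inserted.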