{"id":404,"date":"2010-06-28T17:00:48","date_gmt":"2010-06-29T00:00:48","guid":{"rendered":"http:\/\/www.evardsson.com\/blog\/?p=404"},"modified":"2010-06-28T17:00:48","modified_gmt":"2010-06-29T00:00:48","slug":"fix-for-firehol-get-iana-script","status":"publish","type":"post","link":"https:\/\/www.evardsson.com\/blog\/2010\/06\/28\/fix-for-firehol-get-iana-script\/","title":{"rendered":"Fix for firehol get-iana script"},"content":{"rendered":"<p>I have <a href=\"http:\/\/www.evardsson.com\/blog\/2006\/01\/26\/simpler-iptables-firewalls-with-firehol\/\">talked before about using firehol to configure iptables<\/a>. I won&#8217;t go into all the details about how wonderful and awesome it is, but trust me, it makes configuring iptables a snap.<\/p>\n<p>Firehol includes a script, get-iana.sh, that downloads the IPv4 address space list from IANA and populates a file called RESERVED_IPS that firehol uses when configuring iptables. Basically, any traffic from outside coming from any reserved or unallocated IP block is dropped automatically. As you can imagine, keeping this file updated regularly is important, as previously unallocated blocks are allocated for use. To this end, whenever firehol starts it checks the age of the RESERVED_IPS file and if it is older than 90 days warns you to update it by running the supplied get-iana.sh.<\/p>\n<p>However, there has been a change recently in how the IANA reserved IPv4 address space file is formatted. There are lots of posts on plenty of forums with patches for get-iana.sh to accept and use the new format plain text file (while the default is now XML rather than plain text) and needless to say I tried every single one I could find. None of them worked, so what to do? How about a complete rewrite in Python? And while we&#8217;re at it, let&#8217;s use the XML format that IANA wants everyone to use.<\/p>\n<p>So, one lunch hour of hacking and here it is, working like a charm. 
You can copy this, but I recommend <a href=\"http:\/\/www.evardsson.com\/files\/get-iana.py\">downloading it<\/a> to avoid whitespace issues.<\/p>\n<pre class=\"brush: python\">\r\n#!\/usr\/bin\/python\r\n\r\n\"\"\"\r\nfile: get-iana.py\r\n\r\nReplacement for get-iana.sh that ships with firehol and no longer seems to work.\r\nThis is less code, less confusing, uses the preferred XML format from IANA and works.\r\n\r\nCopyright (c) 2010 Sjan Evardsson\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy\r\nof this software and associated documentation files (the \"Software\"), to deal\r\nin the Software without restriction, including without limitation the rights\r\nto use, copy, modify, merge, publish, distribute, sublicense, and\/or sell\r\ncopies of the Software, and to permit persons to whom the Software is\r\nfurnished to do so, subject to the following conditions:\r\n\r\nThe above copyright notice and this permission notice shall be included in\r\nall copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\r\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE\r\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\r\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\r\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\r\nTHE SOFTWARE.\r\n\"\"\"\r\n\r\ntry:\r\n    from urllib.request import urlretrieve  # Python 3\r\nexcept ImportError:\r\n    from urllib import urlretrieve  # Python 2\r\nimport xml.dom.minidom\r\nimport os\r\n\r\n# Fetch the registry over HTTPS: this list ends up in firewall rules.\r\nurlretrieve('https:\/\/www.iana.org\/assignments\/ipv4-address-space\/ipv4-address-space.xml','address-space.xml')\r\nresults = []\r\nx = xml.dom.minidom.parse('address-space.xml')\r\nfor i in x.childNodes:\r\n    if i.localName == 'registry':\r\n        for j in i.childNodes:\r\n            if j.localName == 'record':\r\n                # Reset per record so values never carry over from the previous one.\r\n                prefix = status = None\r\n                for k in j.childNodes:\r\n                    if k.localName == 'prefix':\r\n                        prefix = k.firstChild.data\r\n                    if k.localName == 'status':\r\n                        status = k.firstChild.data\r\n                if prefix and status in ('RESERVED', 'UNALLOCATED'):\r\n                    results.append(prefix)\r\n# Write each matching prefix (such as 000\/8) as a dotted \/8 block, one per line.\r\noutfile = open('iana-temp','w')\r\nfor r in results:\r\n    hi = int(r.split('\/')[0])\r\n    outfile.write(str(hi)+'.0.0.0\/8\\n')\r\noutfile.close()\r\nos.remove('address-space.xml')\r\n# Keep the previous list as RESERVED_IPS.old, then install the new one.\r\nos.rename('\/etc\/firehol\/RESERVED_IPS','\/etc\/firehol\/RESERVED_IPS.old')\r\nos.rename('iana-temp','\/etc\/firehol\/RESERVED_IPS')\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I have talked before about using firehol to configure iptables. I won&#8217;t go into all the details about how wonderful and awesome it is, but trust me, it makes configuring iptables a snap. 
Firehol includes &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[34,10],"tags":[109,171,147],"class_list":["post-404","post","type-post","status-publish","format-standard","hentry","category-python","category-security","tag-firehol","tag-python","tag-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pxT7i-6w","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.evardsson.com\/blog\/wp-json\/wp\/v2\/posts\/404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.evardsson.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.evardsson.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.evardsson.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.evardsson.com\/blog\/wp-json\/wp\/v2\/comments?post=404"}],"version-history":[{"count":1,"href":"https:\/\/www.evardsson.com\/blog\/wp-json\/wp\/v2\/posts\/404\/revisions"}],"predecessor-version":[{"id":406,"href":"https:\/\/www.evardsson.com\/blog\/wp-json\/wp\/v2\/posts\/404\/revisions\/406"}],"wp:attachment":[{"href":"https:\/\/www.evardsson.com\/blog\/wp-json\/wp\/v2\/media?parent=404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.evardsson.com\/blog\/wp
-json\/wp\/v2\/categories?post=404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.evardsson.com\/blog\/wp-json\/wp\/v2\/tags?post=404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}