firewall: redirection portail-captif pour bl-hard

Daniel STAN 2015-08-09 19:17:45 +02:00
parent 22511a52a7
commit 0602ee1c5c


@ -129,6 +129,7 @@ class firewall(base.firewall_routeur):
self.add(table, chain, '-j %s' % self.ssh_on_https(table)) self.add(table, chain, '-j %s' % self.ssh_on_https(table))
self.add(table, chain, '-j %s' % self.connexion_secours(table)) self.add(table, chain, '-j %s' % self.connexion_secours(table))
self.add(table, chain, '-j %s' % self.blacklist_soft(table)) self.add(table, chain, '-j %s' % self.blacklist_soft(table))
self.add(table, chain, '-j %s' % self.blacklist_hard(table))
chain = 'POSTROUTING' chain = 'POSTROUTING'
self.add(table, chain, '-j %s' % self.connexion_wififederez(table)) self.add(table, chain, '-j %s' % self.connexion_wififederez(table))
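Review bot: The new jump to BLACKLIST_HARD is appended after the ssh_on_https, connexion_secours and BLACKLIST_SOFT jumps, so any flow one of those earlier chains ACCEPTs (or, in the nat table, DNATs) for an address that is also in the hard ipset never reaches the hard rules; if the hard sanction is meant to take precedence over the soft one, the added line belongs before the blacklist_soft jump, i.e. swap it with `self.add(table, chain, '-j %s' % self.blacklist_soft(table))`. Whether one address can sit in both ipsets depends on blacklisted_ips and the sanction config, neither of which is visible here, so this may be a non-issue by construction — a one-line comment stating the intended precedence would settle it for the next reader. The enclosing method starts and ends outside the hunk.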
@ -367,6 +368,41 @@ class firewall(base.firewall_routeur):
self.apply(table, chain) self.apply(table, chain)
return chain return chain
def blacklist_hard(self, table=None, fill_ipset=False, apply=False):
"""Bloque tout, sauf le 80 pour afficher le portail captif"""
chain = 'BLACKLIST_HARD'
if fill_ipset:
# On récupère la liste de toutes les ips blacklistés hard
bl_hard_ips = self.blacklisted_ips(base.config.blacklist_sanctions, base.config.NETs['all'])
anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['hard'])
self.ipset['blacklist']['hard'].restore(bl_hard_ips)
print OK
if table == 'filter':
pretty_print(table, chain)
# Same as blacklist_soft: autorise le port 80 et 3128 vers soi-même
self.add(table, chain, '-p tcp --dport 80 -m set --match-set %s src -j ACCEPT' % self.ipset['blacklist']['hard'] )
self.add(table, chain, '-p tcp --sport 80 -m set --match-set %s dst -j ACCEPT' % self.ipset['blacklist']['hard'] )
self.add(table, chain, '-p tcp -d 10.231.136.4 --dport 3128 -m set --match-set %s src -j ACCEPT' % self.ipset['blacklist']['hard'] )
self.add(table, chain, '-p tcp -s 10.231.136.4 --sport 3128 -m set --match-set %s dst -j ACCEPT' % self.ipset['blacklist']['hard'] )
# Mais on continue en refusant le reste
self.add(table, chain, '-m set --match-set %s src -j REJECT' % self.ipset['blacklist']['hard'] )
self.add(table, chain, '-m set --match-set %s dst -j REJECT' % self.ipset['blacklist']['hard'] )
print OK
if table == 'nat':
pretty_print(table, chain)
for net in base.config.NETs['all']:
self.add(table, chain, '-d %s -j RETURN' % net)
self.add(table, chain, '-p tcp --dport 80 -m set --match-set %s src -j RETURN' % self.ipset['confirmation'] ) # Les gens qui ont cliqué -> fine !
self.add(table, chain, '-p tcp --dport 80 -m set --match-set %s src -j DNAT --to-destination 10.231.136.4:3128' % self.ipset['blacklist']['hard'] )
print OK
if apply:
self.apply(table, chain)
return chain
def blacklist_upload_maj(self, ip_list): def blacklist_upload_maj(self, ip_list):
self.blacklist_upload(fill_ipset=True) self.blacklist_upload(fill_ipset=True)
# for ip in ip_list: # for ip in ip_list:
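Review bot: The two return-path rules `--sport 80 ... dst -j ACCEPT` and `-s 10.231.136.4 --sport 3128 ... dst -j ACCEPT` are stateless, so any host that sources its connections from port 80 (or spoofs 10.231.136.4:3128) is ACCEPTed toward a hard-blacklisted address before the `dst` REJECT fires; unless a chain evaluated earlier already admits established flows, those two lines are better replaced by one `self.add(table, chain, '-m conntrack --ctstate ESTABLISHED,RELATED -m set --match-set %s dst -j ACCEPT' % self.ipset['blacklist']['hard'])`. The filter half also REJECTs everything else from the set, DNS included, so the port-80 DNAT to the portal only ever fires if name resolution is allowed somewhere before this chain (not visible in the hunk) — otherwise browsers never emit the SYN that would be redirected. The `-d %s -j RETURN` loop exempts every network in NETs['all'] from the redirect while the filter chain still ACCEPTs `--dport 80` to any destination, so hard-blacklisted hosts keep plain-HTTP access to internal web servers; worth a comment confirming that is intended, since the docstring says everything but the portal is blocked. Finally, 10.231.136.4 is written four times across the filter and nat halves; a single class-level constant such as `PORTAIL_CAPTIF = '10.231.136.4'` would keep the ACCEPT and DNAT rules from drifting apart.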