From 15c78a93a7ac8418e9ba3cc44898968015742fee Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Tue, 16 Oct 2012 17:01:19 +0200
Subject: [PATCH] [firewall_new] Les appartements passent par komaz.

Ignore-this: 49627aac6bc73d557adfdb9bcd8d203e
darcs-hash:20121016150119-3a55a-37a4a4c6309f23c382a83fb0a2bc50e1f6b56c84.gz
---
 gestion/gen_confs/firewall_new.py | 59 +++++++++++++++++--------------
 1 file changed, 32 insertions(+), 27 deletions(-)

diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index 817a8c0b..604336a2 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@@ -483,6 +483,8 @@ class firewall_komaz(firewall_crans) :
 self.anim = anim('\tFiltrage ip non routables',len(self.liste_reseaux_non_routables))
 iptables("-t filter -A RESEAUX_NON_ROUTABLES_DST -d 10.231.136.0/24 -j RETURN")
 iptables("-t filter -A RESEAUX_NON_ROUTABLES_SRC -d 10.231.136.0/24 -j RETURN")
+ iptables("-t filter -A RESEAUX_NON_ROUTABLES_DST -d %s -j RETURN" % NETs['personnel-ens'][0])
+ iptables("-t filter -A RESEAUX_NON_ROUTABLES_SRC -s %s -j RETURN" % NETs['personnel-ens'][0])
 for reseau in self.liste_reseaux_non_routables :
 iptables("-t filter -A RESEAUX_NON_ROUTABLES_DST -d %s -j DROP" % reseau)
 iptables("-t filter -A RESEAUX_NON_ROUTABLES_SRC -s %s -j DROP" % reseau)
@@ -556,6 +558,13 @@ class firewall_komaz(firewall_crans) :
 "-j CLASSIFY --set-class 1:9998" % locals())
 iptables("-t mangle -A POSTROUTING -o %(eth_ext)s -s %(net)s "
 "-j CLASSIFY --set-class 1:9998" % locals())
+
+ for net in NETs['personnel-ens']:
+ # pas de limitation en download
+ #iptables("-t mangle -A POSTROUTING -d %(net)s "
+ # "-j CLASSIFY --set-class 1:9998" % locals())
+ iptables("-t mangle -A POSTROUTING -s %(net)s "
+ "-j CLASSIFY --set-class 1:9998" % locals())

 # On crée les chaînes de sous-réseaux
 for net in NETs['all']:
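Review bot: The two added RETURN rules exempt only `NETs['personnel-ens'][0]`, while the classification loop added in the next hunk iterates the whole list (`for net in NETs['personnel-ens']:`), and the SNAT and FORWARD rules later in this patch index `[0]` again. If that list ever holds a second prefix, traffic from it would be shaped as personnel traffic but still hit the `-j DROP` rules that follow in these chains (presumably the reason the RETURN is needed at all is that the prefix falls inside `liste_reseaux_non_routables`; confirm). Either loop here as well, with the two RETURN rules inside `for net in NETs['personnel-ens']:`, or state the single-prefix assumption in a comment such as `# un seul préfixe personnel-ens est supposé`. The enclosing method starts and ends outside the hunk.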
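Review bot: The new mangle rule for the personnel-ens prefix has no `-o` match, unlike the two context rules immediately above it which restrict CLASSIFY to `%(eth_ext)s`, so packets from that prefix are tagged 1:9998 on every egress interface that carries such a class; if the intent is to shape them only on the apartment interface configured in the tc block of this patch, add `-o` accordingly, otherwise a short comment stating that the rule is deliberately interface-independent would save the next reader the question. The two commented-out `#iptables(...)` lines are dead code carried over from the sable version; the one-line comment `# pas de limitation en download` already records the decision, so the commented rule can go. The enclosing method continues outside the hunk.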
@@ -604,6 +613,22 @@ class firewall_komaz(firewall_crans) :
 "htb rate %(debit_max_semi)skbps ceil %(debit_max)skbps prio 1" % locals())
 tc("qdisc add dev %(interface)s parent 1:9998 "
 "handle 9998: sfq perturb 10" % locals())
+
+ for interface in ["crans.21"]:
+ # On vide les classes et qdisc
+ try:
+ tc("qdisc del dev %s root" % interface)
+ except TcError, c:
+ warn += str(c) + '\n'
+ # On construit les classes et qdisc de base
+ # La partie principale qui définit le comportement par défaut
+ tc("qdisc add dev %(interface)s root handle 1: htb r2q 1" % locals())
+ tc("class add dev %(interface)s parent 1: classid 1:1 "
+ "htb rate 128kbps ceil 128kbps" % locals())
+ tc("class add dev %(interface)s parent 1:1 classid 1:9998 "
+ "htb rate 128kbps ceil 128kbps prio 1" % locals())
+ tc("qdisc add dev %(interface)s parent 1:9998 "
+ "handle 9998: sfq perturb 10" % locals())
 print OK

 def qos(self):
@@ -679,6 +704,10 @@ class firewall_komaz(firewall_crans) :
 iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
 "-j DNAT --to-destination 10.231.136.9:3128")

+ # Appartement ENS
+ iptables("-t nat -A POSTROUTING -o ens -s %s -j SNAT --to 138.231.136.44" % NETs['personnel-ens'][0])
+ iptables("-t nat -A POSTROUTING -o crans -s %s -j SNAT --to 138.231.136.44" % NETs['personnel-ens'][0])
+
 #Connection de secours
 iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['secours'] +
 "-j DNAT --to-destination 10.231.136.9:3128")
@@ -702,6 +731,7 @@ class firewall_komaz(firewall_crans) :
 iptables("-A FORWARD -j RESEAUX_NON_ROUTABLES_DST")
 iptables("-A FORWARD -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )

+ # Proxy transparent, pour les deconnexion soft
 iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
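Review bot: `warn += str(c) + '\n'` in the added `except TcError, c:` branch relies on `warn` already being bound in this method: the sable block this code was moved from (removed at the end of the patch) started with `warn=''` and ended with `print warn`, and neither line is added here. If the komaz method does not bind `warn` earlier, outside the hunk, the first `tc` failure raises UnboundLocalError instead of being reported; if it does, the collected messages are only useful if they are emitted, which nothing in this hunk shows. Add `warn = ''` before the new `for interface in ["crans.21"]:` loop (or confirm it exists above) and report the accumulated text the way the rest of the method does. Separately, `"crans.21"` and `128kbps` are literals where the context lines take `%(interface)s` and `%(debit_max)s` from configuration; a named constant next to the other shaping parameters would keep them in one place. The enclosing method starts outside the hunk and ends at the `print OK` context line.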
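Review bot: The two SNAT rules hard-code the public address `138.231.136.44` and the interface names `ens` and `crans`, whereas the surrounding code takes prefixes from `NETs`/`conf_fw` and the external interface from `self.eth_ext`; a renumbering or an interface rename would silently leave the apartment prefix un-NATed on the new interface. Moving the address and the interface list into the same configuration the other rules use (a constant alongside the existing `NETs` entries is enough) keeps the policy in one place. The removed sable rule was `-j MASQUERADE` with no `-o`, so the new per-interface restriction looks deliberate; a one-line comment naming why exactly those two interfaces get SNAT would make that explicit. The enclosing method starts and ends outside the hunk.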
@@ -731,6 +761,8 @@ class firewall_komaz(firewall_crans) :
 iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
 iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
 iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
+ iptables("-A FORWARD -s %s -j ACCEPT" % NETs['personnel-ens'][0])
+ iptables("-A FORWARD -d %s -j ACCEPT" % NETs['personnel-ens'][0])
 iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
 iptables("-A FORWARD -j INGRESS_FILTERING")
 # on ne route pas les paquets n'appartenant pas à notre plage ip -- xhub
@@ -1372,8 +1404,6 @@ class firewall_sable(firewall_redisdead):
 for port in accueil_route[ip]:
 iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
 iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
- iptables("-A FORWARD -s %s -j ACCEPT" % NETs['personnel-ens'][0])
- iptables("-A FORWARD -d %s -j ACCEPT" % NETs['personnel-ens'][0])

 def mangle_table(self):
 iptables("-t mangle -F PREROUTING")
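Review bot: The added `-d %s -j ACCEPT` for `NETs['personnel-ens'][0]` accepts every forwarded packet towards the apartment prefix before the `ESTABLISHED,RELATED` rule, before `INGRESS_FILTERING` (which, per the comment on the last context line, appears to be the anti-spoofing step) and before whatever follows the hunk, so none of those checks apply to inbound traffic for that prefix; the `-s` rule likewise short-circuits them for outbound. Return traffic is already admitted by the `ESTABLISHED,RELATED` rule on the next line, so if unrestricted inbound forwarding is not the intent, move at least the `-d` rule below `-j INGRESS_FILTERING`; if it is the intent (the rules were previously in sable, after the per-port `accueil_route` ACCEPTs, so their position relative to later rules has changed with this move), add a comment saying so, e.g. `# appartements ENS : forward sans filtrage, dans les deux sens`. The enclosing method starts and ends outside the hunk.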
@@ -1384,37 +1414,12 @@ class firewall_sable(firewall_redisdead):
 "-m mac --mac-source %s " % mac_komaz +
 "-j MARK --set-mark %s" % conf_fw.mark['proxy'])
 iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
- #classification des personnels ens
- for net in NETs['personnel-ens']:
- # pas de limitation en download
- #iptables("-t mangle -A POSTROUTING -d %(net)s "
- # "-j CLASSIFY --set-class 1:9998" % locals())
- iptables("-t mangle -A POSTROUTING -s %(net)s "
- "-j CLASSIFY --set-class 1:9998" % locals())
- warn=''
- for interface in ["eth0.21"]:
- # On vide les classes et qdisc
- try:
- tc("qdisc del dev %s root" % interface)
- except TcError, c:
- warn += str(c) + '\n'
- # On construit les classes et qdisc de base
- # La partie principale qui définit le comportement par défaut
- tc("qdisc add dev %(interface)s root handle 1: htb r2q 1" % locals())
- tc("class add dev %(interface)s parent 1: classid 1:1 "
- "htb rate 128kbps ceil 128kbps" % locals())
- tc("class add dev %(interface)s parent 1:1 classid 1:9998 "
- "htb rate 128kbps ceil 128kbps prio 1" % locals())
- tc("qdisc add dev %(interface)s parent 1:9998 "
- "handle 9998: sfq perturb 10" % locals())
- print warn

 def nat_table(self):
 firewall_redisdead.nat_table(self)
 # Proxy transparent pour le filiaire
 iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
- iptables("-t nat -A POSTROUTING -s %s -j MASQUERADE" % NETs['personnel-ens'][0])
 if_defaut = "eth0"
 if_radin = "eth0.%d" % vlans["radin"]
 if_accueil = "eth0.%d" % vlans["accueil"]