[firewall_new] Les appartements passent par komaz.
Ignore-this: 49627aac6bc73d557adfdb9bcd8d203e darcs-hash:20121016150119-3a55a-37a4a4c6309f23c382a83fb0a2bc50e1f6b56c84.gz
parent
7bdb2ab0ed
commit
15c78a93a7
1 changed files with 32 additions and 27 deletions
|
@ -483,6 +483,8 @@ class firewall_komaz(firewall_crans) :
|
||||||
self.anim = anim('\tFiltrage ip non routables',len(self.liste_reseaux_non_routables))
|
self.anim = anim('\tFiltrage ip non routables',len(self.liste_reseaux_non_routables))
|
||||||
iptables("-t filter -A RESEAUX_NON_ROUTABLES_DST -d 10.231.136.0/24 -j RETURN")
|
iptables("-t filter -A RESEAUX_NON_ROUTABLES_DST -d 10.231.136.0/24 -j RETURN")
|
||||||
iptables("-t filter -A RESEAUX_NON_ROUTABLES_SRC -d 10.231.136.0/24 -j RETURN")
|
iptables("-t filter -A RESEAUX_NON_ROUTABLES_SRC -d 10.231.136.0/24 -j RETURN")
|
||||||
|
iptables("-t filter -A RESEAUX_NON_ROUTABLES_DST -d %s -j RETURN" % NETs['personnel-ens'][0])
|
||||||
|
iptables("-t filter -A RESEAUX_NON_ROUTABLES_SRC -s %s -j RETURN" % NETs['personnel-ens'][0])
|
||||||
for reseau in self.liste_reseaux_non_routables :
|
for reseau in self.liste_reseaux_non_routables :
|
||||||
iptables("-t filter -A RESEAUX_NON_ROUTABLES_DST -d %s -j DROP" % reseau)
|
iptables("-t filter -A RESEAUX_NON_ROUTABLES_DST -d %s -j DROP" % reseau)
|
||||||
iptables("-t filter -A RESEAUX_NON_ROUTABLES_SRC -s %s -j DROP" % reseau)
|
iptables("-t filter -A RESEAUX_NON_ROUTABLES_SRC -s %s -j DROP" % reseau)
|
||||||
|
@ -557,6 +559,13 @@ class firewall_komaz(firewall_crans) :
|
||||||
iptables("-t mangle -A POSTROUTING -o %(eth_ext)s -s %(net)s "
|
iptables("-t mangle -A POSTROUTING -o %(eth_ext)s -s %(net)s "
|
||||||
"-j CLASSIFY --set-class 1:9998" % locals())
|
"-j CLASSIFY --set-class 1:9998" % locals())
|
||||||
|
|
||||||
|
for net in NETs['personnel-ens']:
|
||||||
|
# pas de limitation en download
|
||||||
|
#iptables("-t mangle -A POSTROUTING -d %(net)s "
|
||||||
|
# "-j CLASSIFY --set-class 1:9998" % locals())
|
||||||
|
iptables("-t mangle -A POSTROUTING -s %(net)s "
|
||||||
|
"-j CLASSIFY --set-class 1:9998" % locals())
|
||||||
|
|
||||||
# On crée les chaînes de sous-réseaux
|
# On crée les chaînes de sous-réseaux
|
||||||
for net in NETs['all']:
|
for net in NETs['all']:
|
||||||
for mask in conf_fw.mask:
|
for mask in conf_fw.mask:
|
||||||
|
@ -604,6 +613,22 @@ class firewall_komaz(firewall_crans) :
|
||||||
"htb rate %(debit_max_semi)skbps ceil %(debit_max)skbps prio 1" % locals())
|
"htb rate %(debit_max_semi)skbps ceil %(debit_max)skbps prio 1" % locals())
|
||||||
tc("qdisc add dev %(interface)s parent 1:9998 "
|
tc("qdisc add dev %(interface)s parent 1:9998 "
|
||||||
"handle 9998: sfq perturb 10" % locals())
|
"handle 9998: sfq perturb 10" % locals())
|
||||||
|
|
||||||
|
for interface in ["crans.21"]:
|
||||||
|
# On vide les classes et qdisc
|
||||||
|
try:
|
||||||
|
tc("qdisc del dev %s root" % interface)
|
||||||
|
except TcError, c:
|
||||||
|
warn += str(c) + '\n'
|
||||||
|
# On construit les classes et qdisc de base
|
||||||
|
# La partie principale qui définit le comportement par défaut
|
||||||
|
tc("qdisc add dev %(interface)s root handle 1: htb r2q 1" % locals())
|
||||||
|
tc("class add dev %(interface)s parent 1: classid 1:1 "
|
||||||
|
"htb rate 128kbps ceil 128kbps" % locals())
|
||||||
|
tc("class add dev %(interface)s parent 1:1 classid 1:9998 "
|
||||||
|
"htb rate 128kbps ceil 128kbps prio 1" % locals())
|
||||||
|
tc("qdisc add dev %(interface)s parent 1:9998 "
|
||||||
|
"handle 9998: sfq perturb 10" % locals())
|
||||||
print OK
|
print OK
|
||||||
|
|
||||||
def qos(self):
|
def qos(self):
|
||||||
|
@ -679,6 +704,10 @@ class firewall_komaz(firewall_crans) :
|
||||||
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
|
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
|
||||||
"-j DNAT --to-destination 10.231.136.9:3128")
|
"-j DNAT --to-destination 10.231.136.9:3128")
|
||||||
|
|
||||||
|
# Appartement ENS
|
||||||
|
iptables("-t nat -A POSTROUTING -o ens -s %s -j SNAT --to 138.231.136.44" % NETs['personnel-ens'][0])
|
||||||
|
iptables("-t nat -A POSTROUTING -o crans -s %s -j SNAT --to 138.231.136.44" % NETs['personnel-ens'][0])
|
||||||
|
|
||||||
#Connection de secours
|
#Connection de secours
|
||||||
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['secours'] +
|
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['secours'] +
|
||||||
"-j DNAT --to-destination 10.231.136.9:3128")
|
"-j DNAT --to-destination 10.231.136.9:3128")
|
||||||
|
@ -703,6 +732,7 @@ class firewall_komaz(firewall_crans) :
|
||||||
iptables("-A FORWARD -j RESEAUX_NON_ROUTABLES_DST")
|
iptables("-A FORWARD -j RESEAUX_NON_ROUTABLES_DST")
|
||||||
iptables("-A FORWARD -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
|
iptables("-A FORWARD -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
|
||||||
|
|
||||||
|
|
||||||
# Proxy transparent, pour les deconnexion soft
|
# Proxy transparent, pour les deconnexion soft
|
||||||
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||||
|
|
||||||
|
@ -731,6 +761,8 @@ class firewall_komaz(firewall_crans) :
|
||||||
iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
|
iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
|
||||||
iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
|
iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
|
||||||
iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
|
iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
|
||||||
|
iptables("-A FORWARD -s %s -j ACCEPT" % NETs['personnel-ens'][0])
|
||||||
|
iptables("-A FORWARD -d %s -j ACCEPT" % NETs['personnel-ens'][0])
|
||||||
iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
|
iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
|
||||||
iptables("-A FORWARD -j INGRESS_FILTERING")
|
iptables("-A FORWARD -j INGRESS_FILTERING")
|
||||||
# on ne route pas les paquets n'appartenant pas à notre plage ip -- xhub
|
# on ne route pas les paquets n'appartenant pas à notre plage ip -- xhub
|
||||||
|
@ -1372,8 +1404,6 @@ class firewall_sable(firewall_redisdead):
|
||||||
for port in accueil_route[ip]:
|
for port in accueil_route[ip]:
|
||||||
iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
|
iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
|
||||||
iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
|
iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
|
||||||
iptables("-A FORWARD -s %s -j ACCEPT" % NETs['personnel-ens'][0])
|
|
||||||
iptables("-A FORWARD -d %s -j ACCEPT" % NETs['personnel-ens'][0])
|
|
||||||
|
|
||||||
def mangle_table(self):
|
def mangle_table(self):
|
||||||
iptables("-t mangle -F PREROUTING")
|
iptables("-t mangle -F PREROUTING")
|
||||||
|
@ -1384,37 +1414,12 @@ class firewall_sable(firewall_redisdead):
|
||||||
"-m mac --mac-source %s " % mac_komaz +
|
"-m mac --mac-source %s " % mac_komaz +
|
||||||
"-j MARK --set-mark %s" % conf_fw.mark['proxy'])
|
"-j MARK --set-mark %s" % conf_fw.mark['proxy'])
|
||||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||||
#classification des personnels ens
|
|
||||||
for net in NETs['personnel-ens']:
|
|
||||||
# pas de limitation en download
|
|
||||||
#iptables("-t mangle -A POSTROUTING -d %(net)s "
|
|
||||||
# "-j CLASSIFY --set-class 1:9998" % locals())
|
|
||||||
iptables("-t mangle -A POSTROUTING -s %(net)s "
|
|
||||||
"-j CLASSIFY --set-class 1:9998" % locals())
|
|
||||||
warn=''
|
|
||||||
for interface in ["eth0.21"]:
|
|
||||||
# On vide les classes et qdisc
|
|
||||||
try:
|
|
||||||
tc("qdisc del dev %s root" % interface)
|
|
||||||
except TcError, c:
|
|
||||||
warn += str(c) + '\n'
|
|
||||||
# On construit les classes et qdisc de base
|
|
||||||
# La partie principale qui définit le comportement par défaut
|
|
||||||
tc("qdisc add dev %(interface)s root handle 1: htb r2q 1" % locals())
|
|
||||||
tc("class add dev %(interface)s parent 1: classid 1:1 "
|
|
||||||
"htb rate 128kbps ceil 128kbps" % locals())
|
|
||||||
tc("class add dev %(interface)s parent 1:1 classid 1:9998 "
|
|
||||||
"htb rate 128kbps ceil 128kbps prio 1" % locals())
|
|
||||||
tc("qdisc add dev %(interface)s parent 1:9998 "
|
|
||||||
"handle 9998: sfq perturb 10" % locals())
|
|
||||||
print warn
|
|
||||||
|
|
||||||
|
|
||||||
def nat_table(self):
|
def nat_table(self):
|
||||||
firewall_redisdead.nat_table(self)
|
firewall_redisdead.nat_table(self)
|
||||||
# Proxy transparent pour le filiaire
|
# Proxy transparent pour le filiaire
|
||||||
iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||||
iptables("-t nat -A POSTROUTING -s %s -j MASQUERADE" % NETs['personnel-ens'][0])
|
|
||||||
if_defaut = "eth0"
|
if_defaut = "eth0"
|
||||||
if_radin = "eth0.%d" % vlans["radin"]
|
if_radin = "eth0.%d" % vlans["radin"]
|
||||||
if_accueil = "eth0.%d" % vlans["accueil"]
|
if_accueil = "eth0.%d" % vlans["accueil"]
|
||||||
|
|
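Review bot: The two ACCEPT rules added for the personnel-ens prefix (`-s %s -j ACCEPT` and `-d %s -j ACCEPT`) match on address only and are appended before the INGRESS_FILTERING jump, so a packet arriving on the external interface with a spoofed personnel-ens source is accepted here before ingress filtering can reject it, and the new RETURN for the same prefix in RESEAUX_NON_ROUTABLES_SRC (first hunk) removes the earlier drop that would have caught it if that prefix is otherwise in the non-routable list. Bind the source rule to the inside, e.g. `iptables("-A FORWARD -i ! %s -s %s -j ACCEPT" % (self.eth_ext, NETs['personnel-ens'][0]))` (same negation style as the FILTRE_P2P rule above), and place the destination rule after the ESTABLISHED,RELATED rule unless unsolicited inbound traffic to the apartments is intended. Note also that these rules, like the SNAT and RESEAUX_NON_ROUTABLES ones, use only `NETs['personnel-ens'][0]`, while the mangle hunk iterates over every entry of `NETs['personnel-ens']`; if that list ever holds more than one prefix, the extra prefixes would be classified but neither accepted nor NATed. Separately, in the tc hunk `warn += str(c) + '\n'` has no visible `warn = ''` initialisation in the komaz method (the sable block being deleted had one), so the first TcError would raise unless `warn` is set earlier outside the hunk. The enclosing method starts and ends outside this hunk.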