Proxy transparent

darcs-hash:20060325133515-d1718-68bc8fb7056c86df69c7599ff7772088f3b8dd37.gz
2006-03-25 14:35:15 +01:00 · 2006-03-25 14:35:15 +01:00 · 25eb59cc09
commit 25eb59cc09
parent 61abd3afa5
1 changed files with 32 additions and 20 deletions
--- a/gestion/gen_confs/firewall.py
+++ b/gestion/gen_confs/firewall.py
@ -207,7 +207,8 @@ class firewall_crans :
            for machine in self.__machines() :
                self.__test_mac_ip(machine)
                self.anim.cycle()
-            iptables("-t nat -P PREROUTING DROP")
+            iptables("-t nat -A TEST_MAC-IP -j DROP")
+            iptables("-t nat -P PREROUTING ACCEPT")
            self.anim.reinit()
            print OK
        
@ -218,20 +219,15 @@ class firewall_crans :
        ip=machine.ip() 
        mac=machine.mac()

-        # FIXME: ceci est loin d'etre efficace
-        # fascisme: on met les machines du crans en premier
-        if machine.proprietaire().__class__ == crans:
-            insert = '-I'
-        else:
-            insert = '-A'
+        insert = '-I'
        if isinstance(machine, MachineWifi):
            # Machine wifi, c'est la mac de Nectaris
            iptables("-t nat %s TEST_MAC-IP -s "%(insert)+\
-            "%s -m mac --mac-source %s -j ACCEPT"%(ip, self.mac_wifi))
+            "%s -m mac --mac-source %s -j RETURN"%(ip, self.mac_wifi))
        else:
            # Machine fixe
            iptables("-t nat %s TEST_MAC-IP -s "%(insert)+\
-            "%s -m mac --mac-source %s -j ACCEPT"%(ip,mac))    
+            "%s -m mac --mac-source %s -j RETURN"%(ip,mac))    

    def serveurs_maj(self):
        pass
@ -467,8 +463,16 @@ class firewall_komaz(firewall_crans) :
        # iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80 -s ! %s -j DNAT --to-destination 138.231.136.3:81" % (self.eth_int, self.zone_serveur) )
        # iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int )
        iptables("-t nat -A PREROUTING -j TEST_MAC-IP")
-        iptables("-t nat -P PREROUTING DROP")
+        iptables("-t nat -P PREROUTING ACCEPT")
        iptables("-t nat -P OUTPUT ACCEPT")
+
+        # Proxy transparent
+        iptables("-t mangle -F PREROUTING")
+        iptables("-t mangle -A PREROUTING -s 138.231.136.10 -j RETURN") # Pas pour sila
+        iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " +
+                 "-s 138.231.136.0/21 -d \! 138.231.148.0/22 -j MARK --set-mark 2")
+        iptables("-t nat -A PREROUTING -p tcp -m mark --mark 2 -j DNAT " +
+                 "--to-destination 138.231.144.10:3128")
        print OK
 
    def filter_table_tweaks(self) :
@ -487,6 +491,9 @@ class firewall_komaz(firewall_crans) :
        iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) )
        iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext )
        iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext )
+
+        # Proxy transparent
+        iptables("-I FORWARD -m mark --mark 2 -j ACCEPT")
        print OK

    def post_start_hook(self) :
@ -774,8 +781,6 @@ class firewall_zamok(firewall_crans) :
        iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
        iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
        iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
-        iptables("-t nat -A PREROUTING -m mac --mac-source %s -j ACCEPT"
-                 % (self.mac_komaz))
        iptables("-t filter -A OUTPUT -o lo -j ACCEPT")

        # pour une connection entrante venant du VLAN adm, il faut que le ACK
@ -785,7 +790,7 @@ class firewall_zamok(firewall_crans) :
        iptables("-t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT")
        iptables("-t filter -A OUTPUT -o %s -j SERV_OUT_ADM" % self.eth_adm)

-        iptables("-t nat -P PREROUTING DROP") 
+        iptables("-t nat -P PREROUTING ACCEPT") 
        iptables("-t filter -P OUTPUT ACCEPT")
        print OK

@ -831,10 +836,8 @@ class firewall_rouge(firewall_crans) :
        iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
        iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
        iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
-        iptables("-t nat -A PREROUTING -m mac --mac-source %s -j ACCEPT"
-                 % (self.mac_komaz))

-        iptables("-t nat -P PREROUTING DROP")
+        iptables("-t nat -P PREROUTING ACCEPT")
        iptables("-t nat -P OUTPUT ACCEPT")
        print OK

@ -875,10 +878,8 @@ class firewall_vert(firewall_crans) :
        iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
        iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
        iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
-        iptables("-t nat -A PREROUTING -m mac --mac-source %s -j ACCEPT"
-                 % (self.mac_komaz))

-        iptables("-t nat -P PREROUTING DROP")
+        iptables("-t nat -P PREROUTING ACCEPT")
        iptables("-t nat -P OUTPUT ACCEPT")
        print OK

@ -888,7 +889,18 @@ class firewall_vert(firewall_crans) :
        iptables("-P FORWARD DROP")
        print OK

-firewall_sila = firewall_rouge
+class firewall_sila(firewall_rouge):
+    """Comme pour rouge, avec le proxy transparent en plus"""
+
+    def nat_table(self):
+        firewall_rouge.nat_table(self)
+        # Pour le proxy transparent
+        iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark 2 -j ACCEPT")
+        iptables("-t mangle -F PREROUTING")
+        iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " + 
+                 "--destination 138.231.144.10 " + 
+                 "-m mac --mac-source %s -j MARK --set-mark 2" % self.mac_komaz)
+    
 firewall_bleu = firewall_zamok

 if __name__ == '__main__' :