Proxy transparent

darcs-hash:20060325133515-d1718-68bc8fb7056c86df69c7599ff7772088f3b8dd37.gz

gestion/gen_confs/firewall.py

@@ -207,7 +207,8 @@ class firewall_crans :
             for machine in self.__machines() :
                 self.__test_mac_ip(machine)
                 self.anim.cycle()
-            iptables("-t nat -P PREROUTING DROP")
+            iptables("-t nat -A TEST_MAC-IP -j DROP")
+            iptables("-t nat -P PREROUTING ACCEPT")
             self.anim.reinit()
             print OK
         
@@ -218,20 +219,15 @@ class firewall_crans :
         ip=machine.ip() 
         mac=machine.mac()
 
-        # FIXME: ceci est loin d'etre efficace
-        # fascisme: on met les machines du crans en premier
-        if machine.proprietaire().__class__ == crans:
         insert = '-I'
-        else:
-            insert = '-A'
         if isinstance(machine, MachineWifi):
             # Machine wifi, c'est la mac de Nectaris
             iptables("-t nat %s TEST_MAC-IP -s "%(insert)+\
-            "%s -m mac --mac-source %s -j ACCEPT"%(ip, self.mac_wifi))
+            "%s -m mac --mac-source %s -j RETURN"%(ip, self.mac_wifi))
         else:
             # Machine fixe
             iptables("-t nat %s TEST_MAC-IP -s "%(insert)+\
-            "%s -m mac --mac-source %s -j ACCEPT"%(ip,mac))    
+            "%s -m mac --mac-source %s -j RETURN"%(ip,mac))    
 
     def serveurs_maj(self):
         pass
@@ -467,8 +463,16 @@ class firewall_komaz(firewall_crans) :
         # iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80 -s ! %s -j DNAT --to-destination 138.231.136.3:81" % (self.eth_int, self.zone_serveur) )
         # iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int )
         iptables("-t nat -A PREROUTING -j TEST_MAC-IP")
-        iptables("-t nat -P PREROUTING DROP")
+        iptables("-t nat -P PREROUTING ACCEPT")
         iptables("-t nat -P OUTPUT ACCEPT")
+
+        # Proxy transparent
+        iptables("-t mangle -F PREROUTING")
+        iptables("-t mangle -A PREROUTING -s 138.231.136.10 -j RETURN") # Pas pour sila
+        iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " +
+                 "-s 138.231.136.0/21 -d \! 138.231.148.0/22 -j MARK --set-mark 2")
+        iptables("-t nat -A PREROUTING -p tcp -m mark --mark 2 -j DNAT " +
+                 "--to-destination 138.231.144.10:3128")
         print OK
  
     def filter_table_tweaks(self) :
@@ -487,6 +491,9 @@ class firewall_komaz(firewall_crans) :
         iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) )
         iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext )
         iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext )
+
+        # Proxy transparent
+        iptables("-I FORWARD -m mark --mark 2 -j ACCEPT")
         print OK
 
     def post_start_hook(self) :
@@ -774,8 +781,6 @@ class firewall_zamok(firewall_crans) :
         iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
         iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
         iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
-        iptables("-t nat -A PREROUTING -m mac --mac-source %s -j ACCEPT"
-                 % (self.mac_komaz))
         iptables("-t filter -A OUTPUT -o lo -j ACCEPT")
 
         # pour une connection entrante venant du VLAN adm, il faut que le ACK
@@ -785,7 +790,7 @@ class firewall_zamok(firewall_crans) :
         iptables("-t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT")
         iptables("-t filter -A OUTPUT -o %s -j SERV_OUT_ADM" % self.eth_adm)
 
-        iptables("-t nat -P PREROUTING DROP") 
+        iptables("-t nat -P PREROUTING ACCEPT") 
         iptables("-t filter -P OUTPUT ACCEPT")
         print OK
 
@@ -831,10 +836,8 @@ class firewall_rouge(firewall_crans) :
         iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
         iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
         iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
-        iptables("-t nat -A PREROUTING -m mac --mac-source %s -j ACCEPT"
-                 % (self.mac_komaz))
 
-        iptables("-t nat -P PREROUTING DROP")
+        iptables("-t nat -P PREROUTING ACCEPT")
         iptables("-t nat -P OUTPUT ACCEPT")
         print OK
 
@@ -875,10 +878,8 @@ class firewall_vert(firewall_crans) :
         iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
         iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
         iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
-        iptables("-t nat -A PREROUTING -m mac --mac-source %s -j ACCEPT"
-                 % (self.mac_komaz))
 
-        iptables("-t nat -P PREROUTING DROP")
+        iptables("-t nat -P PREROUTING ACCEPT")
         iptables("-t nat -P OUTPUT ACCEPT")
         print OK
 
@@ -888,7 +889,18 @@ class firewall_vert(firewall_crans) :
         iptables("-P FORWARD DROP")
         print OK
 
-firewall_sila = firewall_rouge
+class firewall_sila(firewall_rouge):
+    """Comme pour rouge, avec le proxy transparent en plus"""
+
+    def nat_table(self):
+        firewall_rouge.nat_table(self)
+        # Pour le proxy transparent
+        iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark 2 -j ACCEPT")
+        iptables("-t mangle -F PREROUTING")
+        iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " + 
+                 "--destination 138.231.144.10 " + 
+                 "-m mac --mac-source %s -j MARK --set-mark 2" % self.mac_komaz)
+    
 firewall_bleu = firewall_zamok
 
 if __name__ == '__main__' :