[config,firewall] Routage de l'intranet et du wiki sur le vlan accueil

Ignore-this: 945ca164eeedf63ae960bc5a4321040 darcs-hash:20120901105646-3a55a-05e04aa63ffacc1fd37cbf064132d3414aaaf596.gz
2012-09-01 12:56:46 +02:00 · 2012-09-01 12:56:46 +02:00 · 2c92618905
commit 2c92618905
parent 9670b80322
2 changed files with 22 additions and 3 deletions
--- a/gestion/config.py
+++ b/gestion/config.py
@ -453,8 +453,8 @@ NETs = { 'serveurs' : [ '138.231.136.0/28' ],
                           '138.231.147.0/24', '138.231.149.0/24', '138.231.150.0/24', '138.231.151.0/24' ],
         'fil' : [ '138.231.136.0/21' ],
         'wifi': [ '138.231.144.0/21' ],
-         'gratuit': [ '10.42.0.0/21' ],
-	 'accueil': ['10.51.0.0/21' ],
+         'gratuit': [ '10.42.0.0/16' ],
+	 'accueil': ['10.51.0.0/16' ],
         'personnel-ens': ['10.2.9.0/24' ],
         'ens' : ['138.231.135.0/24'],
         'all' : [ '138.231.136.0/21', '138.231.148.0/21' ]
@ -574,6 +574,11 @@ open_ports = { 'tcp' : '22' }
 debit_max_radin = 1000000
 debit_max_gratuit = 1000000

+#######################
+##   Vlan accueil    ##
+#######################
+accueil_route = {'138.231.136.1':['80','443'],'138.231.136.67':['80','443']}
+

 #######################
 ## Mail de bienvenue ##
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@ -37,7 +37,7 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi
 from affich_tools import *
 from commands import getstatusoutput
 from iptools import AddrInNet, NetSubnets, IpSubnet
-from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users
+from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route
 from ipset import IpsetError, Ipset
 from lc_ldap import lc_ldap
 syslog.openlog('firewall')
@ -1354,6 +1354,14 @@ class firewall_vert(firewall_crans) :
 class firewall_sable(firewall_redisdead):
    """Comme pour rouge, avec le proxy transparent en plus"""

+    def filter_table_tweaks(self) :
+        iptables("-P INPUT ACCEPT")
+        iptables("-P FORWARD DROP")
+        for ip in accueil_route.keys():
+          for port in accueil_route[ip]:
+           iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
+           iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
+
    def mangle_table(self):
        iptables("-t mangle -F PREROUTING")

@ -1375,6 +1383,12 @@ class firewall_sable(firewall_redisdead):
        if_accueil = "eth0.%d" % vlans["accueil"]
        if_isolement = "eth0.%d" % vlans["isolement"]

+	#intranet et wiki pour le vlan accueil
+        for ip in accueil_route.keys():
+          for port in accueil_route[ip]:
+            iptables("-t nat -A PREROUTING -i eth0.7 -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
+            iptables("-t nat -A POSTROUTING -p tcp -s %s -d %s --dport %s -j MASQUERADE" % (NETs['accueil'][0],ip,port))
+
         # Proxy transparent pour le wifi
        iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80" %if_defaut +
                 " -d ! 138.231.136.0/24 -j DNAT --to-destination" +