[ipt,firewall6] Ajout blacklist pour carte etudiant et chambre invalide, on accepte les icmp NDP en output/input pour pouvoir envoyer des REJECT

Ignore-this: 58ba4a92e7be972ba8db8a4819df9174 darcs-hash:20121104152928-3a55a-5f42ca802a7c0016e5931dcdc1281f60a860da2d.gz
2012-11-04 16:29:28 +01:00 · 2012-11-04 16:29:28 +01:00 · 327689a051
commit 327689a051
parent c71900a5ba
3 changed files with 16 additions and 6 deletions
--- a/gestion/config.py
+++ b/gestion/config.py
@ -517,7 +517,8 @@ prefix = {  'subnet' : [ '2a01:240:fe3d::/48' ],
            'fil' : [ '2a01:240:fe3d:4::/64' ],
            'adm' : [ '2a01:240:fe3d:c804::/64' ],
            'wifi' : [ '2a01:240:fe3d:f7::/64' ],
-            'sixxs2' : [ '2a01:240:fe00:68::/64' ]
+            'sixxs2' : [ '2a01:240:fe00:68::/64' ],
            'personnel-ens':['fe80:0:0:0::/64']
            }
 # Domaines dans lesquels les machines sont placées suivant leur type
@ -580,7 +581,7 @@ file_pickle = { 4 : '/tmp/ipt_pickle',
              }
 blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p',
-        'autodisc_upload', 'bloq']
+        'autodisc_upload', 'bloq', 'carte_etudiant','chambre_invalide']
 adm_users = [ 'root', 'identd', 'daemon', 'postfix', 'freerad', 'amavis',
        'nut', 'respbats', 'list', 'sqlgrey', 'ntpd', 'lp' ]
--- a/gestion/gen_confs/firewall6.py
+++ b/gestion/gen_confs/firewall6.py
@ -89,6 +89,12 @@ def basic_fw():
    # On rejete les ra.
    ip6tables.filter.input('-p icmpv6 -m icmp6 --icmpv6-type router-advertisement -j REJECT')
     # On accepte NDP sauf les RA, sinon, les REJECT ne fonctionnent pas
    for icmpv6 in ['neighbour-solicitation','neighbour-advertisement','redirect','router-solicitation']:
        ip6tables.filter.input('-p icmpv6 -m icmp6 --icmpv6-type %s -j ACCEPT' % icmpv6)
        ip6tables.filter.output('-p icmpv6 -m icmp6 --icmpv6-type %s -j ACCEPT' % icmpv6)
    # On ne vérifie rien sur les ip qui ne sont pas dans notre prefix
    ip6tables.filter.ieui64('! -s %s -j RETURN' % prefix['subnet'][0])
@ -138,7 +144,8 @@ def main_router():
    # Alternative : flusher la table conntrack des entrées concernant cette
    # machine.
    blacklist(ip6tables)
-    ip6tables.filter.forward('-o %s -j BLACKLIST_SRC' % dev_ip6)
+    ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_crans)
    #~ ip6tables.filter.forward('-o %s -j BLACKLIST_SRC' % dev_ip6)
    ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6)
    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "info_hash=" -j ACCEPT')
--- a/gestion/ipt.py
+++ b/gestion/ipt.py
@ -54,7 +54,7 @@ Filter_policy_template = """
 """
 dprefix = { 'fil' : 'fil', 'fil-v6' : 'fil', 'adm' : 'adm', 'wifi' : 'wifi',
-        'wifi-v6' : 'wifi' }
+        'wifi-v6' : 'wifi','personnel-ens':'personnel-ens' }
 default_chains = [ 'PREROUTING', 'INPUT', 'FORWARD', 'OUTPUT', 'POSTROUTING' ]
@ -159,10 +159,12 @@ ACCEPT' % (dev, proto, ip, port))
        for type_m in mid.keys():
            if ident in range(mid[type_m][0], mid[type_m][1]):
                ip = ipv6_addr(machine.mac(), type_m)
                mac=machine.mac()
                break
        if ip:
-            self.filter.blacklist_src('-s %s -j REJECT --reject-with \
+            self.filter.blacklist_src('-m mac --mac-source %s -j REJECT --reject-with icmp6-port-unreachable' % mac)
-icmp6-adm-prohibited' % ip)
+            #~ self.filter.blacklist_src('-s %s -j REJECT --reject-with \
 #~ icmp6-adm-prohibited' % ip)
            self.filter.blacklist_dst('-d %s -j REJECT --reject-with \
 icmp6-adm-prohibited' % ip)