[firewall_new.py] On filtre mieux lee P2P

darcs-hash:20120104125001-3a55a-4f8b01e69f67ce290b6a6cf40a25f1991acd1ec4.gz

gestion/gen_confs/firewall_new.py

@@ -454,6 +454,13 @@ class firewall_komaz(firewall_crans) :
     filtres_p2p_bloq = [
             ]
             
+    udp_torrent_tracker={
+        'tracker.openbittorrent.com':[['95.215.62.26',80],['95.215.62.5',80]],
+        'tracker.ccc.de':[['195.54.164.83',80]],
+        'tracker.istole.it':[['192.121.121.30',80]],
+        'tracker.publicbt.com':[['95.211.88.54',80],['95.211.88.49',80],['95.211.88.51',80]],
+        }
+
 
     ports_p2p = [ '412', '1214', '4662:4665' , '6346:6347', '6699', '6881:6889' ]
 
@@ -629,7 +636,7 @@ class firewall_komaz(firewall_crans) :
         iptables("-A FORWARD -p icmp -j ACCEPT")
         iptables("-A FORWARD -i tun-ovh -j ACCEPT")
         iptables("-A FORWARD -d 224.0.0.0/4 -j DROP")
-        iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
+        #iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
         for net in  NETs['fil'] + NETs['wifi']:
             iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int))
         for net in  NETs['adm']:
@@ -653,8 +660,10 @@ class firewall_komaz(firewall_crans) :
         for chaine in [ 'ADMIN_VLAN', 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT',
                 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC',
                 'BLACKLIST_DST' , 'FILTRE_P2P', 'INGRESS_FILTERING',
-                'TEST_VIRUS_FLOOD', 'LOG_VIRUS', 'LOG_FLOOD','LOG_TRACKER' ] :
+                'TEST_VIRUS_FLOOD', 'LOG_VIRUS', 'LOG_FLOOD','LOG_TRACKER','TRACKER_FILTER' ] :
             iptables('-N %s' % chaine)
+        iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
+        iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
         iptables("-A FORWARD -j INGRESS_FILTERING")
         # on ne route pas les paquets n'appartenant pas à notre plage ip -- xhub
         for net in NETs['all']:
@@ -672,33 +681,18 @@ class firewall_komaz(firewall_crans) :
         iptables("-A FORWARD -i %s -d %s -j REJECT" % (self.eth_ext, self.vlan_adm) )
         iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
         iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
-        iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
         iptables("-A FORWARD -s ! %s -j TEST_VIRUS_FLOOD" % self.zone_serveur)
         iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) )
         iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) )
         iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext )
         iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext )
 
-        # Proxy transparent
+        # Proxy transparent, pour les deconnexion soft
         iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
         
         iptables('-I FORWARD  -o ens -m state --state NEW -j LOG --log-prefix "LOG_ALL "')
         iptables('-I FORWARD  -i ens -m state --state NEW -j LOG --log-prefix "LOG_ALL "')
         
-        #On log les requetes a des trackers torrents pour tester
-        iptables("-N TRACKER_FILTER")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"info_hash=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp --string \"/scrape?\" -j LOG_TRACKER")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"peer_id=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"port=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"uploaded=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"downloaded=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"left=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER -j  LOG_TRACKER")
-        iptables("-I FORWARD -p tcp -m string --algo kmp --string \"GET \" -j TRACKER_FILTER")
-        iptables("-I FORWARD -p tcp -m string --algo kmp --string \"get \" -j TRACKER_FILTER")
-        iptables("-I FORWARD  -p udp -m string --algo kmp --hex-string \"|4500002c00004000|\" -j  LOG_TRACKER")
-        iptables('-A LOG_TRACKER -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "')
         print OK
 
     def classes_p2p_maj(self, ip_list):
@@ -846,7 +840,7 @@ class firewall_komaz(firewall_crans) :
     def log_chaines(self) :
         """ Construction des chaînes de log (LOG_VIRUS et LOG_FLOOD) """
         self.anim = anim('\tCréation des chaînes de log')
-        for filtre in [ 'VIRUS', 'FLOOD' ] :
+        for filtre in [ 'VIRUS', 'FLOOD'] :
             # Vidage de la chaîne
             iptables('-F LOG_%s' % filtre)
             iptables('-A LOG_%s %s %s:' % (filtre, self.log_template, filtre.capitalize()) )
@@ -1054,6 +1048,7 @@ class firewall_komaz(firewall_crans) :
         """ Construit la chaînes de filtrage du p2p (FILTRE_P2P) """
         self.anim = anim("\tFiltrage p2p")
         iptables('-F FILTRE_P2P')
+        iptables('-F TRACKER_FILTER')
 
         # On ne filtre que ce qui passe sur l'interface externe
         iptables('-A FILTRE_P2P -i %s -o %s -j RETURN' % (self.eth_int, self.eth_int) )
@@ -1072,7 +1067,30 @@ class firewall_komaz(firewall_crans) :
             iptables('-A FILTRE_P2P -m ipp2p -m limit --%s --limit=%d/hour -j RETURN' % (filtre[0], p2p.limite[filtre[1]]/2))
             iptables('-A FILTRE_P2P -m ipp2p --%s -j REJECT --reject-with icmp-admin-prohibited' % filtre[0])
             self.anim.cycle()
+        #on rejetes les trackeur udp les plus connus
+        for tracker in self.udp_torrent_tracker.values():
+            for dest in tracker:
+                iptables('-A FILTRE_P2P -p udp -d %s --dport %s -j REJECT --reject-with icmp-admin-prohibited' % (dest[0],dest[1]))
                  
+        #On log les requetes a des trackers torrents puis on les rejetes
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"info_hash=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp --string \"/scrape?\" -j LOG_TRACKER")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"peer_id=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"port=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"uploaded=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"downloaded=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"left=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER -j  LOG_TRACKER")
+        
+        #On analyse que les requetes http
+        iptables("-A FILTRE_P2P -i %s -p tcp -m string --algo kmp --string \"GET \" -j TRACKER_FILTER" % self.eth_int)
+        iptables("-A FILTRE_P2P -i %s -p tcp -m string --algo kmp --string \"get \" -j TRACKER_FILTER" % self.eth_int)
+        
+        # fait bcp de faux positif, peux servir a detecter de nouveau trackers
+        iptables("-A FILTRE_P2P -i %s -p udp -m string --from 0 --to 65 --algo kmp --hex-string \"|4500002c00004000|\" -j LOG --log-level notice --log-prefix \"TRACKER_TORRENT: \"" % self.eth_int)
+        
+        iptables('-A LOG_TRACKER -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "')
+        iptables('-A LOG_TRACKER -j REJECT --reject-with icmp-admin-prohibited')
         self.anim.reinit()
         print OK