[firewall_new.py] On filtre mieux lee P2P

darcs-hash:20120104125001-3a55a-4f8b01e69f67ce290b6a6cf40a25f1991acd1ec4.gz
2012-01-04 13:50:01 +01:00 · 2012-01-04 13:50:01 +01:00 · 3568566340
commit 3568566340
parent 337cffeaad
1 changed files with 38 additions and 20 deletions
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@ -454,6 +454,13 @@ class firewall_komaz(firewall_crans) :
    filtres_p2p_bloq = [
            ]
            
+    udp_torrent_tracker={
+        'tracker.openbittorrent.com':[['95.215.62.26',80],['95.215.62.5',80]],
+        'tracker.ccc.de':[['195.54.164.83',80]],
+        'tracker.istole.it':[['192.121.121.30',80]],
+        'tracker.publicbt.com':[['95.211.88.54',80],['95.211.88.49',80],['95.211.88.51',80]],
+        }
+

    ports_p2p = [ '412', '1214', '4662:4665' , '6346:6347', '6699', '6881:6889' ]

@ -629,7 +636,7 @@ class firewall_komaz(firewall_crans) :
        iptables("-A FORWARD -p icmp -j ACCEPT")
        iptables("-A FORWARD -i tun-ovh -j ACCEPT")
        iptables("-A FORWARD -d 224.0.0.0/4 -j DROP")
-        iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
+        #iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
        for net in  NETs['fil'] + NETs['wifi']:
            iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int))
        for net in  NETs['adm']:
@ -653,8 +660,10 @@ class firewall_komaz(firewall_crans) :
        for chaine in [ 'ADMIN_VLAN', 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT',
                'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC',
                'BLACKLIST_DST' , 'FILTRE_P2P', 'INGRESS_FILTERING',
-                'TEST_VIRUS_FLOOD', 'LOG_VIRUS', 'LOG_FLOOD','LOG_TRACKER' ] :
+                'TEST_VIRUS_FLOOD', 'LOG_VIRUS', 'LOG_FLOOD','LOG_TRACKER','TRACKER_FILTER' ] :
            iptables('-N %s' % chaine)
+        iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
+        iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
        iptables("-A FORWARD -j INGRESS_FILTERING")
        # on ne route pas les paquets n'appartenant pas à notre plage ip -- xhub
        for net in NETs['all']:
@ -672,33 +681,18 @@ class firewall_komaz(firewall_crans) :
        iptables("-A FORWARD -i %s -d %s -j REJECT" % (self.eth_ext, self.vlan_adm) )
        iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
        iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
-        iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
        iptables("-A FORWARD -s ! %s -j TEST_VIRUS_FLOOD" % self.zone_serveur)
        iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) )
        iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) )
        iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext )
        iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext )

-        # Proxy transparent
+        # Proxy transparent, pour les deconnexion soft
        iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
        
        iptables('-I FORWARD  -o ens -m state --state NEW -j LOG --log-prefix "LOG_ALL "')
        iptables('-I FORWARD  -i ens -m state --state NEW -j LOG --log-prefix "LOG_ALL "')
        
-        #On log les requetes a des trackers torrents pour tester
-        iptables("-N TRACKER_FILTER")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"info_hash=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp --string \"/scrape?\" -j LOG_TRACKER")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"peer_id=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"port=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"uploaded=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"downloaded=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"left=\" -j ACCEPT")
-        iptables("-A TRACKER_FILTER -j  LOG_TRACKER")
-        iptables("-I FORWARD -p tcp -m string --algo kmp --string \"GET \" -j TRACKER_FILTER")
-        iptables("-I FORWARD -p tcp -m string --algo kmp --string \"get \" -j TRACKER_FILTER")
-        iptables("-I FORWARD  -p udp -m string --algo kmp --hex-string \"|4500002c00004000|\" -j  LOG_TRACKER")
-        iptables('-A LOG_TRACKER -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "')
        print OK

    def classes_p2p_maj(self, ip_list):
@ -1054,6 +1048,7 @@ class firewall_komaz(firewall_crans) :
        """ Construit la chaînes de filtrage du p2p (FILTRE_P2P) """
        self.anim = anim("\tFiltrage p2p")
        iptables('-F FILTRE_P2P')
+        iptables('-F TRACKER_FILTER')

        # On ne filtre que ce qui passe sur l'interface externe
        iptables('-A FILTRE_P2P -i %s -o %s -j RETURN' % (self.eth_int, self.eth_int) )
@ -1072,7 +1067,30 @@ class firewall_komaz(firewall_crans) :
            iptables('-A FILTRE_P2P -m ipp2p -m limit --%s --limit=%d/hour -j RETURN' % (filtre[0], p2p.limite[filtre[1]]/2))
            iptables('-A FILTRE_P2P -m ipp2p --%s -j REJECT --reject-with icmp-admin-prohibited' % filtre[0])
            self.anim.cycle()
+        #on rejetes les trackeur udp les plus connus
+        for tracker in self.udp_torrent_tracker.values():
+            for dest in tracker:
+                iptables('-A FILTRE_P2P -p udp -d %s --dport %s -j REJECT --reject-with icmp-admin-prohibited' % (dest[0],dest[1]))
                 
+        #On log les requetes a des trackers torrents puis on les rejetes
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"info_hash=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp --string \"/scrape?\" -j LOG_TRACKER")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"peer_id=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"port=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"uploaded=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"downloaded=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"left=\" -j ACCEPT")
+        iptables("-A TRACKER_FILTER -j  LOG_TRACKER")
+        
+        #On analyse que les requetes http
+        iptables("-A FILTRE_P2P -i %s -p tcp -m string --algo kmp --string \"GET \" -j TRACKER_FILTER" % self.eth_int)
+        iptables("-A FILTRE_P2P -i %s -p tcp -m string --algo kmp --string \"get \" -j TRACKER_FILTER" % self.eth_int)
+        
+        # fait bcp de faux positif, peux servir a detecter de nouveau trackers
+        iptables("-A FILTRE_P2P -i %s -p udp -m string --from 0 --to 65 --algo kmp --hex-string \"|4500002c00004000|\" -j LOG --log-level notice --log-prefix \"TRACKER_TORRENT: \"" % self.eth_int)
+        
+        iptables('-A LOG_TRACKER -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "')
+        iptables('-A LOG_TRACKER -j REJECT --reject-with icmp-admin-prohibited')
        self.anim.reinit()
        print OK