Typo dans firewall_crans et ajour du firewall de bleu

il n'y a que le filtre MAC-IP pour l'instant. darcs-hash:20050517150120-f163d-2d74fc818a1b1113ffb0a5c97a5d0ff1469829a0.gz
2005-05-17 17:01:20 +02:00 · 2005-05-17 17:01:20 +02:00 · 3b387dc162
commit 3b387dc162
parent 4904c6c3d3
2 changed files with 119 additions and 1 deletions
--- a/gestion/gen_confs/firewall_bleu.py
+++ b/gestion/gen_confs/firewall_bleu.py
@ -0,0 +1,118 @@
+#!/usr/bin/env python
+# -*- coding: iso-8859-1 -*- 
+# The authors of this code are 
+# Manuel Sabban <manu@feyd-rautha.org>
+# Frédéric Pauget <pauget@crans.ens-cachan.fr>
+#
+# Rewritten as an inherited class from firewallÃ_crans
+# by Mathieu Segaud <matt@minas-morgul.org>
+#
+# Copyright (c) 2004 Manuel Sabban, Frédéric Pauget
+# Copyright (c) 2005 Mathieu Segaud
+#
+# Permission to use, copy, and modify this software with or without fee
+# is hereby granted, provided that this entire notice is included in
+# all source code copies of any software which is or includes a copy or
+# modification of this software.
+#
+# THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+# IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+# REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+# MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+# PURPOSE.
+""" Firewall de Bleu """
+import sys
+sys.path.append('/usr/scripts/gestion')
+
+import syslog
+from firewall_crans import firewall_crans, IptablesError, iptables
+from  lock import *
+from ldap_crans import  crans_ldap, ann_scol, machine, crans, invite
+from affich_tools import *
+from commands import getstatusoutput
+from iptools import AddrInNet
+syslog.openlog('firewall')
+    
+class firewall_bleu(firewall_crans) :
+    """
+    Structure du firewall :
+        table nat :
+            rien pour l'instant
+        table filter :
+            FORWARD (policy par defaut : DROP)
+               rien ne passe pas la chaine FORWARD
+            INPUT (policy par defaut : ACCEPT pour l'instant)
+            
+    """
+ 
+    # interfaces physiques
+    eth_pub = "eth0"
+    eth_adm = "eth0.2"
+    
+    debug = 1
+
+    def nat_table_tweaks(self) :
+	self.anim = anim('    règles spécifiques à bleu')
+	iptables("-t nat -I PREROUTING 6 -d %s -j ACCEPT" % self.zone_serveur )
+	iptables("-t nat -I PREROUTING 7 -i %s -j ACCEPT" % self.eth_pub )
+	print OK
+
+    def filter_table_tweaks(self) :
+	self.anim = anim('    règles spécifiques à bleu')
+	iptables("-P INPUT ACCEPT")
+	iptables("-P FORWARD DROP")
+	print OK
+
+    def enable_route(self) :
+        return
+
+    def disable_route(self) :
+        return
+
+    def start_fw_funcs(self) :
+	self.exception_catcher(self.test_mac_ip)
+
+    def serveurs_maj_list_to_do(self) :
+    	return
+
+    def adh_maj_list_to_do(self) :
+    	return
+   
+    def serveurs_maj(self) :
+    	return
+
+
+
+
+if __name__ == '__main__' :
+    # Chaines pouvant être recontruites
+    global chaines
+    chaines = [ 'reseaux_non_routables', 'test_mac_ip' ]
+    
+    def __usage(txt=None) :
+        if txt!=None : cprint(txt,'gras')
+        
+        print """Usage:
+   %(p)s start   : Construction du firewall.
+   %(p)s restart : Reconstruction du firewall.
+   %(p)s stop    : Arrêt du firewall.
+   %(p)s chaine <noms de chaines> : reconstruit les chaines
+Les chaines pouvant être reconstruites sont :
+   %(chaines)s
+Pour reconfiguration d'IPs particulières, utiliser generate. """ % \
+{ 'p' : sys.argv[0].split('/')[-1] , 'chaines' : '\n   '.join(chaines) }
+        sys.exit(-1)
+        
+    # Bons arguments ?
+    if len(sys.argv) == 1 :
+        __usage()
+    for arg in sys.argv[1:] :
+        if arg in [ 'stop', 'restart', 'start' ] and len(sys.argv) != 2 :
+            __usage("L'argument %s ne peut être employé que seul." % arg)
+        
+        if arg not in [ 'stop', 'restart', 'start' ] + chaines :
+            __usage("L'argument %s est inconnu." % arg)
+
+    fw = firewall_bleu()
+    for arg in sys.argv[1:] :
+        eval('fw.%s()' % arg)
--- a/gestion/gen_confs/firewall_crans.py
+++ b/gestion/gen_confs/firewall_crans.py
@ -128,7 +128,7 @@ class firewall_crans :
 	for chaine in [ 'TEST_MAC-IP', 'RESEAUX_NON_ROUTABLES_SRC', 'RESEAUX_NON_ROUTABLES_DST' ] :
 	    iptables('-t nat -N %s' % chaine)
 	    
-	iptables("-t nat -P PREROUTING -j ACCEPT")
+	iptables("-t nat -P PREROUTING ACCEPT")
 	iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
 	iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP")
 	iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_DST")