From 43627558985c37918d63c555b6a13d7c5db184fa Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Sun, 7 Apr 2013 16:07:26 +0200
Subject: [PATCH] [firewall4, generale, config] Un nouveau pare-feu sur zamok
---
 gestion/config/firewall.py | 4 ++
 gestion/gen_confs/firewall4.py | 108 ++++++++++++++++++++++++++++++++-
 gestion/gen_confs/generate.py | 30 ++++-----
 3 files changed, 126 insertions(+), 16 deletions(-)
diff --git a/gestion/config/firewall.py b/gestion/config/firewall.py
index e99a3ea9..7912c773 100644
--- a/gestion/config/firewall.py
+++ b/gestion/config/firewall.py
@@ -14,6 +14,10 @@ dev = {
         'adm' : 'crans.2',
         'tun-ovh' : 'tun-ovh'
     },
+    'zamok': {
+        'fil' : 'crans',
+        'adm' : 'crans.2'
+    }
 }
 #: Pour marquer les paquets
diff --git a/gestion/gen_confs/firewall4.py b/gestion/gen_confs/firewall4.py
index da1784fa..f3ed60ce 100755
--- a/gestion/gen_confs/firewall4.py
+++ b/gestion/gen_confs/firewall4.py
@@ -12,8 +12,9 @@ if os.getuid() != 0:
     sys.stderr.write(coul("Il faut être root pour utiliser le firewall\n", 'gras'))
     sys.exit(1)
-from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, mac_komaz, mac_titanic
+from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, mac_komaz, mac_titanic, adm_users
+import pwd
 import config.firewall
 import lc_ldap
 import socket
@@ -91,6 +92,12 @@ class firewall_base(object) :
             print >> sys.stderr, 'Objet %s inconnu blacklisté' % a.__class__.__name__
         return self._blacklisted_machines
+    def blacklisted_adherents(self):
+        if self._blacklisted_adherents:
+            return self._blacklisted_adherents
+        self._blacklisted_adherents = filter(lambda adh: adh.blacklist_actif(), self.adherents())
+        return self._blacklisted_adherents
+
     def add(self, table, chain, rule):
         if not chain in self.chain_list[table]:
             self.chain_list[table].append(chain)
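Review bot: In the second firewall4.py hunk, `blacklisted_adherents` tests its cache with `if self._blacklisted_adherents:`, so when no adherent is currently blacklisted the `filter(...)` result is an empty list, the test is false and `self.adherents()` is walked again on every call; `blacklist_output` in the later hunk is one such caller, and since `lc_ldap` is imported I assume that walk is LDAP-backed and not free. Distinguish "not computed yet" from "computed, empty" with `if self._blacklisted_adherents is not None:`; the `self._blacklisted_adherents = None` initialisation added in the next hunk already provides the sentinel. The enclosing `firewall_base` class continues outside this hunk.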
@@ -172,6 +179,7 @@ class firewall_base(object) :
         self._machines = None
         self._adherents = None
         self._blacklisted_machines = None
+        self._blacklisted_adherents = None
         self.chain_list={
             'raw':['OUTPUT', 'PREROUTING'],
@@ -808,9 +816,107 @@ class firewall_komaz(firewall_base):
         return chain
+class firewall_zamok(firewall_base):
+
+    def __init__(self):
+        super(self.__class__, self).__init__()
+
+        self.reloadable.update({
+            'admin_vlan' : self.admin_vlan,
+            'blacklist_output' : self.blacklist_output,
+        })
+
+        self.use_ipset.extend([])
+        self.use_tc.extend([])
+
+
+
+
+    def raw_table(self):
+        table = 'raw'
+
+        super(self.__class__, self).raw_table()
+
+        return
+
+    def mangle_table(self):
+        table = 'mangle'
+
+        super(self.__class__, self).mangle_table()
+
+        return
+
+    def filter_table(self):
+        table = 'filter'
+
+        super(self.__class__, self).filter_table()
+
+        chain = 'OUTPUT'
+        self.add(table, chain , '-d 224.0.0.0/4 -j DROP')
+        admin_vlan_chain = self.admin_vlan(table)
+        for net in NETs['adm']:
+            self.add(table, chain, '-d %s -j %s' % (net, admin_vlan_chain))
+        self.add(table, chain, '-o lo -j ACCEPT')
+        self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT')
+        self.add(table, chain, '-j %s' % self.blacklist_output(table))
+
+        return
+
+    def nat_table(self):
+        table = 'nat'
+
+        super(self.__class__, self).raw_table()
+        return
+
+    def admin_vlan(self, table=None, apply=False):
+        chain='ADMIN-VLAN'
+
+        if table == 'filter':
+            for user in adm_users:
+                try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
+                except KeyError: print "Utilisateur %s inconnu" % user
+
+            # ldap et dns toujours joinable
+            self.add(table, chain, '-p tcp --dport ldap -j ACCEPT')
+            self.add(table, chain, '-p tcp --dport domain -j ACCEPT')
+            self.add(table, chain, '-p udp --dport domain -j ACCEPT')
+
+            # Pour le nfs (le paquet à laisser passer n'a pas d'owner)
+            self.add(table, chain, '-d daath.adm.crans.org -j ACCEPT')
+
+            # Rien d'autre ne passe
+            self.add(table, chain, '-j REJECT --reject-with icmp-net-prohibited')
+
+        if apply:
+            self.apply(table, chain)
+        return chain
+
+    def blacklist_maj(self, ips):
+        anim('\tMise à jour des blacklists')
+        self.blacklist_output('filter', apply=True)
+        self.blacklist_hard_maj(ips)
+        print OK
+
+    def blacklist_output(self, table=None, apply=False):
+        chain='BLACKLIST'
+
+        if table == 'filter':
+            self.add(table, chain, '-d 127.0.0.1/8 -j ACCEPT')
+            for net in NETs['all']:
+                self.add(table, chain, '-d %s -j ACCEPT' % net)
+            for adh in self.blacklisted_adherents():
+                if 'uidNumber' in adh.attrs.keys():
+                    self.add(table, chain, '-m owner --uid-owner %s -j REJECT' % adh['uidNumber'][0])
+
+        if apply:
+            self.apply(table, chain)
+        return chain
+
 if __name__ == '__main__' :
     firewall = {
         'komaz' : firewall_komaz,
+        'zamok' : firewall_zamok,
     }
     # Chaînes pouvant être recontruites
     if hostname in firewall.keys():
diff --git a/gestion/gen_confs/generate.py b/gestion/gen_confs/generate.py
index abe5577d..c89e36be 100755
--- a/gestion/gen_confs/generate.py
+++ b/gestion/gen_confs/generate.py
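Review bot: `firewall_zamok.nat_table` calls `super(self.__class__, self).raw_table()` instead of the parent's `nat_table`, so the nat table is never populated by the base class and the parent's raw rules are presumably generated a second time when the nat pass runs; the intended line is `super(firewall_zamok, self).nat_table()`. The same `super(self.__class__, self)` form is used in `__init__`, `raw_table`, `mangle_table` and `filter_table`, and it only works as long as nobody subclasses `firewall_zamok` (a subclass would recurse into itself), so naming the class explicitly everywhere is the safer spelling. In `admin_vlan`, the rule `-d daath.adm.crans.org -j ACCEPT` is resolved by iptables when the chain is loaded, so a reload silently depends on name resolution working at that moment; a one-line comment there, `# hostname is resolved by iptables at load time: a reload fails if DNS is down`, would save the next person a debugging session. The unused `table = 'raw'`/`'mangle'`/`'nat'` locals in the three pass-through methods can simply go.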
@@ -42,18 +42,18 @@ class base_reconfigure:
         'macip': [ 'redisdead-macip', 'zamok-macip', 'sable-macip', 'komaz-macip', 'gordon-macip', 'routeur-macip' ],
         # 'droits': [ 'rouge-droits', 'ragnarok-droits' ],
-        'bl_carte_etudiant':['komaz-blacklist'],
-        'bl_chbre_invalide':['komaz-blacklist'],
-        'blacklist_mail_invalide':['komaz-blacklist'],
-        'blacklist_virus':['komaz-blacklist'],
-        'blacklist_warez':['komaz-blacklist'],
-        'blacklist_ipv6_ra':['komaz-blacklist'],
-        'blacklist_upload': ['komaz-blacklist', 'zamok-blacklist' ],
-        'blacklist_p2p': ['komaz-blacklist', 'zamok-blacklist' ],
-        'blacklist_autodisc_virus':['komaz-blacklist'],
-        'blacklist_autodisc_upload': ['komaz-blacklist', 'zamok-blacklist'],
-        'blacklist_autodisc_p2p': ['komaz-blacklist', 'zamok-blacklist'],
-        'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist', 'dns' ],
+        'bl_carte_etudiant': [ 'komaz-blacklist', 'zamok-blacklist' ],
+        'bl_chbre_invalide': [ 'komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_mail_invalide': [ 'komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_virus': [ 'komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_warez': [ 'komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_ipv6_ra': [ 'komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_upload': [ 'komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_p2p': [ 'komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_autodisc_virus': [ 'komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_autodisc_upload': [ 'komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_autodisc_p2p': [ 'komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist' ],
         'del_user': [ 'daath-del_user', 'owl-del_user', 'zamok-del_user' ]
     }
     #Y R U Aliasing !
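Review bot: The new `'blacklist_bloq'` entry drops `'dns'` from its target list (the removed line read `[ 'komaz-blacklist', 'zamok-blacklist', 'dns' ]`), so a `blacklist_bloq` change no longer triggers the DNS regeneration it used to; neither the commit message nor the rest of the diff mentions this. If it is deliberate, say so in the message; otherwise keep `'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist', 'dns' ],`. The other eleven entries only add `'zamok-blacklist'`, which matches the new `zamok.blacklist` hook in the last hunk.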
@@ -215,9 +215,9 @@ class zamok(base_reconfigure):
         from adherents import del_user
         self._do(del_user(args))
-    def blacklist(self):
-        from firewall import firewall_zamok
-        firewall_zamok().blacklist()
+    def blacklist(self, ips):
+        from firewall4 import firewall_zamok
+        firewall_zamok().blacklist_maj(ips)
 class daath(base_reconfigure):
     def home(self, args):
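Review bot: `zamok.blacklist` now imports `firewall4` inside the method, and the first firewall4.py hunk shows that module calling `sys.exit(1)` at import time when `os.getuid() != 0`, so a non-root `generate.py` run terminates in the middle of a reconfigure with only the French stderr line instead of an error its caller can report or log. Checking the uid before the import, or wrapping it in `except SystemExit:` and re-raising a normal exception, would keep the failure inside generate.py's own error path. The signature also changes from `blacklist(self)` to `blacklist(self, ips)`; the dispatcher that invokes these methods is outside the hunk, so I cannot see whether it passes an argument — worth confirming.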