crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[firewall6] corrections sur le firewall IPv6 de zamok

Browse source 
Ignore-this: fd14c1fed392ba1365ca2bba1dded80e

darcs-hash:20120601170354-dd9a4-c025054653b274e47766da05abf90a2da321e2b9.gz
This commit is contained in:
Raphael Cauderlier 2012-06-01 19:03:54 +02:00
parent 0bbd71a69f
commit 4818e80c41
1 changed files with 10 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

18
gestion/gen_confs/firewall6.py
View file

@ -26,7 +26,7 @@ sys.path.append('/usr/scripts/gestion')
from ldap_crans import hostname from ldap_crans import hostname
from config import conf_fw, mid, prefix, role, file_pickle, open_ports from config import conf_fw, mid, prefix, role, file_pickle, open_ports
from config import authorized_icmpv6, mac_wifi, adm_only from config import authorized_icmpv6, mac_wifi, adm_only, adm_users
from ipt import * from ipt import *
# On invoque Ip6tables # On invoque Ip6tables
@ -239,9 +239,9 @@ def adherents_server():
dev_adm = iface6('adm') dev_adm = iface6('adm')
# On fait attention à ce qui sort # On fait attention à ce qui sort
ip6tables.filter.output('-i lo -j ACCEPT') ip6tables.filter.output('-o lo -j ACCEPT')
ip6tables.filter.output('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT') ip6tables.filter.output('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
ip6tables.filter.output('-i %s -j SRV_OUT_ADM', dev_adm) ip6tables.filter.output('-o %s -j SRV_OUT_ADM' % dev_adm)
# Chaîne SRV_OUT_ADM # Chaîne SRV_OUT_ADM
# Seul certains users ont le droit de communiquer sur le vlan adm # Seul certains users ont le droit de communiquer sur le vlan adm
@ -249,7 +249,8 @@ def adherents_server():
try: try:
u_uid = pwd.getpwnam(user)[2] u_uid = pwd.getpwnam(user)[2]
except KeyError: except KeyError:
raise UnknowUserError(user) # raise UnknowUserError(user)
continue
ip6tables.filter.srv_out_adm('-m owner --uid-owner %d -j ACCEPT' % ip6tables.filter.srv_out_adm('-m owner --uid-owner %d -j ACCEPT' %
pwd.getpwnam(user)[2]) pwd.getpwnam(user)[2])
@ -258,12 +259,13 @@ def adherents_server():
ip6tables.filter.srv_out_adm('-p tcp --dport domain -j ACCEPT') ip6tables.filter.srv_out_adm('-p tcp --dport domain -j ACCEPT')
ip6tables.filter.srv_out_adm('-p udp --dport domain -j ACCEPT') ip6tables.filter.srv_out_adm('-p udp --dport domain -j ACCEPT')
# Pour le nfs (le paquet à laisser passer n'a pas d'owner) # Pour le nfs (le paquet à laisser passer n'a pas d'owner)
ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org -m owner ! \ # ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org -m owner ! \
--uid-owner 0 -j REJECT --reject-with icmp-net-prohibited') #--uid-owner 0 -j REJECT --reject-with icmp6-adm-prohibited')
ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org -j ACCEPT') # ip6tables.filter.srv_out_adm('-d nfs.adm.crans.org -j ACCEPT')
## A corriger, le nfs a pas l'air de faire de l'ipv6 de toute façon.
# On arrête tout # On arrête tout
ip6tables.filter.srv_out_adm('-j REJECT --reject-with icmp-net-prohibited') ip6tables.filter.srv_out_adm('-j REJECT --reject-with icmp6-adm-prohibited')
def start(): def start():
''' Démarre le firewall sur la machine considérée ''' ''' Démarre le firewall sur la machine considérée '''