From 50ab65b27fe7bf9dda65ae743346df1cad140e54 Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Wed, 4 Jan 2012 13:53:44 +0100
Subject: [PATCH] [firewall6.py,ipt.py] Filtrage partiel des trackers bittorent en ipv6

darcs-hash:20120104125344-3a55a-3ad728a7016e6df7cbe4590f0a5ae80eb930e286.gz
---
 gestion/gen_confs/firewall6.py | 24 +++++++++++++++++++++++-
 gestion/ipt.py | 3 +++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/gestion/gen_confs/firewall6.py b/gestion/gen_confs/firewall6.py
index f23d3220..01e36e02 100755
--- a/gestion/gen_confs/firewall6.py
+++ b/gestion/gen_confs/firewall6.py
@@ -122,6 +122,11 @@ def main_router():
 # dev_crans = iface6('fil')
 dev_ip6 = iface6('sixxs2')
+
+ udp_torrent_tracker = {
+ 'tracker.ccc.de':[['2001:67c:20a0:7::2',80]],
+ 'tracker.istole.it':[['2a00:1a28:1151:6:230:48ff:fed4:ee8c',80]],
+ }
 # Les blacklistes
 # Si on les met après la règle conntrack, une connexion existante ne sera
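Review bot: The hostnames used as keys of `udp_torrent_tracker` are never read by the rules that main_router() later builds from it, so the literal IPv6 addresses are a snapshot of what those names resolved to when the patch was written, and nothing will flag them once a tracker moves — the rules then silently stop matching, or start rejecting whoever inherits the address. A dated comment next to the dict, e.g. `# addresses resolved by hand on 2012-01-04; re-check whenever a tracker changes address`, would at least make that maintenance burden visible. Resolving the names at generation time would instead make the contents of the firewall depend on DNS answers, which is the worse trade for a rule that rejects traffic, so static addresses with a freshness comment are preferable. Each entry is an address/port pair, so `('2001:67c:20a0:7::2', 80)` reads more clearly than the nested list. main_router() starts and ends outside this hunk.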
@@ -132,7 +137,24 @@ def main_router():
 blacklist(ip6tables)
 ip6tables.filter.forward('-o %s -j BLACKLIST_SRC' % dev_ip6)
 ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6)
-
+
+ ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "info_hash=" -j ACCEPT')
+ ip6tables.filter.tracker_torrent('-m string --algo kmp --string "/scrape?" -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "')
+ ip6tables.filter.tracker_torrent('-m string --algo kmp --string "/scrape?" -j REJECT --reject-with icmp6-adm-prohibited')
+ ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "peer_id=" -j ACCEPT')
+ ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "port=" -j ACCEPT')
+ ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "uploaded=" -j ACCEPT')
+ ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "downloaded=" -j ACCEPT')
+ ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "left=" -j ACCEPT')
+ ip6tables.filter.tracker_torrent('-j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "')
+ ip6tables.filter.tracker_torrent('-j REJECT --reject-with icmp6-adm-prohibited')
+ ip6tables.filter.forward('-p tcp -m string --algo kmp --string "GET /" -j TRACKER_TORRENT')
+ ip6tables.filter.forward('-p tcp -m string --algo kmp --string "get /" -j TRACKER_TORRENT')
+ for tracker in udp_torrent_tracker.values():
+ for dest in tracker:
+ ip6tables.filter.forward('-p udp -d %s --dport %s -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "' % (dest[0],dest[1]))
+ ip6tables.filter.forward('-p udp -d %s --dport %s -j REJECT --reject-with icmp6-adm-prohibited' % (dest[0],dest[1]))
+
 ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
 # On filtre les réseaux non routable et aussi on accepte en entrée
diff --git a/gestion/ipt.py b/gestion/ipt.py
index 131cd9b8..a53c6e79 100755
--- a/gestion/ipt.py
+++ b/gestion/ipt.py
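Review bot: The six `! --string ... -j ACCEPT` rules in the TRACKER_TORRENT chain accept the packet for the whole FORWARD chain instead of handing it back: in netfilter, ACCEPT inside a user-defined chain is terminal, so any forwarded TCP packet that carries "GET /" but is not a complete announce request skips every rule placed after the jump, including the non-routable-network filtering that the comment at the end of the hunk announces. Since this chain only has to decide whether a packet is a tracker request, those rules should use `-j RETURN`, e.g. `'-m string --algo kmp ! --string "info_hash=" -j RETURN'`, and leave the rest of the FORWARD policy to decide. The three LOG rules (the scrape rule, the chain's default, and the per-tracker UDP rule) have no rate limit, so one client retrying its announce can fill the router's syslog; prefixing each with `-m limit --limit 5/min --limit-burst 10` keeps the visibility without the flood. The two "GET /" and "get /" jump rules can be merged into one using the string match's `--icase` flag, which also covers mixed-case method names. main_router() starts and ends outside this hunk.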
@@ -104,6 +104,7 @@ class Table(object):
 self.blacklist_dst = Chain()
 self.srv_out_adm = Chain()
 self.ingress_filtering = Chain()
+ self.tracker_torrent = Chain()
 class Ip6tables(object):
 ''' Classe pour '''
@@ -716,6 +717,7 @@ def mac_ip(ipt, machines, types_machines):
 ipt.filter.ieui64('-s fe80::/64 -m eui64 -j RETURN')
 ipt.filter.ieui64('-j DROP')
+ #ipt.filter.ieui64('-j REJECT')
 def macips(ipt, machines, types_machines):
 ''' Construit la chaîne MAC '''
@@ -727,6 +729,7 @@ def macips(ipt, machines, types_machines):
 for type_m in types_machines:
 type_mm = re.sub('-', '', type_m)
 eval('ipt.filter.mac' + type_mm)('-j DROP')
+ #eval('ipt.filter.mac' + type_mm)('-j REJECT')
 return 0
 def ingress_filtering(ipt):
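Review bot: The added lines `#ipt.filter.ieui64('-j REJECT')` and `#eval('ipt.filter.mac' + type_mm)('-j REJECT')` (second and third hunks of ipt.py) are commented-out code with no explanation, so the next reader cannot tell whether REJECT was tried and abandoned or is a planned replacement for DROP. Either drop them or replace each with a one-line comment recording the decision — why DROP is kept, or under what condition REJECT should take its place. If the REJECT variant in macips() is ever enabled, `getattr(ipt.filter, 'mac' + type_mm)('-j REJECT')` avoids routing a chain name through `eval`, even though the existing DROP line has the same shape. mac_ip() and macips() both start outside these hunks.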