[firewall6.py,ipt.py] Filtrage partiel des trackers bittorent en ipv6

darcs-hash:20120104125344-3a55a-3ad728a7016e6df7cbe4590f0a5ae80eb930e286.gz

gestion/gen_confs/firewall6.py

@@ -122,6 +122,11 @@ def main_router():
 #
     dev_crans = iface6('fil')
     dev_ip6 = iface6('sixxs2')
+    
+    udp_torrent_tracker = {
+        'tracker.ccc.de':[['2001:67c:20a0:7::2',80]],
+        'tracker.istole.it':[['2a00:1a28:1151:6:230:48ff:fed4:ee8c',80]],
+        }
 
     # Les blacklistes
     # Si on les met après la règle conntrack, une connexion existante ne sera
@@ -132,7 +137,24 @@ def main_router():
     blacklist(ip6tables)
     ip6tables.filter.forward('-o %s -j BLACKLIST_SRC' % dev_ip6)
     ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6)
-
+    
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "info_hash=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp --string "/scrape?" -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp --string "/scrape?" -j REJECT --reject-with icmp6-adm-prohibited')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "peer_id=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "port=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "uploaded=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "downloaded=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "left=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "')
+    ip6tables.filter.tracker_torrent('-j REJECT --reject-with icmp6-adm-prohibited')
+    ip6tables.filter.forward('-p tcp -m string --algo kmp --string "GET /" -j TRACKER_TORRENT')
+    ip6tables.filter.forward('-p tcp -m string --algo kmp --string "get /" -j TRACKER_TORRENT')
+    for tracker in udp_torrent_tracker.values():
+        for dest in tracker:
+            ip6tables.filter.forward('-p udp -d %s --dport %s -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "' % (dest[0],dest[1]))
+            ip6tables.filter.forward('-p udp -d %s --dport %s -j REJECT --reject-with icmp6-adm-prohibited' % (dest[0],dest[1]))
+    
     ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
     
     # On filtre les réseaux non routable et aussi on accepte en entrée

gestion/ipt.py

@@ -104,6 +104,7 @@ class Table(object):
         self.blacklist_dst = Chain()
         self.srv_out_adm = Chain()
         self.ingress_filtering = Chain()
+        self.tracker_torrent = Chain()
 
 class Ip6tables(object):
     ''' Classe pour '''
@@ -716,6 +717,7 @@ def mac_ip(ipt, machines, types_machines):
 
     ipt.filter.ieui64('-s fe80::/64 -m eui64 -j RETURN')
     ipt.filter.ieui64('-j DROP')
+    #ipt.filter.ieui64('-j REJECT')
 
 def macips(ipt, machines, types_machines):
     ''' Construit la chaîne MAC '''
@@ -727,6 +729,7 @@ def macips(ipt, machines, types_machines):
     for type_m in types_machines:
         type_mm = re.sub('-', '', type_m)
         eval('ipt.filter.mac' + type_mm)('-j DROP')
+        #eval('ipt.filter.mac' + type_mm)('-j REJECT')
     return 0
 
 def ingress_filtering(ipt):