[firewall6.py,ipt.py] Filtrage partiel des trackers bittorent en ipv6

darcs-hash:20120104125344-3a55a-3ad728a7016e6df7cbe4590f0a5ae80eb930e286.gz
2012-01-04 13:53:44 +01:00 · 2012-01-04 13:53:44 +01:00 · 50ab65b27f
commit 50ab65b27f
parent 81f9ae2c9e
2 changed files with 26 additions and 1 deletions
--- a/gestion/gen_confs/firewall6.py
+++ b/gestion/gen_confs/firewall6.py
@ -123,6 +123,11 @@ def main_router():
    dev_crans = iface6('fil')
    dev_ip6 = iface6('sixxs2')
    
+    udp_torrent_tracker = {
+        'tracker.ccc.de':[['2001:67c:20a0:7::2',80]],
+        'tracker.istole.it':[['2a00:1a28:1151:6:230:48ff:fed4:ee8c',80]],
+        }
+
    # Les blacklistes
    # Si on les met après la règle conntrack, une connexion existante ne sera
    # pas sevrée et dinc avec un tunnel ssh idoine, la blacklist aurait aucun
@ -133,6 +138,23 @@ def main_router():
    ip6tables.filter.forward('-o %s -j BLACKLIST_SRC' % dev_ip6)
    ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6)
    
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "info_hash=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp --string "/scrape?" -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp --string "/scrape?" -j REJECT --reject-with icmp6-adm-prohibited')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "peer_id=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "port=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "uploaded=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "downloaded=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-m string --algo kmp ! --string "left=" -j ACCEPT')
+    ip6tables.filter.tracker_torrent('-j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "')
+    ip6tables.filter.tracker_torrent('-j REJECT --reject-with icmp6-adm-prohibited')
+    ip6tables.filter.forward('-p tcp -m string --algo kmp --string "GET /" -j TRACKER_TORRENT')
+    ip6tables.filter.forward('-p tcp -m string --algo kmp --string "get /" -j TRACKER_TORRENT')
+    for tracker in udp_torrent_tracker.values():
+        for dest in tracker:
+            ip6tables.filter.forward('-p udp -d %s --dport %s -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "' % (dest[0],dest[1]))
+            ip6tables.filter.forward('-p udp -d %s --dport %s -j REJECT --reject-with icmp6-adm-prohibited' % (dest[0],dest[1]))
+    
    ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
    
    # On filtre les réseaux non routable et aussi on accepte en entrée
--- a/gestion/ipt.py
+++ b/gestion/ipt.py
@ -104,6 +104,7 @@ class Table(object):
        self.blacklist_dst = Chain()
        self.srv_out_adm = Chain()
        self.ingress_filtering = Chain()
+        self.tracker_torrent = Chain()

 class Ip6tables(object):
    ''' Classe pour '''
@ -716,6 +717,7 @@ def mac_ip(ipt, machines, types_machines):

    ipt.filter.ieui64('-s fe80::/64 -m eui64 -j RETURN')
    ipt.filter.ieui64('-j DROP')
+    #ipt.filter.ieui64('-j REJECT')

 def macips(ipt, machines, types_machines):
    ''' Construit la chaîne MAC '''
@ -727,6 +729,7 @@ def macips(ipt, machines, types_machines):
    for type_m in types_machines:
        type_mm = re.sub('-', '', type_m)
        eval('ipt.filter.mac' + type_mm)('-j DROP')
+        #eval('ipt.filter.mac' + type_mm)('-j REJECT')
    return 0

 def ingress_filtering(ipt):