From 587860cd5d9ebbfd55a0704508f0a193e478104a Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Fri, 18 Nov 2011 17:16:04 +0100
Subject: [PATCH] [firewall_new,firewall,firewall-logrotate-script] On laisse acceuil et isolement sur squid, on met les blacklist softs vers squid, le reste passe en direct.
Ignore-this: a6e2c0a26fddbb7232360f64dc3cfec5
darcs-hash:20111118161604-3a55a-c88c1122b35bc897010fbf03d431d58175a3f1ac.gz
---
 firewall/firewall-logrotate-script.sh | 12 ++-
 gestion/gen_confs/firewall.py | 10 +--
 gestion/gen_confs/firewall_new.py | 106 +++++++++++++++++---------
 3 files changed, 82 insertions(+), 46 deletions(-)
diff --git a/firewall/firewall-logrotate-script.sh b/firewall/firewall-logrotate-script.sh
index b6a1e518..8eda7b76 100755
--- a/firewall/firewall-logrotate-script.sh
+++ b/firewall/firewall-logrotate-script.sh
@@ -1,4 +1,4 @@
-#!/bin/zsh
+#!/bin/bash
 umask 0177
@@ -18,8 +18,14 @@ fi
 while ( ls -tr "$logs_src" | grep -E 'logall\.log\.[0-9]+\..z2?' ); do
 dernier_fichier=$logs_src/$(ls -tr "$logs_src" | grep -E 'logall\.log\.[0-9]+\..z2?' | head -1)
-timestamp=$(bzcat "$dernier_fichier" | head -1 | awk '{print $1}')
-date=$(date -d "1970-01-01 $timestamp sec" +"%Y-%m-%d")
+#timestamp=$(bzcat "$dernier_fichier" | head -1 | awk '{print $1}')
+#date=$(date -d "1970-01-01 $timestamp sec" +"%Y-%m-%d")
+Y=$(date | awk '{print $4}')
+Y=${Y:0:4}
+M=$(sudo bzcat "$dernier_fichier" | head -1 | awk '{print $1}')
+M=$(date -d "01-$M-01" +%m)
+D=$(sudo bzcat "$dernier_fichier" | head -1 | awk '{print $2}')
+date=$Y-$M-$D
 echo install -o root -g root -m 400 "$dernier_fichier" "$logs_dst/logall.log.$date.bz2"
 echo rm "$dernier_fichier"
 install -o root -g root -m 400 "$dernier_fichier" "$logs_dst/logall.log.$date.bz2"
diff --git a/gestion/gen_confs/firewall.py b/gestion/gen_confs/firewall.py
index 5fa914db..330c1206 100644
--- a/gestion/gen_confs/firewall.py
+++ b/gestion/gen_confs/firewall.py
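Review bot: `Y=$(date | awk '{print $4}')` makes the archive name depend on the locale's `date` layout — field 4 is the year only in some locales, and in the C/English layout it is the time, so `${Y:0:4}` yields `17:1` and the file is misnamed; `Y=$(date +%Y)` is layout-independent. The year also comes from the clock rather than from the log, so a file rotated just after New Year is stamped with the new year — if that matters, note it in a comment or derive the date from the first log entry. `D` is taken straight from the log's first line into the path handed to `install` and `rm`; a guard such as `[[ $D =~ ^[0-9]{1,2}$ ]] || exit 1` keeps an unexpected log line from producing an odd file name, and `date=$(date -d "$Y-$M-$D" +%Y-%m-%d)` would also zero-pad the day. The two `#timestamp`/`#date` lines are dead code that the history already keeps, and the loop's `done` lies outside the hunk.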
@@ -1362,11 +1362,11 @@ class firewall_gordon(firewall_crans) :
 def mangle_table(self):
 self.anim = anim('\tRègles spécifiques à gordon')
- iptables("-t mangle -A PREROUTING " +
- "-d ! 138.231.136.0/21 " +
- ("-i %s " % self.eth_wifi) +
- "-p tcp -m tcp --dport 80 " +
- "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
+ #~ iptables("-t mangle -A PREROUTING " +
+ #~ "-d ! 138.231.136.0/21 " +
+ #~ ("-i %s " % self.eth_wifi) +
+ #~ "-p tcp -m tcp --dport 80 " +
+ #~ "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
 print OK
 def post_start_hook(self) :
diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index e7c8edb4..5260033c 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@@ -432,7 +432,7 @@ class firewall_komaz(firewall_crans) :
 # Ports ouverts
 ports_default = {
 'tcp_EXT_VERS_CRANS' : [ '22' ],
-'tcp_CRANS_VERS_EXT': [ ':24', '26:79', '81:134', '136', '140:444', '446:'],
+'tcp_CRANS_VERS_EXT': [ ':24', '26:79', '80:134', '136', '140:444', '446:'],
 'udp_EXT_VERS_CRANS' : [ ],
 'udp_CRANS_VERS_EXT': [ ':136','140:']
 }
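Review bot: The gordon proxy-mark rule is left behind as five `#~` lines rather than removed, and the same block is commented out again in the last hunk of firewall_new.py (`firewall_gordon.mangle_table`). The history keeps the old rule, so deleting the lines and leaving one comment, e.g. `# No proxy mark on gordon any more: wifi web traffic goes out directly`, says more than dead code — and if the disabling is meant to be temporary, that comment is the place to say so. With the rule gone this method only sets `self.anim` and prints OK; if gordon's nat table still holds a DNAT keyed on `conf_fw.mark['proxy']` (not visible here), that rule is now unreachable too.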
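Review bot: Changing `'81:134'` to `'80:134'` opens direct outbound HTTP, but the list still expresses its exclusions only as gaps, so nothing tells the next editor that 25, 135, 137-139 and 445 are closed on purpose; a comment above `ports_default` such as `# tcp CRANS->EXT kept closed: 25, 135, 137-139, 445` would make the gap list reviewable. Presumably the blacklist-soft hosts' port-80 packets are marked and DNATed to the proxy in PREROUTING before this filter list applies, so those hosts are not governed by this range — worth a word in the same comment. The dict closes inside the hunk, but the class and the code that consumes `ports_default` are outside it.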
@@ -480,11 +480,17 @@ class firewall_komaz(firewall_crans) :
 # Proxy transparent
 iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
+ #~ iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
+ #~ "-s %s -d ! %s -j MARK --set-mark %s" %
+ #~ (NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy']))
+ #~ iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" %
+ #~ conf_fw.mark['proxy'])
+ iptables("-t mangle -N BLACKLIST_SOFT")
 iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
- "-s %s -d ! %s -j MARK --set-mark %s" %
- (NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy']))
- iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" %
- conf_fw.mark['proxy'])
+ "-s %s -d ! %s -j BLACKLIST_SOFT" %
+ (NETs['fil'][0], NETs['wifi'][0]))
+ iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
+ # Parametres pour iptables/tc
 mark = conf_fw.mark['bittorrent']
@@ -610,8 +616,8 @@ class firewall_komaz(firewall_crans) :
 # iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int )
 # Proxy transparent
- #~ iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
- #~ "-j DNAT --to-destination 10.231.136.9:3128")
+ iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
+ "-j DNAT --to-destination 10.231.136.9:3128")
 print OK
 def filter_table(self) :
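Review bot: `iptables("-t mangle -N BLACKLIST_SOFT")` fails with "Chain already exists" on any restart where the mangle user chains were not deleted — `-F` empties a chain, only `-X` removes it — and neither the start-up path nor how the `iptables()` wrapper treats a non-zero exit is visible in this hunk. Creating the chain where the other user chains are created (BLACKLIST_DST/SRC, outside this hunk) would give it the same lifecycle; `blacklist()` later runs `-t mangle -F BLACKLIST_SOFT`, which itself errors if this method has not run first, so the order of the two calls now matters and deserves a comment such as `# BLACKLIST_SOFT must exist before blacklist() flushes and refills it`. The new jump keeps the `-d ! %s` spelling, which recent iptables accepts with a deprecation warning in favour of `! -d %s`. `mangle_table` begins before this hunk.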
@@ -889,18 +895,18 @@ class firewall_komaz(firewall_crans) :
 def admin_vlan(self) :
 """ Reconstruit la chaîne ADMIN_VLAN """
 iptables("-F ADMIN_VLAN")
-#nounou_machines = []
-#for adherent in db.search('droits=Nounou')['adherent'] :
- # for machine in adherent.machines() :
- # nounou_machines.append(machine.ip())
+ #nounou_machines = []
+ #for adherent in db.search('droits=Nounou')['adherent'] :
+ # for machine in adherent.machines() :
+ # nounou_machines.append(machine.ip())
 iptables("-A ADMIN_VLAN -j REJECT")
- #self.anim = anim('\tChaîne ADMIN_VLAN', len(nounou_machines))
- #for machine in nounou_machines :
- # self.anim.cycle()
- # iptables("-I ADMIN_VLAN -p tcp -s %s --dport ssh -j ACCEPT" % machine)
- # iptables("-I ADMIN_VLAN -p tcp -s %s --dport https -j ACCEPT" % machine)
- #self.anim.reinit()
- #print OK
+ #self.anim = anim('\tChaîne ADMIN_VLAN', len(nounou_machines))
+ #for machine in nounou_machines :
+ # self.anim.cycle()
+ # iptables("-I ADMIN_VLAN -p tcp -s %s --dport ssh -j ACCEPT" % machine)
+ # iptables("-I ADMIN_VLAN -p tcp -s %s --dport https -j ACCEPT" % machine)
+ #self.anim.reinit()
+ #print OK
 def __serveurs_vers_ext(self,machine):
 ip=machine.ip()
@@ -963,15 +969,20 @@ class firewall_komaz(firewall_crans) :
 """ Construit les chaînes de blackliste (BLACKLIST_{DST,SRC}) """
 iptables('-F BLACKLIST_DST')
 iptables('-F BLACKLIST_SRC')
+ iptables('-t mangle -F BLACKLIST_SOFT')
 # Peut-être à mettre dans config.py ?
 blacklist_sanctions = ('upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq')
+ blacklist_sanctions_soft = ('autodisc_virus','ipv6_ra','mail_invalide','virus',
+ 'upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq')
+ blacklist = []
+ blacklist_soft = []
 # Recherche sur le champ ablacklist (clubs compris)
 search = db.search('ablacklist=*&paiement=ok')
- self.anim = anim("\tBlackliste adhérents+clubs", len(search['adherent']+search['club']))
+ self.anim = anim("\tBlackliste adhérents+clubs", 2*len(search['adherent']+search['club']))
 for entite in search['adherent'] + search['club']:
 self.anim.cycle()
 sanctions = entite.blacklist_actif()
@@ -979,12 +990,19 @@ class firewall_komaz(firewall_crans) :
 if s in sanctions:
 blacklist.extend(entite.machines())
 break
+ for entite in search['adherent'] + search['club']:
+ self.anim.cycle()
+ sanctions = entite.blacklist_actif()
+ for s in blacklist_sanctions_soft:
+ if s in sanctions:
+ blacklist_soft.extend(entite.machines())
+ break
 self.anim.reinit()
 print OK
 # Recherche sur le champ mblacklist
 search = db.search('mblacklist=*&paiement=ok')
- self.anim = anim("\tBlackliste machines", len(search['machine']))
+ self.anim = anim("\tBlackliste machines", 2*len(search['machine']))
 for entite in search['machine']:
 self.anim.cycle()
 sanctions = entite.blacklist_actif()
@@ -992,6 +1010,13 @@ class firewall_komaz(firewall_crans) :
 if s in sanctions:
 blacklist.append(entite)
 break
+ for entite in search['machine']:
+ self.anim.cycle()
+ sanctions = entite.blacklist_actif()
+ for s in blacklist_sanctions_soft:
+ if s in sanctions:
+ blacklist_soft.append(entite)
+ break
 self.anim.reinit()
 print OK
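Review bot: The second loop added in the `@@ -979` hunk walks `search['adherent'] + search['club']` again and calls `entite.blacklist_actif()` a second time per entity, and the `@@ -992` hunk does the same for machines — twice the directory lookups, which is also why the anim counters in the first hunk became `2*len(...)`. One pass can fill both lists with the same first-match semantics and the counters go back to `len(...)`; the adherent/club loop is sketched below, the machine loop has the same shape with `append(entite)`. Separately, `blacklist_sanctions_soft` repeats every entry of `blacklist_sanctions`, so a hard-blacklisted machine is also marked for the proxy; since the mark triggers a DNAT in nat PREROUTING before the filter table runs, please confirm that BLACKLIST_SRC is still hit on the proxy-bound path (its hook point is outside these hunks), otherwise the superset would let a hard-blacklisted host reach the web through squid. `blacklist()` continues after the last of these hunks.
```python
        for entite in search['adherent'] + search['club']:
            self.anim.cycle()
            sanctions = entite.blacklist_actif()
            # one lookup per entity; first matching sanction decides, as before
            hard = any(s in sanctions for s in blacklist_sanctions)
            soft = any(s in sanctions for s in blacklist_sanctions_soft)
            if hard or soft:
                machines = entite.machines()
                if hard:
                    blacklist.extend(machines)
                if soft:
                    blacklist_soft.extend(machines)
        # … unchanged: self.anim.reinit(), print OK …
        # … same single-pass shape for search['machine'], appending entite itself …
```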
@@ -1001,6 +1026,11 @@ class firewall_komaz(firewall_crans) :
 iptables("-A BLACKLIST_DST -d %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
 iptables("-A BLACKLIST_SRC -s %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
 self.anim.reinit()
+ self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist))
+ for machine in blacklist_soft:
+ self.anim.cycle()
+ iptables("-t mangle -I BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
+ self.anim.reinit()
 print OK
 def filtre_p2p(self):
@@ -1231,17 +1261,17 @@ class firewall_sable(firewall_rouge):
 iptables("-t mangle -F PREROUTING")
 # Pour le proxy transparent
- # iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
- #~ "--destination 10.231.136.9 " +
- #~ "-m mac --mac-source %s " % mac_komaz +
- #~ "-j MARK --set-mark %s" % conf_fw.mark['proxy'])
- # iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
+ iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
+ "--destination 10.231.136.9 " +
+ "-m mac --mac-source %s " % mac_komaz +
+ "-j MARK --set-mark %s" % conf_fw.mark['proxy'])
+ iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
 def nat_table(self):
 firewall_rouge.nat_table(self)
 # Proxy transparent pour le filiaire
- # iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
+ iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
 if_defaut = "eth0"
 if_radin = "eth0.%d" % vlans["radin"]
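Review bot: `self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist))` sizes the progress counter with the hard list while the loop under it iterates `blacklist_soft`; it should read `len(blacklist_soft)`. The rules are inserted with `-I`, so the chain ends up in reverse list order — harmless because every rule is an independent `-s` match, but `-A` would match the BLACKLIST_DST/SRC rules just above and keep the chain readable in list order. `blacklist()` starts before this hunk.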
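Review bot: The re-enabled rules hard-code `eth0.2` (in the mangle rule and in the nat rule below) while the same `nat_table` derives its other interfaces from the vlans table (`if_radin = "eth0.%d" % vlans["radin"]`); if vlan 2 has an entry in `vlans`, `"eth0.%d" % vlans[<its name>]` keeps the proxy rules in step with the rest. `-m mac --mac-source %s` with `mac_komaz` only narrows which upstream frames receive the proxy mark; it is a convenience filter rather than an identity check, which a short comment on that line could say so nobody later relies on it for more. `-i eth0.2` placed before `-A PREROUTING` is accepted by iptables, but every other rule in the file names the chain first. `nat_table` continues into the next hunk.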
@@ -1249,15 +1279,15 @@ class firewall_sable(firewall_rouge):
 if_isolement = "eth0.%d" % vlans["isolement"]
 # Proxy transparent pour le wifi
- # iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80" %if_defaut +
- #~ " -d ! 138.231.136.0/24 -j DNAT --to-destination" +
- #~ " 138.231.136.9:3128")
+ iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80" %if_defaut +
+ " -d ! 138.231.136.0/24 -j DNAT --to-destination" +
+ " 138.231.136.9:3128")
 # Proxy transparent pour les vlans radin et accueil
- #~ for interface in [if_accueil, if_isolement]:
- #~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.1:3128" % interface)
- #~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 3128 -j ACCEPT" % interface)
- #~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface)
+ for interface in [if_accueil, if_isolement]:
+ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.1:3128" % interface)
+ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 3128 -j ACCEPT" % interface)
+ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface)
 def post_start_hook(self) :
 self.anim = anim("\tMise en place du routage")
@@ -1320,11 +1350,11 @@ class firewall_gordon(firewall_crans) :
 def mangle_table(self):
 self.anim = anim('\tRègles spécifiques à gordon')
- iptables("-t mangle -A PREROUTING " +
- "-d ! 138.231.136.0/21 " +
- ("-i %s " % self.eth_wifi) +
- "-p tcp -m tcp --dport 80 " +
- "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
+ #~ iptables("-t mangle -A PREROUTING " +
+ #~ "-d ! 138.231.136.0/21 " +
+ #~ ("-i %s " % self.eth_wifi) +
+ #~ "-p tcp -m tcp --dport 80 " +
+ #~ "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
 print OK
 def post_start_hook(self) :
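Review bot: The wifi rule hard-codes the exemption `-d ! 138.231.136.0/24` and the proxy `138.231.136.9:3128`, whereas the komaz rules in this patch take their networks from `NETs[...]`; the gordon rule removed in the last hunk used `/21` for what looks like the same exemption, so a comment stating why `/24` is right here — or a `NETs` lookup if the prefix is defined there — would stop the two from drifting apart. In the accueil/isolement loop, `-j ACCEPT` in nat PREROUTING for 3128 and 443 only ends NAT processing; what is actually allowed on those ports still has to be decided in `filter_table`, which is outside this hunk, and a comment on the loop saying so would keep the ACCEPTs from being read as authorizations. `nat_table` begins before this hunk.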