[firewall_new,firewall,firewall-logrotate-script] On laisse acceuil et isolement sur squid, on met les blacklist softs vers squid, le reste passe en direct.
Ignore-this: a6e2c0a26fddbb7232360f64dc3cfec5 darcs-hash:20111118161604-3a55a-c88c1122b35bc897010fbf03d431d58175a3f1ac.gz
This commit is contained in:
Valentin Samir
parent
a27e3da685
commit
587860cd5d
3 changed files with 82 additions and 46 deletions
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/zsh
|
||||
#!/bin/bash
|
||||
|
||||
umask 0177
|
||||
|
||||
|
|
@ -18,8 +18,14 @@ fi
|
|||
while ( ls -tr "$logs_src" | grep -E 'logall\.log\.[0-9]+\..z2?' ); do
|
||||
dernier_fichier=$logs_src/$(ls -tr "$logs_src" | grep -E 'logall\.log\.[0-9]+\..z2?' | head -1)
|
||||
|
||||
timestamp=$(bzcat "$dernier_fichier" | head -1 | awk '{print $1}')
|
||||
date=$(date -d "1970-01-01 $timestamp sec" +"%Y-%m-%d")
|
||||
#timestamp=$(bzcat "$dernier_fichier" | head -1 | awk '{print $1}')
|
||||
#date=$(date -d "1970-01-01 $timestamp sec" +"%Y-%m-%d")
|
||||
Y=$(date | awk '{print $4}')
|
||||
Y=${Y:0:4}
|
||||
M=$(sudo bzcat "$dernier_fichier" | head -1 | awk '{print $1}')
|
||||
M=$(date -d "01-$M-01" +%m)
|
||||
D=$(sudo bzcat "$dernier_fichier" | head -1 | awk '{print $2}')
|
||||
date=$Y-$M-$D
|
||||
echo install -o root -g root -m 400 "$dernier_fichier" "$logs_dst/logall.log.$date.bz2"
|
||||
echo rm "$dernier_fichier"
|
||||
install -o root -g root -m 400 "$dernier_fichier" "$logs_dst/logall.log.$date.bz2"
|
||||
|
|
|
|||
|
|
@ -1362,11 +1362,11 @@ class firewall_gordon(firewall_crans) :
|
|||
|
||||
def mangle_table(self):
|
||||
self.anim = anim('\tRègles spécifiques à gordon')
|
||||
iptables("-t mangle -A PREROUTING " +
|
||||
"-d ! 138.231.136.0/21 " +
|
||||
("-i %s " % self.eth_wifi) +
|
||||
"-p tcp -m tcp --dport 80 " +
|
||||
"-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
|
||||
#~ iptables("-t mangle -A PREROUTING " +
|
||||
#~ "-d ! 138.231.136.0/21 " +
|
||||
#~ ("-i %s " % self.eth_wifi) +
|
||||
#~ "-p tcp -m tcp --dport 80 " +
|
||||
#~ "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
|
||||
print OK
|
||||
|
||||
def post_start_hook(self) :
|
||||
|
|
|
|||
|
|
@ -432,7 +432,7 @@ class firewall_komaz(firewall_crans) :
|
|||
|
||||
# Ports ouverts
|
||||
ports_default = { 'tcp_EXT_VERS_CRANS' : [ '22' ],
|
||||
'tcp_CRANS_VERS_EXT': [ ':24', '26:79', '81:134', '136', '140:444', '446:'],
|
||||
'tcp_CRANS_VERS_EXT': [ ':24', '26:79', '80:134', '136', '140:444', '446:'],
|
||||
'udp_EXT_VERS_CRANS' : [ ],
|
||||
'udp_CRANS_VERS_EXT': [ ':136','140:'] }
|
||||
|
||||
|
|
@ -480,11 +480,17 @@ class firewall_komaz(firewall_crans) :
|
|||
|
||||
# Proxy transparent
|
||||
iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
|
||||
#~ iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
|
||||
#~ "-s %s -d ! %s -j MARK --set-mark %s" %
|
||||
#~ (NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy']))
|
||||
#~ iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" %
|
||||
#~ conf_fw.mark['proxy'])
|
||||
iptables("-t mangle -N BLACKLIST_SOFT")
|
||||
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
|
||||
"-s %s -d ! %s -j MARK --set-mark %s" %
|
||||
(NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy']))
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" %
|
||||
conf_fw.mark['proxy'])
|
||||
"-s %s -d ! %s -j BLACKLIST_SOFT" %
|
||||
(NETs['fil'][0], NETs['wifi'][0]))
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
|
||||
|
||||
# Parametres pour iptables/tc
|
||||
mark = conf_fw.mark['bittorrent']
|
||||
|
|
@ -610,8 +616,8 @@ class firewall_komaz(firewall_crans) :
|
|||
# iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int )
|
||||
|
||||
# Proxy transparent
|
||||
#~ iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
|
||||
#~ "-j DNAT --to-destination 10.231.136.9:3128")
|
||||
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
|
||||
"-j DNAT --to-destination 10.231.136.9:3128")
|
||||
print OK
|
||||
|
||||
def filter_table(self) :
|
||||
|
|
@ -889,18 +895,18 @@ class firewall_komaz(firewall_crans) :
|
|||
def admin_vlan(self) :
|
||||
""" Reconstruit la chaîne ADMIN_VLAN """
|
||||
iptables("-F ADMIN_VLAN")
|
||||
#nounou_machines = []
|
||||
#for adherent in db.search('droits=Nounou')['adherent'] :
|
||||
# for machine in adherent.machines() :
|
||||
# nounou_machines.append(machine.ip())
|
||||
#nounou_machines = []
|
||||
#for adherent in db.search('droits=Nounou')['adherent'] :
|
||||
# for machine in adherent.machines() :
|
||||
# nounou_machines.append(machine.ip())
|
||||
iptables("-A ADMIN_VLAN -j REJECT")
|
||||
#self.anim = anim('\tChaîne ADMIN_VLAN', len(nounou_machines))
|
||||
#for machine in nounou_machines :
|
||||
# self.anim.cycle()
|
||||
# iptables("-I ADMIN_VLAN -p tcp -s %s --dport ssh -j ACCEPT" % machine)
|
||||
# iptables("-I ADMIN_VLAN -p tcp -s %s --dport https -j ACCEPT" % machine)
|
||||
#self.anim.reinit()
|
||||
#print OK
|
||||
#self.anim = anim('\tChaîne ADMIN_VLAN', len(nounou_machines))
|
||||
#for machine in nounou_machines :
|
||||
# self.anim.cycle()
|
||||
# iptables("-I ADMIN_VLAN -p tcp -s %s --dport ssh -j ACCEPT" % machine)
|
||||
# iptables("-I ADMIN_VLAN -p tcp -s %s --dport https -j ACCEPT" % machine)
|
||||
#self.anim.reinit()
|
||||
#print OK
|
||||
|
||||
def __serveurs_vers_ext(self,machine):
|
||||
ip=machine.ip()
|
||||
|
|
@ -963,15 +969,20 @@ class firewall_komaz(firewall_crans) :
|
|||
""" Construit les chaînes de blackliste (BLACKLIST_{DST,SRC}) """
|
||||
iptables('-F BLACKLIST_DST')
|
||||
iptables('-F BLACKLIST_SRC')
|
||||
iptables('-t mangle -F BLACKLIST_SOFT')
|
||||
|
||||
# Peut-être à mettre dans config.py ?
|
||||
blacklist_sanctions = ('upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq')
|
||||
blacklist_sanctions_soft = ('autodisc_virus','ipv6_ra','mail_invalide','virus',
|
||||
'upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq')
|
||||
|
||||
|
||||
blacklist = []
|
||||
blacklist_soft = []
|
||||
|
||||
# Recherche sur le champ ablacklist (clubs compris)
|
||||
search = db.search('ablacklist=*&paiement=ok')
|
||||
self.anim = anim("\tBlackliste adhérents+clubs", len(search['adherent']+search['club']))
|
||||
self.anim = anim("\tBlackliste adhérents+clubs", 2*len(search['adherent']+search['club']))
|
||||
for entite in search['adherent'] + search['club']:
|
||||
self.anim.cycle()
|
||||
sanctions = entite.blacklist_actif()
|
||||
|
|
@ -979,12 +990,19 @@ class firewall_komaz(firewall_crans) :
|
|||
if s in sanctions:
|
||||
blacklist.extend(entite.machines())
|
||||
break
|
||||
for entite in search['adherent'] + search['club']:
|
||||
self.anim.cycle()
|
||||
sanctions = entite.blacklist_actif()
|
||||
for s in blacklist_sanctions_soft:
|
||||
if s in sanctions:
|
||||
blacklist_soft.extend(entite.machines())
|
||||
break
|
||||
self.anim.reinit()
|
||||
print OK
|
||||
|
||||
# Recherche sur le champ mblacklist
|
||||
search = db.search('mblacklist=*&paiement=ok')
|
||||
self.anim = anim("\tBlackliste machines", len(search['machine']))
|
||||
self.anim = anim("\tBlackliste machines", 2*len(search['machine']))
|
||||
for entite in search['machine']:
|
||||
self.anim.cycle()
|
||||
sanctions = entite.blacklist_actif()
|
||||
|
|
@ -992,6 +1010,13 @@ class firewall_komaz(firewall_crans) :
|
|||
if s in sanctions:
|
||||
blacklist.append(entite)
|
||||
break
|
||||
for entite in search['machine']:
|
||||
self.anim.cycle()
|
||||
sanctions = entite.blacklist_actif()
|
||||
for s in blacklist_sanctions_soft:
|
||||
if s in sanctions:
|
||||
blacklist_soft.append(entite)
|
||||
break
|
||||
self.anim.reinit()
|
||||
print OK
|
||||
|
||||
|
|
@ -1001,6 +1026,11 @@ class firewall_komaz(firewall_crans) :
|
|||
iptables("-A BLACKLIST_DST -d %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
|
||||
iptables("-A BLACKLIST_SRC -s %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
|
||||
self.anim.reinit()
|
||||
self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist))
|
||||
for machine in blacklist_soft:
|
||||
self.anim.cycle()
|
||||
iptables("-t mangle -I BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
|
||||
self.anim.reinit()
|
||||
print OK
|
||||
|
||||
def filtre_p2p(self):
|
||||
|
|
@ -1231,17 +1261,17 @@ class firewall_sable(firewall_rouge):
|
|||
iptables("-t mangle -F PREROUTING")
|
||||
|
||||
# Pour le proxy transparent
|
||||
# iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
|
||||
#~ "--destination 10.231.136.9 " +
|
||||
#~ "-m mac --mac-source %s " % mac_komaz +
|
||||
#~ "-j MARK --set-mark %s" % conf_fw.mark['proxy'])
|
||||
# iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
|
||||
"--destination 10.231.136.9 " +
|
||||
"-m mac --mac-source %s " % mac_komaz +
|
||||
"-j MARK --set-mark %s" % conf_fw.mark['proxy'])
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
|
||||
|
||||
def nat_table(self):
|
||||
firewall_rouge.nat_table(self)
|
||||
# Proxy transparent pour le filiaire
|
||||
# iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
|
||||
if_defaut = "eth0"
|
||||
if_radin = "eth0.%d" % vlans["radin"]
|
||||
|
|
@ -1249,15 +1279,15 @@ class firewall_sable(firewall_rouge):
|
|||
if_isolement = "eth0.%d" % vlans["isolement"]
|
||||
|
||||
# Proxy transparent pour le wifi
|
||||
# iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80" %if_defaut +
|
||||
#~ " -d ! 138.231.136.0/24 -j DNAT --to-destination" +
|
||||
#~ " 138.231.136.9:3128")
|
||||
iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80" %if_defaut +
|
||||
" -d ! 138.231.136.0/24 -j DNAT --to-destination" +
|
||||
" 138.231.136.9:3128")
|
||||
|
||||
# Proxy transparent pour les vlans radin et accueil
|
||||
#~ for interface in [if_accueil, if_isolement]:
|
||||
#~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.1:3128" % interface)
|
||||
#~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 3128 -j ACCEPT" % interface)
|
||||
#~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface)
|
||||
for interface in [if_accueil, if_isolement]:
|
||||
iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.1:3128" % interface)
|
||||
iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 3128 -j ACCEPT" % interface)
|
||||
iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface)
|
||||
|
||||
def post_start_hook(self) :
|
||||
self.anim = anim("\tMise en place du routage")
|
||||
|
|
@ -1320,11 +1350,11 @@ class firewall_gordon(firewall_crans) :
|
|||
|
||||
def mangle_table(self):
|
||||
self.anim = anim('\tRègles spécifiques à gordon')
|
||||
iptables("-t mangle -A PREROUTING " +
|
||||
"-d ! 138.231.136.0/21 " +
|
||||
("-i %s " % self.eth_wifi) +
|
||||
"-p tcp -m tcp --dport 80 " +
|
||||
"-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
|
||||
#~ iptables("-t mangle -A PREROUTING " +
|
||||
#~ "-d ! 138.231.136.0/21 " +
|
||||
#~ ("-i %s " % self.eth_wifi) +
|
||||
#~ "-p tcp -m tcp --dport 80 " +
|
||||
#~ "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
|
||||
print OK
|
||||
|
||||
def post_start_hook(self) :
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue