From 5e83e9aebd199d486fa52f7031fc91b84fae374f Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Thu, 22 Nov 2012 18:14:58 +0100
Subject: [PATCH] =?UTF-8?q?[config,firewall=5Fnew]=20On=20bloque=20quand?= =?UTF-8?q?=20on=20est=20deconnect=C3=A9=20pour=20virus,=20on=20route=20qu?= =?UTF-8?q?elques=20ip=20crans=20depuis=20le=20vlan=20isolement=20(par=20e?= =?UTF-8?q?xemple,=20le=20PXE)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ignore-this: 1a6f7b2339214b76f71968a0096f5e73
darcs-hash:20121122171458-3a55a-6bd681316cd5496c71f6811f4c5a6eff64f6432b.gz
---
 gestion/config.py | 17 ++++++++--------
 gestion/gen_confs/firewall_new.py | 32 ++++++++++++++-----------------
 2 files changed, 23 insertions(+), 26 deletions(-)
diff --git a/gestion/config.py b/gestion/config.py
index 6459abb2..1d59261b 100644
--- a/gestion/config.py
+++ b/gestion/config.py
@@ -481,6 +481,7 @@ NETs = {
 'serveurs' : [ '138.231.136.0/28' ], 'wifi': [ '138.231.144.0/21' ], 'gratuit': [ '10.42.0.0/16' ], 'accueil': ['10.51.0.0/16' ],
+ 'isolement': ['10.52.0.0/16' ],
 'personnel-ens': ['10.2.9.0/24' ],
 'ens' : ['138.231.135.0/24'],
 'all' : [ '138.231.136.0/21', '138.231.148.0/21' ]
@@ -589,7 +590,7 @@ file_pickle = {
 4 : '/tmp/ipt_pickle',
 6 : '/tmp/ip6t_pickle'
 }
-blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq']
+blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus','autodisc_upload', 'bloq']
 blacklist_sanctions_soft = ['autodisc_virus','ipv6_ra','mail_invalide','virus', 'upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq','carte_etudiant','chambre_invalide']
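Review bot: `blacklist_sanctions` now repeats six of the entries of `blacklist_sanctions_soft` on the line below, and neither list carries a comment saying which code path consumes it or how the two relate, so the next sanction is likely to be added to one list and forgotten in the other. A one-line comment above each list naming its consumer would fix that; the consumers are not visible in this patch, so something like `# hard blacklist -- TODO(review): name the chain/generator that reads this` is the most I can propose. If the hard list is meant to stay a subset of the soft one, `assert set(blacklist_sanctions) <= set(blacklist_sanctions_soft)` after the two definitions would catch drift when the config is imported. The two new entries are also inserted without the spacing the rest of the list uses (`'autodisc_p2p','autodisc_virus','virus','autodisc_upload'`).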
@@ -602,14 +603,14 @@ open_ports = { 'tcp' : '22' }
 debit_max_radin = 1000000
 debit_max_gratuit = 1000000
-#######################
-## Vlan accueil ##
-#######################
+###############################
+## Vlan accueil et isolement ##
+###############################
 accueil_route = {
- '138.231.136.1':['80','443'],
- '138.231.136.67':['80','443'],
- '138.231.136.98':['20','21','80'],
- '138.231.136.130':['80','443']
+ '138.231.136.1':{'tcp':['80','443']},
+ '138.231.136.67':{'tcp':['80','443']},
+ '138.231.136.98':{'tcp':['20','21','80','111','1024:65535'],'udp':['69','1024:65535']},
+ '138.231.136.130':{'tcp':['80','443']}
 }
diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index d46b919a..e780b375 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@@ -1141,8 +1141,8 @@ class firewall_komaz(firewall_crans) :
 self.anim = anim("\tChaƮnes BLACKLIST", len(blacklist))
 for machine in blacklist:
 self.anim.cycle()
- rules.append("-A BLACKLIST_DST -d %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
- rules.append("-A BLACKLIST_SRC -s %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
+ rules.append("-A BLACKLIST_DST -d %s -j REJECT" % machine.ip())
+ rules.append("-A BLACKLIST_SRC -s %s -j REJECT" % machine.ip())
 self.anim.reinit()
 print OK
 rules.append('COMMIT')
@@ -1431,10 +1431,6 @@ class firewall_sable(firewall_redisdead):
 def filter_table_tweaks(self) :
 iptables("-P INPUT ACCEPT")
 iptables("-P FORWARD DROP")
- for ip in accueil_route.keys():
- for port in accueil_route[ip]:
- iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
- iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
 def mangle_table(self):
 iptables("-t mangle -F PREROUTING")
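Review bot: The new `'138.231.136.98'` entry opens `tcp 1024:65535` and `udp 1024:65535` (plus 111 and 69) towards that host, and the routeur hunk later in this patch turns every entry into a FORWARD ACCEPT with no `-s`/`-i` restriction, so every unprivileged service on that server becomes reachable from the isolation VLAN, whose hosts are there precisely because they are suspected of being infected. Port 111 together with the whole high range looks like portmapper/NFS and 69 with the high range like TFTP for the PXE the commit message mentions; if so, pin mountd/statd/lockd to fixed ports on the server and list only those, and let the conntrack TFTP helper handle the data port instead of a blanket range (the exact services are my guess and need confirming). A comment on the entry saying which service each port set serves would also let the next reviewer judge it, e.g. `# .98: ftp 20/21, http 80, rpcbind 111 + dynamic NFS ports, tftp 69 + dynamic data port (PXE)` once the author has confirmed the list.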
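Review bot: Dropping `--reject-with icmp-host-prohibited` silently changes the rejection to iptables' default `icmp-port-unreachable`, and neither a comment nor the commit message says why. If the reason is that the same rule text is also loaded through ip6tables (config.py's `file_pickle` has both a 4 and a 6 entry, which suggests that), `icmp-host-prohibited` is indeed invalid there, but a per-family value would keep the clearer "administratively prohibited" semantics: `icmp-host-prohibited` for IPv4 and `icmp6-adm-prohibited` for IPv6. Otherwise a one-line comment such as `# plain REJECT: the default reject type is accepted by both iptables and ip6tables` would record the decision for whoever wonders next. The enclosing method of `firewall_komaz` starts before this hunk.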
@@ -1456,12 +1452,6 @@ class firewall_sable(firewall_redisdead):
 if_accueil = "eth0.%d" % vlans["accueil"]
 if_isolement = "eth0.%d" % vlans["isolement"]
- #intranet et wiki pour le vlan accueil
- for ip in accueil_route.keys():
- for port in accueil_route[ip]:
- iptables("-t nat -A PREROUTING -i eth0.7 -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
- iptables("-t nat -A POSTROUTING -p tcp -s %s -d %s --dport %s -j MASQUERADE" % (NETs['accueil'][0],ip,port))
 # Proxy transparent pour le wifi
 iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80" %if_defaut + " -d ! 138.231.136.0/24 -j DNAT --to-destination" +
@@ -1585,9 +1575,10 @@ class firewall_routeur(firewall_crans):
 iptables("-P INPUT ACCEPT")
 iptables("-P FORWARD DROP")
 for ip in accueil_route.keys():
- for port in accueil_route[ip]:
- iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
- iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
+ for type in accueil_route[ip].keys():
+ for port in accueil_route[ip][type]:
+ iptables("-A FORWARD -p %s -d %s --dport %s -j ACCEPT" % (type,ip,port))
+ iptables("-A FORWARD -p %s -s %s --sport %s -j ACCEPT" % (type,ip,port))
 def mangle_table(self):
 iptables("-t mangle -F PREROUTING")
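Review bot: The second rule in the inner loop, `-A FORWARD -p %s -s %s --sport %s -j ACCEPT`, admits return traffic by source port rather than by connection state; with the `1024:65535` ranges the config hunk adds to `accueil_route`, it forwards anything 138.231.136.98 (or a host spoofing that address) sends from a high port to any destination the router forwards to, because the rule carries no `-d`, `-o` or `-i`. Replace the `--sport` rule with one stateful rule placed before the loop, `iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")`, and keep only the `--dport` rule per entry, ideally restricted with `-i` to the VLAN interfaces the nat hunk below enumerates. `type` also shadows the builtin; `proto` would read better. `filter_table_tweaks` begins before this hunk.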
@@ -1596,9 +1587,14 @@ class firewall_routeur(firewall_crans):
 def nat_table(self):
 #intranet et wiki pour le vlan accueil
 for ip in accueil_route.keys():
- for port in accueil_route[ip]:
- iptables("-t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j ACCEPT" % (self.eth_accueil ,ip,port))
- iptables("-t nat -A POSTROUTING -p tcp -s %s -d %s --dport %s -j MASQUERADE" % (NETs['accueil'][0],ip,port))
+ for type in accueil_route[ip].keys():
+ for port in accueil_route[ip][type]:
+ iptables("-t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j ACCEPT" % (self.eth_accueil ,type,ip,port))
+ iptables("-t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j ACCEPT" % (self.eth_isolement ,type,ip,port))
+ iptables("-t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j ACCEPT" % (self.eth_appart ,type,ip,port))
+ iptables("-t nat -A POSTROUTING -p %s -s %s -d %s --dport %s -j MASQUERADE" % (type,NETs['accueil'][0],ip,port))
+ iptables("-t nat -A POSTROUTING -p %s -s %s -d %s --dport %s -j MASQUERADE" % (type,NETs['isolement'][0],ip,port))
+ iptables("-t nat -A POSTROUTING -p %s -s %s -d %s --dport %s -j MASQUERADE" % (type,NETs['personnel-ens'][0],ip,port))
 # Proxy transparent pour les vlans isolement et accueil
 i=1
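Review bot: The three PREROUTING/POSTROUTING pairs are six independent lines, and the third pair does not use matching names (the PREROUTING rule is on `self.eth_appart` while the MASQUERADE is for `NETs['personnel-ens'][0]`), so whether both halves describe the same VLAN cannot be checked from the hunk; the `#intranet et wiki pour le vlan accueil` comment above the loop is also stale now that isolement and appart are covered. I would state the mapping once as (interface, subnet) pairs with a comment, so the two halves cannot drift, and rename `type`, which shadows the builtin. Masquerading also hides which quarantined host talked to the server; if the server already has a route back to 10.52.0.0/16, the POSTROUTING rule for isolement can be dropped and the server logs keep the real client address. `self.eth_isolement` and `self.eth_appart` are not visible in this patch and presumably exist on the class; `nat_table` continues past the hunk with the transparent-proxy loop that starts at `i=1`.
```python
    def nat_table(self):
        # Hosts listed in accueil_route are reachable from these VLANs.  The
        # nat PREROUTING ACCEPT presumably exempts the flow from the transparent
        # proxy DNAT further down; the MASQUERADE hides the client behind the
        # router.  TODO(review): confirm eth_appart carries NETs['personnel-ens'].
        routed_vlans = [
            (self.eth_accueil, NETs['accueil'][0]),
            (self.eth_isolement, NETs['isolement'][0]),
            (self.eth_appart, NETs['personnel-ens'][0]),
        ]
        for ip in accueil_route.keys():
            for proto in accueil_route[ip].keys():
                for port in accueil_route[ip][proto]:
                    for iface, net in routed_vlans:
                        iptables("-t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j ACCEPT" % (iface, proto, ip, port))
                        iptables("-t nat -A POSTROUTING -p %s -s %s -d %s --dport %s -j MASQUERADE" % (proto, net, ip, port))
        # … unchanged: transparent proxy for the isolement and accueil VLANs …
```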