[config,firewall_new] On bloque quand on est deconnecté pour virus, on route quelques ip crans depuis le vlan isolement (par exemple, le PXE)

Ignore-this: 1a6f7b2339214b76f71968a0096f5e73

darcs-hash:20121122171458-3a55a-6bd681316cd5496c71f6811f4c5a6eff64f6432b.gz

gestion/config.py

@@ -481,6 +481,7 @@ NETs = { 'serveurs' : [ '138.231.136.0/28' ],
          'wifi': [ '138.231.144.0/21' ],
          'gratuit': [ '10.42.0.0/16' ],
 	 'accueil': ['10.51.0.0/16' ],
+	 'isolement': ['10.52.0.0/16' ],
          'personnel-ens': ['10.2.9.0/24' ],
          'ens' : ['138.231.135.0/24'],
          'all' : [ '138.231.136.0/21', '138.231.148.0/21' ]
@@ -589,7 +590,7 @@ file_pickle = { 4 : '/tmp/ipt_pickle',
                 6 : '/tmp/ip6t_pickle'
               }
 
-blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq']
+blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus','autodisc_upload', 'bloq']
 blacklist_sanctions_soft  = ['autodisc_virus','ipv6_ra','mail_invalide','virus',
         'upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq','carte_etudiant','chambre_invalide']
 
@@ -602,14 +603,14 @@ open_ports = { 'tcp' : '22' }
 debit_max_radin = 1000000
 debit_max_gratuit = 1000000
 
-#######################
-##   Vlan accueil    ##
-#######################
+###############################
+## Vlan accueil et isolement ##
+###############################
 accueil_route = {
-	'138.231.136.1':['80','443'],
-	'138.231.136.67':['80','443'],
-	'138.231.136.98':['20','21','80'],
-	'138.231.136.130':['80','443']
+	'138.231.136.1':{'tcp':['80','443']},
+	'138.231.136.67':{'tcp':['80','443']},
+	'138.231.136.98':{'tcp':['20','21','80','111','1024:65535'],'udp':['69','1024:65535']},
+	'138.231.136.130':{'tcp':['80','443']}
 }
 
 

gestion/gen_confs/firewall_new.py

@@ -1141,8 +1141,8 @@ class firewall_komaz(firewall_crans) :
         self.anim = anim("\tChaînes BLACKLIST", len(blacklist))
         for machine in blacklist:
             self.anim.cycle()
-            rules.append("-A BLACKLIST_DST -d %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
-            rules.append("-A BLACKLIST_SRC -s %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
+            rules.append("-A BLACKLIST_DST -d %s -j REJECT" % machine.ip())
+            rules.append("-A BLACKLIST_SRC -s %s -j REJECT" % machine.ip())
         self.anim.reinit()
         print OK
         rules.append('COMMIT')
@@ -1431,10 +1431,6 @@ class firewall_sable(firewall_redisdead):
     def filter_table_tweaks(self) :
         iptables("-P INPUT ACCEPT")
         iptables("-P FORWARD DROP")
-        for ip in accueil_route.keys():
-          for port in accueil_route[ip]:
-           iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
-           iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
 
     def mangle_table(self):
         iptables("-t mangle -F PREROUTING")
@@ -1456,12 +1452,6 @@ class firewall_sable(firewall_redisdead):
         if_accueil = "eth0.%d" % vlans["accueil"]
         if_isolement = "eth0.%d" % vlans["isolement"]
 
-	#intranet et wiki pour le vlan accueil
-        for ip in accueil_route.keys():
-          for port in accueil_route[ip]:
-            iptables("-t nat -A PREROUTING -i eth0.7 -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
-            iptables("-t nat -A POSTROUTING -p tcp -s %s -d %s --dport %s -j MASQUERADE" % (NETs['accueil'][0],ip,port))
-
          # Proxy transparent pour le wifi
         iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80" %if_defaut +
                  " -d ! 138.231.136.0/24 -j DNAT --to-destination" +
@@ -1585,9 +1575,10 @@ class firewall_routeur(firewall_crans):
         iptables("-P INPUT ACCEPT")
         iptables("-P FORWARD DROP")
         for ip in accueil_route.keys():
-          for port in accueil_route[ip]:
-           iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
-           iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
+            for type in accueil_route[ip].keys():
+                for port in accueil_route[ip][type]:
+                    iptables("-A FORWARD -p %s -d %s --dport %s -j ACCEPT" % (type,ip,port))
+                    iptables("-A FORWARD -p %s -s %s --sport %s -j ACCEPT" % (type,ip,port))
 
     def mangle_table(self):
         iptables("-t mangle -F PREROUTING")
@@ -1596,9 +1587,14 @@ class firewall_routeur(firewall_crans):
     def nat_table(self):
         #intranet et wiki pour le vlan accueil
         for ip in accueil_route.keys():
-          for port in accueil_route[ip]:
-            iptables("-t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j ACCEPT" % (self.eth_accueil ,ip,port))
-            iptables("-t nat -A POSTROUTING -p tcp -s %s -d %s --dport %s -j MASQUERADE" % (NETs['accueil'][0],ip,port))
+            for type in accueil_route[ip].keys():
+                for port in accueil_route[ip][type]:
+                    iptables("-t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j ACCEPT" % (self.eth_accueil ,type,ip,port))
+                    iptables("-t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j ACCEPT" % (self.eth_isolement ,type,ip,port))
+                    iptables("-t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j ACCEPT" % (self.eth_appart ,type,ip,port))
+                    iptables("-t nat -A POSTROUTING -p %s -s %s -d %s --dport %s -j MASQUERADE" % (type,NETs['accueil'][0],ip,port))
+                    iptables("-t nat -A POSTROUTING -p %s -s %s -d %s --dport %s -j MASQUERADE" % (type,NETs['isolement'][0],ip,port))
+                    iptables("-t nat -A POSTROUTING -p %s -s %s -d %s --dport %s -j MASQUERADE" % (type,NETs['personnel-ens'][0],ip,port))
 
         # Proxy transparent pour les vlans isolement et accueil
         i=1