diff --git a/gestion/classe_firewall.py b/gestion/classe_firewall.py index 1e8d6697..1b278983 100755 --- a/gestion/classe_firewall.py +++ b/gestion/classe_firewall.py @@ -15,6 +15,7 @@ # MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR # PURPOSE. """ classe Firewall de Komaz """ +import commands,time import sys,os import iptools,config,fileinput from ldap_crans import * @@ -44,12 +45,17 @@ class ErrorMoreThanOneIp(ErrorIp): """ pass class ErrorIptables(Exception): - pass """ User defined exception Les erreurs d'iptables """ - + def __init__(self,cmd,err_code,output): + self.cmd=cmd + self.err_code=err_code + self.output=output + openlog(ident='syslog',logopt=0,facility=' LOG_USER') + syslog('LOG_ALERT',cmd,err,output) + class ErrorNoSuchIp(ErrorIp): """ User defined exception @@ -58,6 +64,18 @@ class ErrorNoSuchIp(ErrorIp): pass class firewall: + def __init__(self): + self.file_log=open("/var/log/fw.log","a") + + def __init__(self): + self.file_log.close() + + def iptables(self,cmd): + status,output=getstatusoutput(cmd) + if status: + raise IptablesError(cmd,status,output) + self.file_log.write(cmd) + def start(self): """ Construit le firewall @@ -76,9 +94,9 @@ class firewall: Pas d'arguments """ print "Arrêt du firewall" - os.system("iptables -F") - os.system("iptables -t nat -F") - os.system("iptables -X") + iptables("iptables -F") + iptables("iptables -t nat -F") + iptables("iptables -X") def create_defaults(self): """ 
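Review bot: `syslog('LOG_ALERT',cmd,err,output)` in the new `ErrorIptables.__init__` references `err`, which is never defined (the parameter is `err_code`), so constructing the exception fails with NameError before it can be raised. `syslog` takes an integer priority and a single message rather than a string and three positional arguments, and `openlog`'s facility is an integer constant rather than the string `' LOG_USER'`; something like `openlog('syslog', 0, LOG_USER)` and `syslog(LOG_ALERT, "%s: rc=%s %s" % (cmd, err_code, output))` (on the Python 2 this file targets, `openlog` may also not accept keyword arguments). Neither `openlog` nor `syslog` appears in the file's visible imports — the import hunk above adds only `commands` and `time` — so unless `ldap_crans` re-exports them, `from syslog import openlog, syslog, LOG_ALERT, LOG_USER` is needed as well. Calling `Exception.__init__(self, cmd, err_code, output)` would additionally give the exception a useful `str()` for whoever catches it.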
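Review bot: `class firewall` now defines `__init__` twice; the second definition, which only closes `self.file_log`, replaces the first, so the log file is never opened and `firewall()` fails with AttributeError on the close — the second should be `def __del__(self):`. In `iptables()`, `getstatusoutput` is called bare although the hunk imports the module as `commands` (so `commands.getstatusoutput(cmd)`), and the raise names `IptablesError` while the class added above is `ErrorIptables`. `self.file_log.write(cmd)` writes no line terminator, so successive commands run together in the log; `self.file_log.write(cmd + "\n")` keeps it readable. Since `getstatusoutput` runs the command through a shell and several callers interpolate values read from LDAP (addresses, port strings) into it, a `subprocess` list form would remove that shell layer, though that is beyond this commit's scope.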
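Review bot: `iptables("iptables -F")` and the two calls after it in `stop()` invoke `iptables` as a free function, but the only `iptables` this file defines is the method added to `class firewall`, so these lines raise NameError at runtime; they need `self.iptables("iptables -F")`, `self.iptables("iptables -t nat -F")`, `self.iptables("iptables -X")`. The same bare-call replacement of `os.system` (and of `test(...)` in the two `-D` hunks) recurs in every later hunk of this file — create_defaults, the rule-deletion hunks, paire_macip, filtrage_mac, komaz, serveurs, blacklist, create_forward and create_adherents — and needs the same `self.` prefix. The enclosing `stop()` begins before the hunk.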
@@ -87,11 +105,11 @@ class firewall: """ for proto in ["tcp","udp"]: for i in range(len(config.port_default["%s_input" % proto])): - os.system("iptables -A DEFAULT_INPUT -p %s --dport "%proto+\ + iptables("iptables -A DEFAULT_INPUT -p %s --dport "%proto+\ config.port_default["%s_input" % proto][i]+\ " -j ACCEPT") for i in range(len(config.port_default["%s_output" % proto])): - os.system("iptables -A DEFAULT_OUTPUT -p %s --sport "%proto+\ + iptables("iptables -A DEFAULT_OUTPUT -p %s --sport "%proto+\ config.port_default["%s_output" % proto][i]+\ " -j ACCEPT") @@ -118,7 +136,7 @@ class firewall: count=0 if ip in line: count=count-1 - test("iptables -D %s %i"%(chaine,count)) + iptables("iptables -D %s %i"%(chaine,count)) os.system("rm -f /tmp/firewall") try: os.system("iptables -t nat -L -n > /tmp/firewall") @@ -135,14 +153,14 @@ class firewall: count=0 if ip in line: count=count-1 - test("iptables -t nat -D %s %i"%(chaine,count)) + iptables("iptables -t nat -D %s %i"%(chaine,count)) os.system("rm -f /tmp/firewall") def paire_macip(self,ip,mac): """ Crée le filtrage pour une paire mac-ip """ - os.system("iptables -t nat -A PREROUTING -s %s -m mac --mac-source %s -j ACCEPT"\ + iptables("iptables -t nat -A PREROUTING -s %s -m mac --mac-source %s -j ACCEPT"\ %(ip,mac)) def filtrage_mac(self): 
@@ -166,34 +184,34 @@ class firewall: barre.reinit() print OK - os.system("iptables -t nat -A PREROUTING -i %s -s \\!"%int_crans+\ + iptables("iptables -t nat -A PREROUTING -i %s -s \\!"%int_crans+\ " 138.231.136.0/21 -j ACCEPT") - os.system("iptables -t nat -A PREROUTING -i %s -s \\!"%int_crans+\ + iptables("iptables -t nat -A PREROUTING -i %s -s \\!"%int_crans+\ " 138.231.148.0/22 -j ACCEPT") for i in reseaux_non_routables: - os.system("iptables -t nat -A PREROUTING -i %s -s %s"%(int_crans,i)+\ + iptables("iptables -t nat -A PREROUTING -i %s -s %s"%(int_crans,i)+\ " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ " -j LOG --log-level %s --log-prefix %s"%\ (loglevel,logprefix_macip)) - os.system("iptables -t nat -A PREROUTING -i %s -s %s -j DROP"%\ + iptables("iptables -t nat -A PREROUTING -i %s -s %s -j DROP"%\ (int_crans,i)) - os.system("iptables -t nat -A PREROUTING -i %s -d %s"%(int_crans,i)+\ + iptables("iptables -t nat -A PREROUTING -i %s -d %s"%(int_crans,i)+\ " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ " -j LOG --log-level %s --log-prefix %s"%\ (loglevel,logprefix_macip)) - os.system("iptables -t nat -A PREROUTING -i %s -d %s -j DROP"%\ + iptables("iptables -t nat -A PREROUTING -i %s -d %s -j DROP"%\ (int_crans,i)) - os.system("iptables -t nat -A PREROUTING -i %s -p tcp "%int_crans+\ + iptables("iptables -t nat -A PREROUTING -i %s -p tcp "%int_crans+\ " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ " -j LOG --log-level %s --log-prefix %s"%\ (loglevel,logprefix_macip)) - os.system("iptables -t nat -A PREROUTING -i %s -p tcp"%int_crans+\ + iptables("iptables -t nat -A PREROUTING -i %s -p tcp"%int_crans+\ " -j DROP") - os.system("iptables -t nat -A PREROUTING -i %s -p udp"%int_crans+\ + iptables("iptables -t nat -A PREROUTING -i %s -p udp"%int_crans+\ " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ " -j LOG --log-level %s --log-prefix %s"%\ (loglevel,logprefix_macip)) - os.system("iptables -t nat -A 
PREROUTING -i %s -p udp"%int_crans+\ + iptables("iptables -t nat -A PREROUTING -i %s -p udp"%int_crans+\ " -j DROP") def komaz(self): @@ -202,19 +220,19 @@ class firewall: """ ports=komaz_ports['portTCPin'] for i in ports.split(' '): - os.system("iptables -A INPUT -d 138.231.136.4 -p tcp --dport %s"%i+\ + iptables("iptables -A INPUT -d 138.231.136.4 -p tcp --dport %s"%i+\ " -j ACCEPT") ports=komaz_ports['portTCPout'] for i in ports.split(' '): - os.system("iptables -A OUTPUT -s 138.231.136.4 -p tcp --dport %s"%i+\ + iptables("iptables -A OUTPUT -s 138.231.136.4 -p tcp --dport %s"%i+\ " -j ACCEPT") ports=komaz_ports['portUDPin'] for i in ports.split(' '): - os.system("iptables -A INPUT -d 138.231.136.4 -p udp --dport %s"%i+\ + iptables("iptables -A INPUT -d 138.231.136.4 -p udp --dport %s"%i+\ " -j ACCEPT") ports=komaz_ports['portUDPout'] for i in ports.split(' '): - os.system("iptables -A OUTPUT -s 138.231.136.4 -p udp --dport %s"%i+\ + iptables("iptables -A OUTPUT -s 138.231.136.4 -p udp --dport %s"%i+\ " -j ACCEPT") def serveurs(self): 
@@ -228,22 +246,22 @@ class firewall: for serveur in serveurs_list: ports=serveurs_ports[serveur]['portTCPin'] for i in ports.split(' '): - os.system("iptables -A FORWARD -d %s"%\ + iptables("iptables -A FORWARD -d %s"%\ eval(fonction_utile(serveur))['ip']+\ " -p tcp --dport %s -j ACCEPT"%i) ports=serveurs_ports[serveur]['portTCPout'] for i in ports.split(' '): - os.system("iptables -A FORWARD -s %s"%\ + iptables("iptables -A FORWARD -s %s"%\ eval(fonction_utile(serveur))['ip']+\ " -p tcp --dport %s -j ACCEPT"%i) ports=serveurs_ports[serveur]['portUDPin'] for i in ports.split(' '): - os.system("iptables -A FORWARD -d %s"%\ + iptables("iptables -A FORWARD -d %s"%\ eval(fonction_utile(serveur))['ip']+\ " -p udp --dport %s -j ACCEPT"%i) ports=serveurs_ports[serveur]['portUDPout'] for i in ports.split(' '): - os.system("iptables -A FORWARD -s %s"%\ + iptables("iptables -A FORWARD -s %s"%\ eval(fonction_utile(serveur))['ip']+\ " -p udp --dport %s -j ACCEPT"%i) for serveur in serveurs_list: @@ -254,8 +272,8 @@ class firewall: """ Bloque les adhérents blacklistés """ - os.system("iptables -N DEFAULT_INPUT") - os.system("iptables -N DEFAULT_OUTPUT") + iptables("iptables -N DEFAULT_INPUT") + iptables("iptables -N DEFAULT_OUTPUT") db=crans_ldap() blacklist=[] 
@@ -268,90 +286,90 @@ class firewall: else: blacklist+=entite.machines() for instance_machine in blacklist: - os.system("iptables -A BLACKLIST_INPUT -d %s"%\ + iptables("iptables -A BLACKLIST_INPUT -d %s"%\ instance_machine.ip().encode("iso-8859-15")+\ "-m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ " -j LOG --log-level %s --log-prefix_macip %s"%\ (loglevel,logprefix_blacklist)) - os.system("iptables -A BLACKLIST_INPUT -d %s -j REJECT"%\ + iptables("iptables -A BLACKLIST_INPUT -d %s -j REJECT"%\ instance_machine.ip()) - os.system("iptables -A BLACKLIST_OUTPUT -s %s"%\ + iptables("iptables -A BLACKLIST_OUTPUT -s %s"%\ instance_machine.ip().encode("iso-8859-15")+\ "-m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ " -j LOG --log-level %s --log-prefix_macip %s"%\ (loglevel,logprefix_blacklist)) - os.system("iptables -A BLACKLIST_OUTPUT -s %s -j REJECT"%\ + iptables("iptables -A BLACKLIST_OUTPUT -s %s -j REJECT"%\ instance_machine.ip()) - os.system("iptables -A BLACKLIST_INPUT -j DEFAULT_INPUT") - os.system("iptables -A BLACKLIST_OUTPUT -j DEFAULT_OUTPUT") + iptables("iptables -A BLACKLIST_INPUT -j DEFAULT_INPUT") + iptables("iptables -A BLACKLIST_OUTPUT -j DEFAULT_OUTPUT") def create_forward(self): """ Différencie ce qui arrive et ce qui part dans la chaîne FORWARD """ - os.system("iptables -N BLACKLIST_INPUT") - os.system("iptables -N BLACKLIST_OUTPUT") - os.system("iptables -A FORWARD -s 138.231.136.0/21 -j BLACKLIST_OUTPUT") - os.system("iptables -A FORWARD -s 138.231.136.0/22 -j BLACKLIST_OUTPUT") - os.system("iptables -A FORWARD -d 138.231.148.0/21 -j BLACKLIST_INPUT") - os.system("iptables -A FORWARD -d 138.231.148.0/22 -j BLACKLIST_INPUT") + iptables("iptables -N BLACKLIST_INPUT") + iptables("iptables -N BLACKLIST_OUTPUT") + iptables("iptables -A FORWARD -s 138.231.136.0/21 -j BLACKLIST_OUTPUT") + iptables("iptables -A FORWARD -s 138.231.136.0/22 -j BLACKLIST_OUTPUT") + iptables("iptables -A FORWARD -d 138.231.148.0/21 -j 
BLACKLIST_INPUT") + iptables("iptables -A FORWARD -d 138.231.148.0/22 -j BLACKLIST_INPUT") def create_adherents(self): """ Crée toutes les règles relatives aux adhérents ayant des règles spéciales """ - os.system("iptables -N ADHERENTS_OUTPUT") - os.system("iptables -N ADHERENTS_INPUT") + iptables("iptables -N ADHERENTS_OUTPUT") + iptables("iptables -N ADHERENTS_INPUT") - os.system("iptables -A ADHERENTS_INPUT -m state --state "+\ + iptables("iptables -A ADHERENTS_INPUT -m state --state "+\ "RELATED -j ACCEPT") - os.system("iptables -A ADHERENTS_OUTPUT -m state --state "+\ + iptables("iptables -A ADHERENTS_OUTPUT -m state --state "+\ "RELATED -j ACCEPT") - os.system("iptables -A ADHERENTS_INPUT -m state --state "+\ + iptables("iptables -A ADHERENTS_INPUT -m state --state "+\ "ESTABLISHED -m limit --limit-burst "+\ "%s -j ACCEPT"%limite_connexion) - os.system("iptables -A ADHERENTS_OUTPUT -m state --state "+\ + iptables("iptables -A ADHERENTS_OUTPUT -m state --state "+\ "ESTABLISHED -m limit --limit-burst "+\ "%s -j ACCEPT"%limite_connexion) - os.system("iptables -A DEFAULT_INPUT -j ADHERENTS_INPUT") - os.system("iptables -A DEFAULT_OUTPUT -j ADHERENTS_OUTPUT") + iptables("iptables -A DEFAULT_INPUT -j ADHERENTS_INPUT") + iptables("iptables -A DEFAULT_OUTPUT -j ADHERENTS_OUTPUT") db=crans_ldap() search=db.search('host=*.crans.org & portTCPin=*')['machine'] for champ in search: ports=champ.portTCPin() for j in ports.split(' '): - os.system("iptables -A ADHERENTS_INPUT -d %s"%champ.ip()+\ + iptables("iptables -A ADHERENTS_INPUT -d %s"%champ.ip()+\ " -p tcp --dport %s -j ACCEPT"%j) search=db.search('host=*.crans.org & portTCPout=*')['machine'] for champ in search: ports=champ.portTCPout() for j in ports.split(' '): - os.system("iptables -A ADHERENTS_OUTPUT -d %s"%champ.ip()+\ + iptables("iptables -A ADHERENTS_OUTPUT -d %s"%champ.ip()+\ " -p tcp --dport %s -j ACCEPT"%j) search=db.search('host=*.crans.org & portUDPin=*')['machine'] for champ in search: 
ports=champ.portUDPin() for j in ports.split(' '): - os.system("iptables -A ADHERENTS_INPUT -d %s"%champ.ip()+\ + iptables("iptables -A ADHERENTS_INPUT -d %s"%champ.ip()+\ " -p udp --dport %s -j ACCEPT"%j) search=db.search('host=*.crans.org & portUDPin=*')['machine'] for champ in search: ports=champ.portUDPout() for j in ports.split(' '): - os.system("iptables -A ADHERENTS_OUTPUT -d %s"%champ.ip()+\ + iptables("iptables -A ADHERENTS_OUTPUT -d %s"%champ.ip()+\ " -p udp --dport %s -j ACCEPT"%j) - os.system("iptables -A ADHERENTS_INPUT"+\ + iptables("iptables -A ADHERENTS_INPUT"+\ " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ " -j LOG --log-level %s --log-prefix %s"%\ (loglevel,logprefix_adherents)) - os.system("iptables -A ADHERENTS_INPUT -j REJECT") - os.system("iptables -A ADHERENTS_OUTPUT"+\ + iptables("iptables -A ADHERENTS_INPUT -j REJECT") + iptables("iptables -A ADHERENTS_OUTPUT"+\ " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ " -j LOG --log-level %s --log-prefix %s"%\ (loglevel,logprefix_adherents)) - os.system("iptables -A ADHERENTS_OUTPUT -j REJECT") + iptables("iptables -A ADHERENTS_OUTPUT -j REJECT") def adherent(self,ip): """ @@ -368,31 +386,31 @@ class firewall: wifi=False while (i
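Review bot: Switching the BLACKLIST rules from `os.system` to a call that raises on non-zero status changes their failure mode, and the pre-existing string bugs in this hunk will now abort the whole firewall build instead of being ignored: the `"-m limit ..."` fragment appended right after `instance_machine.ip().encode(...)` has no leading space, so the command reads `-d <ip>-m limit`, and `--log-prefix_macip` does not look like a LOG target option (the other hunks use `--log-prefix`). `" -m limit --limit %s ..."` and `" -j LOG --log-level %s --log-prefix %s"` on the four BLACKLIST LOG rules would make them match the rest of the file. Further down, the last `db.search('host=*.crans.org & portUDPin=*')` is followed by `champ.portUDPout()`, which looks like a copy of the previous block that should search `portUDPout=*`; worth confirming against the LDAP schema. The enclosing `create_adherents()` and the last `@@ -368` hunk continue outside SOURCE.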