From 6e27d6a09a700a8711ac3289005c06204090b877 Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Sun, 9 Dec 2012 18:34:07 +0100
Subject: [PATCH] =?UTF-8?q?[config,firewall=5Fnew,=20firewall6]=20On=20pou?= =?UTF-8?q?sse=20de=20la=20conf=20commune=20=C3=A0=20firewall=5Fnew=20et?= =?UTF-8?q?=20firewall6=20dans=20config?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ignore-this: d132731f820f32809f1690716ccff1da
darcs-hash:20121209173407-3a55a-73c9883fdebfe7aaf71f6bbb2a0fc83306f98fbc.gz
---
 gestion/config.py | 9 +++++++++
 gestion/gen_confs/firewall6.py | 13 +++----------
 gestion/gen_confs/firewall_new.py | 15 +++------------
 3 files changed, 15 insertions(+), 22 deletions(-)

diff --git a/gestion/config.py b/gestion/config.py
index 2f452ebe..6bdd3305 100644
--- a/gestion/config.py
+++ b/gestion/config.py
@@ -347,6 +347,15 @@ class virus:
 # Classe pour la détection du p2p #
 ###################################
 
+udp_torrent_tracker=[
+    'tracker.openbittorrent.com',
+    'tracker.ccc.de',
+    'tracker.istole.it',
+    'tracker.publicbt.com',
+    'tracker.1337x.org',
+    'fr33domtracker.h33t.com',
+    'tracker.torrentbox.com',
+    ]
 class p2p :
     # Limite de débit pour l'ensemble du p2p classifié, en octets/s
     # identique en upload et download
diff --git a/gestion/gen_confs/firewall6.py b/gestion/gen_confs/firewall6.py
index 2c3dce63..978767f6 100755
--- a/gestion/gen_confs/firewall6.py
+++ b/gestion/gen_confs/firewall6.py
@@ -27,6 +27,7 @@ sys.path.append('/usr/scripts/gestion')
 from ldap_crans import hostname
 from config import conf_fw, mid, prefix, role, file_pickle, open_ports
 from config import authorized_icmpv6, mac_wifi, adm_only, adm_users
+from config import udp_torrent_tracker
 from ipt import *
 
 # On invoque Ip6tables
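Review bot: The new list carries `'tracker.torrentbox.com'`, an entry that neither of the dicts removed from firewall6.py and firewall_new.py contained, so the commit changes the generated REJECT rule set beyond the consolidation its title describes; if that is intended it belongs in the description, otherwise the entry should be dropped. The list also has no comment saying who consumes it or that the names are only resolved when the rules are generated; I would add `# UDP BitTorrent trackers rejected by firewall_new/firewall6; names are resolved to addresses at rule-generation time` above it. Two blank lines before `class p2p :` would keep the file's top-level layout consistent.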
@@ -132,14 +133,6 @@ def main_router():
         ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_crans)
         ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_ip6 )
 
-    udp_torrent_tracker={
-        'tracker.openbittorrent.com':gethostbyname('tracker.openbittorrent.com')[1],
-        'tracker.ccc.de':gethostbyname('tracker.ccc.de')[1],
-        'tracker.istole.it':gethostbyname('tracker.istole.it')[1],
-        'tracker.publicbt.com':gethostbyname('tracker.publicbt.com')[1],
-        'tracker.1337x.org':gethostbyname('tracker.1337x.org')[1],
-        'fr33domtracker.h33t.com':gethostbyname('fr33domtracker.h33t.com')[1],
-    }
 
     # Les blacklistes
     # Si on les met après la règle conntrack, une connexion existante ne sera
@@ -164,8 +157,8 @@ def main_router():
     ip6tables.filter.tracker_torrent('-j REJECT --reject-with icmp6-adm-prohibited')
     ip6tables.filter.forward('-p tcp -m string --algo kmp --string "GET /" -j TRACKER_TORRENT')
     ip6tables.filter.forward('-p tcp -m string --algo kmp --string "get /" -j TRACKER_TORRENT')
-    for tracker in udp_torrent_tracker.keys():
-        for dest in udp_torrent_tracker[tracker]:
+    for tracker in udp_torrent_tracker:
+        for dest in gethostbyname(tracker)[1]:
             ip6tables.filter.forward('-p udp -d %s -j LOG --log-level notice --log-prefix "TRACKER:%s "' % (dest,(tracker[:20]) if len(tracker) > 20 else tracker))
             ip6tables.filter.forward('-p udp -d %s -j REJECT --reject-with icmp6-adm-prohibited' % dest)
 
diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index 558a3e55..745a827b 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
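Review bot: `for dest in gethostbyname(tracker)[1]:` now performs a DNS lookup per tracker inside the rule-building loop with no handling of a failed resolution; firewall_new.py's hunk at line 1192 has the same shape with `[0]`. What ipt.gethostbyname does on NXDOMAIN or a resolver timeout is not visible in the patch — if it raises, one dead tracker name aborts the whole firewall generation, and if it returns an empty list the tracker silently disappears from the reject rules, so neither outcome is logged. A narrow try/except around the lookup that logs the failed name and continues to the next tracker would make the chosen behaviour explicit, and a comment naming what element `[1]` selects (presumably the IPv6 addresses, given firewall_new uses `[0]`) would help. The expression `(tracker[:20]) if len(tracker) > 20 else tracker` is equivalent to `tracker[:20]`. main_router continues outside the hunk.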
@@ -37,7 +37,7 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi
 from affich_tools import *
 from commands import getstatusoutput
 from iptools import AddrInNet, NetSubnets, IpSubnet
-from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire
+from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire, udp_torrent_tracker
 from ipset import IpsetError, Ipset
 from lc_ldap import lc_ldap
 from ipt import gethostbyname
@@ -474,15 +474,6 @@ class firewall_komaz(firewall_crans) :
     filtres_p2p_bloq = [
     ]
 
-    udp_torrent_tracker={
-        'tracker.openbittorrent.com':gethostbyname('tracker.openbittorrent.com')[0],
-        'tracker.ccc.de':gethostbyname('tracker.ccc.de')[0],
-        'tracker.istole.it':gethostbyname('tracker.istole.it')[0],
-        'tracker.publicbt.com':gethostbyname('tracker.publicbt.com')[0],
-        'tracker.1337x.org':gethostbyname('tracker.1337x.org')[0],
-        'fr33domtracker.h33t.com':gethostbyname('fr33domtracker.h33t.com')[0],
-    }
-
     ports_p2p = [
         '412', '1214', '4662:4665' , '6346:6347', '6699', '6881:6889'
     ]
@@ -1192,8 +1183,8 @@ class firewall_komaz(firewall_crans) :
             iptables('-A FILTRE_P2P -m ipp2p --%s -j REJECT --reject-with icmp-admin-prohibited' % filtre[0])
         self.anim.cycle()
         #on rejetes les trackeur udp les plus connus
-        for tracker in self.udp_torrent_tracker.keys():
-            for dest in self.udp_torrent_tracker[tracker]:
+        for tracker in udp_torrent_tracker:
+            for dest in gethostbyname(tracker)[0]:
                 iptables('-A FILTRE_P2P -p udp -d %s -j LOG --log-level notice --log-prefix "TRACKER:%s "' % (dest,(tracker[:20]) if len(tracker) > 20 else tracker))
                 iptables('-A FILTRE_P2P -p udp -d %s -j REJECT --reject-with icmp-admin-prohibited' % dest)
 
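Review bot: The `from config import NETs, ... periode_transitoire, udp_torrent_tracker` line now lists fifteen names on a single line, so every future addition produces a diff as hard to read as this one; a parenthesised multi-line import with one name per line would fix that. firewall6.py handles the same addition with a separate `from config import udp_torrent_tracker` line in its hunk at 27, which this file could simply mirror.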
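Review bot: `for tracker in udp_torrent_tracker:` replaces the former `self.udp_torrent_tracker` class attribute with the module-level list, so any subclass of firewall_komaz that overrode that attribute (none is visible in the patch) silently loses its hook; if that is acceptable a comment such as `# shared tracker list lives in config.udp_torrent_tracker, not on the class` would record the decision. `gethostbyname(tracker)[0]` here versus `[1]` in firewall6.py presumably selects IPv4 versus IPv6 addresses; a one-line comment naming that would save the next reader a trip into ipt. The enclosing method starts and ends outside the hunk.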