diff --git a/gestion/config/firewall.py b/gestion/config/firewall.py index 7912c773..7cb12f55 100644 --- a/gestion/config/firewall.py +++ b/gestion/config/firewall.py @@ -17,7 +17,14 @@ dev = { 'zamok': { 'fil' : 'crans', 'adm' : 'crans.2' - } + }, + 'routeur': { + 'fil' : 'eth0', + 'adm' : 'eth1', + 'accueil' : 'eth2', + 'isolement' : 'eth3', + 'app' : 'eth4' + }, } #: Pour marquer les paquets diff --git a/gestion/gen_confs/firewall4.py b/gestion/gen_confs/firewall4.py index 9053839b..4533246e 100755 --- a/gestion/gen_confs/firewall4.py +++ b/gestion/gen_confs/firewall4.py @@ -12,7 +12,7 @@ if os.getuid() != 0: sys.stderr.write(coul("Il faut être root pour utiliser le firewall\n", 'gras')) sys.exit(1) -from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, mac_komaz, mac_titanic, adm_users +from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, mac_komaz, mac_titanic, adm_users, accueil_route import pwd import config.firewall @@ -830,9 +830,6 @@ class firewall_zamok(firewall_base): self.use_tc.extend([]) - - - def raw_table(self): table = 'raw' 
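Review bot: The new `'routeur'` entry of `dev` maps the five roles to bare `eth0`…`eth4` with nothing recording which VLAN each carries, and the firewall built later in this commit keys masquerade decisions on `dev['accueil']`, `dev['isolement']` and `dev['app']`, so a swapped interface silently moves a VLAN into the wrong policy. I would add a comment above the entry such as `# routeur: eth0 wired clients, eth1 admin, eth2 accueil VLAN (captive portal), eth3 isolement VLAN, eth4 personnel-ens — order follows the NIC enumeration, re-check after hardware changes`, filling in the real VLAN names. If the host uses udev-pinned names instead, say so there; kernel enumeration order is otherwise not guaranteed to be stable across reboots.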
@@ -913,10 +910,100 @@ class firewall_zamok(firewall_base): self.apply(table, chain) return chain +class firewall_routeur(firewall_base): + + def __init__(self): + super(self.__class__, self).__init__() + + self.reloadable.update({ + 'portail_captif_route' : self.portail_captif_route, + 'portail_captif' : self.portail_captif, + }) + + self.use_ipset.extend([]) + self.use_tc.extend([]) + + def raw_table(self): + table = 'raw' + super(self.__class__, self).raw_table() + return + + def mangle_table(self): + table = 'mangle' + super(self.__class__, self).mangle_table() + return + + def filter_table(self): + table = 'filter' + super(self.__class__, self).filter_table() + + chain = 'FORWARD' + self.flush(table, chain) + self.add(table, chain, '-j %s' % self.portail_captif_route(table)) + return + + def nat_table(self): + table = 'nat' + super(self.__class__, self).raw_table() + + chain = 'PREROUTING' + self.add(table, chain, '-j %s' % self.portail_captif(table)) + + chain = 'POSTROUTING' + self.add(table, chain, '-j %s' % self.portail_captif_route(table)) + return + + def portail_captif_route(self, table=None, apply=False): + chain = 'CAPTIF-ROUTE' + + if table == 'filter': + for ip in accueil_route.keys(): + for type in accueil_route[ip].keys(): + if type in ['udp', 'tcp']: + self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j ACCEPT' % (type, ip, ','.join(accueil_route[ip][type]))) + self.add(table, chain, '-p %s -s %s -m multiport --sports %s -j ACCEPT' % (type, ip, ','.join(accueil_route[ip][type]))) + self.add(table, chain, '-j REJECT') + + if table == 'nat': + #intranet et wiki pour le vlan accueil + for ip in accueil_route.keys(): + for type in accueil_route[ip].keys(): + if type in ['udp', 'tcp']: + self.add(table, chain, '-i %s -p %s -d %s -m multiport --dports %s -j MASQUERADE' % (dev['accueil'], type, ip, ','.join(accueil_route[ip][type]))) + self.add(table, chain, '-i %s -p %s -d %s -m multiport --dports %s -j MASQUERADE' % (dev['isolement'], 
type, ip, ','.join(accueil_route[ip][type]))) + for net in NETs['personnel-ens']: + self.add(table, chain, '-i %s -s %s -j MASQUERADE' % (dev['app'], net)) + + if apply: + self.apply(table, chain) + return chain + + def portail_captif(self, table=None, apply=False): + chain = 'PORTAIL-CAPTIF' + + if table == 'nat': + for ip in accueil_route.keys(): + for type in accueil_route[ip].keys(): + if type in ['udp', 'tcp']: + self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j RETURN' % (type, ip, ','.join(accueil_route[ip][type]))) + + for net in NETs['isolement']: + self.add(table, chain, '-p tcp -s %s --destination-port 80 -j DNAT --to-destination 10.52.0.10' % net) + + for net in NETs['accueil']: + self.add(table, chain, '-p tcp -s %s --destination-port 80 -j DNAT --to-destination 10.51.0.10' % net) + self.add(table, chain, '-p udp -s %s --dport 53 -j DNAT --to 10.51.0.10' % net) + self.add(table, chain, '-p tcp -s %s --dport 53 -j DNAT --to 10.51.0.10' % net) + + if apply: + self.apply(table, chain) + return chain + if __name__ == '__main__' : firewall = { 'komaz' : firewall_komaz, 'zamok' : firewall_zamok, + 'routeur' : firewall_routeur, } # Chaînes pouvant être recontruites if hostname in firewall.keys(): @@ -928,6 +1015,8 @@ if __name__ == '__main__' : def __usage(txt=None) : if txt!=None : cprint(txt,'gras') + chaines.sort() + print """Usage: %(p)s start : Construction du firewall. %(p)s restart : Reconstruction du firewall. diff --git a/gestion/gen_confs/generate.py b/gestion/gen_confs/generate.py index c89e36be..f33989ef 100755 --- a/gestion/gen_confs/generate.py +++ b/gestion/gen_confs/generate.py 
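Review bot: `nat_table` in `firewall_routeur` calls `super(self.__class__, self).raw_table()` where `raw_table`, `mangle_table` and `filter_table` each call their own base method, so the base class's nat setup is skipped and its raw-table rules are applied a second time before the PREROUTING/POSTROUTING jumps are added; it should read `super(self.__class__, self).nat_table()`. `filter_table` flushes FORWARD and leaves it with a single jump to CAPTIF-ROUTE, whose last rule is `-j REJECT`, so any FORWARD rules the base class installs (conntrack acceptance, blacklist or MAC/IP checks — not visible here) no longer apply to routed traffic; if that is intended a comment saying so is needed, otherwise open the chain with `-m state --state ESTABLISHED,RELATED -j ACCEPT` rather than relying on the `-s <ip> --sports` accepts for return traffic. The captive-portal targets `10.52.0.10` and `10.51.0.10` are hard-coded in `portail_captif` while the permitted destinations come from `config.accueil_route`; keeping both in config would put the whole policy in one place. The loop variable `type` shadows the builtin in both new methods. The `if __name__ == '__main__'` block at the end of the hunk continues outside it.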
@@ -38,22 +38,23 @@ db = crans_ldap() make_lock('auto_generate', 'Big lock', nowait=1) class base_reconfigure: + __blacklist_servers = [ 'komaz-blacklist', 'zamok-blacklist', 'routeur-blacklist' ] __service_develop = { 'macip': [ 'redisdead-macip', 'zamok-macip', 'sable-macip', 'komaz-macip', 'gordon-macip', 'routeur-macip' ], # 'droits': [ 'rouge-droits', 'ragnarok-droits' ], - 'bl_carte_etudiant': [ 'komaz-blacklist', 'zamok-blacklist' ], - 'bl_chbre_invalide': [ 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_mail_invalide': [ 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_virus': [ 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_warez': [ 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_ipv6_ra': [ 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_upload': [ 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_p2p': [ 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_autodisc_virus': [ 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_autodisc_upload': [ 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_autodisc_p2p': [ 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist' ], + 'bl_carte_etudiant': __blacklist_servers, + 'bl_chbre_invalide': __blacklist_servers, + 'blacklist_mail_invalide': __blacklist_servers, + 'blacklist_virus': __blacklist_servers, + 'blacklist_warez': __blacklist_servers, + 'blacklist_ipv6_ra': __blacklist_servers, + 'blacklist_upload': __blacklist_servers, + 'blacklist_p2p': __blacklist_servers, + 'blacklist_autodisc_virus': __blacklist_servers, + 'blacklist_autodisc_upload': __blacklist_servers, + 'blacklist_autodisc_p2p': __blacklist_servers, + 'blacklist_bloq': __blacklist_servers, 'del_user': [ 'daath-del_user', 'owl-del_user', 'zamok-del_user' ] } #Y R U Aliasing ! 
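Review bot: All twelve blacklist keys of `__service_develop` now alias one shared list object, so an in-place mutation through any of them (an `append` or `remove` on `__service_develop['blacklist_virus']`, say) would silently change every other entry; nothing in the hunk mutates them, but a tuple rules it out for good: `__blacklist_servers = ('komaz-blacklist', 'zamok-blacklist', 'routeur-blacklist')`. Adding `'routeur-blacklist'` presumably makes every blacklist regeneration dispatch to the routeur host, which only gains a `blacklist` method elsewhere in this commit; a comment on the constant such as `# every host listed here must implement blacklist() in its reconfigure class` would make that coupling explicit. The class body continues outside the hunk.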
@@ -215,9 +216,19 @@ class zamok(base_reconfigure): from adherents import del_user self._do(del_user(args)) + def __fw(self): + if not hasattr(self, '__real_fw'): + from firewall4 import firewall_zamok + self.__real_fw = firewall_zamok() + return self.__real_fw + def blacklist(self, ips): - from firewall4 import firewall_zamok - firewall_zamok().blacklist_maj(ips) + cprint(u"Mise a jour des blacklists", 'gras') + self.__fw().blacklist_maj(ips) + + def macip(self, ips): + cprint(u"Mise a jour correspondance MAC-IP", 'gras') + self.__fw().mac_ip_maj(ips) class daath(base_reconfigure): def home(self, args): @@ -293,7 +304,19 @@ class charybde(base_reconfigure): pass class routeur(base_reconfigure): - pass + def __fw(self): + if not hasattr(self, '__real_fw'): + from firewall4 import firewall_routeur + self.__real_fw = firewall_routeur() + return self.__real_fw + + def blacklist(self, ips): + cprint(u"Mise a jour des blacklists", 'gras') + self.__fw().blacklist_maj(ips) + + def macip(self, ips): + cprint(u"Mise a jour correspondance MAC-IP", 'gras') + self.__fw().mac_ip_maj(ips) class gordon(base_reconfigure) : def dhcp(self):
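Review bot: `hasattr(self, '__real_fw')` in `zamok.__fw` never matches the attribute set on the next line: inside the class body `self.__real_fw` is name-mangled to `self._zamok__real_fw`, but the string literal passed to `hasattr` is not, so the test is always False and a fresh `firewall_zamok()` is built on every `blacklist`/`macip` call — the cache is dead code. Use a single-underscore name in all three places, `if not hasattr(self, '_real_fw'):`, `self._real_fw = firewall_zamok()`, `return self._real_fw`. `macip` is the first caller of `mac_ip_maj` on this class in the diff; worth confirming `firewall_zamok` (or `firewall_base`) actually defines it, since neither is visible here. The class body continues outside the hunk.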
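Review bot: `routeur.__fw` has the same name-mangling defect as the zamok version: `hasattr(self, '__real_fw')` tests the unmangled name while the assignment creates `_routeur__real_fw`, so `firewall_routeur()` is re-instantiated on every `blacklist`/`macip` call; renaming to `_real_fw` in all three lines fixes it. Beyond that, the method is a copy of `zamok.__fw` differing only in the imported class, so a single helper on `base_reconfigure` that takes the firewall class (or a class attribute naming it) would keep the two from drifting. `firewall_routeur` as added in firewall4.py in this commit defines neither `blacklist_maj` nor `mac_ip_maj`, so both calls rely on `firewall_base` providing them; if they currently live on `firewall_zamok` (the only previous caller visible), these methods will raise `AttributeError` on the routeur host — please confirm. The hunk ends inside `class gordon`, which continues outside it.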