[firewall4, generate, config] Ajout du firewall pour routeur, on ajoute une methode macip à zamok sur generate pour utiliser celle de firewall4

2013-04-07 18:20:53 +02:00 · 2013-04-07 18:20:53 +02:00 · 6f44de3e4d
commit 6f44de3e4d
parent 24ff398376
3 changed files with 139 additions and 20 deletions
--- a/gestion/gen_confs/firewall4.py
+++ b/gestion/gen_confs/firewall4.py
@ -12,7 +12,7 @@ if os.getuid() != 0:
    sys.stderr.write(coul("Il faut être root pour utiliser le firewall\n", 'gras'))
    sys.exit(1)

-from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, mac_komaz, mac_titanic, adm_users
+from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, mac_komaz, mac_titanic, adm_users, accueil_route

 import pwd
 import config.firewall
@ -830,9 +830,6 @@ class firewall_zamok(firewall_base):
        self.use_tc.extend([])


-
-
-
    def raw_table(self):
        table = 'raw'

@ -913,10 +910,100 @@ class firewall_zamok(firewall_base):
            self.apply(table, chain)
        return chain

+class firewall_routeur(firewall_base):
+
+    def __init__(self):
+        super(self.__class__, self).__init__()
+
+        self.reloadable.update({
+            'portail_captif_route' : self.portail_captif_route,
+            'portail_captif' : self.portail_captif,
+        })
+
+        self.use_ipset.extend([])
+        self.use_tc.extend([])
+
+    def raw_table(self):
+        table = 'raw'
+        super(self.__class__, self).raw_table()
+        return
+
+    def mangle_table(self):
+        table = 'mangle'
+        super(self.__class__, self).mangle_table()
+        return
+
+    def filter_table(self):
+        table = 'filter'
+        super(self.__class__, self).filter_table()
+
+        chain = 'FORWARD'
+        self.flush(table, chain)
+        self.add(table, chain, '-j %s' % self.portail_captif_route(table))
+        return
+
+    def nat_table(self):
+        table = 'nat'
+        super(self.__class__, self).raw_table()
+
+        chain = 'PREROUTING'
+        self.add(table, chain, '-j %s' % self.portail_captif(table))
+
+        chain = 'POSTROUTING'
+        self.add(table, chain, '-j %s' % self.portail_captif_route(table))
+        return
+
+    def portail_captif_route(self, table=None, apply=False):
+        chain = 'CAPTIF-ROUTE'
+
+        if table == 'filter':
+            for ip in accueil_route.keys():
+                for type in accueil_route[ip].keys():
+                    if type in ['udp', 'tcp']:
+                        self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j ACCEPT' % (type, ip, ','.join(accueil_route[ip][type])))
+                        self.add(table, chain, '-p %s -s %s -m multiport --sports %s -j ACCEPT' % (type, ip, ','.join(accueil_route[ip][type])))
+            self.add(table, chain, '-j REJECT')
+
+        if table == 'nat':
+            #intranet et wiki pour le vlan accueil
+            for ip in accueil_route.keys():
+                for type in accueil_route[ip].keys():
+                    if type in ['udp', 'tcp']:
+                        self.add(table, chain, '-i %s -p %s -d %s -m multiport --dports %s -j MASQUERADE' % (dev['accueil'], type, ip, ','.join(accueil_route[ip][type])))
+                        self.add(table, chain, '-i %s -p %s -d %s -m multiport --dports %s -j MASQUERADE' % (dev['isolement'], type, ip, ','.join(accueil_route[ip][type])))
+            for net in NETs['personnel-ens']:
+                self.add(table, chain, '-i %s -s %s -j MASQUERADE' % (dev['app'], net))
+
+        if apply:
+            self.apply(table, chain)
+        return chain
+
+    def portail_captif(self, table=None, apply=False):
+        chain = 'PORTAIL-CAPTIF'
+
+        if table == 'nat':
+            for ip in accueil_route.keys():
+                for type in accueil_route[ip].keys():
+                    if type in ['udp', 'tcp']:
+                        self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j RETURN' % (type, ip, ','.join(accueil_route[ip][type])))
+
+            for net in NETs['isolement']:
+                self.add(table, chain, '-p tcp -s %s --destination-port 80 -j DNAT --to-destination 10.52.0.10' % net)
+
+            for net in NETs['accueil']:
+                self.add(table, chain, '-p tcp -s %s --destination-port 80 -j DNAT --to-destination 10.51.0.10' % net)
+                self.add(table, chain, '-p udp -s %s --dport 53 -j DNAT --to 10.51.0.10' % net)
+                self.add(table, chain, '-p tcp -s %s --dport 53 -j DNAT --to 10.51.0.10' % net)
+
+        if apply:
+            self.apply(table, chain)
+        return chain
+
 if __name__ == '__main__' :
    firewall = {
        'komaz' : firewall_komaz,
        'zamok' : firewall_zamok,
+        'routeur' : firewall_routeur,
    }
    # Chaînes pouvant être recontruites
    if hostname in firewall.keys():
@ -928,6 +1015,8 @@ if __name__ == '__main__' :
    def __usage(txt=None) :
        if txt!=None : cprint(txt,'gras')

+        chaines.sort()
+
        print """Usage:
   %(p)s start   : Construction du firewall.
   %(p)s restart : Reconstruction du firewall.