crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[firewall4, generate, config] Ajout du firewall pour routeur, on ajoute une methode macip à zamok sur generate pour utiliser celle de firewall4

Browse source
This commit is contained in:
Valentin Samir 2013-04-07 18:20:53 +02:00
parent 24ff398376
commit 6f44de3e4d
3 changed files with 139 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

9
gestion/config/firewall.py
View file

@ -17,7 +17,14 @@ dev = {
'zamok': { 'zamok': {
'fil' : 'crans', 'fil' : 'crans',
'adm' : 'crans.2' 'adm' : 'crans.2'
} },
'routeur': {
'fil' : 'eth0',
'adm' : 'eth1',
'accueil' : 'eth2',
'isolement' : 'eth3',
'app' : 'eth4'
},
} }
#: Pour marquer les paquets #: Pour marquer les paquets

97
gestion/gen_confs/firewall4.py
View file

@ -12,7 +12,7 @@ if os.getuid() != 0:
sys.stderr.write(coul("Il faut être root pour utiliser le firewall\n", 'gras')) sys.stderr.write(coul("Il faut être root pour utiliser le firewall\n", 'gras'))
sys.exit(1) sys.exit(1)
from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, mac_komaz, mac_titanic, adm_users from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, mac_komaz, mac_titanic, adm_users, accueil_route
import pwd import pwd
import config.firewall import config.firewall
@ -830,9 +830,6 @@ class firewall_zamok(firewall_base):
self.use_tc.extend([]) self.use_tc.extend([])
def raw_table(self): def raw_table(self):
table = 'raw' table = 'raw'
@ -913,10 +910,100 @@ class firewall_zamok(firewall_base):
self.apply(table, chain) self.apply(table, chain)
return chain return chain
class firewall_routeur(firewall_base):
def __init__(self):
super(self.__class__, self).__init__()
self.reloadable.update({
'portail_captif_route' : self.portail_captif_route,
'portail_captif' : self.portail_captif,
})
self.use_ipset.extend([])
self.use_tc.extend([])
def raw_table(self):
table = 'raw'
super(self.__class__, self).raw_table()
return
def mangle_table(self):
table = 'mangle'
super(self.__class__, self).mangle_table()
return
def filter_table(self):
table = 'filter'
super(self.__class__, self).filter_table()
chain = 'FORWARD'
self.flush(table, chain)
self.add(table, chain, '-j %s' % self.portail_captif_route(table))
return
def nat_table(self):
table = 'nat'
super(self.__class__, self).raw_table()
chain = 'PREROUTING'
self.add(table, chain, '-j %s' % self.portail_captif(table))
chain = 'POSTROUTING'
self.add(table, chain, '-j %s' % self.portail_captif_route(table))
return
def portail_captif_route(self, table=None, apply=False):
chain = 'CAPTIF-ROUTE'
if table == 'filter':
for ip in accueil_route.keys():
for type in accueil_route[ip].keys():
if type in ['udp', 'tcp']:
self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j ACCEPT' % (type, ip, ','.join(accueil_route[ip][type])))
self.add(table, chain, '-p %s -s %s -m multiport --sports %s -j ACCEPT' % (type, ip, ','.join(accueil_route[ip][type])))
self.add(table, chain, '-j REJECT')
if table == 'nat':
#intranet et wiki pour le vlan accueil
for ip in accueil_route.keys():
for type in accueil_route[ip].keys():
if type in ['udp', 'tcp']:
self.add(table, chain, '-i %s -p %s -d %s -m multiport --dports %s -j MASQUERADE' % (dev['accueil'], type, ip, ','.join(accueil_route[ip][type])))
self.add(table, chain, '-i %s -p %s -d %s -m multiport --dports %s -j MASQUERADE' % (dev['isolement'], type, ip, ','.join(accueil_route[ip][type])))
for net in NETs['personnel-ens']:
self.add(table, chain, '-i %s -s %s -j MASQUERADE' % (dev['app'], net))
if apply:
self.apply(table, chain)
return chain
def portail_captif(self, table=None, apply=False):
chain = 'PORTAIL-CAPTIF'
if table == 'nat':
for ip in accueil_route.keys():
for type in accueil_route[ip].keys():
if type in ['udp', 'tcp']:
self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j RETURN' % (type, ip, ','.join(accueil_route[ip][type])))
for net in NETs['isolement']:
self.add(table, chain, '-p tcp -s %s --destination-port 80 -j DNAT --to-destination 10.52.0.10' % net)
for net in NETs['accueil']:
self.add(table, chain, '-p tcp -s %s --destination-port 80 -j DNAT --to-destination 10.51.0.10' % net)
self.add(table, chain, '-p udp -s %s --dport 53 -j DNAT --to 10.51.0.10' % net)
self.add(table, chain, '-p tcp -s %s --dport 53 -j DNAT --to 10.51.0.10' % net)
if apply:
self.apply(table, chain)
return chain
if __name__ == '__main__' : if __name__ == '__main__' :
firewall = { firewall = {
'komaz' : firewall_komaz, 'komaz' : firewall_komaz,
'zamok' : firewall_zamok, 'zamok' : firewall_zamok,
'routeur' : firewall_routeur,
} }
# Chaînes pouvant être recontruites # Chaînes pouvant être recontruites
if hostname in firewall.keys(): if hostname in firewall.keys():
@ -928,6 +1015,8 @@ if __name__ == '__main__' :
def __usage(txt=None) : def __usage(txt=None) :
if txt!=None : cprint(txt,'gras') if txt!=None : cprint(txt,'gras')
chaines.sort()
print """Usage: print """Usage:
%(p)s start : Construction du firewall. %(p)s start : Construction du firewall.
%(p)s restart : Reconstruction du firewall. %(p)s restart : Reconstruction du firewall.

53
gestion/gen_confs/generate.py
View file

@ -38,22 +38,23 @@ db = crans_ldap()
make_lock('auto_generate', 'Big lock', nowait=1) make_lock('auto_generate', 'Big lock', nowait=1)
class base_reconfigure: class base_reconfigure:
__blacklist_servers = [ 'komaz-blacklist', 'zamok-blacklist', 'routeur-blacklist' ]
__service_develop = { __service_develop = {
'macip': [ 'redisdead-macip', 'zamok-macip', 'sable-macip', 'komaz-macip', 'gordon-macip', 'macip': [ 'redisdead-macip', 'zamok-macip', 'sable-macip', 'komaz-macip', 'gordon-macip',
'routeur-macip' ], 'routeur-macip' ],
# 'droits': [ 'rouge-droits', 'ragnarok-droits' ], # 'droits': [ 'rouge-droits', 'ragnarok-droits' ],
'bl_carte_etudiant': [ 'komaz-blacklist', 'zamok-blacklist' ], 'bl_carte_etudiant': __blacklist_servers,
'bl_chbre_invalide': [ 'komaz-blacklist', 'zamok-blacklist' ], 'bl_chbre_invalide': __blacklist_servers,
'blacklist_mail_invalide': [ 'komaz-blacklist', 'zamok-blacklist' ], 'blacklist_mail_invalide': __blacklist_servers,
'blacklist_virus': [ 'komaz-blacklist', 'zamok-blacklist' ], 'blacklist_virus': __blacklist_servers,
'blacklist_warez': [ 'komaz-blacklist', 'zamok-blacklist' ], 'blacklist_warez': __blacklist_servers,
'blacklist_ipv6_ra': [ 'komaz-blacklist', 'zamok-blacklist' ], 'blacklist_ipv6_ra': __blacklist_servers,
'blacklist_upload': [ 'komaz-blacklist', 'zamok-blacklist' ], 'blacklist_upload': __blacklist_servers,
'blacklist_p2p': [ 'komaz-blacklist', 'zamok-blacklist' ], 'blacklist_p2p': __blacklist_servers,
'blacklist_autodisc_virus': [ 'komaz-blacklist', 'zamok-blacklist' ], 'blacklist_autodisc_virus': __blacklist_servers,
'blacklist_autodisc_upload': [ 'komaz-blacklist', 'zamok-blacklist' ], 'blacklist_autodisc_upload': __blacklist_servers,
'blacklist_autodisc_p2p': [ 'komaz-blacklist', 'zamok-blacklist' ], 'blacklist_autodisc_p2p': __blacklist_servers,
'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist' ], 'blacklist_bloq': __blacklist_servers,
'del_user': [ 'daath-del_user', 'owl-del_user', 'zamok-del_user' ] 'del_user': [ 'daath-del_user', 'owl-del_user', 'zamok-del_user' ]
} }
#Y R U Aliasing ! #Y R U Aliasing !
@ -215,9 +216,19 @@ class zamok(base_reconfigure):
from adherents import del_user from adherents import del_user
self._do(del_user(args)) self._do(del_user(args))
def blacklist(self, ips): def __fw(self):
if not hasattr(self, '__real_fw'):
from firewall4 import firewall_zamok from firewall4 import firewall_zamok
firewall_zamok().blacklist_maj(ips) self.__real_fw = firewall_zamok()
return self.__real_fw
def blacklist(self, ips):
cprint(u"Mise a jour des blacklists", 'gras')
self.__fw().blacklist_maj(ips)
def macip(self, ips):
cprint(u"Mise a jour correspondance MAC-IP", 'gras')
self.__fw().mac_ip_maj(ips)
class daath(base_reconfigure): class daath(base_reconfigure):
def home(self, args): def home(self, args):
@ -293,7 +304,19 @@ class charybde(base_reconfigure):
pass pass
class routeur(base_reconfigure): class routeur(base_reconfigure):
pass def __fw(self):
if not hasattr(self, '__real_fw'):
from firewall4 import firewall_routeur
self.__real_fw = firewall_routeur()
return self.__real_fw
def blacklist(self, ips):
cprint(u"Mise a jour des blacklists", 'gras')
self.__fw().blacklist_maj(ips)
def macip(self, ips):
cprint(u"Mise a jour correspondance MAC-IP", 'gras')
self.__fw().mac_ip_maj(ips)
class gordon(base_reconfigure) : class gordon(base_reconfigure) :
def dhcp(self): def dhcp(self):