[firewall6, ipt] Routage du wifi via komaz, ajout d'une zone serveur distincte des machines filaires, clamp-mss-to-pmtu

gestion/gen_confs/firewall6.py

@@ -43,13 +43,14 @@ Usage:
 """ % { 'script' : sys.argv[0].split('/')[-1] }
 
 
-def ports(dev_ip6, dev_crans):
+def ports(dev_ip6, dev_list):
     ''' Ouvre les ports '''
     for machine in machines :
-        for type_machine in ['fil', 'fil-v6', 'wifi', 'wifi-v6']:
+        for type_machine in ['fil', 'fil-v6', 'wifi', 'wifi-v6', 'serveurs']:
             if int(machine.rid()) in range(rid[type_machine][0],
             rid[type_machine][1]):
-                ports_io(ip6tables, machine, type_machine, dev_ip6, dev_crans)
+                for dev in dev_list:
+                    ports_io(ip6tables, machine, type_machine, dev_ip6, dev)
 
     #Protection contre les attaques brute-force
     # XXX FIXIT !!!
@@ -72,12 +73,13 @@ def ports(dev_ip6, dev_crans):
         eval('ip6tables.filter.ext' + re.sub('-', '', type_machine))('-j REJECT --reject-with icmp6-port-unreachable')
  
     # Port ouvert CRANS->EXT
-    ip6tables.filter.forward('-i %s -p udp -m multiport --dports 0:136,140:65535 -j ACCEPT' % dev_crans)
-    # FIXME: proxy transparent -> port 80
-    ip6tables.filter.forward('-i %s -p tcp -m multiport --dports 0:24,26:79,80,81:134,136,140:444,446:65535 -j ACCEPT' % dev_crans)
+    for dev in dev_list:
+        ip6tables.filter.forward('-i %s -p udp -m multiport --dports 0:136,140:65535 -j ACCEPT' % dev)
+        # FIXME: proxy transparent -> port 80
+        ip6tables.filter.forward('-i %s -p tcp -m multiport --dports 0:24,26:79,80,81:134,136,140:444,446:65535 -j ACCEPT' % dev)
 
     for type_machine in ['fil', 'fil-v6', 'wifi', 'wifi-v6']:
-        ip6tables.filter.forward('-i %s -s %s -j %s' % (dev_crans,
+        ip6tables.filter.forward('-i %s -s %s -j %s' % (iface6(type_machine),
             prefix[dprefix[type_machine]][0], 'CRANS' + re.sub('-', '',
                 type_machine.upper())))
         eval('ip6tables.filter.crans' + re.sub('-', '', type_machine))('-j REJECT --reject-with icmp6-port-unreachable')
@@ -101,12 +103,12 @@ def basic_fw():
 
     # XXX Code spécifique pour le wifi, peut être pas la manière la plus
     # élégante, mais peut être la plus pratique
-    if hostname in role.keys() and ('wifi-router' not in role[hostname]):
-        ip6tables.filter.ieui64('-i %s -s %s -m mac --mac-source %s -j RETURN'
-                % (iface6('fil'), prefix['wifi'][0], mac_wifi))
+    #if hostname in role.keys() and ('wifi-router' not in role[hostname]):
+    #    ip6tables.filter.ieui64('-i %s -s %s -m mac --mac-source %s -j RETURN'
+    #            % (iface6('fil'), prefix['wifi'][0], mac_wifi))
     
     # Correspondance MAC-IP
-    mac_ip(ip6tables, machines, ['fil', 'fil-v6', 'adm'])
+    mac_ip(ip6tables, machines, ['fil', 'fil-v6', 'adm', 'wifi', 'wifi-v6', 'serveurs'])
 
 #wifi ?
 
@@ -127,10 +129,19 @@ def main_router():
 #    ip6tables.mangle.prerouting("-p tcp -d ! %s --dport 80 -j MARK --set-mark\
 #    %s" % (prefix['fil'][0], conf_fw.mark['proxy']))
 #
+
     dev_crans = iface6('fil')
+    dev_wifi = iface6('wifi')
     dev_ip6 = iface6('sixxs2')
     
+    ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_ip6)
+    ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_wifi)
+    ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_crans)
+
+    ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_MAC_IP "' % dev_crans)
+    ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_MAC_IP "' % dev_wifi)
     ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_crans)
+    ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_wifi)
     ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' %  dev_ip6 )
     
 
@@ -142,6 +153,7 @@ def main_router():
     # machine.
     blacklist(ip6tables)
     ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_crans)
+    ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_wifi)
     #~ ip6tables.filter.forward('-o %s -j BLACKLIST_SRC' % dev_ip6)
     ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6)
     
@@ -171,15 +183,16 @@ def main_router():
     ip6tables.filter.forward('-j INGRESS_FILTERING')
 
     # Pour les autres connections
-    for type_m in [i for i in ['fil', 'fil-v6'] if not 'v6' in i]:
+    for type_m in [i for i in ['fil', 'fil-v6', 'wifi', 'wifi-v6'] if not 'v6' in i]:
         ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' +
             type_m.upper()))
     ip6tables.filter.forward('-i %s -j MAC' % dev_crans)
-    ip6tables.filter.forward('-i %s -j FEUI64' % dev_crans)
-    ip6tables.filter.feui64('-s %s -m mac --mac-source %s -j RETURN' %
-            (prefix['wifi'][0], mac_wifi))
-    ip6tables.filter.feui64('-s %s -m eui64 -j RETURN' % prefix['fil'][0])
-    ip6tables.filter.feui64('-j REJECT')
+    ip6tables.filter.forward('-i %s -j MAC' % dev_wifi)
+    #ip6tables.filter.forward('-i %s -j FEUI64' % dev_crans)
+    #ip6tables.filter.feui64('-s %s -m mac --mac-source %s -j RETURN' %
+    #        (prefix['wifi'][0], mac_wifi))
+    #ip6tables.filter.feui64('-s %s -m eui64 -j RETURN' % prefix['fil'][0])
+    #ip6tables.filter.feui64('-j REJECT')
 
     # Rien ne passe vers adm
     # est ce que du local est gêné par le règle ?
@@ -194,7 +207,7 @@ def main_router():
     ip6tables.filter.forward('-m rt --rt-type 0 -j REJECT')
 
     # Ouverture des ports
-    ports(dev_ip6, dev_crans)
+    ports(dev_ip6, [dev_crans, dev_wifi])
  
     # On met en place le forwarding
     enable_forwarding(6)