crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[firewall6, ipt] Routage du wifi via komaz, ajout d'une zone serveur distincte des machines filaires, clamp-mss-to-pmtu

Browse source
This commit is contained in:
Valentin Samir 2013-02-09 17:41:50 +01:00
parent 4ed07296ce
commit 74468eb34d
3 changed files with 52 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

5
gestion/config.py
View file

@ -614,11 +614,12 @@ prefix = { 'subnet' : [ '2a01:240:fe3d::/48' ],
'serveurs' : [ '2a01:240:fe3d:4::/64'],
'fil' : [ '2a01:240:fe3d:4::/64' ],
'adm' : [ '2a01:240:fe3d:c804::/64' ],
'wifi' : [ '2a01:240:fe3d:f7::/64' ],
'wifi' : [ '2a01:240:fe3d:c04::/64' ],
'fil-v6' : [ '2a01:240:fe3d:4::/64' ],
'wifi-v6' : [ '2a01:240:fe3d:f7::/64' ],
'wifi-v6' : [ '2a01:240:fe3d:c04::/64' ],
'personnel-ens' : [ '2a01:240:fe3d:4::/64' ],
'sixxs2' : [ '2a01:240:fe00:68::/64' ],
'evenementiel' : [ '2a01:240:fe3d:d2::/64' ],
}
# Domaines dans lesquels les machines sont placées suivant leur type

47
gestion/gen_confs/firewall6.py
View file

@ -43,13 +43,14 @@ Usage:
""" % { 'script' : sys.argv[0].split('/')[-1] }
def ports(dev_ip6, dev_crans):
def ports(dev_ip6, dev_list):
''' Ouvre les ports '''
for machine in machines :
for type_machine in ['fil', 'fil-v6', 'wifi', 'wifi-v6']:
for type_machine in ['fil', 'fil-v6', 'wifi', 'wifi-v6', 'serveurs']:
if int(machine.rid()) in range(rid[type_machine][0],
rid[type_machine][1]):
ports_io(ip6tables, machine, type_machine, dev_ip6, dev_crans)
for dev in dev_list:
ports_io(ip6tables, machine, type_machine, dev_ip6, dev)
#Protection contre les attaques brute-force
# XXX FIXIT !!!
@ -72,12 +73,13 @@ def ports(dev_ip6, dev_crans):
eval('ip6tables.filter.ext' + re.sub('-', '', type_machine))('-j REJECT --reject-with icmp6-port-unreachable')
# Port ouvert CRANS->EXT
ip6tables.filter.forward('-i %s -p udp -m multiport --dports 0:136,140:65535 -j ACCEPT' % dev_crans)
for dev in dev_list:
ip6tables.filter.forward('-i %s -p udp -m multiport --dports 0:136,140:65535 -j ACCEPT' % dev)
# FIXME: proxy transparent -> port 80
ip6tables.filter.forward('-i %s -p tcp -m multiport --dports 0:24,26:79,80,81:134,136,140:444,446:65535 -j ACCEPT' % dev_crans)
ip6tables.filter.forward('-i %s -p tcp -m multiport --dports 0:24,26:79,80,81:134,136,140:444,446:65535 -j ACCEPT' % dev)
for type_machine in ['fil', 'fil-v6', 'wifi', 'wifi-v6']:
ip6tables.filter.forward('-i %s -s %s -j %s' % (dev_crans,
ip6tables.filter.forward('-i %s -s %s -j %s' % (iface6(type_machine),
prefix[dprefix[type_machine]][0], 'CRANS' + re.sub('-', '',
type_machine.upper())))
eval('ip6tables.filter.crans' + re.sub('-', '', type_machine))('-j REJECT --reject-with icmp6-port-unreachable')
@ -101,12 +103,12 @@ def basic_fw():
# XXX Code spécifique pour le wifi, peut être pas la manière la plus
# élégante, mais peut être la plus pratique
if hostname in role.keys() and ('wifi-router' not in role[hostname]):
ip6tables.filter.ieui64('-i %s -s %s -m mac --mac-source %s -j RETURN'
% (iface6('fil'), prefix['wifi'][0], mac_wifi))
#if hostname in role.keys() and ('wifi-router' not in role[hostname]):
# ip6tables.filter.ieui64('-i %s -s %s -m mac --mac-source %s -j RETURN'
# % (iface6('fil'), prefix['wifi'][0], mac_wifi))
# Correspondance MAC-IP
mac_ip(ip6tables, machines, ['fil', 'fil-v6', 'adm'])
mac_ip(ip6tables, machines, ['fil', 'fil-v6', 'adm', 'wifi', 'wifi-v6', 'serveurs'])
#wifi ?
@ -127,10 +129,19 @@ def main_router():
# ip6tables.mangle.prerouting("-p tcp -d ! %s --dport 80 -j MARK --set-mark\
# %s" % (prefix['fil'][0], conf_fw.mark['proxy']))
#
dev_crans = iface6('fil')
dev_wifi = iface6('wifi')
dev_ip6 = iface6('sixxs2')
ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_ip6)
ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_wifi)
ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_crans)
ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_MAC_IP "' % dev_crans)
ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_MAC_IP "' % dev_wifi)
ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_crans)
ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_wifi)
ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_ip6 )
@ -142,6 +153,7 @@ def main_router():
# machine.
blacklist(ip6tables)
ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_crans)
ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_wifi)
#~ ip6tables.filter.forward('-o %s -j BLACKLIST_SRC' % dev_ip6)
ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6)
@ -171,15 +183,16 @@ def main_router():
ip6tables.filter.forward('-j INGRESS_FILTERING')
# Pour les autres connections
for type_m in [i for i in ['fil', 'fil-v6'] if not 'v6' in i]:
for type_m in [i for i in ['fil', 'fil-v6', 'wifi', 'wifi-v6'] if not 'v6' in i]:
ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' +
type_m.upper()))
ip6tables.filter.forward('-i %s -j MAC' % dev_crans)
ip6tables.filter.forward('-i %s -j FEUI64' % dev_crans)
ip6tables.filter.feui64('-s %s -m mac --mac-source %s -j RETURN' %
(prefix['wifi'][0], mac_wifi))
ip6tables.filter.feui64('-s %s -m eui64 -j RETURN' % prefix['fil'][0])
ip6tables.filter.feui64('-j REJECT')
ip6tables.filter.forward('-i %s -j MAC' % dev_wifi)
#ip6tables.filter.forward('-i %s -j FEUI64' % dev_crans)
#ip6tables.filter.feui64('-s %s -m mac --mac-source %s -j RETURN' %
# (prefix['wifi'][0], mac_wifi))
#ip6tables.filter.feui64('-s %s -m eui64 -j RETURN' % prefix['fil'][0])
#ip6tables.filter.feui64('-j REJECT')
# Rien ne passe vers adm
# est ce que du local est gêné par le règle ?
@ -194,7 +207,7 @@ def main_router():
ip6tables.filter.forward('-m rt --rt-type 0 -j REJECT')
# Ouverture des ports
ports(dev_ip6, dev_crans)
ports(dev_ip6, [dev_crans, dev_wifi])
# On met en place le forwarding
enable_forwarding(6)

20
gestion/ipt.py
View file

@ -56,7 +56,7 @@ Filter_policy_template = """
"""
dprefix = { 'fil' : 'fil', 'fil-v6' : 'fil', 'adm' : 'adm', 'wifi' : 'wifi',
'wifi-v6' : 'wifi','personnel-ens':'personnel-ens' }
'wifi-v6' : 'wifi','personnel-ens':'personnel-ens', 'serveurs':'serveurs' }
default_chains = [ 'PREROUTING', 'INPUT', 'FORWARD', 'OUTPUT', 'POSTROUTING' ]
@ -87,6 +87,7 @@ class Table(object):
self.postrouting = Chain()
self.mac = Chain()
self.macfil = Chain()
self.macserveurs = Chain()
self.macfilv6 = Chain()
self.macadm = Chain()
self.macwifi = Chain()
@ -116,6 +117,8 @@ class Ip6tables(object):
def macip(self, mac, type_m):
'''Fait la correspondance MAC-IP'''
tab = {'serveurs' : 'fil' }
if type_m in tab.keys(): type_m = tab[type_m]
type_mm = re.sub('-', '', type_m)
getattr(self.filter,'mac' + type_mm)(" ".join(['-m mac --mac-source', mac,
'-j RETURN']))
@ -126,7 +129,8 @@ class Ip6tables(object):
'''Ouverture des ports de l'extérieur vers la zone crans'''
tab = { 'fil' : 'extfil', 'fil-v6' : 'extfilv6',
'wifi' : 'extwifi',
'wifi-v6' : 'extwifiv6' }
'wifi-v6' : 'extwifiv6',
'serveurs':'extfil' }
ip = ipv6_addr(mac, type_machine)
for proto in ['tcp', 'udp']:
for port in ports[proto]:
@ -141,7 +145,8 @@ ACCEPT' % (dev, proto, ip, port))
'''Ouverture des ports de la zone crans vers l'extérieur'''
tab = { 'fil' : 'cransfil', 'fil-v6' :
'cransfilv6', 'wifi' : 'cranswifi',
'wifi-v6' : 'cranswifiv6' }
'wifi-v6' : 'cranswifiv6',
'serveurs':'cransfil' }
ip = ipv6_addr(mac, type_machine)
for proto in ['tcp', 'udp']:
for port in ports[proto]:
@ -255,11 +260,11 @@ REJECT --reject-with icmp6-port-unreachable')
l'interface devrait être la même que pour la fonction finale'''
check_ip_proto(ip_proto)
ipt_p = open_pickle(ip_proto)
for type_m in ['fil', 'fil-v6', 'adm']:
for type_m in ['fil', 'fil-v6', 'adm', 'serveurs']:
type_mm = re.sub('-', '', type_m)
getattr(ipt_p.filter,'mac%s' % type_mm).items[:] = []
machines = db.all_machines(graphic = True)
macips(ipt_p, machines, ['fil', 'fil-v6', 'adm'])
macips(ipt_p, machines, ['fil', 'fil-v6', 'adm', 'serveurs'])
write_rules(ipt_p)
apply_rules(ip_proto)
@ -728,6 +733,7 @@ def mac_ip(ipt, machines, types_machines):
'''Réalise une correspondance MAC-IP pour un réseau considéré
On vérifie d'abord que la MAC est connue et ensuite on n'accepte que les
adresses en eui64'''
macips(ipt, machines, types_machines)
# TODO Il faut raffiner avant de rajouter le wifi
for type_m in types_machines:
@ -745,12 +751,16 @@ def mac_ip(ipt, machines, types_machines):
def macips(ipt, machines, types_machines):
''' Construit la chaîne MAC '''
tab = {'serveurs' : 'fil' }
for machine in machines:
for type_m in types_machines:
if int(machine.rid()) in range(rid[type_m][0], rid[type_m][1]):
ipt.macip(machine.mac(), type_m)
break
for type_m in types_machines:
if not type_m in tab.keys():
type_mm = re.sub('-', '', type_m)
getattr(ipt.filter,'mac' + type_mm)('-j REJECT')
#eval('ipt.filter.mac' + type_mm)('-j REJECT')