From 76bf5f8ab8d6cb55a1cbf952f25a6395564fbdd5 Mon Sep 17 00:00:00 2001
From: sabban <none>
Date: Wed, 27 Oct 2004 21:20:14 +0200
Subject: [PATCH] -> firewall dans le cvs

darcs-hash:20041027192014-1d643-ab1724aa01fbf9cdb0f3278644685aa10bb2d2ef.gz
---
 gestion/classe_firewall.py | 374 +++++++++++++++++++++++++++++++++++++
 gestion/config_firewall.py |  66 +++++++
 gestion/firewall.py        |  99 ++++++++++
 3 files changed, 539 insertions(+)
 create mode 100755 gestion/classe_firewall.py
 create mode 100644 gestion/config_firewall.py
 create mode 100755 gestion/firewall.py

diff --git a/gestion/classe_firewall.py b/gestion/classe_firewall.py
new file mode 100755
index 00000000..05c32e1b
--- /dev/null
+++ b/gestion/classe_firewall.py
@@ -0,0 +1,374 @@
+#!/usr/bin/env python
+# -*- coding: iso-8859-1 -*- 
+# The author of this code is Manuel Sabban <manu@feyd-rautha.org>
+#
+# Copyright (c) 2004 Manuel Sabban.
+#
+# Permission to use, copy, and modify this software with or without fee
+# is hereby granted, provided that this entire notice is included in
+# all source code copies of any software which is or includes a copy or
+# modification of this software.
+#
+# THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+# IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+# REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+# MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+# PURPOSE.
+""" classe Firewall de Komaz """
+import sys,os
+import iptools,config,fileinput
+from ldap_crans import *
+from config_firewall import *
+from affich_tools import *
+def test(fredgroscon):
+    print fredgroscon
+    os.system(fredgroscon)
+
+class ErrorArgument(Exception):
+    """
+    User defined exception 
+    Erreur sur les arguments d'appel du firewall
+    """
+    pass
+class ErrorIp(Exception):
+    """
+    User defined exception
+    Erreur dans les fonctions Ips
+    """
+    def __init__(self, ip):
+        self.ip=ip
+class ErrorMoreThanOneIp(ErrorIp):
+    """
+    User defined exception
+    Au moins deux utilisateurs ont la même ip
+    """
+    pass
+class ErrorIptables(Exception):
+    pass
+    """
+    User defined exception
+    Les erreurs d'iptables
+    """
+
+class ErrorNoSuchIp(ErrorIp):
+    """
+    User defined exception
+    Personne n'a cette ip
+    """
+    pass
+    
+class firewall:                    
+    def start(self):
+        """
+        Construit le firewall
+        Pas d'arguments
+        """
+        self.komaz
+        self.serveurs()
+        self.filtrage_mac()
+	self.create_forward()
+        self.blacklist()
+        self.create_adherents()
+        
+    def stop(self):
+        """
+        Arrête le firewall
+        Pas d'arguments
+        """
+        print "Arrêt du firewall"
+        os.system("iptables -F")
+        os.system("iptables -t nat -F")
+	os.system("iptables -X")
+
+    def create_defaults(self):
+        """
+        Crée la chaîne par laquelle tous les adhérents passent par défault
+        Pas d'argument
+        """
+        for proto in ["tcp","udp"]:
+            for i in range(len(config.port_default["%s_input" % proto])):
+                test("iptables -A DEFAULT_INPUT -p %s --dport "%proto+\
+                      config.port_default["%s_input" % proto][i]+\
+                      " -j ACCEPT")
+            for i in range(len(config.port_default["%s_output" % proto])):
+                test("iptables -A DEFAULT_OUTPUT -p %s --sport "%proto+\
+                      config.port_default["%s_output" % proto][i]+\
+                      " -j ACCEPT")
+
+	
+    def del_entree(self,ip):
+        """
+        Détruit une entrée dans le firewall
+        Note: Il faut *tester lourdement* cette fonction.
+        """
+        try:
+            os.system("iptables -L -n > /tmp/firewall")
+        except:
+            print "Impossible de créer le fichier d'états /tmp/firewall"
+            exit()
+        chaines=[]
+        count=0
+        for line in fileinput.input('/tmp/firewall'):
+            count=count+1
+            if "Chain" in line:
+                tmp=line.split(' ')
+                chaine=tmp[1]
+                count=0
+            if ip in line:
+                test("iptables -D %i %s"%(count,chaine))
+        os.system("rm -f /tmp/firewall")
+                  
+    def paire_macip(self,ip,mac):
+        """
+        Crée le filtrage pour une paire mac-ip
+        """
+        os.system("iptables -t nat -A PREROUTING -s %s -m mac --mac-source %s -j ACCEPT"\
+          %(ip,mac))
+
+    def filtrage_mac(self):
+        """
+        Crée tout le routage sur la chaîne PREROUTING
+        """
+        db=crans_ldap()
+        search=db.search('host!=*.wifi.crans.org')['machine']
+	barre=anim("Filtrage mac-ip des machines fixes.",len(search))
+        for i in range(0,len(search)):
+            self.paire_macip(search[i].ip(),search[i].mac())
+	    barre.cycle()
+        search=db.search('host=*.wifi.crans.org')['machine']
+
+	barre=anim("Filtrage mac-ip des machines wifi.",len(search))
+	for i in range(0,len(search)):
+            self.paire_macip(search[i].ip(),'00:0c:f1:fa:f1:4b')
+	    barre.cycle()
+
+	os.system("iptables -t nat -A PREROUTING -i %s -s \\!"%int_crans+\
+              " 138.231.136.0/21 -j ACCEPT")
+        os.system("iptables -t nat -A PREROUTING -i %s -s \\!"%int_crans+\
+              " 138.231.148.0/22 -j ACCEPT")
+        for i in reseaux_non_routables:
+            os.system("iptables -t nat -A PREROUTING -i %s -s %s"%(int_crans,i)+\
+                  " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\
+                  " -j LOG --log-level %s --log-prefix %s"%\
+                  (loglevel,logprefix_macip))
+            os.system("iptables -t nat -A PREROUTING -i %s -s %s -j DROP"%\
+                  (int_crans,i))
+            os.system("iptables -t nat -A PREROUTING -i %s -d %s"%(int_crans,i)+\
+                  " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\
+                  " -j LOG --log-level %s --log-prefix %s"%\
+                  (loglevel,logprefix_macip))
+            os.system("iptables -t nat -A PREROUTING -i %s -d %s -j DROP"%\
+                  (int_crans,i))
+        test("iptables -t nat -A PREROUTING -i %s -p tcp "%int_crans+\
+              " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\
+              " -j LOG --log-level %s --log-prefix %s"%\
+              (loglevel,logprefix_macip))
+        test("iptables -t nat -A PREROUTING -i %s -p tcp"%int_crans+\
+              " -j REJECT --reject-with tcp-reset")
+        test("iptables -t nat -A PREROUTING -i %s -p udp"%int_crans+\
+              " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\
+              " -j LOG --log-level %s --log-prefix %s"%\
+              (loglevel,logprefix_macip))
+        test("iptables -t nat -A PREROUTING -i %s -p udp"%int_crans+\
+               " -j REJECT --reject-with icmp-port-unreachable")
+
+    def komaz(self):
+        """
+        Crée les règles spécifiques à la machine komaz
+        """
+        ports=komaz_ports['portTCPin']
+        for i in ports.split(' '):
+            os.system("iptables -A INPUT -d 138.231.136.4 -p tcp --dport %s"%i+\
+                  " -j ACCEPT")
+        ports=komaz_ports['portTCPout']
+        for i in ports.split(' '):
+            os.system("iptables -A OUTPUT -s 138.231.136.4 -p tcp --dport %s"%i+\
+                  " -j ACCEPT")
+        ports=komaz_ports['portUDPin']
+        for i in ports.split(' '):
+            os.system("iptables -A INPUT -d 138.231.136.4 -p udp --dport %s"%i+\
+                  " -j ACCEPT")
+        ports=komaz_ports['portUDPout']
+        for i in ports.split(' '):
+            os.system("iptables -A OUTPUT -s 138.231.136.4 -p udp --dport %s"%i+\
+                  " -j ACCEPT")
+                  
+    def serveurs(self):
+        def fonction_utile(valeur):
+            return valeur
+        """
+        Définit les chaînes relatives au serveur
+        Note: Ça marche pas si port{TCP,UDP}{in,out} est ''
+        Fred corrigera
+        """
+        for serveur in serveurs_list:
+            ports=serveurs_ports[serveur]['portTCPin']
+            for i in ports.split(' '):
+                os.system("iptables -A FORWARD -d %s"%\
+                      eval(fonction_utile(serveur))['ip']+\
+                      " -p tcp --dport %s -j ACCEPT"%i)
+            ports=serveurs_ports[serveur]['portTCPout']
+            for i in ports.split(' '):
+                os.system("iptables -A FORWARD -s %s"%\
+                      eval(fonction_utile(serveur))['ip']+\
+                      " -p tcp --dport %s -j ACCEPT"%i)
+            ports=serveurs_ports[serveur]['portUDPin']
+            for i in ports.split(' '):
+                os.system("iptables -A FORWARD -d %s"%\
+                      eval(fonction_utile(serveur))['ip']+\
+                      " -p udp --dport %s -j ACCEPT"%i)
+            ports=serveurs_ports[serveur]['portUDPout']
+            for i in ports.split(' '):
+                os.system("iptables -A FORWARD -s %s"%\
+                      eval(fonction_utile(serveur))['ip']+\
+                      " -p udp --dport %s -j ACCEPT"%i)
+        for serveur in serveurs_list:
+            self.paire_macip(eval(fonction_utile(serveur))['ip'],\
+                             eval(fonction_utile(serveur))['mac'])
+        
+    def blacklist(self):
+        """
+        Bloque les adhérents blacklistés
+        """
+	os.system("iptables -N DEFAULT_INPUT")
+        os.system("iptables -N DEFAULT_OUTPUT")
+
+        db=crans_ldap()
+        blacklist=[]
+        search=db.search('blacklist=*&paiement=%s'%ann_scol)
+        for entite in search['adherent']+\
+            search['club']+search['machine']:
+            if 'upload' in entite.blacklist_actif():
+                if search.__class__==machine:
+                    blacklist+=[entite]
+                else:
+                    blacklist+=entite.machines()
+        for instance_machine in blacklist:
+            test("iptables -A BLACKLIST_INPUT -d %s"%\
+                  instance_machine.ip().encode("iso-8859-15")+\
+                  "-m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\
+                  "-j LOG --log-level %s --log-prefix_macip %s"%\
+                  (loglevel,logprefix_blacklist))
+            test("iptables -A BLACKLIST_INPUT -d %s -j REJECT"%\
+                  instance_machine.ip())
+            test("iptables -A BLACKLIST_OUTPUT -s %s"%\
+                  instance_machine.ip().encode("iso-8859-15")+\
+                  "-m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\
+                  "-j LOG --log-level %s --log-prefix_macip %s"%\
+                  (loglevel,logprefix_blacklist))
+            test("iptables -A BLACKLIST_OUTPUT -s %s -j REJECT"%\
+                  instance_machine.ip())
+        os.system("iptables -A BLACKLIST_INPUT -j DEFAULT_INPUT")
+        os.system("iptables -A BLACKLIST_OUTPUT -j DEFAULT_OUTPUT")
+
+    def create_forward(self):
+        """
+        Différencie ce qui arrive et ce qui part dans la chaîne FORWARD
+        """
+        os.system("iptables -N BLACKLIST_INPUT")
+        os.system("iptables -N BLACKLIST_OUTPUT")
+	os.system("iptables -A FORWARD -s 138.231.136.0/21 -j BLACKLIST_OUTPUT")
+        os.system("iptables -A FORWARD -s 138.231.136.0/22 -j BLACKLIST_OUTPUT")
+        os.system("iptables -A FORWARD -d 138.231.148.0/21 -j BLACKLIST_INPUT")
+        os.system("iptables -A FORWARD -d 138.231.148.0/22 -j BLACKLIST_INPUT")
+
+    def create_adherents(self):
+        """
+        Crée toutes les règles relatives aux adhérents ayant des règles
+        spéciales
+        """
+	os.system("iptables -N ADHERENTS_OUTPUT")
+        os.system("iptables -N ADHERENTS_INPUT")
+
+        os.system("iptables -A ADHERENTS_INPUT -m state --state "+\
+              "RELATED -j ACCEPT")
+        os.system("iptables -A ADHERENTS_OUTPUT -m state --state "+\
+              "RELATED -j ACCEPT")
+        os.system("iptables -A ADHERENTS_INPUT -m state --state "+\
+              "ESTABLISHED -m limit --limit-burst "+\
+              "%s -j ACCEPT"%limite_connexion)
+        os.system("iptables -A ADHERENTS_OUTPUT -m state --state "+\
+              "ESTABLISHED -m limit --limit-burst "+\
+              "%s-j ACCEPT"%limite_connexion)
+        test("iptables -A DEFAULT_INPUT -j ADHERENTS_INPUT")
+        test("iptables -A DEFAULT_OUTPUT -j ADHERENTS_OUTPUT")
+
+        db=crans_ldap()
+        search=db.search('host=*.crans.org & portTCPin=*')['machine']
+        for champ in search:
+            ports=champ.portTCPin()
+            for j in ports.split(' '):
+                os.system("iptables -A ADHERENTS_INPUT -d %s"%champ.ip()+\
+                      " -p tcp --dport %s -j ACCEPT"%j)
+        search=db.search('host=*.crans.org & portTCPout=*')['machine']
+        for champ in search:
+            ports=champ.portTCPout()
+            for j in ports.split(' '):
+                os.system("iptables -A ADHERENTS_OUTPUT -d %s"%champ.ip()+\
+                      " -p tcp --dport %s -j ACCEPT"%j)
+        search=db.search('host=*.crans.org & portUDPin=*')['machine']
+        for champ in search:
+            ports=champ.portUDPin()
+            for j in ports.split(' '):
+                os.system("iptables -A ADHERENTS_INPUT -d %s"%champ.ip()+\
+                      " -p udp --dport %s -j ACCEPT"%j)
+        search=db.search('host=*.crans.org & portUDPin=*')['machine']
+        for champ in search:
+            ports=champ.portUDPout()
+            for j in ports.split(' '):
+                os.system("iptables -A ADHERENTS_OUTPUT -d %s"%champ.ip()+\
+                      " -p udp --dport %s -j ACCEPT"%j)
+        os.system("iptables -A ADHERENTS_INPUT"+\
+              " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\
+              " -j LOG --log-level %s --log-prefix %s"%\
+              (loglevel,logprefix_adherents))
+        os.system("iptables -A ADHERENTS_INPUT -j REJECT")
+        os.system("iptables -A ADHERENTS_OUTPUT"+\
+              " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\
+              " -j LOG --log-level %s --log-prefix %s"%\
+              (loglevel,logprefix_adherents))
+        os.system("iptables -A ADHERENTS_OUTPUT -j REJECT")
+
+    def adherent(self,ip):
+        """
+        Gère complètement l'ajout d'un adhérent dans le firewall
+        Tester la blacklist
+        """
+        db=crans_ldap()
+        search=db.search('ip='+ip)['machine']
+        if len(search)==0:
+            raise ErrorNoSuchIp(ip)
+        elif len(search)!=1:
+            raise ErrorMoreThanOneIp(ip)
+        i=0
+        wifi=False
+        while (i<len(config.NETs['wifi'])):
+            if (iptools.AddrInNet(ip,config.NETs['all'][i])):
+                test("iptables -I PREROUTING 1 -s %s --mac-source "%ip+\
+                "%s -j ACCEPT"%config.mac_wifi)
+                wifi=True
+            i=i+1
+        if (not wifi):
+            test("iptables -I PREROUTING 1 -s %s --mac-source %s -j ACCEPT"%\
+                  (ip,search[0].mac()))
+        if search[0].portTCPin()!='':
+            ports=search[0].portTCPin()
+            for j in ports.split(' '):
+                test("iptables -I ADHERENTS_INPUT 1 -d %s"%ip+\
+                      " -p tcp --dport %s -j ACCEPT"%j)
+        if search[0].portTCPout()!='':
+            ports=search[0].portTCPout()
+            for j in ports.split(' '):
+                test("iptables -I ADHERENTS_OUTPUT 1 -d %s"%ip+\
+                      " -p tcp --dport %s -j ACCEPT"%j)
+        if search[0].portUDPin()!='':
+            ports=search[0].portUDPin()
+            for j in ports.split(' '):
+                test("iptables -I ADHERENTS_INPUT 1 -d %s"%ip+\
+                      " -p udp --dport %s -j ACCEPT"%j)
+        if search[0].portUDPout()!='':
+            ports=search[0].portUDPout()
+            for j in ports.split(' '):
+                test("iptables -I ADHERENTS_OUTPUT 1 -d %s"%ip+\
+                      " -p udp --dport %s -j ACCEPT"%j)
+            
diff --git a/gestion/config_firewall.py b/gestion/config_firewall.py
new file mode 100644
index 00000000..9007a9d6
--- /dev/null
+++ b/gestion/config_firewall.py
@@ -0,0 +1,66 @@
+# -*- python -*-
+# -*- coding: iso-8859-15 -*-
+## Définition du comportement du firewall.
+
+## Liste des serveurs ayant des règles spéciales sur komaz
+serveurs_list = ['ZAMOK',
+                 'SILA',
+		 'EGON',
+		 'NS1']
+ZAMOK={'ip':'138.231.136.6','mac':'00:0e:0c:36:1d:16'}
+SILA= {'ip':'138.231.136.10','mac':'00:c0:9f:1d:0d:a1'}
+EGON= {'ip':'138.231.136.7','mac':'00:80:c8:c9:ab:01' }
+NS1=  {'ip':'138.231.136.8','mac':'00:0e:0c:36:1d:16'}
+
+limite_connexion='100'
+logburst='2'
+loglimit='1/s'
+loglevel='notice'
+logprefix_macip='"Mauvaise MacIp:"\n'
+logprefix_blacklist='"Adhérent blacklisté:"\n'
+logprefix_adherents='"Tentative d''abus de droits"\n'
+int_crans='eth0'
+int_net='eth2'
+## Liste des ports *ouverts* sur les serveurs listés précédement
+serveurs_ports = {'ZAMOK' : {'portTCPin' : '22 25 53 80 119 443 993 5222'+\
+			     ' 5223 5269',
+                             'portTCPout': ':',
+			     'portUDPin' : '53 514 33434',
+			     'portUDPout': ':'},
+		  'SILA' :  {'portTCPin' : '20 21 22 53 80 110 143',
+			     'portTCPout': ':',
+			     'portUDPin' : '53 33434',
+			     'portUDPout': ':'},
+		  'EGON' :  {'portTCPin' : '22 80 443',
+			     'portTCPout': ':',
+			     'portUDPin' : '53',
+			     'portUDPout': ':'},
+		  'NS1'  :  {'portTCPin' : '53',
+			     'portTCPout': ':',
+			     'portUDPin' : '53 33434',
+		             'portUDPout': ':'},
+			     }
+			     
+komaz_ports={'portTCPin' : '22 4949',
+	     'portTCPout': '22',
+	     'portUDPin' : '53',
+	     'portUDPout': '53'}
+	     
+reseaux_non_routables=['1.0.0.0/8','2.0.0.0/8','5.0.0.0/8','7.0.0.0/8',\
+'10.0.0.0/8','14.0.0.0/8','23.0.0.0/8','27.0.0.0/8','31.0.0.0/8','36.0.0.0/8',\
+'37.0.0.0/8','39.0.0.0/8','41.0.0.0/8','42.0.0.0/8','71.0.0.0/8','72.0.0.0/8',\
+'73.0.0.0/8','74.0.0.0/8','75.0.0.0/8','76.0.0.0/8','77.0.0.0/8','78.0.0.0/8',\
+'79.0.0.0/8','89.0.0.0/8','90.0.0.0/8','91.0.0.0/8','92.0.0.0/8','93.0.0.0/8',\
+'94.0.0.0/8','95.0.0.0/8','96.0.0.0/8','97.0.0.0/8','98.0.0.0/8','99.0.0.0/8',\
+'100.0.0.0/8','101.0.0.0/8','102.0.0.0/8','103.0.0.0/8','104.0.0.0/8',\
+'105.0.0.0/8','106.0.0.0/8','107.0.0.0/8','108.0.0.0/8','109.0.0.0/8',\
+'110.0.0.0/8','111.0.0.0/8','112.0.0.0/8','113.0.0.0/8','114.0.0.0/8',\
+'115.0.0.0/8','116.0.0.0/8','117.0.0.0/8','118.0.0.0/8','119.0.0.0/8',\
+'120.0.0.0/8','121.0.0.0/8','122.0.0.0/8','123.0.0.0/8','124.0.0.0/8',\
+'125.0.0.0/8','126.0.0.0/8','127.0.0.0/8','169.254.0.0/16','172.16.0.0/12',\
+'173.0.0.0/8','174.0.0.0/8','175.0.0.0/8','176.0.0.0/8','177.0.0.0/8',\
+'178.0.0.0/8','179.0.0.0/8','180.0.0.0/8','181.0.0.0/8','182.0.0.0/8',\
+'183.0.0.0/8','184.0.0.0/8','185.0.0.0/8','186.0.0.0/8','187.0.0.0/8',\
+'189.0.0.0/8','190.0.0.0/8','192.168.0.0/16','197.0.0.0/8','223.0.0.0/8',\
+'224.0.0.0/4','240.0.0.0/4']
+
diff --git a/gestion/firewall.py b/gestion/firewall.py
new file mode 100755
index 00000000..e95ff130
--- /dev/null
+++ b/gestion/firewall.py
@@ -0,0 +1,99 @@
+#!/usr/bin/env python
+# -*- coding: iso-8859-1 -*- 
+# The author of this code is Manuel Sabban <manu@feyd-rautha.org>
+#
+# Copyright (c) 2004 Manuel Sabban.
+#
+# Permission to use, copy, and modify this software with or without fee
+# is hereby granted, provided that this entire notice is included in
+# all source code copies of any software which is or includes a copy or
+# modification of this software.
+#
+# THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+# IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
+# REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+# MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+# PURPOSE.
+""" Firewall de Komaz """
+import sys,os
+import iptools,config
+from classe_firewall import *
+
+def usage():
+    """
+    Vérifie le contenu et le contenant  des arguments
+    de la ligne de commande.
+    En cas d'appel correct, apelle les fonctions de classe_firewall.py
+    """
+    fw=firewall()
+    if len(sys.argv) < 2:
+        raise ErrorArgument,"Il faut au moins deux arguments."
+    try:
+        i=1
+        if len(sys.argv) >= 2:
+            if ((sys.argv[1]=="start")or(sys.argv[1]=="restart"))\
+                   and(len(sys.argv)==2):
+                fw.stop()
+                try:
+                    fw.start()
+                except KeyboardInterrupt:
+                    fw.stop()
+                    print "Firewall arrêté."
+            elif ((sys.argv[1]=="stop")and(len(sys.argv)==2)):
+		fw.stop()
+	    else:
+                while (i<len(sys.argv)):
+                    j=0
+                    argument=False
+                    while (j<len(config.NETs["all"])):
+                        if (iptools.AddrInNet(sys.argv[i],\
+                                              config.NETs["all"][j])):
+                            argument=True
+                            fw.del_entree(sys.argv[i])
+                            try:
+                                fw.adherent(sys.argv[i])
+                            except ErrorNoSuchIp,ip:
+                                print "Ip effacée du firewall."
+                            except MoreThanOneIp,ip:
+                                print "La on est mal, les scripts de Fred"+\
+                                      "foirent de partout, cette portion"+\
+                                      "de code ne devrait jamais être"+\
+                                      "executée"
+                            except KeyboardInterrupt:
+                                fw.del_entree(sys.argv[i])
+                                print "Ip non mise à jour"
+                                exit()
+                        j=j+1
+                    if (not argument) :
+                        raise ErrorArgument,(sys.argv[i],i)
+                    i=i+1
+                
+    except ErrorArgument,(val,nb):
+        for i in range(0,nb):
+            fw.del_entree(sys.argv[i])
+        print "L'ip %s n'est pas valide"%val
+        print "Le firewall est inchangé."
+        print_usage()
+            
+def print_usage():
+    """
+    Manière dont s'utilise ce script
+    Pas d'arguments
+    """
+    usage = """
+        Usage:
+        firewall.py start   : Construction du firewall.
+        firewall.py restart : Reconstruction du firewall.
+	firewall.py stop    : Arrêt du firewall.
+	firewall.py IPs     : Reconstruction des règles concernant la liste d\'ip IPs.
+        """
+    print usage
+
+def main():
+    """
+    Fonction principale
+    """
+    usage()
+
+main()
+