From 7ab4485d5401242423c4bf34be6673423de935ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pierre-Elliott=20B=C3=A9cue?=
Date: Wed, 1 Jul 2015 11:38:25 +0200
Subject: [PATCH] =?UTF-8?q?On=20s=C3=A9pare=20les=20compteurs=20forwarding?=
 =?UTF-8?q?=20des=20compteurs=20input=20en=20ssh?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 gestion/gen_confs/firewall4/komaz.py | 8 ++++----
 gestion/gen_confs/firewall6.py       | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/gestion/gen_confs/firewall4/komaz.py b/gestion/gen_confs/firewall4/komaz.py
index b16e07a5..df419569 100644
--- a/gestion/gen_confs/firewall4/komaz.py
+++ b/gestion/gen_confs/firewall4/komaz.py
@@ -116,7 +116,7 @@ class firewall(base.firewall_routeur):
         self.add(table, chain, '-j %s' % self.connexion_appartement(table))
         self.add(table, chain, '-j %s' % self.connexion_wififederez(table))
         self.add(table, chain, '-j %s' % self.ingress_filtering(table))
-        self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table, ttl=30))
+        self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table, ttl=30, counter_name="SSH2"))
         self.add(table, chain, '-i %s -j %s' % (dev['out'], self.filtrage_ports(table)))
         self.add(table, chain, '-o %s -j %s' % (dev['out'], self.filtrage_ports(table)))
         return
@@ -151,13 +151,13 @@ class firewall(base.firewall_routeur):
             self.apply(table, chain)
         return chain
-    def limit_ssh_connexion(self, table=None, apply=False, ttl=120):
+    def limit_ssh_connexion(self, table=None, apply=False, ttl=120, counter_name="SSH"):
         chain = 'LIMIT-SSH-CONNEXION'
         if table == 'filter':
             pretty_print(table, chain)
-            self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set' % dev['out'])
-            self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds %s --hitcount 10 --rttl -j DROP' % (dev['out'], ttl))
+            self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name %s --set' % (dev['out'], counter_name))
+            self.add(table, chain, '-i %s -p tcp --dport ssh -m state --state NEW -m recent --name %s --update --seconds %s --hitcount 10 --rttl -j DROP' % (dev['out'], counter_name, ttl))
             print OK
         if apply:
diff --git a/gestion/gen_confs/firewall6.py b/gestion/gen_confs/firewall6.py
index ec5ce83e..7346f35c 100755
--- a/gestion/gen_confs/firewall6.py
+++ b/gestion/gen_confs/firewall6.py
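Review bot: The `--hitcount 10` in the two rules added to limit_ssh_connexion is now the only rule parameter left hard-coded while ttl and the new counter_name are exposed, so the forward-chain caller in the previous hunk (ttl=30, counter_name="SSH2") cannot tune its threshold independently of the INPUT one; a `hitcount=10` keyword, e.g. `def limit_ssh_connexion(self, table=None, apply=False, ttl=120, counter_name="SSH", hitcount=10):` with `--hitcount %s` in the second rule, would complete the parameterisation. The new counter_name parameter is also undocumented: a comment such as `# counter_name: xt_recent list name; the FORWARD and INPUT chains must use distinct lists so that connection attempts on one path do not count toward the other's limit` would record why the caller passes "SSH2". The same rule strings with the literal "SSH2"/"SSH" names are duplicated in the firewall6.py hunk, so the v4 and v6 list names can drift apart; module-level constants shared by both generators would keep them aligned. limit_ssh_connexion's body continues past the end of this hunk.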
@@ -60,8 +60,8 @@ def ports(dev_ip6, dev_list):
     # Il semble qu'il faille un kernel >= .29 et iptables >= 1.4.3
     # http://netfilter.org/projects/iptables/files/changes-iptables-1.4.3.txt
-    ip6tables.filter.forward('-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set ' % dev_ip6)
-    ip6tables.filter.forward('-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 30 --hitcount 10 --rttl -j DROP' % dev_ip6)
+    ip6tables.filter.forward('-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH2 --set ' % dev_ip6)
+    ip6tables.filter.forward('-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH2 --update --seconds 30 --hitcount 10 --rttl -j DROP' % dev_ip6)
     ip6tables.filter.input('-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --set ' % dev_ip6)
     ip6tables.filter.input('-i %s -p tcp --dport ssh -m state --state NEW -m recent --name SSH --update --seconds 120 --hitcount 10 --rttl -j DROP' % dev_ip6)
     #ip6tables.filter.forward('-i %s -p tcp --dport ssh -m state --state NEW -j ACCEPT' % dev_ip6)