From 7f4bfdad176b4a541e1d32d49b5b5675766e63ca Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Fri, 25 Jan 2013 04:23:21 +0100
Subject: [PATCH] =?UTF-8?q?[firewall=5Fnew]=20On=20ajoute=20une=20interfac?=
 =?UTF-8?q?e=20wifi=20sur=20komaz=20pour=20y=20router=20directement=20le?=
 =?UTF-8?q?=20wifi.=20On=20fait=20les=20modification=20n=C3=A9cessaire=20d?=
 =?UTF-8?q?ans=20le=20pare-feu=20pour=20cela.=20On=20fait=20en=20sorte=20q?=
 =?UTF-8?q?ue=20le=20routage=20via=20gordon=20fonctionne=20toujours,=20du?=
 =?UTF-8?q?=20moins=20pour=20un=20temps.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ignore-this: 3101c19683d2c38eeb8cf8a01d76e22e
darcs-hash:20130125032321-3a55a-58b229a31b25f46fb5e08b2b18eeb7f78b75098e.gz
---
 gestion/gen_confs/firewall_new.py | 47 +++++++++++++++++++++++++------
 1 file changed, 38 insertions(+), 9 deletions(-)
diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index ed6e9c62..36dc8d8b 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@@ -167,11 +167,16 @@ class firewall_crans :
 """ Pose un lock """
 make_lock('firewall')
 self.mac_ip_set = Ipset("MAC-IP","macipmap","--from 138.231.136.0 --to 138.231.151.255")
+ self.mac_ip_set_wifi = Ipset("MAC-IP-WIFI","macipmap","--from 138.231.144.0 --to 138.231.151.255")
 self.mac_ip_adm_set = Ipset("MAC-IP-ADM","macipmap","--from 10.231.136.0 --to 10.231.136.255")
 try:
 self.mac_ip_set.list()
 except IpsetError:
 self.mac_ip_set.create()
+ try:
+ self.mac_ip_set_wifi.list()
+ except IpsetError:
+ self.mac_ip_set_wifi.create()
 try:
 self.mac_ip_adm_set.list()
 except IpsetError:
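Review bot: The try/list/except IpsetError/create sequence is now copied verbatim for a third ipset in this hunk, so the create-if-missing logic lives in three places; a small helper method called once per set would keep it in one. The MAC-IP-WIFI range `--from 138.231.144.0 --to 138.231.151.255` is also hard-coded independently of NETs['wifi'], which the rest of this patch uses for the `-s` matches; if the two ever diverge, ipset would presumably refuse the adds for addresses outside the macipmap range, so a comment naming where this range comes from (or deriving it from NETs['wifi'] if that is a single contiguous block) would help. As for MAC-IP, a set that already exists with a stale range is never recreated because `list()` succeeds. The enclosing method starts before this hunk.
```python
    def _ensure_ipset(self, ipset):
        """Create *ipset* when `list()` reports it does not exist yet."""
        try:
            ipset.list()
        except IpsetError:
            ipset.create()

    # … unchanged: make_lock() and the three Ipset(...) constructors …
        for s in (self.mac_ip_set, self.mac_ip_set_wifi, self.mac_ip_adm_set):
            self._ensure_ipset(s)
```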
@@ -267,6 +272,7 @@ class firewall_crans : iptables('-t filter -F TEST_MAC-IP') self.mac_ip_gen() iptables('-t filter -A TEST_MAC-IP -m set --match-set %s src -j RETURN' % self.mac_ip_set.set) + iptables('-t filter -A TEST_MAC-IP -m set --match-set %s src -j RETURN' % self.mac_ip_set_wifi.set) iptables('-t filter -A TEST_MAC-IP -m set --match-set %s src -j RETURN' % self.mac_ip_adm_set.set) # Proxy ARP de Komaz et Titanic pour OVH @@ -282,6 +288,7 @@ class firewall_crans : if not flushed: try: self.mac_ip_set.delete(ip) + self.mac_ip_set_wifi.delete(ip) except IpsetError: pass if machine.__class__.__name__ == "MachineWifi" and hostname != 'gordon': @@ -290,6 +297,10 @@ class firewall_crans : else: # Machine fixe self.mac_ip_set.add("%s,%s" % (ip,machine.mac())) + if machine.__class__.__name__ == "MachineWifi" and hostname == 'komaz': + self.mac_ip_set_wifi.add("%s,%s" % (ip,machine.mac())) + elif machine.__class__.__name__ == "MachineWifi" and hostname != 'komaz': + self.mac_ip_set_wifi.add("%s,%s" % (ip,mac_komaz)) elif ip.startswith("10.231.136."): if not flushed: try: @@ -302,6 +313,7 @@ class firewall_crans : if ip.startswith("138.231.1"): try: self.mac_ip_set.delete(ip) + self.mac_ip_set_wifi.delete(ip) except IpsetError: pass elif ip.startswith("10.231.136."): @@ -326,6 +338,7 @@ class firewall_crans : def mac_ip_gen(self): self.anim = anim('\tChaîne TEST_MAC-IP', len(self.__machines())) self.mac_ip_set.flush() + self.mac_ip_set_wifi.flush() self.mac_ip_adm_set.flush() self.anim.reinit() @@ -446,7 +459,8 @@ class firewall_komaz(firewall_crans) : # interfaces physiques eth_ext = "ens" - eth_int = "crans" + eth_int = "crans" + eth_wifi = "crans.3" eth_adm = "crans.2" # Ports ouverts 
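Review bot: In the `if not flushed:` block of the `@@ -282` hunk the new `self.mac_ip_set_wifi.delete(ip)` shares a single `try` with `self.mac_ip_set.delete(ip)`, so when the first delete raises IpsetError (ip absent from MAC-IP) the wifi delete is never attempted and a stale MAC-IP-WIFI binding survives the regeneration; the `@@ -302` hunk adds the same pattern. Give the wifi delete its own guard, `try: self.mac_ip_set_wifi.delete(ip)` / `except IpsetError: pass`, placed after the existing try/except rather than inside it. The enclosing method starts before these hunks.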
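Review bot: The two new branches in the `@@ -290` hunk, `if ... and hostname == 'komaz'` and `elif ... and hostname != 'komaz'`, are exhaustive for MachineWifi and differ only in the MAC used, so they collapse to one test: `if machine.__class__.__name__ == "MachineWifi":` / `self.mac_ip_set_wifi.add("%s,%s" % (ip, machine.mac() if hostname == 'komaz' else mac_komaz))`. `mac_komaz` is not defined anywhere in this patch; presumably it is a module-level constant alongside whatever the existing `hostname != 'gordon'` branch uses, but that should be confirmed. A one-line comment on the new block saying that hosts other than komaz see wifi sources with komaz's MAC as next hop, while the gordon path is kept for the transition, would make the dual MAC-IP / MAC-IP-WIFI acceptance in TEST_MAC-IP understandable. The enclosing method starts before this hunk.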
@@ -511,6 +525,7 @@ class firewall_komaz(firewall_crans) : #Log de paquets iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_int) + iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_wifi) iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_ext) # Proxy transparent @@ -537,6 +552,7 @@ class firewall_komaz(firewall_crans) : debit_max_semi=debit_max/2 eth_ext = self.eth_ext eth_int = self.eth_int + eth_wifi = self.eth_wifi # Classification du traffic : extérieur <-> ftp iptables("-t mangle -A POSTROUTING -o %(eth_int)s -d 138.231.136.98 " @@ -560,6 +576,9 @@ class firewall_komaz(firewall_crans) : for net in NETs['all']: iptables("-t mangle -A POSTROUTING -o %(eth_int)s -d %(net)s " "-j CLASSIFY --set-class 1:9998" % locals()) + iptables("-t mangle -A POSTROUTING -o %(eth_wifi)s -d %(net)s " + "-j CLASSIFY --set-class 1:9998" % locals()) + iptables("-t mangle -A POSTROUTING -o %(eth_ext)s -s %(net)s " "-j CLASSIFY --set-class 1:9998" % locals()) @@ -592,7 +611,7 @@ class firewall_komaz(firewall_crans) : debit_adh = int(debit_max / float(len(adherents))) # Création des classes et qdisc - for interface in [eth_ext, eth_int]: + for interface in [eth_ext, eth_int, eth_wifi]: # On vide les classes et qdisc try: tc("qdisc del dev %s root" % interface) @@ -650,6 +669,7 @@ class firewall_komaz(firewall_crans) : debit_max_semi=debit_max/2 eth_ext = self.eth_ext eth_int = self.eth_int + eth_wifi = self.eth_wifi adherents = self.adherents debit_adh = int(debit_max / float(len(adherents))) 
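Review bot: The list of shaped interfaces `[eth_ext, eth_int, eth_wifi]` in the `@@ -592` hunk is a literal repeated again in `@@ -663` and `@@ -859`, after each method copies `eth_wifi = self.eth_wifi` into a local; a fourth interface later means editing every loop. Define it once next to the names, `eth_shaped = (eth_ext, eth_int, eth_wifi)` beside `eth_wifi = "crans.3"`, and iterate `for interface in self.eth_shaped:` in each method. The `@@ -560` hunk also adds an empty `+` line between the new eth_wifi CLASSIFY rule and the eth_ext one, splitting the three rules that belong to the same `net`; dropping it keeps the group together. The enclosing methods start before these hunks.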
@@ -663,7 +683,7 @@ class firewall_komaz(firewall_crans) : class_id = int(adherent.id()) + 1 # Il nous faut un n° inférieur à 9999 unique qdisc_id = class_id - for interface in [self.eth_ext, self.eth_int]: + for interface in [self.eth_ext, self.eth_int, self.eth_wifi]: tc("class add dev %(interface)s parent 1:1 classid 1:%(class_id)d " "htb rate %(debit_adh)skbps ceil %(debit_max)skbps prio 0" % locals()) tc("qdisc add dev %(interface)s parent 1:%(class_id)d " @@ -736,6 +756,8 @@ class firewall_komaz(firewall_crans) : #iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT") for net in NETs['fil'] + NETs['wifi']: iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int)) + for net in NETs['wifi']: + iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_wifi)) for net in NETs['adm']: iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm)) @@ -751,6 +773,8 @@ class firewall_komaz(firewall_crans) : for net in NETs['fil'] + NETs['wifi']: iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int)) + for net in NETs['wifi']: + iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_wifi)) for net in NETs['adm']: iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm)) iptables("-P INPUT ACCEPT") @@ -768,7 +792,7 @@ class firewall_komaz(firewall_crans) : iptables("-A FORWARD -i crans -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu") iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext ) iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext ) - iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) ) + iptables("-A FORWARD -o %s -s ! %s -d ! %s -j FILTRE_P2P" % (self.eth_ext,self.zone_serveur, self.zone_serveur) ) # Appartement ENS iptables("-A FORWARD -i crans.21 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu") 
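Review bot: The new `for net in NETs['wifi']` loop in the `@@ -736` hunk only sends wifi-sourced packets arriving on `self.eth_wifi` to TEST_MAC-IP, whereas the existing `self.eth_int` rule just above covers `NETs['fil'] + NETs['wifi']`; a packet entering crans.3 with a source address from NETs['fil'] matches neither loop, so unless a rule outside this hunk drops it, the MAC/IP binding check does not apply to it. Mirror the wired rule with `for net in NETs['fil'] + NETs['wifi']:` for `self.eth_wifi`, or add an explicit reject for non-wifi sources on that interface, so that a wrong source address across the two VLANs is caught the same way on both. The `@@ -751` INPUT hunk has the same asymmetry. The enclosing method starts before these hunks.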
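Review bot: The TCPMSS clamp a few lines above the rewritten FILTRE_P2P jump in the `@@ -768` hunk still names the wired interface literally, `-A FORWARD -i crans -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`, and no equivalent is added for the new interface, so TCP flows entering crans.3 are forwarded without MSS clamping; add `iptables("-A FORWARD -i %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % self.eth_wifi)` and ideally replace the literal `crans` with `self.eth_int`. Scoping the FILTRE_P2P jump with `-o %s` to self.eth_ext means forwarded traffic between crans.3 and crans is no longer inspected by that chain; if that is intended, a comment on the line stating the filter is ext-bound only would save the next reader from wondering. The intrapositioned negation `-s ! %s` is carried over from the replaced line and is deprecated in newer iptables in favour of `! -s`. The enclosing method starts before this hunk.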
@@ -790,8 +814,9 @@ class firewall_komaz(firewall_crans) : iptables("-A INGRESS_FILTERING -i ens -j LOG --log-prefix BAD_SRC ") iptables("-A INGRESS_FILTERING -i ens -j DROP") iptables("-A FORWARD -i %s -d %s -j ADMIN_VLAN" % (self.eth_int, self.vlan_adm) ) + iptables("-A FORWARD -i %s -d %s -j ADMIN_VLAN" % (self.eth_wifi, self.vlan_adm) ) iptables("-A FORWARD -i %s -d %s -j REJECT" % (self.eth_ext, self.vlan_adm) ) - iptables("-A FORWARD -s ! %s -j TEST_VIRUS_FLOOD" % self.zone_serveur) + iptables("-A FORWARD -s ! %s -o %s -j TEST_VIRUS_FLOOD" % (self.zone_serveur,self.eth_ext)) iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) ) iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) ) iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext ) @@ -827,6 +852,7 @@ class firewall_komaz(firewall_crans) : debit_adh = int(conf_fw.debit_max / 1200.) # XXX: guesstimate eth_ext = self.eth_ext eth_int = self.eth_int + eth_wifi = self.eth_wifi try: for ip in ip_list: @@ -859,7 +885,7 @@ class firewall_komaz(firewall_crans) : # On cree la classe et la qdisc s'il elles n'existent pas deja qdisc_id = class_id try: - for interface in [eth_ext, eth_int]: + for interface in [eth_ext, eth_int, eth_wifi]: tc("class add dev %(interface)s " "parent 1:1 classid 1:%(class_id)d htb " "rate %(debit_adh)s ceil %(debit_max)s" % locals()) @@ -878,6 +904,9 @@ class firewall_komaz(firewall_crans) : iptables("-t mangle %(iptables_option)s SUBNET-%(subnet)s " "-o %(eth_int)s -d %(ip)s " "-j CLASSIFY --set-class 1:%(class_id)s" % locals()) + iptables("-t mangle %(iptables_option)s SUBNET-%(subnet)s " + "-o %(eth_wifi)s -d %(ip)s " + "-j CLASSIFY --set-class 1:%(class_id)s" % locals()) iptables("-t mangle %(iptables_option)s SUBNET-%(subnet)s " "-o %(eth_ext)s -s %(ip)s " "-j CLASSIFY --set-class 1:%(class_id)s" % locals()) 
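Review bot: `-A FORWARD -s ! %s -o %s -j TEST_VIRUS_FLOOD` restricts the flood test to traffic leaving on self.eth_ext, whereas the replaced line tested every non-server source regardless of output interface; since komaz now presumably forwards between crans.3 and crans as well, wifi-to-wired and wired-to-wifi flows skip TEST_VIRUS_FLOOD after this change. If that narrowing is deliberate, say so in a comment on the line, e.g. `# flood detection on ext-bound traffic only; intra-site forwarding is not tested`; if not, drop the `-o` or add a second jump for the internal interfaces. The new `ADMIN_VLAN` jump for self.eth_wifi correctly mirrors the wired one. The enclosing method starts before this hunk.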
@@ -1203,11 +1232,11 @@ class firewall_komaz(firewall_crans) : iptables("-A TRACKER_FILTER -j LOG_TRACKER") #On analyse que les requetes http - iptables("-A FILTRE_P2P -i %s -p tcp -m string --algo kmp --string \"GET \" -j TRACKER_FILTER" % self.eth_int) - iptables("-A FILTRE_P2P -i %s -p tcp -m string --algo kmp --string \"get \" -j TRACKER_FILTER" % self.eth_int) + iptables("-A FILTRE_P2P -p tcp -m string --algo kmp --string \"GET \" -j TRACKER_FILTER") + iptables("-A FILTRE_P2P -p tcp -m string --algo kmp --string \"get \" -j TRACKER_FILTER") # fait bcp de faux positif, peux servir a detecter de nouveau trackers - iptables("-A FILTRE_P2P -i %s -p udp -m string --from 0 --to 65 --algo kmp --hex-string \"|4500002c00004000|\" -j LOG --log-level notice --log-prefix \"TRACKER_TORRENT: \"" % self.eth_int) + iptables("-A FILTRE_P2P -p udp -m string --from 0 --to 65 --algo kmp --hex-string \"|4500002c00004000|\" -j LOG --log-level notice --log-prefix \"TRACKER_TORRENT: \"") iptables('-A LOG_TRACKER -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "') iptables('-A LOG_TRACKER -j REJECT --reject-with icmp-admin-prohibited')
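Review bot: Dropping `-i %s` from the three FILTRE_P2P rules makes the chain interface-agnostic, so its scope now depends entirely on the FORWARD jump rule (restricted elsewhere in this patch to `-o self.eth_ext`); a comment above these rules, e.g. `# FILTRE_P2P is only jumped to for ext-bound traffic; no -i match here on purpose`, would record that contract for anyone who later adds a second jump. The rewritten lines also keep the `\"GET \"` escaping inside a double-quoted Python string while the LOG_TRACKER lines just below use single-quoted outer strings; `iptables('-A FILTRE_P2P -p tcp -m string --algo kmp --string "GET " -j TRACKER_FILTER')` reads cleaner and matches them. The enclosing method starts before this hunk.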