crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[firewall_new] On ajoute une interface wifi sur komaz pour y router directement le wifi. On fait les modification nécessaire dans le pare-feu pour cela. On fait en sorte que le routage via gordon fonctionne toujours, du moins pour un temps.

Browse source 
Ignore-this: 3101c19683d2c38eeb8cf8a01d76e22e

darcs-hash:20130125032321-3a55a-58b229a31b25f46fb5e08b2b18eeb7f78b75098e.gz
This commit is contained in:
Valentin Samir 2013-01-25 04:23:21 +01:00
parent 203d78afbb
commit 7f4bfdad17
1 changed files with 38 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

45
gestion/gen_confs/firewall_new.py
View file

@ -167,11 +167,16 @@ class firewall_crans :
""" Pose un lock """ """ Pose un lock """
make_lock('firewall') make_lock('firewall')
self.mac_ip_set = Ipset("MAC-IP","macipmap","--from 138.231.136.0 --to 138.231.151.255") self.mac_ip_set = Ipset("MAC-IP","macipmap","--from 138.231.136.0 --to 138.231.151.255")
self.mac_ip_set_wifi = Ipset("MAC-IP-WIFI","macipmap","--from 138.231.144.0 --to 138.231.151.255")
self.mac_ip_adm_set = Ipset("MAC-IP-ADM","macipmap","--from 10.231.136.0 --to 10.231.136.255") self.mac_ip_adm_set = Ipset("MAC-IP-ADM","macipmap","--from 10.231.136.0 --to 10.231.136.255")
try: try:
self.mac_ip_set.list() self.mac_ip_set.list()
except IpsetError: except IpsetError:
self.mac_ip_set.create() self.mac_ip_set.create()
try:
self.mac_ip_set_wifi.list()
except IpsetError:
self.mac_ip_set_wifi.create()
try: try:
self.mac_ip_adm_set.list() self.mac_ip_adm_set.list()
except IpsetError: except IpsetError:
@ -267,6 +272,7 @@ class firewall_crans :
iptables('-t filter -F TEST_MAC-IP') iptables('-t filter -F TEST_MAC-IP')
self.mac_ip_gen() self.mac_ip_gen()
iptables('-t filter -A TEST_MAC-IP -m set --match-set %s src -j RETURN' % self.mac_ip_set.set) iptables('-t filter -A TEST_MAC-IP -m set --match-set %s src -j RETURN' % self.mac_ip_set.set)
iptables('-t filter -A TEST_MAC-IP -m set --match-set %s src -j RETURN' % self.mac_ip_set_wifi.set)
iptables('-t filter -A TEST_MAC-IP -m set --match-set %s src -j RETURN' % self.mac_ip_adm_set.set) iptables('-t filter -A TEST_MAC-IP -m set --match-set %s src -j RETURN' % self.mac_ip_adm_set.set)
# Proxy ARP de Komaz et Titanic pour OVH # Proxy ARP de Komaz et Titanic pour OVH
@ -282,6 +288,7 @@ class firewall_crans :
if not flushed: if not flushed:
try: try:
self.mac_ip_set.delete(ip) self.mac_ip_set.delete(ip)
self.mac_ip_set_wifi.delete(ip)
except IpsetError: except IpsetError:
pass pass
if machine.__class__.__name__ == "MachineWifi" and hostname != 'gordon': if machine.__class__.__name__ == "MachineWifi" and hostname != 'gordon':
@ -290,6 +297,10 @@ class firewall_crans :
else: else:
# Machine fixe # Machine fixe
self.mac_ip_set.add("%s,%s" % (ip,machine.mac())) self.mac_ip_set.add("%s,%s" % (ip,machine.mac()))
if machine.__class__.__name__ == "MachineWifi" and hostname == 'komaz':
self.mac_ip_set_wifi.add("%s,%s" % (ip,machine.mac()))
elif machine.__class__.__name__ == "MachineWifi" and hostname != 'komaz':
self.mac_ip_set_wifi.add("%s,%s" % (ip,mac_komaz))
elif ip.startswith("10.231.136."): elif ip.startswith("10.231.136."):
if not flushed: if not flushed:
try: try:
@ -302,6 +313,7 @@ class firewall_crans :
if ip.startswith("138.231.1"): if ip.startswith("138.231.1"):
try: try:
self.mac_ip_set.delete(ip) self.mac_ip_set.delete(ip)
self.mac_ip_set_wifi.delete(ip)
except IpsetError: except IpsetError:
pass pass
elif ip.startswith("10.231.136."): elif ip.startswith("10.231.136."):
@ -326,6 +338,7 @@ class firewall_crans :
def mac_ip_gen(self): def mac_ip_gen(self):
self.anim = anim('\tChaîne TEST_MAC-IP', len(self.__machines())) self.anim = anim('\tChaîne TEST_MAC-IP', len(self.__machines()))
self.mac_ip_set.flush() self.mac_ip_set.flush()
self.mac_ip_set_wifi.flush()
self.mac_ip_adm_set.flush() self.mac_ip_adm_set.flush()
self.anim.reinit() self.anim.reinit()
@ -447,6 +460,7 @@ class firewall_komaz(firewall_crans) :
# interfaces physiques # interfaces physiques
eth_ext = "ens" eth_ext = "ens"
eth_int = "crans" eth_int = "crans"
eth_wifi = "crans.3"
eth_adm = "crans.2" eth_adm = "crans.2"
# Ports ouverts # Ports ouverts
@ -511,6 +525,7 @@ class firewall_komaz(firewall_crans) :
#Log de paquets #Log de paquets
iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_int) iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_int)
iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_wifi)
iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_ext) iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_ext)
# Proxy transparent # Proxy transparent
@ -537,6 +552,7 @@ class firewall_komaz(firewall_crans) :
debit_max_semi=debit_max/2 debit_max_semi=debit_max/2
eth_ext = self.eth_ext eth_ext = self.eth_ext
eth_int = self.eth_int eth_int = self.eth_int
eth_wifi = self.eth_wifi
# Classification du traffic : extérieur <-> ftp # Classification du traffic : extérieur <-> ftp
iptables("-t mangle -A POSTROUTING -o %(eth_int)s -d 138.231.136.98 " iptables("-t mangle -A POSTROUTING -o %(eth_int)s -d 138.231.136.98 "
@ -560,6 +576,9 @@ class firewall_komaz(firewall_crans) :
for net in NETs['all']: for net in NETs['all']:
iptables("-t mangle -A POSTROUTING -o %(eth_int)s -d %(net)s " iptables("-t mangle -A POSTROUTING -o %(eth_int)s -d %(net)s "
"-j CLASSIFY --set-class 1:9998" % locals()) "-j CLASSIFY --set-class 1:9998" % locals())
iptables("-t mangle -A POSTROUTING -o %(eth_wifi)s -d %(net)s "
"-j CLASSIFY --set-class 1:9998" % locals())
iptables("-t mangle -A POSTROUTING -o %(eth_ext)s -s %(net)s " iptables("-t mangle -A POSTROUTING -o %(eth_ext)s -s %(net)s "
"-j CLASSIFY --set-class 1:9998" % locals()) "-j CLASSIFY --set-class 1:9998" % locals())
@ -592,7 +611,7 @@ class firewall_komaz(firewall_crans) :
debit_adh = int(debit_max / float(len(adherents))) debit_adh = int(debit_max / float(len(adherents)))
# Création des classes et qdisc # Création des classes et qdisc
for interface in [eth_ext, eth_int]: for interface in [eth_ext, eth_int, eth_wifi]:
# On vide les classes et qdisc # On vide les classes et qdisc
try: try:
tc("qdisc del dev %s root" % interface) tc("qdisc del dev %s root" % interface)
@ -650,6 +669,7 @@ class firewall_komaz(firewall_crans) :
debit_max_semi=debit_max/2 debit_max_semi=debit_max/2
eth_ext = self.eth_ext eth_ext = self.eth_ext
eth_int = self.eth_int eth_int = self.eth_int
eth_wifi = self.eth_wifi
adherents = self.adherents adherents = self.adherents
debit_adh = int(debit_max / float(len(adherents))) debit_adh = int(debit_max / float(len(adherents)))
@ -663,7 +683,7 @@ class firewall_komaz(firewall_crans) :
class_id = int(adherent.id()) + 1 class_id = int(adherent.id()) + 1
# Il nous faut un n° inférieur à 9999 unique # Il nous faut un n° inférieur à 9999 unique
qdisc_id = class_id qdisc_id = class_id
for interface in [self.eth_ext, self.eth_int]: for interface in [self.eth_ext, self.eth_int, self.eth_wifi]:
tc("class add dev %(interface)s parent 1:1 classid 1:%(class_id)d " tc("class add dev %(interface)s parent 1:1 classid 1:%(class_id)d "
"htb rate %(debit_adh)skbps ceil %(debit_max)skbps prio 0" % locals()) "htb rate %(debit_adh)skbps ceil %(debit_max)skbps prio 0" % locals())
tc("qdisc add dev %(interface)s parent 1:%(class_id)d " tc("qdisc add dev %(interface)s parent 1:%(class_id)d "
@ -736,6 +756,8 @@ class firewall_komaz(firewall_crans) :
#iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT") #iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
for net in NETs['fil'] + NETs['wifi']: for net in NETs['fil'] + NETs['wifi']:
iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int)) iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int))
for net in NETs['wifi']:
iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_wifi))
for net in NETs['adm']: for net in NETs['adm']:
iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm)) iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm))
@ -751,6 +773,8 @@ class firewall_komaz(firewall_crans) :
for net in NETs['fil'] + NETs['wifi']: for net in NETs['fil'] + NETs['wifi']:
iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int)) iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int))
for net in NETs['wifi']:
iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_wifi))
for net in NETs['adm']: for net in NETs['adm']:
iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm)) iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm))
iptables("-P INPUT ACCEPT") iptables("-P INPUT ACCEPT")
@ -768,7 +792,7 @@ class firewall_komaz(firewall_crans) :
iptables("-A FORWARD -i crans -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu") iptables("-A FORWARD -i crans -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext ) iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext ) iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) ) iptables("-A FORWARD -o %s -s ! %s -d ! %s -j FILTRE_P2P" % (self.eth_ext,self.zone_serveur, self.zone_serveur) )
# Appartement ENS # Appartement ENS
iptables("-A FORWARD -i crans.21 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu") iptables("-A FORWARD -i crans.21 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
@ -790,8 +814,9 @@ class firewall_komaz(firewall_crans) :
iptables("-A INGRESS_FILTERING -i ens -j LOG --log-prefix BAD_SRC ") iptables("-A INGRESS_FILTERING -i ens -j LOG --log-prefix BAD_SRC ")
iptables("-A INGRESS_FILTERING -i ens -j DROP") iptables("-A INGRESS_FILTERING -i ens -j DROP")
iptables("-A FORWARD -i %s -d %s -j ADMIN_VLAN" % (self.eth_int, self.vlan_adm) ) iptables("-A FORWARD -i %s -d %s -j ADMIN_VLAN" % (self.eth_int, self.vlan_adm) )
iptables("-A FORWARD -i %s -d %s -j ADMIN_VLAN" % (self.eth_wifi, self.vlan_adm) )
iptables("-A FORWARD -i %s -d %s -j REJECT" % (self.eth_ext, self.vlan_adm) ) iptables("-A FORWARD -i %s -d %s -j REJECT" % (self.eth_ext, self.vlan_adm) )
iptables("-A FORWARD -s ! %s -j TEST_VIRUS_FLOOD" % self.zone_serveur) iptables("-A FORWARD -s ! %s -o %s -j TEST_VIRUS_FLOOD" % (self.zone_serveur,self.eth_ext))
iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) ) iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) )
iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) ) iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) )
iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext ) iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext )
@ -827,6 +852,7 @@ class firewall_komaz(firewall_crans) :
debit_adh = int(conf_fw.debit_max / 1200.) # XXX: guesstimate debit_adh = int(conf_fw.debit_max / 1200.) # XXX: guesstimate
eth_ext = self.eth_ext eth_ext = self.eth_ext
eth_int = self.eth_int eth_int = self.eth_int
eth_wifi = self.eth_wifi
try: try:
for ip in ip_list: for ip in ip_list:
@ -859,7 +885,7 @@ class firewall_komaz(firewall_crans) :
# On cree la classe et la qdisc s'il elles n'existent pas deja # On cree la classe et la qdisc s'il elles n'existent pas deja
qdisc_id = class_id qdisc_id = class_id
try: try:
for interface in [eth_ext, eth_int]: for interface in [eth_ext, eth_int, eth_wifi]:
tc("class add dev %(interface)s " tc("class add dev %(interface)s "
"parent 1:1 classid 1:%(class_id)d htb " "parent 1:1 classid 1:%(class_id)d htb "
"rate %(debit_adh)s ceil %(debit_max)s" % locals()) "rate %(debit_adh)s ceil %(debit_max)s" % locals())
@ -878,6 +904,9 @@ class firewall_komaz(firewall_crans) :
iptables("-t mangle %(iptables_option)s SUBNET-%(subnet)s " iptables("-t mangle %(iptables_option)s SUBNET-%(subnet)s "
"-o %(eth_int)s -d %(ip)s " "-o %(eth_int)s -d %(ip)s "
"-j CLASSIFY --set-class 1:%(class_id)s" % locals()) "-j CLASSIFY --set-class 1:%(class_id)s" % locals())
iptables("-t mangle %(iptables_option)s SUBNET-%(subnet)s "
"-o %(eth_wifi)s -d %(ip)s "
"-j CLASSIFY --set-class 1:%(class_id)s" % locals())
iptables("-t mangle %(iptables_option)s SUBNET-%(subnet)s " iptables("-t mangle %(iptables_option)s SUBNET-%(subnet)s "
"-o %(eth_ext)s -s %(ip)s " "-o %(eth_ext)s -s %(ip)s "
"-j CLASSIFY --set-class 1:%(class_id)s" % locals()) "-j CLASSIFY --set-class 1:%(class_id)s" % locals())
@ -1203,11 +1232,11 @@ class firewall_komaz(firewall_crans) :
iptables("-A TRACKER_FILTER -j LOG_TRACKER") iptables("-A TRACKER_FILTER -j LOG_TRACKER")
#On analyse que les requetes http #On analyse que les requetes http
iptables("-A FILTRE_P2P -i %s -p tcp -m string --algo kmp --string \"GET \" -j TRACKER_FILTER" % self.eth_int) iptables("-A FILTRE_P2P -p tcp -m string --algo kmp --string \"GET \" -j TRACKER_FILTER")
iptables("-A FILTRE_P2P -i %s -p tcp -m string --algo kmp --string \"get \" -j TRACKER_FILTER" % self.eth_int) iptables("-A FILTRE_P2P -p tcp -m string --algo kmp --string \"get \" -j TRACKER_FILTER")
# fait bcp de faux positif, peux servir a detecter de nouveau trackers # fait bcp de faux positif, peux servir a detecter de nouveau trackers
iptables("-A FILTRE_P2P -i %s -p udp -m string --from 0 --to 65 --algo kmp --hex-string \"|4500002c00004000|\" -j LOG --log-level notice --log-prefix \"TRACKER_TORRENT: \"" % self.eth_int) iptables("-A FILTRE_P2P -p udp -m string --from 0 --to 65 --algo kmp --hex-string \"|4500002c00004000|\" -j LOG --log-level notice --log-prefix \"TRACKER_TORRENT: \"")
iptables('-A LOG_TRACKER -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "') iptables('-A LOG_TRACKER -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "')
iptables('-A LOG_TRACKER -j REJECT --reject-with icmp-admin-prohibited') iptables('-A LOG_TRACKER -j REJECT --reject-with icmp-admin-prohibited')