From 84e7efabdea5960138ff6d5cf4b2f76ba85e1ce8 Mon Sep 17 00:00:00 2001 From: sabban Date: Sun, 7 Nov 2004 19:12:25 +0100 Subject: [PATCH] Transformation. darcs-hash:20041107181225-1d643-3fb5c2dd80944e513ffda446bff951772361cecf.gz --- gestion/classe_firewall.py | 141 ++++++++++++++++++++----------------- 1 file changed, 78 insertions(+), 63 deletions(-) diff --git a/gestion/classe_firewall.py b/gestion/classe_firewall.py index 687e32e6..8a18b767 100755 --- a/gestion/classe_firewall.py +++ b/gestion/classe_firewall.py @@ -28,6 +28,7 @@ class ErrorArgument(Exception): Erreur sur les arguments d'appel du firewall """ pass + class ErrorIp(Exception): """ User defined exception @@ -35,12 +36,14 @@ class ErrorIp(Exception): """ def __init__(self, ip): self.ip=ip + class ErrorMoreThanOneIp(ErrorIp): """ User defined exception Au moins deux utilisateurs ont la même ip """ pass + class ErrorIptables(Exception): """ User defined exception @@ -101,7 +104,14 @@ class firewall: """ zone_serveur="138.231.136.0/28" eth_ext = "eth2" - + ports_default = { 'tcp_input' : ['22','1024:'], + 'tcp_output': [':79','81:134','136','140:444','446:'], + 'udp_input' : [''], + 'udp_output': [':136','140:'] } + mac_wifi = '00:0c:f1:fa:f1:4b' + limit = " -m limit --limit 10/s --limit-burst 10 " + + def __init__(self): self.file_log=open("/var/log/fw.log","a") @@ -113,7 +123,8 @@ class firewall: if status: raise IptablesError(cmd,status,output) self.file_log.write(time.time+": "+cmd) - + return output + def __base(self) : """ Construction de PREROUTING et FORWARD""" anim('\t Construction base firewall') @@ -175,8 +186,6 @@ class firewall: Construit le firewall Pas d'arguments """ - self.komaz() - self.serveurs() self.filtrage_mac() self.create_forward() self.blacklist() 
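Review bot: `'udp_input' : ['']` in `ports_default` is an empty port specification, and the fallback loop that consumes it (in `__crans_vers_ext__`, later in this patch) formats it into `-p udp --dport  -j ACCEPT`, a rule iptables rejects; since the helper raises on a non-zero status, the first member machine without a UDP input list aborts the whole rebuild. If the intent is "no inbound UDP by default", make it an empty list, `'udp_input' : []`, so the loop emits nothing. `'tcp_input' : ['22','1024:']` opens every unprivileged port inbound by default, which deserves a comment stating that it is deliberate, e.g. `# default inbound policy for members: ssh plus all unprivileged ports`, so it is not mistaken for a placeholder. The `firewall` class header is above this hunk.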
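Review bot: The added `return output` is unreachable if `time` is the standard module: the context line just before it, `self.file_log.write(time.time+": "+cmd)`, concatenates the function object `time.time` with a string and raises TypeError on every call. It should call the function and terminate the record, `self.file_log.write("%s: %s\n" % (time.time(), cmd))`. The same helper raises `IptablesError` while the exception class defined earlier in this patch is `ErrorIptables`; one of the two names has to change, otherwise a failing iptables command surfaces as a NameError rather than the intended exception. The helper's signature is above the hunk, so I can't see how `cmd` is executed.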
@@ -193,20 +202,22 @@ class firewall: iptables("iptables -X") def add_machines(self,machine): + __test_mac_ip_flood(machine) + __test_flood(machine) __serveurs_vers_ext__(machine) __ext_vers_serveurs__(machine) __crans_vers_ext__(machine) __ext_vers_crans__(machine) - + def __serveurs_vers_ext(self,machine): ip=machine.ip() if AddrInNet(ip,self.zone_serveur): for i in machine.portTCPout().split(): - iptables("-t nat -A PREROUTING -d "+\ + iptables("-t filter -A SERVEURS_VERS_EXT -d "+\ "%s -p tcp --dport %s -j ACCEPT"\ %(ip,i)) for i in machine.portUDPout().split(): - iptables("-t nat -A PREROUTING -d "+\ + iptables("-t filter -A SERVEURS_VERS_EXT-d "+\ "%s -p udp --dport %s -j ACCEPT"\ %(ip,i)) 
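Review bot: The rewritten UDP rule in `__serveurs_vers_ext` is missing the space before `-d`: `"-t filter -A SERVEURS_VERS_EXT-d "+\` yields the token `SERVEURS_VERS_EXT-d`, which iptables rejects as an unknown chain, so it should read `"-t filter -A SERVEURS_VERS_EXT -d "+\`. In `add_machines`, the new calls `__test_mac_ip_flood(machine)` and `__test_flood(machine)` are unqualified; inside the class body Python mangles them to `_firewall__test_mac_ip_flood` / `_firewall__test_flood` and looks them up as globals, which raises NameError, so they need the `self.` prefix (the pre-existing `__serveurs_vers_ext__(machine)` calls have the same problem and also carry trailing underscores that the defined method `__serveurs_vers_ext` does not). Also, every other `iptables(...)` call visible in this file passes a command that starts with `iptables `, whereas the rewritten rules start with `-t filter`; if the helper runs the string as given, only one of the two forms can work, so it is worth confirming which one it expects.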
@@ -214,18 +225,72 @@ class firewall: ip=machine.ip() if AddrInNet(ip,self.zone_serveur): for i in machine.portTCPin().split(): - iptables("-t nat -A PREROUTING "+\ + iptables("-t filter -I EXT_VERS_SERVEURS "+\ "-s %s -p tcp --dport %s -j ACCEPT"\ %(ip,i)) for i in machine.portUDPin().split(): - iptables("-t nat -A PREROUTING "+\ + iptables("-t filter -I EXT_VERS_SERVEURS "+\ "-s %s -p udp --dport %s -j ACCEPT"\ %(ip,i)) - + def __crans_vers_ext__(self,machine): ip=machine.ip() - + if not AddrInNet(ip,self.zone_serveur): + if machine.portTCPin(): + for i in machine.portTCPin().split(): + iptables("-t filter -I CRANS_VERS_EXT -d "+\ + "%s -p tcp --dport %s -j ACCEPT"\ + %(ip,i)) + else: + for i in self.ports_default["tcp_input"]: + iptables("-I CRANS_VERS_EXT -p tcp --dport "+\ + "%s -j ACCEPT"%i) + if machine.portUDPin(): + for i in machine.portUDPin().split(): + iptables("-t filter -I CRANS_VERS_EXT -d "+\ + "%s -p udp --dport %s -j ACCEPT"\ + %(ip,i)) + else: + for i in self.ports_default["udp_input"]: + iptables("-I CRANS_VERS_EXT -p udp --dport "+\ + "%s -j ACCEPT"%i) + def __ext_vers_crans__(self,machine): + ip=machine.ip() + if not AddrInNet(ip,self.zone_serveur): + if machine.portTCPout(): + for i in machine.portTCPout().split(): + iptables("-t filter -I EXT_VERS_CRANS -d "+\ + "%s -p tcp --dport %s -j ACCEPT"\ + %(ip,i)) + else: + for i in self.ports_default["tcp_output"]: + iptables("-I EXT_VERS_CRANS -p tcp --dport "+\ + "%s -j ACCEPT"%i) + if machine.portUDPout(): + for i in machine.portUDPout().split(): + iptables("-t filter -I EXT_VERS_CRANS -d "+\ + "%s -p udp --dport %s -j ACCEPT"\ + %(ip,i)) + else: + for i in self.ports_default["udp_output"]: + iptables("-I EXT_VERS_CRANS -p udp --dport "+\ + "%s -j ACCEPT"%i) + + + def __test_mac_ip_flood(machine): + ip=machine.ip() + mac=machine.mac() + if machine.ipsec(): + iptables("-t nat -A PREROUTING -s "+\ + "%s -m mac --mac-source %s %s -j ACCEPT"%(ip,self.mac_wifi,self.limit)) + else: + iptables("-t nat 
-A PREROUTING -s "+\ + "%s -m mac --mac-source %s %s -j ACCEPT"%(ip,mac,self.limit)) + + + def __test_flood(machine): + iptables("-t nat -A PREROUTING -j LOG_FLOOD") def del_entree(self,ip): """ @@ -269,12 +334,6 @@ class firewall: iptables("iptables -t nat -D %s %i"%(chaine,count)) os.system("rm -f /tmp/firewall") - def paire_macip(self,ip,mac): - """ - Crée le filtrage pour une paire mac-ip - """ - iptables("iptables -t nat -A PREROUTING -s %s -m mac --mac-source %s -j ACCEPT"\ - %(ip,mac)) def filtrage_mac(self): """ @@ -332,8 +391,6 @@ class firewall: """ Bloque les adhérents blacklistés """ - iptables("iptables -N DEFAULT_INPUT") - iptables("iptables -N DEFAULT_OUTPUT") db=crans_ldap() blacklist=[] @@ -360,8 +417,8 @@ class firewall: (loglevel,logprefix_blacklist)) iptables("iptables -A BLACKLIST_OUTPUT -s %s -j REJECT"%\ instance_machine.ip()) - iptables("iptables -A BLACKLIST_INPUT -j DEFAULT_INPUT") - iptables("iptables -A BLACKLIST_OUTPUT -j DEFAULT_OUTPUT") + iptables("iptables -A BLACKLIST_INPUT -j EXT_VERS_CRANS") + iptables("iptables -A BLACKLIST_OUTPUT -j CRANS_VERS_EXT") def create_adherents(self): @@ -421,46 +478,4 @@ class firewall: (loglevel,logprefix_adherents)) iptables("iptables -A ADHERENTS_OUTPUT -j REJECT") - def adherent(self,ip): - """ - Gère complètement l'ajout d'un adhérent dans le firewall - os.systemer la blacklist - """ - db=crans_ldap() - search=db.search('ip='+ip)['machine'] - if len(search)==0: - raise ErrorNoSuchIp(ip) - elif len(search)!=1: - raise ErrorMoreThanOneIp(ip) - i=0 - wifi=False - while (i
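Review bot: The default-port branches in `__crans_vers_ext__` and `__ext_vers_crans__` drop the `-d %s` selector, so a member machine without an explicit port list inserts rules that accept those ports for every destination on the network, and because `-I` is used they are re-inserted at the top of the chain once per such machine, ahead of the per-host rules meant to restrict hosts that do have explicit lists; unless a network-wide default is intended (which the per-machine structure argues against) the defaults should be scoped to `ip` like the explicit branch. The two helpers added at the end, `def __test_mac_ip_flood(machine):` and `def __test_flood(machine):`, read `self.mac_wifi`/`self.limit` yet take no `self`, so they raise NameError when invoked as methods and need `self` as first parameter; `__test_flood` also appends the same `-j LOG_FLOOD` rule to PREROUTING once per machine, which looks like it belongs in a one-time base setup. One caveat to confirm: rules in the nat table's PREROUTING are consulted only for the first packet of a connection, so `-m limit` there rate-limits new connections rather than packets, and a packet over the limit simply falls through to whatever follows in the chain. Below is how I would restructure the per-host branch so defaults stay host-scoped and the empty `''` entry of `udp_input` no longer produces an empty `--dport`; `__ext_vers_crans__` gets the same shape with the "out" accessors, the `*_output` defaults and chain `EXT_VERS_CRANS`.
```python
    def __crans_vers_ext__(self,machine):
        ip=machine.ip()
        if AddrInNet(ip,self.zone_serveur):
            return
        # class defaults apply only when the machine has no list of its own;
        # empty entries are skipped so no rule is emitted with an empty --dport
        tcp_ports = (machine.portTCPin() or "").split() or self.ports_default["tcp_input"]
        udp_ports = (machine.portUDPin() or "").split() or self.ports_default["udp_input"]
        for i in tcp_ports:
            if i:
                iptables("-t filter -I CRANS_VERS_EXT -d %s -p tcp --dport %s -j ACCEPT"%(ip,i))
        for i in udp_ports:
            if i:
                iptables("-t filter -I CRANS_VERS_EXT -d %s -p udp --dport %s -j ACCEPT"%(ip,i))
    # … unchanged: __ext_vers_crans__ (same shape), __test_mac_ip_flood, __test_flood …
```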
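Review bot: `BLACKLIST_INPUT`/`BLACKLIST_OUTPUT` now jump to `EXT_VERS_CRANS` and `CRANS_VERS_EXT`, and the other rules in this patch target `SERVEURS_VERS_EXT`, `EXT_VERS_SERVEURS` and `LOG_FLOOD`, but the patch removes the only chain creations visible (`iptables -N DEFAULT_INPUT` / `DEFAULT_OUTPUT`) and adds none for the new names; unless they are created elsewhere (for instance in `__base`, which lies outside these hunks), `-A BLACKLIST_INPUT -j EXT_VERS_CRANS` fails with "No chain/target/match by that name" and the helper aborts the build. If they are created elsewhere, a one-line comment here, `# EXT_VERS_CRANS / CRANS_VERS_EXT are created in __base()`, would save the next reader the search. The enclosing `blacklist` method starts outside the hunk.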