Transformation.

darcs-hash:20041107181225-1d643-3fb5c2dd80944e513ffda446bff951772361cecf.gz
2004-11-07 19:12:25 +01:00 · 2004-11-07 19:12:25 +01:00 · 84e7efabde
commit 84e7efabde
parent 2ca96e32c7
1 changed files with 78 additions and 63 deletions
--- a/gestion/classe_firewall.py
+++ b/gestion/classe_firewall.py
@ -28,6 +28,7 @@ class ErrorArgument(Exception):
    Erreur sur les arguments d'appel du firewall
    """
    pass
 class ErrorIp(Exception):
    """
    User defined exception
@ -35,12 +36,14 @@ class ErrorIp(Exception):
    """
    def __init__(self, ip):
        self.ip=ip
 class ErrorMoreThanOneIp(ErrorIp):
    """
    User defined exception
    Au moins deux utilisateurs ont la même ip
    """
    pass
 class ErrorIptables(Exception):
    """
    User defined exception
@ -101,7 +104,14 @@ class firewall:
    """
    zone_serveur="138.231.136.0/28"
    eth_ext = "eth2"
-    
+    ports_default = { 'tcp_input' : ['22','1024:'],
                     'tcp_output': [':79','81:134','136','140:444','446:'],
 		     'udp_input' : [''],
 		     'udp_output': [':136','140:'] }
    mac_wifi = '00:0c:f1:fa:f1:4b'
    limit = " -m limit --limit 10/s --limit-burst 10 "
    def __init__(self):
 	self.file_log=open("/var/log/fw.log","a")
@ -113,7 +123,8 @@ class firewall:
 	if status:
 	    raise IptablesError(cmd,status,output)
 	self.file_log.write(time.time+": "+cmd)
-	
+	return output
    def __base(self) :
 	""" Construction de PREROUTING et FORWARD"""
 	anim('\t  Construction base firewall')
@ -175,8 +186,6 @@ class firewall:
        Construit le firewall
        Pas d'arguments
        """
        self.komaz()
        self.serveurs()
        self.filtrage_mac()
 	self.create_forward()
        self.blacklist()
@ -193,20 +202,22 @@ class firewall:
 	iptables("iptables -X")
    def add_machines(self,machine):
 	__test_mac_ip_flood(machine)
 	__test_flood(machine)
 	__serveurs_vers_ext__(machine)
 	__ext_vers_serveurs__(machine)
 	__crans_vers_ext__(machine)
 	__ext_vers_crans__(machine)
-	
+
    def __serveurs_vers_ext(self,machine):
 	ip=machine.ip()
 	if AddrInNet(ip,self.zone_serveur):
            for i in machine.portTCPout().split():
-                iptables("-t nat -A PREROUTING -d "+\
+                iptables("-t filter -A SERVEURS_VERS_EXT -d "+\
 		"%s -p tcp --dport %s -j ACCEPT"\
 		%(ip,i))
            for i in machine.portUDPout().split():
-                iptables("-t nat -A PREROUTING -d "+\
+                iptables("-t filter -A SERVEURS_VERS_EXT-d "+\
 		"%s -p udp --dport %s -j ACCEPT"\
 		%(ip,i))
@ -214,18 +225,72 @@ class firewall:
 	ip=machine.ip()
 	if AddrInNet(ip,self.zone_serveur):
            for i in machine.portTCPin().split():
-                iptables("-t nat -A PREROUTING "+\
+                iptables("-t filter -I EXT_VERS_SERVEURS "+\
 		"-s %s -p tcp --dport %s -j ACCEPT"\
 		%(ip,i))
            for i in machine.portUDPin().split():
-                iptables("-t nat -A PREROUTING "+\
+                iptables("-t filter -I EXT_VERS_SERVEURS "+\
 		"-s %s -p udp --dport %s -j ACCEPT"\
 		%(ip,i))
-	
+		
    def __crans_vers_ext__(self,machine):
 	ip=machine.ip()
-	
+	if not AddrInNet(ip,self.zone_serveur):
 	    if machine.portTCPin():
 		for i in machine.portTCPin().split():
 		    iptables("-t filter -I CRANS_VERS_EXT -d "+\
 		    "%s -p tcp --dport %s -j ACCEPT"\
 		    %(ip,i))
 		else:
 		    for i in self.ports_default["tcp_input"]:
 			iptables("-I CRANS_VERS_EXT -p tcp --dport "+\
 			"%s -j ACCEPT"%i)
 	    if machine.portUDPin():
 		for i in machine.portUDPin().split():
 		    iptables("-t filter -I CRANS_VERS_EXT -d "+\
 		    "%s -p udp --dport %s -j ACCEPT"\
 		    %(ip,i))
 		else:
 		    for i in self.ports_default["udp_input"]:
 			iptables("-I CRANS_VERS_EXT -p udp --dport "+\
 			"%s -j ACCEPT"%i)
    def __ext_vers_crans__(self,machine):
 	ip=machine.ip()
 	if not AddrInNet(ip,self.zone_serveur):
 	    if machine.portTCPout():
 		for i in machine.portTCPout().split():
 		    iptables("-t filter -I EXT_VERS_CRANS -d "+\
 		    "%s -p tcp --dport %s -j ACCEPT"\
 		    %(ip,i))
 		else:
 		    for i in self.ports_default["tcp_output"]:
 			iptables("-I EXT_VERS_CRANS -p tcp --dport "+\
 			"%s -j ACCEPT"%i)
 	    if machine.portUDPout():
 		for i in machine.portUDPout().split():
 		    iptables("-t filter -I EXT_VERS_CRANS -d "+\
 		    "%s -p udp --dport %s -j ACCEPT"\
 		    %(ip,i))
 		else:
 		for i in self.ports_default["udp_output"]:
 		    iptables("-I EXT_VERS_CRANS -p udp --dport "+\
 		    "%s -j ACCEPT"%i)
    def __test_mac_ip_flood(machine):
 	ip=machine.ip()
 	mac=machine.mac()
 	if machine.ipsec():
 	    iptables("-t nat -A PREROUTING -s "+\
 	    "%s -m mac --mac-source %s %s -j ACCEPT"%(ip,self.mac_wifi,self.limit))
 	else:
 	    iptables("-t nat -A PREROUTING -s "+\
 	    "%s -m mac --mac-source %s %s -j ACCEPT"%(ip,mac,self.limit))
    def __test_flood(machine):
 	iptables("-t nat -A PREROUTING -j LOG_FLOOD")
    def del_entree(self,ip):
        """
@ -269,12 +334,6 @@ class firewall:
 		iptables("iptables -t nat -D %s  %i"%(chaine,count))
        os.system("rm -f /tmp/firewall")
    def paire_macip(self,ip,mac):
        """
        Crée le filtrage pour une paire mac-ip
        """
        iptables("iptables -t nat -A PREROUTING -s %s -m mac --mac-source %s -j ACCEPT"\
          %(ip,mac))
    def filtrage_mac(self):
        """
@ -332,8 +391,6 @@ class firewall:
        """
        Bloque les adhérents blacklistés
        """
 	iptables("iptables -N DEFAULT_INPUT")
        iptables("iptables -N DEFAULT_OUTPUT")
        db=crans_ldap()
        blacklist=[]
@ -360,8 +417,8 @@ class firewall:
                  (loglevel,logprefix_blacklist))
            iptables("iptables -A BLACKLIST_OUTPUT -s %s -j REJECT"%\
                  instance_machine.ip())
-        iptables("iptables -A BLACKLIST_INPUT -j DEFAULT_INPUT")
+        iptables("iptables -A BLACKLIST_INPUT -j EXT_VERS_CRANS")
-        iptables("iptables -A BLACKLIST_OUTPUT -j DEFAULT_OUTPUT")
+        iptables("iptables -A BLACKLIST_OUTPUT -j CRANS_VERS_EXT")
    def create_adherents(self):
@ -421,46 +478,4 @@ class firewall:
              (loglevel,logprefix_adherents))
        iptables("iptables -A ADHERENTS_OUTPUT -j REJECT")
    def adherent(self,ip):
        """
        Gère complètement l'ajout d'un adhérent dans le firewall
        os.systemer la blacklist
        """
        db=crans_ldap()
        search=db.search('ip='+ip)['machine']
        if len(search)==0:
            raise ErrorNoSuchIp(ip)
        elif len(search)!=1:
            raise ErrorMoreThanOneIp(ip)
        i=0
        wifi=False
        while (i<len(config.NETs['wifi'])):
            if (iptools.AddrInNet(ip,config.NETs['all'][i])):
                iptables("iptables -t nat -I PREROUTING -s %s -m mac --mac-source "%ip+\
                "%s -j ACCEPT"%config.mac_wifi)
                wifi=True
            i=i+1
        if (not wifi):
            iptables("iptables -t nat -I PREROUTING -s %s -m mac --mac-source %s -j ACCEPT"%\
                  (ip,search[0].mac()))
        if search[0].portTCPin()!='':
            ports=search[0].portTCPin()
            for j in ports.split(' '):
                iptables("iptables -I ADHERENTS_INPUT -d %s"%ip+\
                      " -p tcp --dport %s -j ACCEPT"%j)
        if search[0].portTCPout()!='':
            ports=search[0].portTCPout()
            for j in ports.split(' '):
                iptables("iptables -I ADHERENTS_OUTPUT -d %s"%ip+\
                      " -p tcp --dport %s -j ACCEPT"%j)
        if search[0].portUDPin()!='':
            ports=search[0].portUDPin()
            for j in ports.split(' '):
                iptables("iptables -I ADHERENTS_INPUT -d %s"%ip+\
                      " -p udp --dport %s -j ACCEPT"%j)
        if search[0].portUDPout()!='':
            ports=search[0].portUDPout()
            for j in ports.split(' '):
                iptables("iptables -I ADHERENTS_OUTPUT -d %s"%ip+\
                      " -p udp --dport %s -j ACCEPT"%j)