Transformation.

darcs-hash:20041107181225-1d643-3fb5c2dd80944e513ffda446bff951772361cecf.gz
2004-11-07 19:12:25 +01:00 · 2004-11-07 19:12:25 +01:00 · 84e7efabde
commit 84e7efabde
parent 2ca96e32c7
1 changed files with 78 additions and 63 deletions
--- a/gestion/classe_firewall.py
+++ b/gestion/classe_firewall.py
@ -28,6 +28,7 @@ class ErrorArgument(Exception):
    Erreur sur les arguments d'appel du firewall
    """
    pass
+
 class ErrorIp(Exception):
    """
    User defined exception
@ -35,12 +36,14 @@ class ErrorIp(Exception):
    """
    def __init__(self, ip):
        self.ip=ip
+
 class ErrorMoreThanOneIp(ErrorIp):
    """
    User defined exception
    Au moins deux utilisateurs ont la même ip
    """
    pass
+
 class ErrorIptables(Exception):
    """
    User defined exception
@ -101,6 +104,13 @@ class firewall:
    """
    zone_serveur="138.231.136.0/28"
    eth_ext = "eth2"
+    ports_default = { 'tcp_input' : ['22','1024:'],
+                     'tcp_output': [':79','81:134','136','140:444','446:'],
+		     'udp_input' : [''],
+		     'udp_output': [':136','140:'] }
+    mac_wifi = '00:0c:f1:fa:f1:4b'
+    limit = " -m limit --limit 10/s --limit-burst 10 "
+						   
 						   
    def __init__(self):
 	self.file_log=open("/var/log/fw.log","a")
@ -113,6 +123,7 @@ class firewall:
 	if status:
 	    raise IptablesError(cmd,status,output)
 	self.file_log.write(time.time+": "+cmd)
+	return output
    
    def __base(self) :
 	""" Construction de PREROUTING et FORWARD"""
@ -175,8 +186,6 @@ class firewall:
        Construit le firewall
        Pas d'arguments
        """
-        self.komaz()
-        self.serveurs()
        self.filtrage_mac()
 	self.create_forward()
        self.blacklist()
@ -193,6 +202,8 @@ class firewall:
 	iptables("iptables -X")

    def add_machines(self,machine):
+	__test_mac_ip_flood(machine)
+	__test_flood(machine)
 	__serveurs_vers_ext__(machine)
 	__ext_vers_serveurs__(machine)
 	__crans_vers_ext__(machine)
@ -202,11 +213,11 @@ class firewall:
 	ip=machine.ip()
 	if AddrInNet(ip,self.zone_serveur):
            for i in machine.portTCPout().split():
-                iptables("-t nat -A PREROUTING -d "+\
+                iptables("-t filter -A SERVEURS_VERS_EXT -d "+\
 		"%s -p tcp --dport %s -j ACCEPT"\
 		%(ip,i))
            for i in machine.portUDPout().split():
-                iptables("-t nat -A PREROUTING -d "+\
+                iptables("-t filter -A SERVEURS_VERS_EXT-d "+\
 		"%s -p udp --dport %s -j ACCEPT"\
 		%(ip,i))

@ -214,18 +225,72 @@ class firewall:
 	ip=machine.ip()
 	if AddrInNet(ip,self.zone_serveur):
            for i in machine.portTCPin().split():
-                iptables("-t nat -A PREROUTING "+\
+                iptables("-t filter -I EXT_VERS_SERVEURS "+\
 		"-s %s -p tcp --dport %s -j ACCEPT"\
 		%(ip,i))
            for i in machine.portUDPin().split():
-                iptables("-t nat -A PREROUTING "+\
+                iptables("-t filter -I EXT_VERS_SERVEURS "+\
 		"-s %s -p udp --dport %s -j ACCEPT"\
 		%(ip,i))
 		
    def __crans_vers_ext__(self,machine):
 	ip=machine.ip()
+	if not AddrInNet(ip,self.zone_serveur):
+	    if machine.portTCPin():
+		for i in machine.portTCPin().split():
+		    iptables("-t filter -I CRANS_VERS_EXT -d "+\
+		    "%s -p tcp --dport %s -j ACCEPT"\
+		    %(ip,i))
+		else:
+		    for i in self.ports_default["tcp_input"]:
+			iptables("-I CRANS_VERS_EXT -p tcp --dport "+\
+			"%s -j ACCEPT"%i)
+	    if machine.portUDPin():
+		for i in machine.portUDPin().split():
+		    iptables("-t filter -I CRANS_VERS_EXT -d "+\
+		    "%s -p udp --dport %s -j ACCEPT"\
+		    %(ip,i))
+		else:
+		    for i in self.ports_default["udp_input"]:
+			iptables("-I CRANS_VERS_EXT -p udp --dport "+\
+			"%s -j ACCEPT"%i)
 												       
    def __ext_vers_crans__(self,machine):
+	ip=machine.ip()
+	if not AddrInNet(ip,self.zone_serveur):
+	    if machine.portTCPout():
+		for i in machine.portTCPout().split():
+		    iptables("-t filter -I EXT_VERS_CRANS -d "+\
+		    "%s -p tcp --dport %s -j ACCEPT"\
+		    %(ip,i))
+		else:
+		    for i in self.ports_default["tcp_output"]:
+			iptables("-I EXT_VERS_CRANS -p tcp --dport "+\
+			"%s -j ACCEPT"%i)
+	    if machine.portUDPout():
+		for i in machine.portUDPout().split():
+		    iptables("-t filter -I EXT_VERS_CRANS -d "+\
+		    "%s -p udp --dport %s -j ACCEPT"\
+		    %(ip,i))
+		else:
+		for i in self.ports_default["udp_output"]:
+		    iptables("-I EXT_VERS_CRANS -p udp --dport "+\
+		    "%s -j ACCEPT"%i)
+
+
+    def __test_mac_ip_flood(machine):
+	ip=machine.ip()
+	mac=machine.mac()
+	if machine.ipsec():
+	    iptables("-t nat -A PREROUTING -s "+\
+	    "%s -m mac --mac-source %s %s -j ACCEPT"%(ip,self.mac_wifi,self.limit))
+	else:
+	    iptables("-t nat -A PREROUTING -s "+\
+	    "%s -m mac --mac-source %s %s -j ACCEPT"%(ip,mac,self.limit))
+
+
+    def __test_flood(machine):
+	iptables("-t nat -A PREROUTING -j LOG_FLOOD")
 	
    def del_entree(self,ip):
        """
@ -269,12 +334,6 @@ class firewall:
 		iptables("iptables -t nat -D %s  %i"%(chaine,count))
        os.system("rm -f /tmp/firewall")
                  
-    def paire_macip(self,ip,mac):
-        """
-        Crée le filtrage pour une paire mac-ip
-        """
-        iptables("iptables -t nat -A PREROUTING -s %s -m mac --mac-source %s -j ACCEPT"\
-          %(ip,mac))

    def filtrage_mac(self):
        """
@ -332,8 +391,6 @@ class firewall:
        """
        Bloque les adhérents blacklistés
        """
-	iptables("iptables -N DEFAULT_INPUT")
-        iptables("iptables -N DEFAULT_OUTPUT")

        db=crans_ldap()
        blacklist=[]
@ -360,8 +417,8 @@ class firewall:
                  (loglevel,logprefix_blacklist))
            iptables("iptables -A BLACKLIST_OUTPUT -s %s -j REJECT"%\
                  instance_machine.ip())
-        iptables("iptables -A BLACKLIST_INPUT -j DEFAULT_INPUT")
-        iptables("iptables -A BLACKLIST_OUTPUT -j DEFAULT_OUTPUT")
+        iptables("iptables -A BLACKLIST_INPUT -j EXT_VERS_CRANS")
+        iptables("iptables -A BLACKLIST_OUTPUT -j CRANS_VERS_EXT")


    def create_adherents(self):
@ -421,46 +478,4 @@ class firewall:
              (loglevel,logprefix_adherents))
        iptables("iptables -A ADHERENTS_OUTPUT -j REJECT")

-    def adherent(self,ip):
-        """
-        Gère complètement l'ajout d'un adhérent dans le firewall
-        os.systemer la blacklist
-        """
-        db=crans_ldap()
-        search=db.search('ip='+ip)['machine']
-        if len(search)==0:
-            raise ErrorNoSuchIp(ip)
-        elif len(search)!=1:
-            raise ErrorMoreThanOneIp(ip)
-        i=0
-        wifi=False
-        while (i<len(config.NETs['wifi'])):
-            if (iptools.AddrInNet(ip,config.NETs['all'][i])):
-                iptables("iptables -t nat -I PREROUTING -s %s -m mac --mac-source "%ip+\
-                "%s -j ACCEPT"%config.mac_wifi)
-                wifi=True
-            i=i+1
-        if (not wifi):
-            iptables("iptables -t nat -I PREROUTING -s %s -m mac --mac-source %s -j ACCEPT"%\
-                  (ip,search[0].mac()))
-        if search[0].portTCPin()!='':
-            ports=search[0].portTCPin()
-            for j in ports.split(' '):
-                iptables("iptables -I ADHERENTS_INPUT -d %s"%ip+\
-                      " -p tcp --dport %s -j ACCEPT"%j)
-        if search[0].portTCPout()!='':
-            ports=search[0].portTCPout()
-            for j in ports.split(' '):
-                iptables("iptables -I ADHERENTS_OUTPUT -d %s"%ip+\
-                      " -p tcp --dport %s -j ACCEPT"%j)
-        if search[0].portUDPin()!='':
-            ports=search[0].portUDPin()
-            for j in ports.split(' '):
-                iptables("iptables -I ADHERENTS_INPUT -d %s"%ip+\
-                      " -p udp --dport %s -j ACCEPT"%j)
-        if search[0].portUDPout()!='':
-            ports=search[0].portUDPout()
-            for j in ports.split(' '):
-                iptables("iptables -I ADHERENTS_OUTPUT -d %s"%ip+\
-                      " -p udp --dport %s -j ACCEPT"%j)