crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[firewall] on arrête de leaker de la merde

Browse source 
darcs-hash:20100224211415-61eff-1cf1ef2abc3a2520ef044b491a382532bd0fc7c6.gz
This commit is contained in:
Stephane Glondu 2010-02-24 22:14:15 +01:00
parent 73b2a5c82f
commit 8b61ad1b11
1 changed files with 7 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

10
gestion/gen_confs/firewall.py
View file

@ -459,6 +459,7 @@ class firewall_komaz(firewall_crans) :
EXT_VERS_SERVEURS et SERVEURS_VERS_EXT
ACCEPT pour bon mac-ip-port
REJECT pour le reste
INGRESS_FILTERING : ne laisse sortir que les paquets dont l'adresse IP source appartient au crans
"""
# interfaces physiques
@ -499,8 +500,6 @@ class firewall_komaz(firewall_crans) :
self.anim = anim('\tFiltrage ip non routables',len(self.liste_reseaux_non_routables))
iptables("-t nat -A RESEAUX_NON_ROUTABLES_DST -d 10.231.136.0/24 -j RETURN")
iptables("-t nat -A RESEAUX_NON_ROUTABLES_SRC -d 10.231.136.0/24 -j RETURN")
iptables("-t nat -A RESEAUX_NON_ROUTABLES_DST -i crans -s 78.251.0.0/16 -j LOG --log-prefix BAD_ROUTE ")
iptables("-t nat -A RESEAUX_NON_ROUTABLES_DST -i crans -s 78.251.0.0/16 -j DROP")
for reseau in self.liste_reseaux_non_routables :
iptables("-t nat -A RESEAUX_NON_ROUTABLES_DST -d %s -j DROP" % reseau)
iptables("-t nat -A RESEAUX_NON_ROUTABLES_SRC -s %s -j DROP" % reseau)
@ -665,9 +664,14 @@ class firewall_komaz(firewall_crans) :
def filter_table_tweaks(self) :
self.anim = anim('\tRègles spécifiques à komaz')
for chaine in [ 'ADMIN_VLAN', 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT' , 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC', 'BLACKLIST_DST' , 'FILTRE_P2P' ] :
for chaine in [ 'ADMIN_VLAN', 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT' , 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC', 'BLACKLIST_DST' , 'FILTRE_P2P', 'INGRESS_FILTERING' ] :
iptables('-N %s' % chaine)
iptables("-A FORWARD -i lo -j ACCEPT")
iptables("-A FORWARD -o ens -j INGRESS_FILTERING")
for net in NETs['all']:
iptables("-A INGRESS_FILTERING -s %s -j RETURN" % net)
iptables("-A INGRESS_FILTERING -j LOG --log-prefix BAD_ROUTE ")
iptables("-A INGRESS_FILTERING -j DROP")
iptables("-A FORWARD -i %s -d %s -j ADMIN_VLAN" % (self.eth_int, self.vlan_adm) )
iptables("-A FORWARD -p icmp -j ACCEPT")
iptables("-A FORWARD -i %s -d %s -j REJECT" % (self.eth_ext, self.vlan_adm) )