[firewall_new] Mise en place de la connexion de secours au niveau du pare-feu, de façon similaire aux déconnexions soft.

Ignore-this: f8e92058fc65398b26445105f2f77b80

darcs-hash:20120216180110-3a55a-cd9ac5171a2ccfb60ba5f2a4d67ad4dc4c2aba27.gz
Valentin Samir 2012-02-16 19:01:10 +01:00
parent ccec4ca67e
commit 902ca066cd


@ -495,6 +495,10 @@ class firewall_komaz(firewall_crans) :
# On vide complètement la table
iptables("-t mangle -F")
iptables("-t mangle -X")
#Log de paquets
iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_int)
iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_ext)
# Proxy transparent
iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
@ -509,6 +513,10 @@ class firewall_komaz(firewall_crans) :
(NETs['fil'][0], NETs['wifi'][0]))
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
#connection de secours
iptables("-t mangle -A PREROUTING -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 80 -m condition --condition secours -j MARK --set-mark %s" % (conf_fw.mark['secours']))
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours'])
# Parametres pour iptables/tc
mark = conf_fw.mark['bittorrent']
@ -663,6 +671,10 @@ class firewall_komaz(firewall_crans) :
# Proxy transparent
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
"-j DNAT --to-destination 10.231.136.9:3128")
#Connection de secours
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['secours'] +
"-j DNAT --to-destination 10.231.136.9:3128")
print OK
def filter_table(self) :
@ -683,6 +695,12 @@ class firewall_komaz(firewall_crans) :
iptables("-A FORWARD -j RESEAUX_NON_ROUTABLES_DST")
iptables("-A FORWARD -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
# Proxy transparent, pour les deconnexion soft
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
#Connection de secours
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours'])
iptables("-P FORWARD ACCEPT")
@ -726,11 +744,6 @@ class firewall_komaz(firewall_crans) :
iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext )
iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext )
# Proxy transparent, pour les deconnexion soft
iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
iptables('-I FORWARD -o %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_ext)
iptables('-I FORWARD -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_ext)
print OK
@ -1077,7 +1090,8 @@ class firewall_komaz(firewall_crans) :
iptables("-A BLACKLIST_DST -d %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
iptables("-A BLACKLIST_SRC -s %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
self.anim.reinit()
self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist))
print OK
self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist_soft))
for machine in blacklist_soft:
self.anim.cycle()
iptables("-t mangle -I BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
@ -1335,7 +1349,7 @@ class firewall_sable(firewall_rouge):
def mangle_table(self):
iptables("-t mangle -F PREROUTING")
# Pour le proxy transparent
# Pour le transparent
iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
"--destination 10.231.136.9 " +
"-m mac --mac-source %s " % mac_komaz +