diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index 03d7a218..175590bb 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@@ -495,6 +495,10 @@ class firewall_komaz(firewall_crans) :
 # On vide complètement la table
 iptables("-t mangle -F")
 iptables("-t mangle -X")
+
+ #Log de paquets
+ iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_int)
+ iptables('-t mangle -A PREROUTING -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_ext)
 # Proxy transparent
 iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
@@ -509,6 +513,10 @@ class firewall_komaz(firewall_crans) :
 (NETs['fil'][0], NETs['wifi'][0]))
 iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
+
+ #connection de secours
+ iptables("-t mangle -A PREROUTING -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 80 -m condition --condition secours -j MARK --set-mark %s" % (conf_fw.mark['secours']))
+ iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours'])
 # Parametres pour iptables/tc
 mark = conf_fw.mark['bittorrent']
@@ -663,6 +671,10 @@ class firewall_komaz(firewall_crans) :
 # Proxy transparent
 iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
 "-j DNAT --to-destination 10.231.136.9:3128")
+
+ #Connection de secours
+ iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['secours'] +
+ "-j DNAT --to-destination 10.231.136.9:3128")
 print OK
 def filter_table(self) :
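Review bot: The two LOG rules added at the head of the mangle PREROUTING chain fire for every NEW-state packet on both interfaces with no rate limit, so a connection burst or a scan from either side fills the kernel log and can crowd out other events; a limit match on both lines, e.g. `... -m state --state NEW -m limit --limit 10/s --limit-burst 50 -j LOG --log-prefix "LOG_ALL "` (values to tune), keeps the volume bounded. PREROUTING also sees packets addressed to the firewall itself, which is wider than the FORWARD-chain LOG rules this commit removes further down; if only forwarded connections were meant to be logged, state that in the `#Log de paquets` comment or keep the `-i`/`-o` pair in FORWARD. The enclosing method starts before this hunk.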
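Review bot: The `-s 138.231.136.0/16 ! -d 138.231.136.0/16` selectors in the new secours rule carry host bits under a /16 mask; iptables masks the address, so the rule effectively matches 138.231.0.0/16, which is either broader than intended or a typo for a longer prefix. The proxy rule two lines above takes its networks from `NETs['fil'][0]` and `NETs['wifi'][0]`; the secours rule should draw on the same table (or a named constant) rather than a literal so the two cannot drift apart. Only TCP port 80 is marked, presumably deliberate for an emergency HTTP path; the `#connection de secours` comment should say so, and that the rule is inert until the `secours` condition is switched on. The enclosing method starts before and ends after this hunk.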
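Review bot: The DNAT target `10.231.136.9:3128` is now written twice in this method (proxy and secours rules) and the same proxy address and port recur as literals in firewall_sable's mangle_table below; a single module-level constant, e.g. `PROXY_DNAT = "10.231.136.9:3128"` used as `"-j DNAT --to-destination %s" % PROXY_DNAT`, keeps the copies from diverging. The `#Connection de secours` comment could also note that this nat rule matches on the mark alone and relies on the mangle rule to set it only for LAN-originated TCP/80. The enclosing method starts before this hunk.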
@@ -683,6 +695,12 @@ class firewall_komaz(firewall_crans) :
 iptables("-A FORWARD -j RESEAUX_NON_ROUTABLES_DST")
 iptables("-A FORWARD -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
+
+ # Proxy transparent, pour les deconnexion soft
+ iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
+
+ #Connection de secours
+ iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours'])
 iptables("-P FORWARD ACCEPT")
@@ -726,11 +744,6 @@ class firewall_komaz(firewall_crans) :
 iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext )
 iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext )
- # Proxy transparent, pour les deconnexion soft
- iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
-
- iptables('-I FORWARD -o %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_ext)
- iptables('-I FORWARD -i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % self.eth_ext)
 print OK
@@ -1077,7 +1090,8 @@ class firewall_komaz(firewall_crans) :
 iptables("-A BLACKLIST_DST -d %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
 iptables("-A BLACKLIST_SRC -s %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
 self.anim.reinit()
- self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist))
+ print OK
+ self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist_soft))
 for machine in blacklist_soft:
 self.anim.cycle()
 iptables("-t mangle -I BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
@@ -1335,7 +1349,7 @@ class firewall_sable(firewall_rouge):
 def mangle_table(self):
 iptables("-t mangle -F PREROUTING")
- # Pour le proxy transparent
+ # Pour le transparent
 iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
 "--destination 10.231.136.9 " +
 "-m mac --mac-source %s " % mac_komaz +
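Review bot: Both new ACCEPT rules match on the mark alone, so any forwarded packet carrying the proxy or secours mark skips every rule appended to FORWARD after this point, including the EXT_VERS_CRANS/CRANS_VERS_EXT dispatch in the next hunk; the removed `-I` rule had the same effect, but the appended placement makes the bypass easy to miss. A comment on the first added line such as `# marked packets (proxy/secours) bypass the rest of FORWARD, incl. EXT_VERS_CRANS/CRANS_VERS_EXT` would make that explicit. Since the secours mark is only set in mangle for traffic entering from the internal network, restricting these ACCEPTs with `-i %s` on self.eth_int may be worth considering, provided the reply path does not rely on the mark — verify before changing. The enclosing method starts before and ends after this hunk.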