diff --git a/gestion/gen_confs/firewall_komaz.py b/gestion/gen_confs/firewall_komaz.py
index e8bdedb4..b82d52f7 100755
--- a/gestion/gen_confs/firewall_komaz.py
+++ b/gestion/gen_confs/firewall_komaz.py
@@ -104,23 +104,23 @@ class firewall_komaz(firewall_crans) :
         iptables("-t nat -I PREROUTING 3 -s ! %s -j TEST_VIRUS_FLOOD" % self.zone_serveur)
         iptables("-t nat -I PREROUTING 6 -i %s -j ACCEPT" % self.eth_ext )
-        iptables("-t nat -I PREROUTING 6 -s %s -j ACCEPT" % self.zone_serveur )
-        iptables("-t nat -I PREROUTING 6 -d %s -j ACCEPT" % self.zone_serveur )
-        iptables("-t nat -R PREROUTING 5 -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
+        iptables("-t nat -I PREROUTING 6 -s %s -j ACCEPT" % self.zone_serveur )
+        iptables("-t nat -I PREROUTING 6 -d %s -j ACCEPT" % self.zone_serveur )
+        iptables("-t nat -R PREROUTING 5 -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
         print OK
     def filter_table_tweaks(self) :
         self.anim = anim(' règles spécifiques à komaz')
-        for chaine in [ 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT' , 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC', 'BLACKLIST_DST' , 'FILTRE_P2P' ] :
+        for chaine in [ 'ADMIN_VLAN', 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT' , 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC', 'BLACKLIST_DST' , 'FILTRE_P2P' ] :
             iptables('-N %s' % chaine)
         iptables("-A FORWARD -i lo -j ACCEPT")
         iptables("-A FORWARD -p icmp -j ACCEPT")
         iptables("-A FORWARD -i %s -d %s -j REJECT" % (self.eth_ext, self.vlan_adm) )
-        iptables("-A FORWARD -o %s -d %s -j REJECT" % (self.eth_int, self.vlan_adm) )
         iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
         iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
         iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
         iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
+        iptables("-A FORWARD -i %s -d %s -j ADMIN_VLAN" % (self.eth_int, self.vlan_adm) )
         iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) )
         iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) )
         iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext )
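Review bot: The rule that stands in for the removed `-o %s -d %s -j REJECT` (eth_int, vlan_adm) matches on the input interface, `-i %s -d %s -j ADMIN_VLAN`, so the interface direction changed from output to input at the same time as the target; if the admin VLAN is reached through eth_int, the old rule matched the delivering leg and the new one the originating leg, which is worth confirming as intended. The old rule was also the only one rejecting traffic to vlan_adm regardless of where it came from, so traffic toward the admin VLAN arriving on any interface other than eth_ext or eth_int now falls through to the remaining FORWARD rules instead of being rejected. If the intended invariant is that only ADMIN_VLAN decides who reaches the admin VLAN, a catch-all `iptables("-A FORWARD -d %s -j REJECT" % self.vlan_adm)` placed right after the ADMIN_VLAN jump keeps it independent of how many interfaces the host has. The three re-indented PREROUTING lines are whitespace-only, and filter_table_tweaks continues past the end of the hunk.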
@@ -158,6 +158,7 @@ class firewall_komaz(firewall_crans) :
         self.exception_catcher(self.test_virus_flood)
         self.exception_catcher(self.reseaux_non_routables)
         self.exception_catcher(self.blacklist)
+        self.exception_catcher(self.admin_vlan)
         self.exception_catcher(self.serveurs_vers_ext)
         self.exception_catcher(self.ext_vers_serveurs)
         self.exception_catcher(self.crans_vers_ext)
@@ -220,7 +221,19 @@ class firewall_komaz(firewall_crans) :
     def ext_vers_crans(self) :
         """ Reconstruit la chaine EXT_VERS_CRANS """
         self.build_chaine_adherent('EXT_VERS_CRANS',self.__ext_vers_crans)
-
+
+    def admin_vlan(self) :
+        """ Reconstruit la chaine ADMIN_VLAN """
+        iptables("-F ADMIN_VLAN")
+        self.anim = anim(' Chaîne ADMIN_VLAN')
+        for adherent in crans_ldap().search('droits=Nounou')['adherent'] :
+            for machine in adherent.machines() :
+                self.anim.cycle()
+                iptables("-A ADMIN_VLAN -p tcp -s %s --dport ssh -j ACCEPT" % machine.ip() )
+        iptables("-A ADMIN_VLAN -j REJECT")
+        self.anim.reinit()
+        print OK
+
     def __serveurs_vers_ext(self,machine):
         ip=machine.ip()
         if not AddrInNet(ip,self.zone_serveur):
@@ -336,7 +349,7 @@ if __name__ == '__main__' :
     global chaines
     chaines = [ 'log_chaines' , 'test_virus_flood', 'reseaux_non_routables', 'test_mac_ip' , 'blacklist' , 'ext_vers_serveurs' , 'serveurs_vers_ext',
-                'ext_vers_crans', 'crans_vers_ext' , 'filtre_p2p' ]
+                'ext_vers_crans', 'crans_vers_ext' , 'filtre_p2p', 'admin_vlan' ]
     def __usage(txt=None) :
         if txt!=None :
             cprint(txt,'gras')
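Review bot: In admin_vlan the terminal `iptables("-A ADMIN_VLAN -j REJECT")` is only appended after the LDAP loop, so from the `-F ADMIN_VLAN` flush until that point the chain has no terminal rule and a packet jumping into it from FORWARD simply returns and continues down the remaining FORWARD rules; if crans_ldap().search or a machine.ip() call raises mid-loop, the chain stays in that fail-open state until the next rebuild (exception_catcher, from its name, presumably swallows the error rather than aborting). Appending `iptables("-A ADMIN_VLAN -j REJECT")` immediately after the flush and adding each machine rule with `iptables("-I ADMIN_VLAN -p tcp -s %s --dport ssh -j ACCEPT" % machine.ip() )` keeps the chain fail-closed at every step, and the trailing REJECT line can then be dropped. ext_vers_crans just above builds its chain through build_chaine_adherent, so it is worth checking whether this hand-rolled loop duplicates part of that helper. The docstring could also state the policy, e.g. `""" Reconstruit la chaine ADMIN_VLAN : SSH depuis les machines des Nounous, REJECT pour tout le reste """`.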