Les nounous pourront accéder en ssh au vlan adm, de leurs machines, en

passant par komaz. La route n'existe pas encore, mais ça au moins c'est fait.
+ un peu de detabification.

darcs-hash:20050520085111-f163d-0cdfd4b6c53edfb7456f11f349bc36ac9a16e70e.gz
This commit is contained in:
segaud 2005-05-20 10:51:11 +02:00
parent fc6003e7ae
commit 9097e11abb


@ -104,23 +104,23 @@ class firewall_komaz(firewall_crans) :
iptables("-t nat -I PREROUTING 3 -s ! %s -j TEST_VIRUS_FLOOD" % self.zone_serveur)
iptables("-t nat -I PREROUTING 6 -i %s -j ACCEPT" % self.eth_ext )
iptables("-t nat -I PREROUTING 6 -s %s -j ACCEPT" % self.zone_serveur )
iptables("-t nat -I PREROUTING 6 -d %s -j ACCEPT" % self.zone_serveur )
iptables("-t nat -R PREROUTING 5 -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
iptables("-t nat -I PREROUTING 6 -s %s -j ACCEPT" % self.zone_serveur )
iptables("-t nat -I PREROUTING 6 -d %s -j ACCEPT" % self.zone_serveur )
iptables("-t nat -R PREROUTING 5 -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
print OK
def filter_table_tweaks(self) :
self.anim = anim(' règles spécifiques à komaz')
for chaine in [ 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT' , 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC', 'BLACKLIST_DST' , 'FILTRE_P2P' ] :
for chaine in [ 'ADMIN_VLAN', 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT' , 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC', 'BLACKLIST_DST' , 'FILTRE_P2P' ] :
iptables('-N %s' % chaine)
iptables("-A FORWARD -i lo -j ACCEPT")
iptables("-A FORWARD -p icmp -j ACCEPT")
iptables("-A FORWARD -i %s -d %s -j REJECT" % (self.eth_ext, self.vlan_adm) )
iptables("-A FORWARD -o %s -d %s -j REJECT" % (self.eth_int, self.vlan_adm) )
iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
iptables("-A FORWARD -i %s -d %s -j ADMIN_VLAN" % (self.eth_int, self.vlan_adm) )
iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) )
iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) )
iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext )
@ -158,6 +158,7 @@ class firewall_komaz(firewall_crans) :
self.exception_catcher(self.test_virus_flood)
self.exception_catcher(self.reseaux_non_routables)
self.exception_catcher(self.blacklist)
self.exception_catcher(self.admin_vlan)
self.exception_catcher(self.serveurs_vers_ext)
self.exception_catcher(self.ext_vers_serveurs)
self.exception_catcher(self.crans_vers_ext)
@ -221,6 +222,18 @@ class firewall_komaz(firewall_crans) :
""" Reconstruit la chaine EXT_VERS_CRANS """
self.build_chaine_adherent('EXT_VERS_CRANS',self.__ext_vers_crans)
def admin_vlan(self) :
""" Reconstruit la chaine ADMIN_VLAN """
iptables("-F ADMIN_VLAN")
self.anim = anim(' Chaîne ADMIN_VLAN')
for adherent in crans_ldap().search('droits=Nounou')['adherent'] :
for machine in adherent.machines() :
self.anim.cycle()
iptables("-A ADMIN_VLAN -p tcp -s %s --dport ssh -j ACCEPT" % machine.ip() )
iptables("-A ADMIN_VLAN -j REJECT")
self.anim.reinit()
print OK
def __serveurs_vers_ext(self,machine):
ip=machine.ip()
if not AddrInNet(ip,self.zone_serveur):
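Review bot: admin_vlan flushes ADMIN_VLAN and only appends the closing REJECT after the whole LDAP walk, so for the duration of the rebuild the chain is empty and a packet reaching the `-j ADMIN_VLAN` jump returns to FORWARD to be judged by whatever rules follow there (outside this hunk); that window grows with the number of nounou machines and with LDAP latency. Appending the REJECT right after the flush and inserting the accepts above it keeps the chain fail-closed at every step: `iptables("-F ADMIN_VLAN")`, `iptables("-A ADMIN_VLAN -j REJECT")`, then in the loop `iptables("-I ADMIN_VLAN -p tcp -s %s --dport ssh -j ACCEPT" % machine.ip())`. The ACCEPT rules carry no destination match themselves and rely on the `-d vlan_adm` of the FORWARD jump rule added in the first hunk, which deserves a comment such as `# destination is restricted by the FORWARD jump rule; this chain only filters on source` so a later reuse of the chain from another jump does not silently widen it. The docstring could state the contract, e.g. `""" Rebuild ADMIN_VLAN: ssh from nounou machines (LDAP droits=Nounou) is accepted, everything else is rejected """`.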
@ -336,7 +349,7 @@ if __name__ == '__main__' :
global chaines
chaines = [ 'log_chaines' , 'test_virus_flood', 'reseaux_non_routables',
'test_mac_ip' , 'blacklist' , 'ext_vers_serveurs' , 'serveurs_vers_ext',
'ext_vers_crans', 'crans_vers_ext' , 'filtre_p2p' ]
'ext_vers_crans', 'crans_vers_ext' , 'filtre_p2p', 'admin_vlan' ]
def __usage(txt=None) :
if txt!=None : cprint(txt,'gras')