crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[generate,firewall_new] Ajout d'un firewall pour routeur, on n'utilise plus le squid de sable pour la connexion de secours et pour les blacklist softs

Browse source 
Ignore-this: c820183e6f2f727090b02919763180bb

darcs-hash:20121108234918-3a55a-673ea6cda3848b2f3e7efac20c56a75fa266f3b3.gz
This commit is contained in:
Valentin Samir 2012-11-09 00:49:18 +01:00
parent 166fb4393c
commit 9723c45944
2 changed files with 74 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

73
gestion/gen_confs/firewall_new.py
View file

@ -702,7 +702,7 @@ class firewall_komaz(firewall_crans) :
# Proxy transparent # Proxy transparent
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] + iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
"-j DNAT --to-destination 10.231.136.9:3128") "-j DNAT --to-destination 10.231.136.4:3128")
# Appartement ENS # Appartement ENS
iptables("-t nat -A POSTROUTING -o ens -s %s -j SNAT --to 138.231.136.44" % NETs['personnel-ens'][0]) iptables("-t nat -A POSTROUTING -o ens -s %s -j SNAT --to 138.231.136.44" % NETs['personnel-ens'][0])
@ -710,7 +710,7 @@ class firewall_komaz(firewall_crans) :
#Connection de secours #Connection de secours
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['secours'] + iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['secours'] +
"-j DNAT --to-destination 10.231.136.9:3128") "-j DNAT --to-destination 10.231.136.4:3129")
print OK print OK
def filter_table(self) : def filter_table(self) :
@ -1085,8 +1085,8 @@ class firewall_komaz(firewall_crans) :
blacklist = [] blacklist = []
blacklist_soft = [] blacklist_soft = []
# Recherche sur le champ ablacklist (clubs compris) # Recherche sur le champ paiement seulement (clubs compris) et plus ablacklist pour capturer aussi les deconnection pour chambre invalide et carte étudiant
search = db.search('ablacklist=*&paiement=ok') search = db.search('paiement=ok')
self.anim = anim("\tBlackliste adhérents+clubs", 2*len(search['adherent']+search['club'])) self.anim = anim("\tBlackliste adhérents+clubs", 2*len(search['adherent']+search['club']))
for entite in search['adherent'] + search['club']: for entite in search['adherent'] + search['club']:
self.anim.cycle() self.anim.cycle()
@ -1526,6 +1526,71 @@ class firewall_gordon(firewall_crans) :
print OK print OK
"""
Routeur
"""
class firewall_routeur(firewall_crans):
# interfaces physiques
eth_pub = "eth0"
eth_adm = "eth1"
eth_accueil = "eth2"
eth_isolement = "eth3"
eth_appart = "eth4"
def filter_table(self) :
self.anim = anim('\tStructure de la table filter')
iptables('-N TEST_MAC-IP')
for net in NETs['fil'] + NETs['wifi']:
iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_pub))
for net in NETs['adm']:
iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm))
iptables("-P INPUT ACCEPT")
iptables("-P OUTPUT ACCEPT")
print OK
def filter_table_tweaks(self) :
iptables("-P INPUT ACCEPT")
iptables("-P FORWARD DROP")
for ip in accueil_route.keys():
for port in accueil_route[ip]:
iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
def mangle_table(self):
iptables("-t mangle -F PREROUTING")
def nat_table(self):
#intranet et wiki pour le vlan accueil
for ip in accueil_route.keys():
for port in accueil_route[ip]:
iptables("-t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j ACCEPT" % (self.eth_accueil ,ip,port))
iptables("-t nat -A POSTROUTING -p tcp -s %s -d %s --dport %s -j MASQUERADE" % (NETs['accueil'][0],ip,port))
# Proxy transparent pour les vlans isolement et accueil
for interface in [self.eth_accueil, self.eth_isolement]:
iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.10" % interface)
iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j ACCEPT" % interface)
iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface)
def post_start_hook(self) :
self.anim = anim("\tMise en place du routage")
warn = ''
for cmd in [ 'echo 1 > /proc/sys/net/ipv4/ip_forward' ,
'echo 65536 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max' ] :
status,output=getstatusoutput(cmd)
if status :
warn += output + '\n'
if warn :
print WARNING
if self.debug :
print warn
else :
print OK
if __name__ == '__main__' : if __name__ == '__main__' :
# Chaînes pouvant être recontruites # Chaînes pouvant être recontruites
fw = eval('firewall_%s()' % hostname) fw = eval('firewall_%s()' % hostname)

5
gestion/gen_confs/generate.py
View file

@ -328,6 +328,11 @@ class charybde(base_reconfigure):
from gen_confs.bind import dns from gen_confs.bind import dns
self._do(dns(), self._machines()) self._do(dns(), self._machines())
class routeur(base_reconfigure):
def dns(self):
from gen_confs.bind import dns
self._do(dns(), self._machines())
class ragnarok(base_reconfigure): class ragnarok(base_reconfigure):
__restart_wifi_update = False __restart_wifi_update = False