diff --git a/gestion/config.py b/gestion/config.py index 17bdf016..5ce0535e 100644 --- a/gestion/config.py +++ b/gestion/config.py @@ -582,8 +582,9 @@ file_pickle = { 4 : '/tmp/ipt_pickle', 6 : '/tmp/ip6t_pickle' } -blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p', - 'autodisc_upload', 'bloq', 'carte_etudiant','chambre_invalide'] +blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq'] +blacklist_sanctions_soft = ['autodisc_virus','ipv6_ra','mail_invalide','virus', + 'upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq','carte_etudiant','chambre_invalide'] adm_users = [ 'root', 'identd', 'daemon', 'postfix', 'freerad', 'amavis', 'nut', 'respbats', 'list', 'sqlgrey', 'ntpd', 'lp' ] diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py index 5832223f..629a719f 100755 --- a/gestion/gen_confs/firewall_new.py +++ b/gestion/gen_confs/firewall_new.py @@ -37,7 +37,7 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi from affich_tools import * from commands import getstatusoutput from iptools import AddrInNet, NetSubnets, IpSubnet -from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route +from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft from ipset import IpsetError, Ipset from lc_ldap import lc_ldap syslog.openlog('firewall') 
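Review bot: `blacklist_sanctions_soft` repeats all six entries of `blacklist_sanctions` verbatim, so the two lists will drift the next time a sanction is added to one and forgotten in the other. If consumers do not depend on element order, deriving the soft list keeps them in step: `blacklist_sanctions_soft = blacklist_sanctions + ['autodisc_virus', 'ipv6_ra', 'mail_invalide', 'virus', 'carte_etudiant', 'chambre_invalide']`. Both are plain lists shared by every module that imports `config` in a process; declared as tuples, an importer that tries to alter them in place would fail loudly instead of silently changing what the other consumers see. Nothing on this page states what makes a sanction "soft" (presumably the transparent-proxy redirect the firewall_new comment "deconnexion soft" refers to, rather than a reject) — a one-line comment above the two lists would settle that for the next reader.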
@@ -700,7 +700,7 @@ class firewall_komaz(firewall_crans) : # iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80 -s ! %s -j DNAT --to-destination 138.231.136.3:81" % (self.eth_int, self.zone_serveur) ) # iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int ) - # Proxy transparent + # Proxy transparent pour deconnexion soft iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] + "-j DNAT --to-destination 10.231.136.4:3128") @@ -763,6 +763,7 @@ class firewall_komaz(firewall_crans) : iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) ) iptables("-A FORWARD -s %s -j ACCEPT" % NETs['personnel-ens'][0]) iptables("-A FORWARD -d %s -j ACCEPT" % NETs['personnel-ens'][0]) + iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT") iptables("-A FORWARD -j INGRESS_FILTERING") # on ne route pas les paquets n'appartenant pas à notre plage ip -- xhub @@ -919,8 +920,8 @@ class firewall_komaz(firewall_crans) : self.exception_catcher(self.ext_vers_serveurs) self.exception_catcher(self.crans_vers_ext) self.exception_catcher(self.ext_vers_crans) - self.exception_catcher(self.test_mac_ip) self.exception_catcher(self.filtre_p2p) + self.exception_catcher(self.test_mac_ip) self.exception_catcher(self.qos) def serveurs_maj_list_to_do(self) : @@ -1076,12 +1077,6 @@ class firewall_komaz(firewall_crans) : iptables('-F BLACKLIST_SRC') iptables('-t mangle -F BLACKLIST_SOFT') - # Peut-être à mettre dans config.py ? - blacklist_sanctions = ('upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq') - blacklist_sanctions_soft = ('autodisc_virus','ipv6_ra','mail_invalide','virus', - 'upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq','carte_etudiant','chambre_invalide') - - blacklist = [] blacklist_soft = [] 
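Review bot: The new `-m state --state ESTABLISHED,RELATED -j ACCEPT` is appended to FORWARD before the jump to INGRESS_FILTERING, so any packet that matches an existing conntrack entry now skips the source-range check, and likewise every FORWARD rule the rest of this method appends after it (the method continues outside the hunk). If the BLACKLIST or mac/ip chains are among those later rules, they only ever see the first packet of a flow, so a host sanctioned while a connection is open keeps that flow until its conntrack entry expires unless entries are flushed when the blacklist is regenerated — confirm that is acceptable. Either move the rule below the chains that must apply per-packet, or document the choice on the line: `# established flows are accepted here and never reach INGRESS_FILTERING or the chains appended below`.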
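Review bot: Moving `self.exception_catcher(self.test_mac_ip)` after `self.filtre_p2p` changes the order in which those two methods append their iptables rules, and nothing in the hunk says why; a reader will assume the swap was accidental and may restore the old order. Add a comment on the moved line stating the dependency, e.g. `# after filtre_p2p: rules are appended in call order, so filtre_p2p's rules must be evaluated first`, adjusted to the actual reason (presumably linked to the ESTABLISHED,RELATED accept added in this commit — confirm). The enclosing method starts and ends outside the hunk.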
@@ -1290,8 +1285,6 @@ class firewall_zamok(firewall_crans) : self.filter_table() - blacklist_sanctions = ('upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq') - # Recherche sur le champ ablacklist (clubs compris) search = db.search('ablacklist=*&paiement=ok') self.anim = anim("\tBlackliste des comptes Crans", len(search['adherent'])) @@ -1570,10 +1563,12 @@ class firewall_routeur(firewall_crans): iptables("-t nat -A POSTROUTING -p tcp -s %s -d %s --dport %s -j MASQUERADE" % (NETs['accueil'][0],ip,port)) # Proxy transparent pour les vlans isolement et accueil + i=1 for interface in [self.eth_accueil, self.eth_isolement]: - iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.10" % interface) + iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.5%s.0.10" % (interface,i)) iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j ACCEPT" % interface) iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface) + i+=1 def post_start_hook(self) : self.anim = anim("\tMise en place du routage") diff --git a/gestion/gen_confs/generate.py b/gestion/gen_confs/generate.py index 3959a81e..31ba5b67 100644 --- a/gestion/gen_confs/generate.py +++ b/gestion/gen_confs/generate.py 
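Review bot: The proxy address is built by splicing the loop counter into the second octet (`"... --to-destination 10.5%s.0.10" % (interface, i)`), which ties each proxy to the position of its interface in the list and would silently yield a malformed address such as `10.510.0.10` if a third interface were ever appended. Pairing each interface with its proxy explicitly removes the counter and both bookkeeping lines (`i=1`, `i+=1`): `for interface, proxy in ((self.eth_accueil, '10.51.0.10'), (self.eth_isolement, '10.52.0.10')):` and `iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination %s" % (interface, proxy))`. The two addresses are what the hunk produces for i=1 and i=2; confirm each matches the proxy listening on that VLAN. The method containing the loop starts outside the hunk.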
@@ -41,13 +41,19 @@ make_lock('auto_generate', 'Big lock', nowait=1) class base_reconfigure: __service_develop = { 'macip': [ 'redisdead-macip', 'zamok-macip', 'sable-macip', 'komaz-macip', 'gordon-macip', - 'sable-blacklist_check' ], + 'routeur-macip' ], # 'droits': [ 'rouge-droits', 'ragnarok-droits' ], - 'blacklist_upload': [ 'sable-blacklist_upload', 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_p2p': [ 'sable-blacklist_p2p', 'komaz-blacklist', 'zamok-blacklist' ], - 'blacklist_autodisc_upload': [ 'sable-blacklist_autodisc_upload', 'komaz-blacklist', 'zamok-blacklist'], - 'blacklist_autodisc_p2p': [ 'sable-blacklist_autodisc_p2p', 'komaz-blacklist', 'zamok-blacklist'], - 'blacklist_bloq': [ 'komaz-blacklist', 'sable-blacklist_bloq', 'zamok-blacklist', 'dns' ], + 'bl_carte_etudiant':['komaz-blacklist'], + 'bl_chbre_invalide':['komaz-blacklist'], + 'blacklist_mail_invalide':['komaz-blacklist'], + 'blacklist_virus':['komaz-blacklist'], + 'blacklist_warez':['komaz-blacklist'], + 'blacklist_upload': ['komaz-blacklist', 'zamok-blacklist' ], + 'blacklist_p2p': ['komaz-blacklist', 'zamok-blacklist' ], + 'blacklist_autodisc_virus':['komaz-blacklist'], + 'blacklist_autodisc_upload': ['komaz-blacklist', 'zamok-blacklist'], + 'blacklist_autodisc_p2p': ['komaz-blacklist', 'zamok-blacklist'], + 'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist', 'dns' ], 'del_user': [ 'daath-del_user', 'owl-del_user', 'zamok-del_user' ] } @@ -233,12 +239,6 @@ class komaz(base_reconfigure): def blacklist(self): self.__fw().blacklist() self.__fw6().blacklist(6) - - def bl_carte_etudiant(self): - self.blacklist() - - def bl_chbre_invalide(self): - self.blacklist() def classify(self, ips): self.__fw().classes_p2p_maj(ips) 
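Review bot: `ipv6_ra` appears in `blacklist_sanctions_soft` in the config.py hunk but has no entry in `__service_develop`, while every other soft sanction now maps to `komaz-blacklist`; if this table decides which services are regenerated when a sanction changes, an `ipv6_ra` sanction would never trigger a firewall rebuild — confirm, or add `'blacklist_ipv6_ra': ['komaz-blacklist'],`. The keys also mix two prefixes (`bl_carte_etudiant`, `bl_chbre_invalide` beside `blacklist_*`), and `chbre` differs from the `chambre_invalide` spelling used in config.py, so if keys are matched by name against sanction identifiers elsewhere (outside this hunk) a short comment above the dict stating the naming rule would keep a typo from silently dropping a sanction. The class body continues outside the hunk.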
@@ -266,54 +266,6 @@ class sable(base_reconfigure): from gen_confs.bind import dns self._do(dns(), self._machines()) - def blacklist_check(self, ips): - from gen_confs.squid import squid_check - self._do(squid_check(ips)) - - def bl_carte_etudiant(self): - from gen_confs.squid import squid_carte - self._do(squid_carte()) - - def bl_chbre_invalide(self): - from gen_confs.squid import squid_chbre - self._do(squid_chbre()) - - def blacklist_mail_invalide(self): - from gen_confs.squid import squid_mail - self._do(squid_mail()) - - def blacklist_virus(self): - from gen_confs.squid import squid_virus - self._do(squid_virus()) - - def blacklist_warez(self): - from gen_confs.squid import squid_warez - self._do(squid_warez()) - - def blacklist_upload(self): - from gen_confs.squid import squid_upload - self._do(squid_upload()) - - def blacklist_p2p(self): - from gen_confs.squid import squid_p2p - self._do(squid_p2p()) - - def blacklist_autodisc_virus(self): - from gen_confs.squid import squid_autodisc_virus - self._do(squid_autodisc_virus()) - - def blacklist_autodisc_upload(self): - from gen_confs.squid import squid_autodisc_upload - self._do(squid_autodisc_upload()) - - def blacklist_autodisc_p2p(self): - from gen_confs.squid import squid_autodisc_p2p - self._do(squid_autodisc_p2p()) - - def blacklist_bloq(self): - from gen_confs.squid import squid_bloq - self._do(squid_bloq()) - def macip(self, ips): from firewall_new import firewall_sable firewall_sable().mac_ip_maj(ips) diff --git a/gestion/ipt.py b/gestion/ipt.py index 79f047ac..ff4191b1 100755 --- a/gestion/ipt.py +++ b/gestion/ipt.py 
@@ -25,12 +25,14 @@ import os, re, syslog, cPickle from ldap_crans import crans_ldap, hostname from commands import getstatusoutput from config import NETs, role, prefix, mid, output_file, filter_policy -from config import blacklist_sanctions, file_pickle +from config import blacklist_sanctions, blacklist_sanctions_soft, file_pickle from iptools import AddrInNet from midtools import Mid import subprocess import netaddr +blacklist_sanctions.extend(blacklist_sanctions_soft) + Mangle_policy = """ *mangle :PREROUTING ACCEPT [0:0] @@ -161,6 +163,7 @@ ACCEPT' % (dev, proto, ip, port)) ip = ipv6_addr(machine.mac(), type_m) mac=machine.mac() break + if ip: self.filter.blacklist_src('-m mac --mac-source %s -j REJECT --reject-with icmp6-port-unreachable' % mac) #~ self.filter.blacklist_src('-s %s -j REJECT --reject-with \ @@ -664,7 +667,7 @@ def blacklist(ipt): blcklst = [] - s = db.search('ablacklist=*&paiement=ok') + s = db.search('paiement=ok') for target in s['adherent'] + s['club']: sanctions = target.blacklist_actif()
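Review bot: `blacklist_sanctions.extend(blacklist_sanctions_soft)` mutates the list object owned by `config` at import time, so any other module that imports `config.blacklist_sanctions` in the same process — `firewall_new.py` does so in this commit — sees the soft sanctions merged into its hard list and loses the distinction the config hunk introduces. Because `blacklist_sanctions_soft` already contains every hard entry, the extend also leaves all six hard names duplicated, which matters if the code below iterates the list to emit one rule per sanction rather than testing membership. Rebinding the module-local name leaves `config` untouched: `blacklist_sanctions = blacklist_sanctions + [s for s in blacklist_sanctions_soft if s not in blacklist_sanctions]`, or simply `blacklist_sanctions = list(blacklist_sanctions_soft)` if the soft list is meant to be the full set. The code consuming the name is further down the file, outside this hunk.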
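Review bot: The new guard tests `ip`, but the rule it protects uses only `mac`, and both are assigned together in the loop above (which starts outside the hunk). If `ipv6_addr()` returns a falsy value for a machine whose MAC is known, the `--mac-source ... REJECT` rule is now skipped and that host is silently left unblocked on the IPv6 side, where before the change the rule was still emitted. If the intent is only to avoid an unbound name when the loop finds no match, guard on what the rule uses — `if mac:` with `mac = None` initialised before the loop — and say so in a comment, e.g. `# no matching machine found: nothing to block`.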