From 977d281c564e90a3308213caf49ec8312d42469e Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Sun, 11 Nov 2012 16:42:40 +0100
Subject: [PATCH] =?UTF-8?q?[firewall=5Fnew,config,firewall6,generate,ipt]?=
 =?UTF-8?q?=20On=20rediriges=20les=20machines=20blacklist=C3=A9=20vers=20r?=
 =?UTF-8?q?outeur?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ignore-this: fc33fe2ea8d2c37c48b52d3e70443231
Pour ça, generate doit regénérer la chaine BLACKLIST_SOFT du firewall pour tout type de blacklist. On on utilise plus le squid de sable, on néttoie les fonctions en question dans generate. Pour rediriger vers routeur, un utilise le nginx de komaz comme relais, cf commit du 09/11/2012.
darcs-hash:20121111154240-3a55a-6d7b39b7797ff6950f18e436d7cfd187f31c4656.gz
---
 gestion/config.py | 5 ++-
 gestion/gen_confs/firewall_new.py | 19 +++-----
 gestion/gen_confs/generate.py | 72 ++++++------------------------
 gestion/ipt.py | 7 ++-
 4 files changed, 27 insertions(+), 76 deletions(-)
diff --git a/gestion/config.py b/gestion/config.py
index 17bdf016..5ce0535e 100644
--- a/gestion/config.py
+++ b/gestion/config.py
@@ -582,8 +582,9 @@ file_pickle = {
 4 : '/tmp/ipt_pickle',
 6 : '/tmp/ip6t_pickle'
 }
-blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p',
- 'autodisc_upload', 'bloq', 'carte_etudiant','chambre_invalide']
+blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq']
+blacklist_sanctions_soft = ['autodisc_virus','ipv6_ra','mail_invalide','virus',
+ 'upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq','carte_etudiant','chambre_invalide']
 adm_users = [ 'root', 'identd', 'daemon', 'postfix', 'freerad', 'amavis', 'nut', 'respbats', 'list', 'sqlgrey', 'ntpd', 'lp' ]
diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index 5832223f..629a719f 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
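Review bot: `blacklist_sanctions_soft` repeats every entry of `blacklist_sanctions` verbatim, so the two lists in this config.py hunk must be kept in sync by hand whenever a sanction is added or renamed. Building the soft list from the hard one removes the duplication and keeps the exact same element order: `blacklist_sanctions_soft = ['autodisc_virus', 'ipv6_ra', 'mail_invalide', 'virus'] + blacklist_sanctions + ['carte_etudiant', 'chambre_invalide']`. A one-line comment above each list saying which firewall chain consumes it (the firewall_new.py hunks of this commit flush `BLACKLIST_SRC` in filter and `BLACKLIST_SOFT` in mangle, so presumably hard → BLACKLIST_SRC, soft → BLACKLIST_SOFT; confirm against that file) would also tell a maintainer what "soft" actually means here.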
@@ -37,7 +37,7 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi
 from affich_tools import *
 from commands import getstatusoutput
 from iptools import AddrInNet, NetSubnets, IpSubnet
-from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route
+from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft
 from ipset import IpsetError, Ipset
 from lc_ldap import lc_ldap
 syslog.openlog('firewall')
@@ -700,7 +700,7 @@ class firewall_komaz(firewall_crans) :
 # iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80 -s ! %s -j DNAT --to-destination 138.231.136.3:81" % (self.eth_int, self.zone_serveur) )
 # iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int )
- # Proxy transparent
+ # Proxy transparent pour deconnexion soft
 iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] + "-j DNAT --to-destination 10.231.136.4:3128")
@@ -763,6 +763,7 @@ class firewall_komaz(firewall_crans) :
 iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
 iptables("-A FORWARD -s %s -j ACCEPT" % NETs['personnel-ens'][0])
 iptables("-A FORWARD -d %s -j ACCEPT" % NETs['personnel-ens'][0])
+ iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
 iptables("-A FORWARD -j INGRESS_FILTERING")
 # on ne route pas les paquets n'appartenant pas à notre plage ip -- xhub
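Review bot: The new `-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` is appended just before `-j INGRESS_FILTERING`, so any packet conntrack already ties to a flow skips the chain the next comment describes as dropping packets outside the Crans ranges, and every FORWARD rule appended after it. If the jump to `BLACKLIST_SRC` (the chain the blacklist code further down in this file flushes) comes later in FORWARD, a machine blacklisted while it has open connections keeps them until they expire; either append the state rule after the blacklist jumps, or flush that host's conntrack entries when a blacklist is applied, and say which in a comment such as `# ESTABLISHED accept sits after the blacklist jumps on purpose: a fresh blacklist must cut live flows`. The method these rules belong to starts and ends outside the hunk, so the final rule order cannot be checked here.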
@@ -919,8 +920,8 @@ class firewall_komaz(firewall_crans) :
 self.exception_catcher(self.ext_vers_serveurs)
 self.exception_catcher(self.crans_vers_ext)
 self.exception_catcher(self.ext_vers_crans)
- self.exception_catcher(self.test_mac_ip)
 self.exception_catcher(self.filtre_p2p)
+ self.exception_catcher(self.test_mac_ip)
 self.exception_catcher(self.qos)
 def serveurs_maj_list_to_do(self) :
@@ -1076,12 +1077,6 @@ class firewall_komaz(firewall_crans) :
 iptables('-F BLACKLIST_SRC')
 iptables('-t mangle -F BLACKLIST_SOFT')
- # Peut-être à mettre dans config.py ?
- blacklist_sanctions = ('upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq')
- blacklist_sanctions_soft = ('autodisc_virus','ipv6_ra','mail_invalide','virus',
- 'upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq','carte_etudiant','chambre_invalide')
-
-
 blacklist = []
 blacklist_soft = []
@@ -1290,8 +1285,6 @@ class firewall_zamok(firewall_crans) :
 self.filter_table()
- blacklist_sanctions = ('upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq')
- # Recherche sur le champ ablacklist (clubs compris)
 search = db.search('ablacklist=*&paiement=ok')
 self.anim = anim("\tBlackliste des comptes Crans", len(search['adherent']))
@@ -1570,10 +1563,12 @@ class firewall_routeur(firewall_crans):
 iptables("-t nat -A POSTROUTING -p tcp -s %s -d %s --dport %s -j MASQUERADE" % (NETs['accueil'][0],ip,port))
 # Proxy transparent pour les vlans isolement et accueil
+ i=1
 for interface in [self.eth_accueil, self.eth_isolement]:
- iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.10" % interface)
+ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.5%s.0.10" % (interface,i))
 iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j ACCEPT" % interface)
 iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface)
+ i+=1
 def post_start_hook(self) :
 self.anim = anim("\tMise en place du routage")
diff --git a/gestion/gen_confs/generate.py b/gestion/gen_confs/generate.py
index 3959a81e..31ba5b67 100644
--- a/gestion/gen_confs/generate.py
+++ b/gestion/gen_confs/generate.py
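Review bot: The `10.5%s.0.10` format with a hand-maintained `i` counter hides the per-VLAN proxy address inside one digit of a string, which is hard to read and silently produces 10.53.0.10 for any third interface appended to the list. Pair each interface with its DNAT target explicitly and drop `i=1` / `i+=1`: `for interface, proxy in ((self.eth_accueil, '10.51.0.10'), (self.eth_isolement, '10.52.0.10')):` followed by `iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination %s" % (interface, proxy))`, with the two remaining ACCEPT rules unchanged. The method these rules belong to starts outside the hunk.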
@@ -41,13 +41,19 @@ make_lock('auto_generate', 'Big lock', nowait=1)
 class base_reconfigure:
 __service_develop = {
 'macip': [ 'redisdead-macip', 'zamok-macip', 'sable-macip', 'komaz-macip', 'gordon-macip',
- 'sable-blacklist_check' ],
+ 'routeur-macip' ],
 # 'droits': [ 'rouge-droits', 'ragnarok-droits' ],
- 'blacklist_upload': [ 'sable-blacklist_upload', 'komaz-blacklist', 'zamok-blacklist' ],
- 'blacklist_p2p': [ 'sable-blacklist_p2p', 'komaz-blacklist', 'zamok-blacklist' ],
- 'blacklist_autodisc_upload': [ 'sable-blacklist_autodisc_upload', 'komaz-blacklist', 'zamok-blacklist'],
- 'blacklist_autodisc_p2p': [ 'sable-blacklist_autodisc_p2p', 'komaz-blacklist', 'zamok-blacklist'],
- 'blacklist_bloq': [ 'komaz-blacklist', 'sable-blacklist_bloq', 'zamok-blacklist', 'dns' ],
+ 'bl_carte_etudiant':['komaz-blacklist'],
+ 'bl_chbre_invalide':['komaz-blacklist'],
+ 'blacklist_mail_invalide':['komaz-blacklist'],
+ 'blacklist_virus':['komaz-blacklist'],
+ 'blacklist_warez':['komaz-blacklist'],
+ 'blacklist_upload': ['komaz-blacklist', 'zamok-blacklist' ],
+ 'blacklist_p2p': ['komaz-blacklist', 'zamok-blacklist' ],
+ 'blacklist_autodisc_virus':['komaz-blacklist'],
+ 'blacklist_autodisc_upload': ['komaz-blacklist', 'zamok-blacklist'],
+ 'blacklist_autodisc_p2p': ['komaz-blacklist', 'zamok-blacklist'],
+ 'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist', 'dns' ],
 'del_user': [ 'daath-del_user', 'owl-del_user', 'zamok-del_user' ]
 }
@@ -233,12 +239,6 @@ class komaz(base_reconfigure):
 def blacklist(self):
 self.__fw().blacklist()
 self.__fw6().blacklist(6)
-
- def bl_carte_etudiant(self):
- self.blacklist()
-
- def bl_chbre_invalide(self):
- self.blacklist()
 def classify(self, ips):
 self.__fw().classes_p2p_maj(ips)
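Review bot: The `__service_develop` keys added here do not cover every sanction that the config.py hunk of this commit puts in `blacklist_sanctions_soft`: there is no entry for `ipv6_ra`, and the student-card and room sanctions are keyed `bl_carte_etudiant` / `bl_chbre_invalide` while config spells them `carte_etudiant` / `chambre_invalide`. If the keys are looked up from the sanction name (the `blacklist_<sanction>` pattern of the other entries suggests so, but the lookup code is outside this hunk), an `ipv6_ra` sanction never triggers `komaz-blacklist`, so the BLACKLIST_SOFT chain the commit message says must be regenerated for every type stays stale for it. Adding `'blacklist_ipv6_ra':['komaz-blacklist'],` and a comment above the dict such as `# keys are 'blacklist_<sanction>' (legacy names: bl_carte_etudiant, bl_chbre_invalide); keep in sync with config.blacklist_sanctions_soft` would close that gap and document the convention.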
@@ -266,54 +266,6 @@ class sable(base_reconfigure):
 from gen_confs.bind import dns
 self._do(dns(), self._machines())
- def blacklist_check(self, ips):
- from gen_confs.squid import squid_check
- self._do(squid_check(ips))
-
- def bl_carte_etudiant(self):
- from gen_confs.squid import squid_carte
- self._do(squid_carte())
-
- def bl_chbre_invalide(self):
- from gen_confs.squid import squid_chbre
- self._do(squid_chbre())
-
- def blacklist_mail_invalide(self):
- from gen_confs.squid import squid_mail
- self._do(squid_mail())
-
- def blacklist_virus(self):
- from gen_confs.squid import squid_virus
- self._do(squid_virus())
-
- def blacklist_warez(self):
- from gen_confs.squid import squid_warez
- self._do(squid_warez())
-
- def blacklist_upload(self):
- from gen_confs.squid import squid_upload
- self._do(squid_upload())
-
- def blacklist_p2p(self):
- from gen_confs.squid import squid_p2p
- self._do(squid_p2p())
-
- def blacklist_autodisc_virus(self):
- from gen_confs.squid import squid_autodisc_virus
- self._do(squid_autodisc_virus())
-
- def blacklist_autodisc_upload(self):
- from gen_confs.squid import squid_autodisc_upload
- self._do(squid_autodisc_upload())
-
- def blacklist_autodisc_p2p(self):
- from gen_confs.squid import squid_autodisc_p2p
- self._do(squid_autodisc_p2p())
-
- def blacklist_bloq(self):
- from gen_confs.squid import squid_bloq
- self._do(squid_bloq())
-
 def macip(self, ips):
 from firewall_new import firewall_sable
 firewall_sable().mac_ip_maj(ips)
diff --git a/gestion/ipt.py b/gestion/ipt.py
index 79f047ac..ff4191b1 100755
--- a/gestion/ipt.py
+++ b/gestion/ipt.py
@@ -25,12 +25,14 @@ import os, re, syslog, cPickle
 from ldap_crans import crans_ldap, hostname
 from commands import getstatusoutput
 from config import NETs, role, prefix, mid, output_file, filter_policy
-from config import blacklist_sanctions, file_pickle
+from config import blacklist_sanctions, blacklist_sanctions_soft, file_pickle
 from iptools import AddrInNet
 from midtools import Mid
 import subprocess
 import netaddr
+blacklist_sanctions.extend(blacklist_sanctions_soft)
+
 Mangle_policy = """
 *mangle
 :PREROUTING ACCEPT [0:0]
@@ -161,6 +163,7 @@ ACCEPT' % (dev, proto, ip, port))
 ip = ipv6_addr(machine.mac(), type_m)
 mac=machine.mac()
 break
+ if ip:
 self.filter.blacklist_src('-m mac --mac-source %s -j REJECT --reject-with icmp6-port-unreachable' % mac)
 #~ self.filter.blacklist_src('-s %s -j REJECT --reject-with \
@@ -664,7 +667,7 @@ def blacklist(ipt):
 blcklst = []
- s = db.search('ablacklist=*&paiement=ok')
+ s = db.search('paiement=ok')
 for target in s['adherent'] + s['club']:
 sanctions = target.blacklist_actif()
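Review bot: `blacklist_sanctions.extend(blacklist_sanctions_soft)` runs at import time and mutates the list object owned by config, so every module that imported that name — firewall_new.py now imports it in this commit, and firewall_zamok depends on it since its local tuple was removed — sees the soft sanctions merged into the hard list in any process that also imports ipt, and entries such as 'upload' then appear twice. Rebinding the module-local name instead leaves config untouched: `blacklist_sanctions = blacklist_sanctions + [s for s in blacklist_sanctions_soft if s not in blacklist_sanctions]`. If the merged list really is meant to be shared, do the merge in config.py and document it there rather than as a side effect of importing ipt.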
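Review bot: The new `if ip:` guard only helps if `ip` is reset to a falsy value before the loop that assigns it, and that initialisation is outside the hunk; if `ip` and `mac` can still hold the previous machine's values, a machine without an IPv6 address could get a REJECT rule for the previous MAC. Also, the guarded `self.filter.blacklist_src(...)` line is unchanged context, so its indentation did not move — confirm it now sits under the `if` rather than at the level of the loop, which the collapsed diff cannot show.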
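Review bot: Dropping `ablacklist=*` from the filter makes `db.search('paiement=ok')` return every paying adherent and club, and `blacklist_actif()` is then called on each of them every time `blacklist()` runs; nothing in the hunk says why the narrower filter no longer suffices. A comment on the search line giving the actual reason, e.g. `# paiement=ok only: <why the ablacklist=* filter misses sanctions>`, would keep the next maintainer from restoring the cheaper query. The rest of `blacklist(ipt)` is outside the hunk.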