[firewall_new,config,firewall6,generate,ipt] On rediriges les machines blacklisté vers routeur

Ignore-this: fc33fe2ea8d2c37c48b52d3e70443231 Pour ça, generate doit regénérer la chaine BLACKLIST_SOFT du firewall pour tout type de blacklist. On on utilise plus le squid de sable, on néttoie les fonctions en question dans generate. Pour rediriger vers routeur, un utilise le nginx de komaz comme relais, cf commit du 09/11/2012. darcs-hash:20121111154240-3a55a-6d7b39b7797ff6950f18e436d7cfd187f31c4656.gz
2012-11-11 16:42:40 +01:00 · 2012-11-11 16:42:40 +01:00 · 977d281c56
commit 977d281c56
parent bc8061ce62
4 changed files with 27 additions and 76 deletions
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@ -37,7 +37,7 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi
 from affich_tools import *
 from commands import getstatusoutput
 from iptools import AddrInNet, NetSubnets, IpSubnet
-from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route
+from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft
 from ipset import IpsetError, Ipset
 from lc_ldap import lc_ldap
 syslog.openlog('firewall')
@ -700,7 +700,7 @@ class firewall_komaz(firewall_crans) :
        # iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80 -s ! %s -j DNAT --to-destination 138.231.136.3:81" % (self.eth_int, self.zone_serveur) )
        # iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int )

-        # Proxy transparent
+        # Proxy transparent pour deconnexion soft
        iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
                 "-j DNAT --to-destination 10.231.136.4:3128")
                 
@ -763,6 +763,7 @@ class firewall_komaz(firewall_crans) :
        iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
        iptables("-A FORWARD -s %s -j ACCEPT" % NETs['personnel-ens'][0])
        iptables("-A FORWARD -d %s -j ACCEPT" % NETs['personnel-ens'][0])
+
        iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
        iptables("-A FORWARD -j INGRESS_FILTERING")
        # on ne route pas les paquets n'appartenant pas à notre plage ip -- xhub
@ -919,8 +920,8 @@ class firewall_komaz(firewall_crans) :
        self.exception_catcher(self.ext_vers_serveurs)
        self.exception_catcher(self.crans_vers_ext)
        self.exception_catcher(self.ext_vers_crans)
-        self.exception_catcher(self.test_mac_ip)
        self.exception_catcher(self.filtre_p2p)
+        self.exception_catcher(self.test_mac_ip)
        self.exception_catcher(self.qos)

    def serveurs_maj_list_to_do(self) :
@ -1076,12 +1077,6 @@ class firewall_komaz(firewall_crans) :
        iptables('-F BLACKLIST_SRC')
        iptables('-t mangle -F BLACKLIST_SOFT')

-        # Peut-être à mettre dans config.py ?
-        blacklist_sanctions = ('upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq')
-        blacklist_sanctions_soft  = ('autodisc_virus','ipv6_ra','mail_invalide','virus',      
-        'upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq','carte_etudiant','chambre_invalide')
-
-
        blacklist = []
        blacklist_soft = []

@ -1290,8 +1285,6 @@ class firewall_zamok(firewall_crans) :

        self.filter_table()

-        blacklist_sanctions = ('upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq')
-
        # Recherche sur le champ ablacklist (clubs compris)
        search = db.search('ablacklist=*&paiement=ok')
        self.anim = anim("\tBlackliste des comptes Crans", len(search['adherent']))
@ -1570,10 +1563,12 @@ class firewall_routeur(firewall_crans):
            iptables("-t nat -A POSTROUTING -p tcp -s %s -d %s --dport %s -j MASQUERADE" % (NETs['accueil'][0],ip,port))

        # Proxy transparent pour les vlans isolement et accueil
+        i=1
        for interface in [self.eth_accueil, self.eth_isolement]:
-            iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.10" % interface)
+            iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.5%s.0.10" % (interface,i))
            iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j ACCEPT" % interface)
            iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface)
+            i+=1

    def post_start_hook(self) :
        self.anim = anim("\tMise en place du routage")