[firewall_new,config,firewall6,generate,ipt] On rediriges les machines blacklisté vers routeur

Ignore-this: fc33fe2ea8d2c37c48b52d3e70443231
Pour ça, generate doit regénérer la chaine BLACKLIST_SOFT du firewall pour tout type de blacklist.
On on utilise plus le squid de sable, on néttoie les fonctions en question dans generate.
Pour rediriger vers routeur, un utilise le nginx de komaz comme relais, cf commit du 09/11/2012.

darcs-hash:20121111154240-3a55a-6d7b39b7797ff6950f18e436d7cfd187f31c4656.gz

gestion/config.py

@@ -582,8 +582,9 @@ file_pickle = { 4 : '/tmp/ipt_pickle',
                 6 : '/tmp/ip6t_pickle'
               }
 
-blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p',
+blacklist_sanctions = ['upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq']
-        'autodisc_upload', 'bloq', 'carte_etudiant','chambre_invalide']
+blacklist_sanctions_soft  = ['autodisc_virus','ipv6_ra','mail_invalide','virus',
+        'upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq','carte_etudiant','chambre_invalide']
 
 adm_users = [ 'root', 'identd', 'daemon', 'postfix', 'freerad', 'amavis',
         'nut', 'respbats', 'list', 'sqlgrey', 'ntpd', 'lp' ]

gestion/gen_confs/firewall_new.py

@@ -37,7 +37,7 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi
 from affich_tools import *
 from commands import getstatusoutput
 from iptools import AddrInNet, NetSubnets, IpSubnet
-from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route
+from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft
 from ipset import IpsetError, Ipset
 from lc_ldap import lc_ldap
 syslog.openlog('firewall')
@@ -700,7 +700,7 @@ class firewall_komaz(firewall_crans) :
         # iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80 -s ! %s -j DNAT --to-destination 138.231.136.3:81" % (self.eth_int, self.zone_serveur) )
         # iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int )
 
-        # Proxy transparent
+        # Proxy transparent pour deconnexion soft
         iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
                  "-j DNAT --to-destination 10.231.136.4:3128")
                  
@@ -763,6 +763,7 @@ class firewall_komaz(firewall_crans) :
         iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
         iptables("-A FORWARD -s %s -j ACCEPT" % NETs['personnel-ens'][0])
         iptables("-A FORWARD -d %s -j ACCEPT" % NETs['personnel-ens'][0])
+
         iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
         iptables("-A FORWARD -j INGRESS_FILTERING")
         # on ne route pas les paquets n'appartenant pas à notre plage ip -- xhub
@@ -919,8 +920,8 @@ class firewall_komaz(firewall_crans) :
         self.exception_catcher(self.ext_vers_serveurs)
         self.exception_catcher(self.crans_vers_ext)
         self.exception_catcher(self.ext_vers_crans)
-        self.exception_catcher(self.test_mac_ip)
         self.exception_catcher(self.filtre_p2p)
+        self.exception_catcher(self.test_mac_ip)
         self.exception_catcher(self.qos)
 
     def serveurs_maj_list_to_do(self) :
@@ -1076,12 +1077,6 @@ class firewall_komaz(firewall_crans) :
         iptables('-F BLACKLIST_SRC')
         iptables('-t mangle -F BLACKLIST_SOFT')
 
-        # Peut-être à mettre dans config.py ?
-        blacklist_sanctions = ('upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq')
-        blacklist_sanctions_soft  = ('autodisc_virus','ipv6_ra','mail_invalide','virus',      
-        'upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq','carte_etudiant','chambre_invalide')
-
-
         blacklist = []
         blacklist_soft = []
 
@@ -1290,8 +1285,6 @@ class firewall_zamok(firewall_crans) :
 
         self.filter_table()
 
-        blacklist_sanctions = ('upload', 'warez', 'p2p', 'autodisc_p2p', 'autodisc_upload', 'bloq')
-
         # Recherche sur le champ ablacklist (clubs compris)
         search = db.search('ablacklist=*&paiement=ok')
         self.anim = anim("\tBlackliste des comptes Crans", len(search['adherent']))
@@ -1570,10 +1563,12 @@ class firewall_routeur(firewall_crans):
             iptables("-t nat -A POSTROUTING -p tcp -s %s -d %s --dport %s -j MASQUERADE" % (NETs['accueil'][0],ip,port))
 
         # Proxy transparent pour les vlans isolement et accueil
+        i=1
         for interface in [self.eth_accueil, self.eth_isolement]:
-            iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.10" % interface)
+            iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.5%s.0.10" % (interface,i))
             iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j ACCEPT" % interface)
             iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface)
+            i+=1
 
     def post_start_hook(self) :
         self.anim = anim("\tMise en place du routage")

gestion/gen_confs/generate.py

@@ -41,13 +41,19 @@ make_lock('auto_generate', 'Big lock', nowait=1)
 class base_reconfigure:
     __service_develop = {
         'macip': [ 'redisdead-macip', 'zamok-macip', 'sable-macip', 'komaz-macip', 'gordon-macip',
-            'sable-blacklist_check' ],
+            'routeur-macip' ],
 #        'droits': [ 'rouge-droits', 'ragnarok-droits' ],
-        'blacklist_upload': [ 'sable-blacklist_upload', 'komaz-blacklist', 'zamok-blacklist' ],
+        'bl_carte_etudiant':['komaz-blacklist'],
-        'blacklist_p2p': [ 'sable-blacklist_p2p', 'komaz-blacklist', 'zamok-blacklist' ],
+        'bl_chbre_invalide':['komaz-blacklist'],
-        'blacklist_autodisc_upload': [ 'sable-blacklist_autodisc_upload', 'komaz-blacklist', 'zamok-blacklist'],
+        'blacklist_mail_invalide':['komaz-blacklist'],
-        'blacklist_autodisc_p2p': [ 'sable-blacklist_autodisc_p2p', 'komaz-blacklist', 'zamok-blacklist'],
+        'blacklist_virus':['komaz-blacklist'],
-        'blacklist_bloq': [ 'komaz-blacklist', 'sable-blacklist_bloq', 'zamok-blacklist', 'dns' ],
+        'blacklist_warez':['komaz-blacklist'],
+        'blacklist_upload': ['komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_p2p': ['komaz-blacklist', 'zamok-blacklist' ],
+        'blacklist_autodisc_virus':['komaz-blacklist'],
+        'blacklist_autodisc_upload': ['komaz-blacklist', 'zamok-blacklist'],
+        'blacklist_autodisc_p2p': ['komaz-blacklist', 'zamok-blacklist'],
+        'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist', 'dns' ],
         'del_user': [ 'daath-del_user', 'owl-del_user', 'zamok-del_user' ]
         }
 
@@ -234,12 +240,6 @@ class komaz(base_reconfigure):
         self.__fw().blacklist()
         self.__fw6().blacklist(6)
 
-    def bl_carte_etudiant(self):
-        self.blacklist()
-        
-    def bl_chbre_invalide(self):
-        self.blacklist()
-
     def classify(self, ips):
         self.__fw().classes_p2p_maj(ips)
 
@@ -266,54 +266,6 @@ class sable(base_reconfigure):
         from gen_confs.bind import dns
         self._do(dns(), self._machines())
 
-    def blacklist_check(self, ips):
-        from gen_confs.squid import squid_check
-        self._do(squid_check(ips))
-
-    def bl_carte_etudiant(self):
-        from gen_confs.squid import squid_carte
-        self._do(squid_carte())
-
-    def bl_chbre_invalide(self):
-        from gen_confs.squid import squid_chbre
-        self._do(squid_chbre())
-
-    def blacklist_mail_invalide(self):
-        from gen_confs.squid import squid_mail
-        self._do(squid_mail())
-
-    def blacklist_virus(self):
-        from gen_confs.squid import squid_virus
-        self._do(squid_virus())
-
-    def blacklist_warez(self):
-        from gen_confs.squid import squid_warez
-        self._do(squid_warez())
-
-    def blacklist_upload(self):
-        from gen_confs.squid import squid_upload
-        self._do(squid_upload())
-
-    def blacklist_p2p(self):
-        from gen_confs.squid import squid_p2p
-        self._do(squid_p2p())
-
-    def blacklist_autodisc_virus(self):
-        from gen_confs.squid import squid_autodisc_virus
-        self._do(squid_autodisc_virus())
-
-    def blacklist_autodisc_upload(self):
-        from gen_confs.squid import squid_autodisc_upload
-        self._do(squid_autodisc_upload())
-
-    def blacklist_autodisc_p2p(self):
-        from gen_confs.squid import squid_autodisc_p2p
-        self._do(squid_autodisc_p2p())
-
-    def blacklist_bloq(self):
-        from gen_confs.squid import squid_bloq
-        self._do(squid_bloq())
-
     def macip(self, ips):
         from firewall_new import firewall_sable
         firewall_sable().mac_ip_maj(ips)

gestion/ipt.py

@@ -25,12 +25,14 @@ import os, re, syslog, cPickle
 from ldap_crans import crans_ldap, hostname
 from commands import getstatusoutput
 from config import NETs, role, prefix, mid, output_file, filter_policy
-from config import blacklist_sanctions, file_pickle
+from config import blacklist_sanctions, blacklist_sanctions_soft, file_pickle
 from iptools import AddrInNet
 from midtools import Mid
 import subprocess
 import netaddr
 
+blacklist_sanctions.extend(blacklist_sanctions_soft)
+
 Mangle_policy = """
 *mangle
 :PREROUTING ACCEPT [0:0]
@@ -161,6 +163,7 @@ ACCEPT' % (dev, proto, ip, port))
                 ip = ipv6_addr(machine.mac(), type_m)
                 mac=machine.mac()
                 break
+
         if ip:
             self.filter.blacklist_src('-m mac --mac-source %s -j REJECT --reject-with icmp6-port-unreachable' % mac)
             #~ self.filter.blacklist_src('-s %s -j REJECT --reject-with \
@@ -664,7 +667,7 @@ def blacklist(ipt):
 
     blcklst = []
 
-    s = db.search('ablacklist=*&paiement=ok')
+    s = db.search('paiement=ok')
 
     for target in s['adherent'] + s['club']:
         sanctions = target.blacklist_actif()