From 9a5b4e2d573ba5204273767b084024a3f103840e Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Sat, 17 Nov 2012 01:39:29 +0100
Subject: [PATCH] =?UTF-8?q?[config,firewall=5Fnew,generate,ldap=5Fcrans]?=
 =?UTF-8?q?=20On=20route=20intranet2=20depuis=20le=20vlan=20accueil,=20on?=
 =?UTF-8?q?=20utilise=20iptable-restore=20pour=20la=20g=C3=A9n=C3=A9ration?=
 =?UTF-8?q?=20des=20blacklists,=20les=20d=C3=A9co=20soft=20sont=20relaiy?=
 =?UTF-8?q?=C3=A9=20par=20le=20nginx=20de=20komaz,=20toutes=20les=20blackl?=
 =?UTF-8?q?iste=20sont=20=C3=A0=20generate=20sur=20komaz,=20les=20premi?=
 =?UTF-8?q?=C3=A8re=20inscription=20n'ont=20que=20inscription=20dans=20leu?=
 =?UTF-8?q?r=20historique.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ignore-this: 8b8414f5185ec9db2e4bf7f7f97d9161
darcs-hash:20121117003929-3a55a-0452cece4b67e246e6cf7ac72469af9f71722826.gz
---
 gestion/config.py | 3 ++-
 gestion/gen_confs/firewall_new.py | 36 ++++++++++++++++++++++---------
 gestion/gen_confs/generate.py | 14 ++++++++++++
 gestion/ldap_crans.py | 2 +-
 4 files changed, 43 insertions(+), 12 deletions(-)
diff --git a/gestion/config.py b/gestion/config.py
index 5ce0535e..d64fff5d 100644
--- a/gestion/config.py
+++ b/gestion/config.py
@@ -601,7 +601,8 @@ debit_max_gratuit = 1000000
 accueil_route = {
 '138.231.136.1':['80','443'],
 '138.231.136.67':['80','443'],
- '138.231.136.98':['20','21','80']
+ '138.231.136.98':['20','21','80'],
+ '138.231.136.130':['80','443']
 }
diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index 0491a015..63389d7c 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
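Review bot: The new `accueil_route` entry is a bare IP literal with nothing saying which host it opens from the accueil VLAN, while the commit message calls it intranet2; this dict is effectively an allow-list, so each destination should be identifiable at a glance. A trailing comment would do, e.g. `'138.231.136.130':['80','443'],  # intranet2 (HTTP/HTTPS from the accueil vlan)` — I am taking the host name from the commit message, so adjust if it is wrong. The older entries in the same dict would benefit from the same treatment.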
@@ -73,6 +73,13 @@ def iptables(cmd):
 if status:
 raise IptablesError(cmd,status,output)
 return output
+
+def iptables_restore(path):
+ #~ syslog.syslog(syslog.LOG_INFO,cmd)
+ status,output=getstatusoutput("cat %s | /sbin/iptables-restore -n" % path)
+ if status:
+ raise IptablesError(cmd,status,output)
+ return output
 def iptables_save():
 """ Sauvegarde d'ipatbles """
@@ -723,6 +730,8 @@ class firewall_komaz(firewall_crans) :
 iptables("-A FORWARD -p icmp -j ACCEPT")
 iptables("-A FORWARD -i tun-ovh -j ACCEPT")
 iptables("-A FORWARD -d 224.0.0.0/4 -j DROP")
+ # Proxy transparent, pour les deconnexion soft
+ iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
 #iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
 for net in NETs['fil'] + NETs['wifi']:
 iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int))
@@ -731,10 +740,6 @@ class firewall_komaz(firewall_crans) :
 iptables("-A FORWARD -j RESEAUX_NON_ROUTABLES_DST")
 iptables("-A FORWARD -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
-
-
- # Proxy transparent, pour les deconnexion soft
- iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
 #Connection de secours
 # on ne peut pas faire passer https dans un proxy transparent sans faire de man in the middle et sans recompiler squid
@@ -1076,12 +1081,11 @@ class firewall_komaz(firewall_crans) :
 def blacklist(self):
 """ Construit les chaînes de blackliste (BLACKLIST_{DST,SRC}) """
- iptables('-F BLACKLIST_DST')
- iptables('-F BLACKLIST_SRC')
- iptables('-t mangle -F BLACKLIST_SOFT')
 blacklist = []
 blacklist_soft = []
+ rules=['*filter',':BLACKLIST_DST - [0:0]',':BLACKLIST_SRC - [0:0]']
+
 # Recherche sur le champ paiement seulement (clubs compris) et plus ablacklist pour capturer aussi les deconnection pour chambre invalide et carte étudiant
 search = db.search('paiement=ok')
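Review bot: `cmd` is never defined in the new `iptables_restore`, so whenever iptables-restore exits non-zero the `raise IptablesError(cmd,status,output)` line raises a NameError instead and the real error output is lost — exactly the failure case the check exists for. Bind the command string first and reuse it: `cmd = "/sbin/iptables-restore -n < %s" % path`, `status,output=getstatusoutput(cmd)`, `raise IptablesError(cmd,status,output)`; the shell redirection also removes the pointless `cat` pipe. The `#~ syslog.syslog(syslog.LOG_INFO,cmd)` line looks copied from `iptables()` (whose body starts outside this hunk); either log `cmd` for real or drop the dead line rather than keep it commented out. A one-line docstring such as `"""Load an iptables-save style ruleset from path with -n (existing chains are not flushed)."""` would help the next reader.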
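Review bot: Moving the `-m mark --mark proxy -j ACCEPT` rule ahead of the `TEST_MAC-IP` loop (and of the `RESEAUX_NON_ROUTABLES_*` rules that follow it in the next hunk) means forwarded packets carrying the proxy mark now bypass the MAC/IP anti-spoofing check. The mark is set elsewhere in this patch in mangle `BLACKLIST_SOFT` on the source address alone (`-A BLACKLIST_SOFT -s %s -j MARK ...`), so, as far as I can tell, a host spoofing a soft-blacklisted IP would get its traffic forwarded without that check. If the old position (after `RESEAUX_NON_ROUTABLES_SRC`) was too late because a later rule dropped this traffic, placing the ACCEPT right after the `TEST_MAC-IP` loop would keep the anti-spoof test while still short-circuiting the rest; the comment should then say why it must sit there, e.g. `# Soft-disconnected hosts: accept marked traffic to the transparent proxy, after the MAC/IP check`. The FORWARD chain build continues outside this hunk.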
@@ -1126,15 +1130,27 @@ class firewall_komaz(firewall_crans) :
 self.anim = anim("\tChaînes BLACKLIST", len(blacklist))
 for machine in blacklist:
 self.anim.cycle()
- iptables("-A BLACKLIST_DST -d %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
- iptables("-A BLACKLIST_SRC -s %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
+ rules.append("-A BLACKLIST_DST -d %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
+ rules.append("-A BLACKLIST_SRC -s %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
 self.anim.reinit()
 print OK
+ rules.append('COMMIT')
+ rules.append('*mangle')
+ rules.append(':BLACKLIST_SOFT - [0:0]')
 self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist_soft))
 for machine in blacklist_soft:
 self.anim.cycle()
- iptables("-t mangle -I BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
+ #~ iptables("-t mangle -A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
+ rules.append("-A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
 self.anim.reinit()
+ rules.append('COMMIT\n')
+ f = open('/tmp/ipt_blacklist', 'w')
+ f.write("\n".join(rules))
+ f.close()
+ iptables('-F BLACKLIST_DST')
+ iptables('-F BLACKLIST_SRC')
+ iptables('-t mangle -F BLACKLIST_SOFT')
+ iptables_restore('/tmp/ipt_blacklist')
 print OK
 def filtre_p2p(self):
diff --git a/gestion/gen_confs/generate.py b/gestion/gen_confs/generate.py
index 31ba5b67..4ee75935 100644
--- a/gestion/gen_confs/generate.py
+++ b/gestion/gen_confs/generate.py
@@ -48,6 +48,7 @@ class base_reconfigure:
 'blacklist_mail_invalide':['komaz-blacklist'],
 'blacklist_virus':['komaz-blacklist'],
 'blacklist_warez':['komaz-blacklist'],
+ 'blacklist_ipv6_ra':['komaz-blacklist'],
 'blacklist_upload': ['komaz-blacklist', 'zamok-blacklist' ],
 'blacklist_p2p': ['komaz-blacklist', 'zamok-blacklist' ],
 'blacklist_autodisc_virus':['komaz-blacklist'],
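Review bot: The ruleset is written with a plain `open(..., 'w')` to the fixed path `/tmp/ipt_blacklist` and then fed to iptables-restore as root; in a world-writable directory any local user can pre-create that name (a regular file they own, or a symlink), and because the file is not written atomically they can also rewrite it between `f.close()` and `iptables_restore(...)`, which amounts to injecting firewall rules into the filter and mangle tables. Write the rules to a private temp file from `tempfile.mkstemp` (mode 0600, unguessable name) inside a `with`/`finally` and delete it afterwards, as sketched below; this needs `import os` and `import tempfile` at the top of the file, which I cannot see. The three explicit `-F` calls leave a short window with empty blacklist chains before the restore lands — if `iptables-restore -n` already recreates chains declared with `:BLACKLIST_DST - [0:0]` on the target version they are redundant and could go, but verify that before removing them. The commented-out `#~ iptables("-t mangle -A BLACKLIST_SOFT ...` line is dead code and should be dropped. The `blacklist` method starts outside this hunk.
```python
        rules.append('COMMIT\n')
        # Private temp file (0600, unguessable name): never a fixed /tmp path that
        # another local user could pre-create or swap under root before the restore.
        fd, path = tempfile.mkstemp(prefix='ipt_blacklist.')
        try:
            with os.fdopen(fd, 'w') as f:
                f.write("\n".join(rules))
            iptables('-F BLACKLIST_DST')
            iptables('-F BLACKLIST_SRC')
            iptables('-t mangle -F BLACKLIST_SOFT')
            iptables_restore(path)
        finally:
            os.unlink(path)
        print OK
```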
@@ -56,6 +57,19 @@ class base_reconfigure:
 'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist', 'dns' ],
 'del_user': [ 'daath-del_user', 'owl-del_user', 'zamok-del_user' ]
 }
+ #Y R U Aliasing !
+ __service_develop.update({
+ 'mail_invalide':__service_develop['blacklist_mail_invalide'],
+ 'virus':__service_develop['blacklist_virus'],
+ 'warez':__service_develop['blacklist_warez'],
+ 'ipv6_ra':__service_develop['blacklist_ipv6_ra'],
+ 'upload': __service_develop['blacklist_upload'],
+ 'p2p': __service_develop['blacklist_p2p'],
+ 'autodisc_virus':__service_develop['blacklist_autodisc_virus'],
+ 'autodisc_upload': __service_develop['blacklist_autodisc_upload'],
+ 'autodisc_p2p': __service_develop['blacklist_autodisc_p2p'],
+ 'bloq': __service_develop['blacklist_bloq'],
+ })
 def __init__(self, to_do=None):
diff --git a/gestion/ldap_crans.py b/gestion/ldap_crans.py
index 900339b0..bed5a614 100644
--- a/gestion/ldap_crans.py
+++ b/gestion/ldap_crans.py
@@ -978,7 +978,7 @@ class BaseClasseCrans(CransLdap):
 # blacklistes virtuelle si on est un adhérent pour carte étudiant et chambre invalides
 if not config.periode_transitoire and config.bl_carte_et_actif and not (config.ann_scol in self.carteEtudiant()):
 for h in self.historique()[::-1]:
- x=re.match("(.*),.* : .*paiement\+%s.*" % config.ann_scol,h)
+ x=re.match("(.*),.* : .*(paiement\+%s|inscription).*" % config.ann_scol,h)
 if x != None:
 if (time.time()-time.mktime(time.strptime(x.group(1),'%d/%m/%Y %H:%M')))>config.sursis_carte:
 actifs['carte_etudiant']=('-','-')
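Review bot: The hand-written alias table repeats every `blacklist_*` key of `__service_develop` and will drift as soon as another blacklist type is added — the `blacklist_ipv6_ra` entry introduced earlier in this same patch already had to be mirrored by hand here. Deriving the unprefixed names from the dict keeps the two in step: `__service_develop.update(dict((k[len('blacklist_'):], v) for k, v in __service_develop.items() if k.startswith('blacklist_')))`; inside the class body the mangled `__service_develop` name resolves on both sides, as it already does in the current code. The `#Y R U Aliasing !` comment should state why the unprefixed names are accepted, e.g. `# A bare blacklist type (p2p, virus, ...) is accepted as a service name, alias of blacklist_<type>` — I am inferring that purpose from the keys alone, so adjust it if the callers differ. The class body continues outside this hunk.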
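Review bot: The new `inscription` alternative carries no word boundary and no year, so `.*(paiement\+%s|inscription).*` now matches any historique line that merely contains that substring, whatever action it belongs to, and the date of that line then decides `carte_etudiant`. Anchoring it narrows the match to the intended entry, but `\b` is only a word boundary in a raw string (in the current non-raw literal `"\b"` is a backspace), so the line would become `x=re.match(r"(.*),.* : .*(paiement\+%s|\binscription\b).*" % config.ann_scol,h)`. A short comment above it, e.g. `# first-year members have only an 'inscription' entry, no paiement+<year> yet`, would record the reason given in the commit message. The loop and the enclosing method continue outside this hunk.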