crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[config,firewall_new,generate,ldap_crans] On route intranet2 depuis le vlan accueil, on utilise iptable-restore pour la génération des blacklists, les déco soft sont relaiyé par le nginx de komaz, toutes les blackliste sont à generate sur komaz, les première inscription n'ont que inscription dans leur historique.

Browse source 
Ignore-this: 8b8414f5185ec9db2e4bf7f7f97d9161

darcs-hash:20121117003929-3a55a-0452cece4b67e246e6cf7ac72469af9f71722826.gz
This commit is contained in:
Valentin Samir 2012-11-17 01:39:29 +01:00
parent 19418d455b
commit 9a5b4e2d57
4 changed files with 43 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

3
gestion/config.py
View file

@ -601,7 +601,8 @@ debit_max_gratuit = 1000000
accueil_route = { accueil_route = {
'138.231.136.1':['80','443'], '138.231.136.1':['80','443'],
'138.231.136.67':['80','443'], '138.231.136.67':['80','443'],
'138.231.136.98':['20','21','80'] '138.231.136.98':['20','21','80'],
'138.231.136.130':['80','443']
} }

36
gestion/gen_confs/firewall_new.py
View file

@ -73,6 +73,13 @@ def iptables(cmd):
if status: if status:
raise IptablesError(cmd,status,output) raise IptablesError(cmd,status,output)
return output return output
def iptables_restore(path):
#~ syslog.syslog(syslog.LOG_INFO,cmd)
status,output=getstatusoutput("cat %s | /sbin/iptables-restore -n" % path)
if status:
raise IptablesError(cmd,status,output)
return output
def iptables_save(): def iptables_save():
""" Sauvegarde d'ipatbles """ """ Sauvegarde d'ipatbles """
@ -723,6 +730,8 @@ class firewall_komaz(firewall_crans) :
iptables("-A FORWARD -p icmp -j ACCEPT") iptables("-A FORWARD -p icmp -j ACCEPT")
iptables("-A FORWARD -i tun-ovh -j ACCEPT") iptables("-A FORWARD -i tun-ovh -j ACCEPT")
iptables("-A FORWARD -d 224.0.0.0/4 -j DROP") iptables("-A FORWARD -d 224.0.0.0/4 -j DROP")
# Proxy transparent, pour les deconnexion soft
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
#iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT") #iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
for net in NETs['fil'] + NETs['wifi']: for net in NETs['fil'] + NETs['wifi']:
iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int)) iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int))
@ -731,10 +740,6 @@ class firewall_komaz(firewall_crans) :
iptables("-A FORWARD -j RESEAUX_NON_ROUTABLES_DST") iptables("-A FORWARD -j RESEAUX_NON_ROUTABLES_DST")
iptables("-A FORWARD -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext ) iptables("-A FORWARD -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
# Proxy transparent, pour les deconnexion soft
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
#Connection de secours #Connection de secours
# on ne peut pas faire passer https dans un proxy transparent sans faire de man in the middle et sans recompiler squid # on ne peut pas faire passer https dans un proxy transparent sans faire de man in the middle et sans recompiler squid
@ -1076,12 +1081,11 @@ class firewall_komaz(firewall_crans) :
def blacklist(self): def blacklist(self):
""" Construit les chaînes de blackliste (BLACKLIST_{DST,SRC}) """ """ Construit les chaînes de blackliste (BLACKLIST_{DST,SRC}) """
iptables('-F BLACKLIST_DST')
iptables('-F BLACKLIST_SRC')
iptables('-t mangle -F BLACKLIST_SOFT')
blacklist = [] blacklist = []
blacklist_soft = [] blacklist_soft = []
rules=['*filter',':BLACKLIST_DST - [0:0]',':BLACKLIST_SRC - [0:0]']
# Recherche sur le champ paiement seulement (clubs compris) et plus ablacklist pour capturer aussi les deconnection pour chambre invalide et carte étudiant # Recherche sur le champ paiement seulement (clubs compris) et plus ablacklist pour capturer aussi les deconnection pour chambre invalide et carte étudiant
search = db.search('paiement=ok') search = db.search('paiement=ok')
@ -1126,15 +1130,27 @@ class firewall_komaz(firewall_crans) :
self.anim = anim("\tChaînes BLACKLIST", len(blacklist)) self.anim = anim("\tChaînes BLACKLIST", len(blacklist))
for machine in blacklist: for machine in blacklist:
self.anim.cycle() self.anim.cycle()
iptables("-A BLACKLIST_DST -d %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip()) rules.append("-A BLACKLIST_DST -d %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
iptables("-A BLACKLIST_SRC -s %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip()) rules.append("-A BLACKLIST_SRC -s %s -j REJECT --reject-with icmp-host-prohibited" % machine.ip())
self.anim.reinit() self.anim.reinit()
print OK print OK
rules.append('COMMIT')
rules.append('*mangle')
rules.append(':BLACKLIST_SOFT - [0:0]')
self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist_soft)) self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist_soft))
for machine in blacklist_soft: for machine in blacklist_soft:
self.anim.cycle() self.anim.cycle()
iptables("-t mangle -I BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy'])) #~ iptables("-t mangle -A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
rules.append("-A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
self.anim.reinit() self.anim.reinit()
rules.append('COMMIT\n')
f = open('/tmp/ipt_blacklist', 'w')
f.write("\n".join(rules))
f.close()
iptables('-F BLACKLIST_DST')
iptables('-F BLACKLIST_SRC')
iptables('-t mangle -F BLACKLIST_SOFT')
iptables_restore('/tmp/ipt_blacklist')
print OK print OK
def filtre_p2p(self): def filtre_p2p(self):

14
gestion/gen_confs/generate.py
View file

@ -48,6 +48,7 @@ class base_reconfigure:
'blacklist_mail_invalide':['komaz-blacklist'], 'blacklist_mail_invalide':['komaz-blacklist'],
'blacklist_virus':['komaz-blacklist'], 'blacklist_virus':['komaz-blacklist'],
'blacklist_warez':['komaz-blacklist'], 'blacklist_warez':['komaz-blacklist'],
'blacklist_ipv6_ra':['komaz-blacklist'],
'blacklist_upload': ['komaz-blacklist', 'zamok-blacklist' ], 'blacklist_upload': ['komaz-blacklist', 'zamok-blacklist' ],
'blacklist_p2p': ['komaz-blacklist', 'zamok-blacklist' ], 'blacklist_p2p': ['komaz-blacklist', 'zamok-blacklist' ],
'blacklist_autodisc_virus':['komaz-blacklist'], 'blacklist_autodisc_virus':['komaz-blacklist'],
@ -56,6 +57,19 @@ class base_reconfigure:
'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist', 'dns' ], 'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist', 'dns' ],
'del_user': [ 'daath-del_user', 'owl-del_user', 'zamok-del_user' ] 'del_user': [ 'daath-del_user', 'owl-del_user', 'zamok-del_user' ]
} }
#Y R U Aliasing !
__service_develop.update({
'mail_invalide':__service_develop['blacklist_mail_invalide'],
'virus':__service_develop['blacklist_virus'],
'warez':__service_develop['blacklist_warez'],
'ipv6_ra':__service_develop['blacklist_ipv6_ra'],
'upload': __service_develop['blacklist_upload'],
'p2p': __service_develop['blacklist_p2p'],
'autodisc_virus':__service_develop['blacklist_autodisc_virus'],
'autodisc_upload': __service_develop['blacklist_autodisc_upload'],
'autodisc_p2p': __service_develop['blacklist_autodisc_p2p'],
'bloq': __service_develop['blacklist_bloq'],
})
def __init__(self, to_do=None): def __init__(self, to_do=None):

2
gestion/ldap_crans.py
View file

@ -978,7 +978,7 @@ class BaseClasseCrans(CransLdap):
# blacklistes virtuelle si on est un adhérent pour carte étudiant et chambre invalides # blacklistes virtuelle si on est un adhérent pour carte étudiant et chambre invalides
if not config.periode_transitoire and config.bl_carte_et_actif and not (config.ann_scol in self.carteEtudiant()): if not config.periode_transitoire and config.bl_carte_et_actif and not (config.ann_scol in self.carteEtudiant()):
for h in self.historique()[::-1]: for h in self.historique()[::-1]:
x=re.match("(.*),.* : .*paiement\+%s.*" % config.ann_scol,h) x=re.match("(.*),.* : .*(paiement\+%s|inscription).*" % config.ann_scol,h)
if x != None: if x != None:
if (time.time()-time.mktime(time.strptime(x.group(1),'%d/%m/%Y %H:%M')))>config.sursis_carte: if (time.time()-time.mktime(time.strptime(x.group(1),'%d/%m/%Y %H:%M')))>config.sursis_carte:
actifs['carte_etudiant']=('-','-') actifs['carte_etudiant']=('-','-')