[ipv6only] Modifications pour pettre des machines sans ipv4 et pare feu pour nat64
This commit is contained in:
parent
d04d51a2c3
commit
a2369dadf4
9 changed files with 67 additions and 21 deletions
|
@ -249,6 +249,7 @@ prefix = { 'subnet' : [ '2a01:240:fe3d::/48' ],
|
||||||
'evenementiel' : [ '2a01:240:fe3d:d2::/64' ],
|
'evenementiel' : [ '2a01:240:fe3d:d2::/64' ],
|
||||||
'bornes' : [ '2a01:240:fe3d:c04::/64' ],
|
'bornes' : [ '2a01:240:fe3d:c04::/64' ],
|
||||||
'wifi-adh' : [ '2a01:240:fe3d:c04::/64' ],
|
'wifi-adh' : [ '2a01:240:fe3d:c04::/64' ],
|
||||||
|
'v6only' : [ '2001:470:c8b9:a4::/64' ],
|
||||||
}
|
}
|
||||||
|
|
||||||
# Domaines dans lesquels les machines sont placées suivant leur type
|
# Domaines dans lesquels les machines sont placées suivant leur type
|
||||||
|
|
|
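Review bot: The new `'v6only'` entry `2001:470:c8b9:a4::/64` lies outside the `'subnet'` list, which still holds only `2a01:240:fe3d::/48`, and `'subnet'` is not extended by this hunk; code that iterates `prefix['subnet']` (the privacy-extension loop touched later in this commit does) will therefore not treat the v6only network as local. If that is intended because the prefix is a tunnel allocation, a comment on the new line, `# tunnel prefix, deliberately not part of 'subnet'`, would stop the next reader from "fixing" it; otherwise the prefix belongs in the `'subnet'` list as well. The `prefix` dictionary starts before the hunk.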
@ -2,8 +2,7 @@
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
|
|
||||||
# Généré par gestion/extractionbcfg2.py sur bcfg2, à partir de Metadata/groups.xml
|
# Généré par gestion/extractionbcfg2.py sur bcfg2, à partir de Metadata/groups.xml
|
||||||
# Fichier obsolète (backward comp ftw)
|
|
||||||
|
|
||||||
adm_only = []
|
adm_only = []
|
||||||
|
|
||||||
role = {'zamok': ['adherents-server'], 'dyson': ['sniffer'], 'titanic': ['failover-proxy'], 'komaz': ['wifi-router', 'appt-proxy', 'main-router'], 'dhcp': ['appt-proxy'], 'ovh': ['externe'], 'routeur': ['appt-proxy']}
|
role = {'zamok': ['adherents-server'], 'nat64': ['routeur-nat64'], 'komaz': ['wifi-router', 'appt-proxy', 'main-router'], 'dyson': ['sniffer'], 'isc': ['appt-proxy'], 'dhcp': ['appt-proxy'], 'ovh': ['externe'], 'routeur': ['appt-proxy']}
|
||||||
|
|
|
@ -53,7 +53,7 @@ recursiv = {
|
||||||
'wifi' : ['138.231.136.98', '138.231.136.152'],
|
'wifi' : ['138.231.136.98', '138.231.136.152'],
|
||||||
'evenementiel' : ['138.231.136.98', '138.231.136.152'],
|
'evenementiel' : ['138.231.136.98', '138.231.136.152'],
|
||||||
'adm' : ['10.231.136.98', '10.231.136.152'],
|
'adm' : ['10.231.136.98', '10.231.136.152'],
|
||||||
'gratuit' : ['10.42.0.10'],
|
'gratuit' : ['10.42.0.164'],
|
||||||
'accueil' : ['10.51.0.10'],
|
'accueil' : ['10.51.0.10'],
|
||||||
'isolement' : ['10.52.0.10'],
|
'isolement' : ['10.52.0.10'],
|
||||||
'personnel-ens' : ['10.2.9.10', '138.231.136.98', '138.231.136.152'],
|
'personnel-ens' : ['10.2.9.10', '138.231.136.98', '138.231.136.152'],
|
||||||
|
|
|
@ -18,20 +18,22 @@ role = %(role_dict)s
|
||||||
|
|
||||||
srvDict = { 'external' : [],
|
srvDict = { 'external' : [],
|
||||||
'connection-main' : [],
|
'connection-main' : [],
|
||||||
'failover-proxy-server' : [],
|
# 'failover-proxy-server' : [],
|
||||||
'vlan-ens' : [],
|
'vlan-ens' : [],
|
||||||
'users' : [],
|
'users' : [],
|
||||||
'sniffer' : [],
|
'sniffer' : [],
|
||||||
'router-wifi' : []
|
'router-wifi' : [],
|
||||||
|
'routeur-nat64' : [],
|
||||||
}
|
}
|
||||||
|
|
||||||
tr = { 'external' : 'externe',
|
tr = { 'external' : 'externe',
|
||||||
'connection-main' : 'main-router',
|
'connection-main' : 'main-router',
|
||||||
'vlan-ens' : 'appt-proxy',
|
'vlan-ens' : 'appt-proxy',
|
||||||
'failover-proxy-server' : 'failover-proxy',
|
# 'failover-proxy-server' : 'failover-proxy',
|
||||||
'router-wifi' : 'wifi-router',
|
'router-wifi' : 'wifi-router',
|
||||||
'users' : 'adherents-server',
|
'users' : 'adherents-server',
|
||||||
'sniffer' : 'sniffer'
|
'sniffer' : 'sniffer',
|
||||||
|
'routeur-nat64' : 'routeur-nat64',
|
||||||
}
|
}
|
||||||
|
|
||||||
fin = open('/var/lib/bcfg2/Metadata/groups.xml')
|
fin = open('/var/lib/bcfg2/Metadata/groups.xml')
|
||||||
|
@ -46,7 +48,6 @@ for key in srvDict.keys():
|
||||||
print "Erreur, il n'y a pas de serveur associé à l'attribut %s" % key
|
print "Erreur, il n'y a pas de serveur associé à l'attribut %s" % key
|
||||||
exit(1)
|
exit(1)
|
||||||
|
|
||||||
|
|
||||||
# On cherche les serveurs qui sont seulement sur le vlan adm
|
# On cherche les serveurs qui sont seulement sur le vlan adm
|
||||||
admOnly = parsedGroups.xpath('//Group[@name="adm-only"]/../@name')
|
admOnly = parsedGroups.xpath('//Group[@name="adm-only"]/../@name')
|
||||||
|
|
||||||
|
@ -60,8 +61,9 @@ for key, values in srvDict.items():
|
||||||
else:
|
else:
|
||||||
out[value] = [tr[key]]
|
out[value] = [tr[key]]
|
||||||
|
|
||||||
fout = open('/usr/scripts/gestion/config_srv.py', 'w')
|
fout = open('/usr/scripts/gestion/config/config_srv.py', 'w')
|
||||||
|
|
||||||
fout.write(template % {'adm_list': admOnly.__str__(), 'role_dict' : out.__str__()})
|
fout.write(template % {'adm_list': admOnly.__str__(), 'role_dict' : out.__str__()})
|
||||||
|
|
||||||
fout.close()
|
fout.close()
|
||||||
|
|
||||||
|
|
|
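Review bot: The `failover-proxy-server` role is commented out rather than deleted (the `# 'failover-proxy-server'` lines in both `srvDict` and `tr`), so the two dictionaries now stay consistent only as long as both comments are edited together: a key present in `srvDict` but absent from `tr` ends in a KeyError at `out[value] = [tr[key]]`, and a key with no matching server in groups.xml makes the script `exit(1)`. Delete both lines, or keep the role and say in a comment why it is retired. The output path moved to `/usr/scripts/gestion/config/config_srv.py` without a note, and `fout` is opened with `'w'` so any exception between `open` and `fout.close()` leaves a truncated generated module; `with open('/usr/scripts/gestion/config/config_srv.py', 'w') as fout:` avoids that. The `for key in srvDict.keys()` loop starts outside the hunks.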
@ -356,7 +356,9 @@ zone "%(NOM_zone)s" {
|
||||||
|
|
||||||
# Le direct
|
# Le direct
|
||||||
if zone in self.zones_direct :
|
if zone in self.zones_direct :
|
||||||
ligne = "%s\tIN\tA\t%s\n" % ( nom, machine.ip() )
|
ligne=''
|
||||||
|
if machine.ip() != '<automatique>':
|
||||||
|
ligne += "%s\tIN\tA\t%s\n" % ( nom, machine.ip() )
|
||||||
# Si la machine est une borne wifi, on ajoute la position
|
# Si la machine est une borne wifi, on ajoute la position
|
||||||
if isinstance(machine,ldap_crans.BorneWifi) and machine.position():
|
if isinstance(machine,ldap_crans.BorneWifi) and machine.position():
|
||||||
ligne +="%s\tIN\tTXT\t\"LOC %s,%s \"\n" % (nom,machine.position()[0],machine.position()[1])
|
ligne +="%s\tIN\tTXT\t\"LOC %s,%s \"\n" % (nom,machine.position()[0],machine.position()[1])
|
||||||
|
@ -402,6 +404,7 @@ zone "%(NOM_zone)s" {
|
||||||
alias = alias.encode('utf-8')
|
alias = alias.encode('utf-8')
|
||||||
# Cas particulier : nom de l'alias = nom de la zone
|
# Cas particulier : nom de l'alias = nom de la zone
|
||||||
if alias in self.zones_direct :
|
if alias in self.zones_direct :
|
||||||
|
if machine.ip() != '<automatique>':
|
||||||
ligne = "@\tIN\tA\t%s\n" % machine.ip()
|
ligne = "@\tIN\tA\t%s\n" % machine.ip()
|
||||||
ligne = ligne.encode('utf-8')
|
ligne = ligne.encode('utf-8')
|
||||||
direct[alias] = direct.get(alias, "") + ligne
|
direct[alias] = direct.get(alias, "") + ligne
|
||||||
|
@ -441,6 +444,9 @@ zone "%(NOM_zone)s" {
|
||||||
|
|
||||||
# Le reverse
|
# Le reverse
|
||||||
ip = machine.ip()
|
ip = machine.ip()
|
||||||
|
if ip == '<automatique>':
|
||||||
|
net=False
|
||||||
|
else:
|
||||||
net = AddrInNets(ip, self.zones_reverse)
|
net = AddrInNets(ip, self.zones_reverse)
|
||||||
if net:
|
if net:
|
||||||
base_ip = ip.split('.')
|
base_ip = ip.split('.')
|
||||||
|
|
|
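Review bot: In the alias hunk the new `if machine.ip() != '<automatique>':` guards only `ligne = "@\tIN\tA\t%s\n" % machine.ip()`; with indentation lost in this rendering I cannot tell whether `ligne = ligne.encode('utf-8')` and `direct[alias] = direct.get(alias, "") + ligne` sit inside the guard. If they do not, an alias of a machine without an address reaches them with `ligne` either unbound or, more likely, still holding the record built for the previous machine or alias, which would then be written into the zone under the wrong name. Initialising `ligne = ''` before the `if`, as the first hunk of this file already does, keeps the sentinel case harmless either way. The string `'<automatique>'` is now compared in four places across this commit; a module-level constant such as `IP_AUTO = '<automatique>'` would make the convention greppable. The enclosing method starts and ends outside the hunks.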
@ -145,7 +145,7 @@ class dhcp(gen_config) :
|
||||||
for machine in self.machines :
|
for machine in self.machines :
|
||||||
self.anim.cycle()
|
self.anim.cycle()
|
||||||
for net in self.reseaux.keys() :
|
for net in self.reseaux.keys() :
|
||||||
if AddrInNet(machine.ip(), net) :
|
if machine.ip() != '<automatique>' and AddrInNet(machine.ip(), net) :
|
||||||
host_template = self.host_template
|
host_template = self.host_template
|
||||||
# variable pour remplir le template
|
# variable pour remplir le template
|
||||||
#d = { 'nom' : machine.nom().split('.')[0] , 'mac' : machine.mac() , 'ip' : machine.ip() }
|
#d = { 'nom' : machine.nom().split('.')[0] , 'mac' : machine.mac() , 'ip' : machine.ip() }
|
||||||
|
|
|
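Review bot: `machine.ip()` is now called twice per (machine, net) pair inside the `for net in self.reseaux.keys()` loop, once for the sentinel test and once for `AddrInNet`. Hoisting it, `ip = machine.ip()` before the inner loop and `if ip != '<automatique>' and AddrInNet(ip, net) :`, evaluates it once per machine and gives the sentinel check an obvious place for a comment on what `<automatique>` means for DHCP generation. The loop body continues outside the hunk.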
@ -480,6 +480,7 @@ class firewall_komaz(firewall_base_routeur):
|
||||||
'filtrage_ports' : self.filtrage_ports,
|
'filtrage_ports' : self.filtrage_ports,
|
||||||
'limitation_debit' : self.limitation_debit,
|
'limitation_debit' : self.limitation_debit,
|
||||||
'limit_ssh_connexion' : self.limit_ssh_connexion,
|
'limit_ssh_connexion' : self.limit_ssh_connexion,
|
||||||
|
'tunnel_6in4' : self.tunnel_6in4,
|
||||||
})
|
})
|
||||||
|
|
||||||
self.use_ipset.extend([self.blacklist_soft, self.blacklist_upload, self.reseaux_non_routable])
|
self.use_ipset.extend([self.blacklist_soft, self.blacklist_upload, self.reseaux_non_routable])
|
||||||
|
@ -569,7 +570,7 @@ class firewall_komaz(firewall_base_routeur):
|
||||||
def tunnel_6in4(self, table=None, apply=False):
|
def tunnel_6in4(self, table=None, apply=False):
|
||||||
chain = 'TUNNEL_IPV6'
|
chain = 'TUNNEL_IPV6'
|
||||||
|
|
||||||
tunnels_ipv6 = [ ('216.66.84.42', '138.231.136.12') ]
|
tunnels_ipv6 = [ ('216.66.84.42', '138.231.136.12'), ('216.66.84.42','138.231.136.164') ]
|
||||||
|
|
||||||
if table == 'filter':
|
if table == 'filter':
|
||||||
pretty_print(table, chain)
|
pretty_print(table, chain)
|
||||||
|
|
|
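Review bot: The second tunnel endpoint is appended to a list literal inside `tunnel_6in4`, so which local addresses terminate a 6in4 tunnel is now decided in a method body rather than in the configuration the rest of this commit extends. Both tuples share the remote `216.66.84.42` and nothing says what `138.231.136.164` is; I can only infer a link with the new nat64 role. A module-level or config constant with one comment per local address, e.g. `# 138.231.136.164: <role of this host - TODO fill in>`, would document the relation. The rest of `tunnel_6in4` is outside the hunk.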
@ -200,6 +200,40 @@ def main_router():
|
||||||
# On met en place le forwarding
|
# On met en place le forwarding
|
||||||
enable_forwarding(6)
|
enable_forwarding(6)
|
||||||
|
|
||||||
|
|
||||||
|
def routeur_nat64():
|
||||||
|
''' Firewall pour le nat64 '''
|
||||||
|
|
||||||
|
dev_crans = iface6('fil')
|
||||||
|
dev_adm = iface6('adm')
|
||||||
|
dev_v6only = iface6('v6only')
|
||||||
|
|
||||||
|
# Les blacklistes
|
||||||
|
# Si on les met après la règle conntrack, une connexion existante ne sera
|
||||||
|
# pas sevrée et dinc avec un tunnel ssh idoine, la blacklist aurait aucun
|
||||||
|
# effet.
|
||||||
|
# Alternative : flusher la table conntrack des entrées concernant cette
|
||||||
|
# machine.
|
||||||
|
blacklist(ip6tables)
|
||||||
|
ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_v6only)
|
||||||
|
ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_crans)
|
||||||
|
|
||||||
|
|
||||||
|
ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
|
||||||
|
|
||||||
|
# Pour les autres connections
|
||||||
|
for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6'] if not 'v6' in i]:
|
||||||
|
ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' +
|
||||||
|
type_m.upper()))
|
||||||
|
ip6tables.filter.forward('-i %s -j MAC' % dev_crans)
|
||||||
|
|
||||||
|
# Rien ne passe vers adm
|
||||||
|
# est ce que du local est gêné par le règle ?
|
||||||
|
ip6tables.filter.forward('-d %s -j REJECT --reject-with icmp6-addr-unreachable' % (prefix['adm'][0]))
|
||||||
|
|
||||||
|
# On met en place le forwarding
|
||||||
|
enable_forwarding(6)
|
||||||
|
|
||||||
def wifi_router():
|
def wifi_router():
|
||||||
''' Firewall pour le router du wifi '''
|
''' Firewall pour le router du wifi '''
|
||||||
# Le wifi est maintenant routé directement sur komaz.
|
# Le wifi est maintenant routé directement sur komaz.
|
||||||
|
|
|
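Review bot: `routeur_nat64` sets no explicit default for the FORWARD chain: apart from the two blacklist jumps and the REJECT toward `prefix['adm'][0]`, every rule either accepts or jumps to the MAC chain, so whatever chain policy is configured elsewhere decides the fate of traffic from `dev_v6only` that matches none of them; a closing comment stating that policy, or an explicit terminal rule, would make the intent reviewable. `dev_adm = iface6('adm')` is assigned but never used in the function. The loop `for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6'] if not 'v6' in i]:` filters its own literal at run time and is equivalent to `for type_m in ['fil', 'wifi']:`; if the v6 names are listed to mirror another table, a comment should say so. The open question left in the comment above the adm REJECT (`# est ce que du local est gêné par le règle ?`) should be answered before this runs on a router.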
@ -19,7 +19,7 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
import sys
|
||||||
import os, re, syslog, cPickle, socket
|
import os, re, syslog, cPickle, socket
|
||||||
|
|
||||||
from ldap_crans import crans_ldap, hostname
|
from ldap_crans import crans_ldap, hostname
|
||||||
|
@ -801,10 +801,13 @@ def mac_ip(ipt, machines, types_machines):
|
||||||
macips(ipt, machines, types_machines)
|
macips(ipt, machines, types_machines)
|
||||||
for type_m in types_machines:
|
for type_m in types_machines:
|
||||||
if not '-v6' in type_m and not type_m in tab.keys():
|
if not '-v6' in type_m and not type_m in tab.keys():
|
||||||
|
try:
|
||||||
dev = iface6(type_m)
|
dev = iface6(type_m)
|
||||||
ipt.filter.input('-i %s -s %s -j %s' % (dev, prefix[type_m][0],
|
ipt.filter.input('-i %s -s %s -j %s' % (dev, prefix[type_m][0],
|
||||||
'MAC' + type_m.upper()))
|
'MAC' + type_m.upper()))
|
||||||
ipt.filter.input('-i %s -j IEUI64' % dev)
|
ipt.filter.input('-i %s -j IEUI64' % dev)
|
||||||
|
except NoIface as e:
|
||||||
|
sys.stderr.write("NoIface: %s" % e)
|
||||||
|
|
||||||
# On active les extensions de vie privée
|
# On active les extensions de vie privée
|
||||||
for net in prefix['subnet']:
|
for net in prefix['subnet']:
|
||||||
|
|
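Review bot: The new `except NoIface` handler only writes `"NoIface: %s" % e` to stderr, without a trailing newline, and then continues, so a machine type whose interface is missing silently ends up without its `MAC...` and `IEUI64` input rules. If this script runs at boot, as a firewall script presumably does, stderr may be lost; the file already imports `syslog`, so `syslog.syslog(syslog.LOG_WARNING, "NoIface: %s" % e)` next to a `sys.stderr.write("NoIface: %s\n" % e)` would leave a trace of the missing rules. `import sys` on its own line above `import os, re, syslog, cPickle, socket` departs from the file's grouped-import style; fold it into that line. `mac_ip` continues outside the hunk.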