diff --git a/gestion/gen_confs/firewall4.py b/gestion/gen_confs/firewall4.py
index 66f4e3e1..2de94f31 100755
--- a/gestion/gen_confs/firewall4.py
+++ b/gestion/gen_confs/firewall4.py
@@ -516,7 +516,6 @@ class firewall_komaz(firewall_base_routeur):
         chain = 'PREROUTING'
         self.add(table, chain, '-j %s' % self.log_all(table))
-        self.add(table, chain, '-j %s' % self.blacklist_soft(table, fill_ipset=True))
         self.add(table, chain, '-j %s' % self.connexion_secours(table))
         self.add(table, chain, '-p tcp -j CONNMARK --restore-mark')
@@ -532,18 +531,29 @@ class firewall_komaz(firewall_base_routeur):
         mac_ip_chain = self.test_mac_ip()
         blacklist_hard_chain = self.blacklist_hard()
+        blacklist_soft_chain = self.blacklist_soft(table)
+
+        chain = 'INPUT'
+        self.flush(table, chain)
+        self.add(table, chain, '-i lo -j ACCEPT')
+        self.add(table, chain, '-p icmp -j ACCEPT')
+        self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT')
+        self.add(table, chain, '-j %s' % blacklist_soft_chain)
+        for net in NETs['all'] + NETs['adm'] + NETs['personnel-ens']:
+            self.add(table, chain, '-s %s -j %s' % (net, mac_ip_chain))
+        self.add(table, chain, '-j %s' % blacklist_hard_chain)
         chain = 'FORWARD'
         self.flush(table, chain)
         self.add(table, chain, '-i lo -j ACCEPT')
         self.add(table, chain, '-p icmp -j ACCEPT')
-        self.add(table, chain, '-j %s' % self.tunnel_6in4(table))
         self.add(table, chain, '-j %s' % self.admin_vlan(table))
+        self.add(table, chain, '-j %s' % blacklist_soft_chain)
         self.add(table, chain, '-i %s -j %s' % (dev['out'], blacklist_hard_chain))
         self.add(table, chain, '-o %s -j %s' % (dev['out'], blacklist_hard_chain))
         self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT')
+        self.add(table, chain, '-j %s' % self.tunnel_6in4(table))
         self.add(table, chain, '-j %s' % self.reseaux_non_routable(table, fill_ipset=True))
-        self.add(table, chain, '-j %s' % self.blacklist_soft(table))
         for net in NETs['all'] + NETs['adm'] + NETs['personnel-ens']:
             self.add(table, chain, '-s %s -j %s' % (net, mac_ip_chain))
         self.add(table, chain, '-j %s' % self.connexion_secours(table))
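Review bot: In the new INPUT chain the jump to `blacklist_hard_chain` is placed after `-m state --state RELATED,ESTABLISHED -j ACCEPT`, whereas FORWARD jumps to the hard blacklist before its state rule; for traffic addressed to the router itself, a host added to the hard blacklist keeps its already-established flows accepted until conntrack forgets them, so the new entry is not enforced immediately. Moving `self.add(table, chain, '-j %s' % blacklist_hard_chain)` above the state rule in INPUT would mirror FORWARD. Both chains also jump to `blacklist_soft_chain` before the hard blacklist and before the `mac_ip_chain` checks; if the soft chain ACCEPTs matching traffic (it is built in a later hunk of this diff), a host present in both sets bypasses the hard blacklist and the MAC/IP check for whatever the soft chain accepts, which deserves a comment stating that this precedence is intended. The enclosing method starts before and continues after this hunk.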
@@ -764,25 +774,19 @@ class firewall_komaz(firewall_base_routeur):
             self.ipset['blacklist']['soft'].restore(bl_soft_ips)
             print OK
-        if table == 'mangle':
-            pretty_print(table, chain)
-            self.add(table, chain, '-p tcp ! --dport 80 -j RETURN')
-            self.add(table, chain, '! -p tcp -j RETURN')
-            for net in NETs['all']:
-                self.add(table, chain, '-d %s -j RETURN' % net)
-            self.add(table, chain, '-m set --match-set %s src -j MARK --set-mark %s'
-                     % (self.ipset['blacklist']['soft'], config.firewall.mark['proxy']))
-
-            print OK
-
         if table == 'filter':
             pretty_print(table, chain)
-            self.add(table, chain, '-m mark --mark %s -j ACCEPT' % config.firewall.mark['proxy'])
+            self.add(table, chain, '-p tcp --dport 80 -m set --match-set %s src -j ACCEPT' % self.ipset['blacklist']['soft'] )
+            self.add(table, chain, '-p tcp --sport 80 -m set --match-set %s dst -j ACCEPT' % self.ipset['blacklist']['soft'] )
+            self.add(table, chain, '-p tcp -d 10.231.136.4 --dport 3128 -m set --match-set %s src -j ACCEPT' % self.ipset['blacklist']['soft'] )
+            self.add(table, chain, '-p tcp -s 10.231.136.4 --sport 3128 -m set --match-set %s dst -j ACCEPT' % self.ipset['blacklist']['soft'] )
             print OK
         if table == 'nat':
             pretty_print(table, chain)
-            self.add(table, chain, '-p tcp -m mark --mark %s -j DNAT --to-destination 10.231.136.4:3128' % config.firewall.mark['proxy'] )
+            for net in NETs['all']:
+                self.add(table, chain, '-d %s -j RETURN' % net)
+            self.add(table, chain, '-p tcp --dport 80 -m set --match-set %s src -j DNAT --to-destination 10.231.136.4:3128' % self.ipset['blacklist']['soft'] )
             print OK
         if apply:
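Review bot: The two `--sport` rules added to the filter branch accept any TCP packet whose remote end merely chose source port 80 (or 3128 from the proxy host) towards a soft-blacklisted client, with no connection-state condition; legitimate return traffic is already admitted by the `RELATED,ESTABLISHED` rules that precede (INPUT) or follow (FORWARD) this chain in the earlier hunk, so these two rules look redundant and widen what a soft-blacklisted host may receive. Dropping them, or at least qualifying them with `-m state --state ESTABLISHED`, keeps the chain to what conntrack cannot already establish. Separately, the proxy address `10.231.136.4` and port `3128` are now spelled out five times across the filter and nat branches; a single local such as `proxy_ip, proxy_port = '10.231.136.4', '3128'` set once above these blocks would keep them from drifting apart. The enclosing method starts before and continues after this hunk.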