crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[firewall4] Blacklist soft redirige vers portail captif même quand blacklist hard

Browse source 
Il suffisait d'autoriser la connection à komaz dans INPUT et non pas dans FORWARD -_-'
This commit is contained in:
Valentin Samir 2013-11-08 02:59:33 +01:00
parent a29e729c1e
commit ab99ecea37
1 changed files with 20 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

36
gestion/gen_confs/firewall4.py
View file

@ -516,7 +516,6 @@ class firewall_komaz(firewall_base_routeur):
chain = 'PREROUTING' chain = 'PREROUTING'
self.add(table, chain, '-j %s' % self.log_all(table)) self.add(table, chain, '-j %s' % self.log_all(table))
self.add(table, chain, '-j %s' % self.blacklist_soft(table, fill_ipset=True))
self.add(table, chain, '-j %s' % self.connexion_secours(table)) self.add(table, chain, '-j %s' % self.connexion_secours(table))
self.add(table, chain, '-p tcp -j CONNMARK --restore-mark') self.add(table, chain, '-p tcp -j CONNMARK --restore-mark')
@ -532,18 +531,29 @@ class firewall_komaz(firewall_base_routeur):
mac_ip_chain = self.test_mac_ip() mac_ip_chain = self.test_mac_ip()
blacklist_hard_chain = self.blacklist_hard() blacklist_hard_chain = self.blacklist_hard()
blacklist_soft_chain = self.blacklist_soft(table)
chain = 'INPUT'
self.flush(table, chain)
self.add(table, chain, '-i lo -j ACCEPT')
self.add(table, chain, '-p icmp -j ACCEPT')
self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT')
self.add(table, chain, '-j %s' % blacklist_soft_chain)
for net in NETs['all'] + NETs['adm'] + NETs['personnel-ens']:
self.add(table, chain, '-s %s -j %s' % (net, mac_ip_chain))
self.add(table, chain, '-j %s' % blacklist_hard_chain)
chain = 'FORWARD' chain = 'FORWARD'
self.flush(table, chain) self.flush(table, chain)
self.add(table, chain, '-i lo -j ACCEPT') self.add(table, chain, '-i lo -j ACCEPT')
self.add(table, chain, '-p icmp -j ACCEPT') self.add(table, chain, '-p icmp -j ACCEPT')
self.add(table, chain, '-j %s' % self.tunnel_6in4(table))
self.add(table, chain, '-j %s' % self.admin_vlan(table)) self.add(table, chain, '-j %s' % self.admin_vlan(table))
self.add(table, chain, '-j %s' % blacklist_soft_chain)
self.add(table, chain, '-i %s -j %s' % (dev['out'], blacklist_hard_chain)) self.add(table, chain, '-i %s -j %s' % (dev['out'], blacklist_hard_chain))
self.add(table, chain, '-o %s -j %s' % (dev['out'], blacklist_hard_chain)) self.add(table, chain, '-o %s -j %s' % (dev['out'], blacklist_hard_chain))
self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT') self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT')
self.add(table, chain, '-j %s' % self.tunnel_6in4(table))
self.add(table, chain, '-j %s' % self.reseaux_non_routable(table, fill_ipset=True)) self.add(table, chain, '-j %s' % self.reseaux_non_routable(table, fill_ipset=True))
self.add(table, chain, '-j %s' % self.blacklist_soft(table))
for net in NETs['all'] + NETs['adm'] + NETs['personnel-ens']: for net in NETs['all'] + NETs['adm'] + NETs['personnel-ens']:
self.add(table, chain, '-s %s -j %s' % (net, mac_ip_chain)) self.add(table, chain, '-s %s -j %s' % (net, mac_ip_chain))
self.add(table, chain, '-j %s' % self.connexion_secours(table)) self.add(table, chain, '-j %s' % self.connexion_secours(table))
@ -764,25 +774,19 @@ class firewall_komaz(firewall_base_routeur):
self.ipset['blacklist']['soft'].restore(bl_soft_ips) self.ipset['blacklist']['soft'].restore(bl_soft_ips)
print OK print OK
if table == 'mangle':
pretty_print(table, chain)
self.add(table, chain, '-p tcp ! --dport 80 -j RETURN')
self.add(table, chain, '! -p tcp -j RETURN')
for net in NETs['all']:
self.add(table, chain, '-d %s -j RETURN' % net)
self.add(table, chain, '-m set --match-set %s src -j MARK --set-mark %s'
% (self.ipset['blacklist']['soft'], config.firewall.mark['proxy']))
print OK
if table == 'filter': if table == 'filter':
pretty_print(table, chain) pretty_print(table, chain)
self.add(table, chain, '-m mark --mark %s -j ACCEPT' % config.firewall.mark['proxy']) self.add(table, chain, '-p tcp --dport 80 -m set --match-set %s src -j ACCEPT' % self.ipset['blacklist']['soft'] )
self.add(table, chain, '-p tcp --sport 80 -m set --match-set %s dst -j ACCEPT' % self.ipset['blacklist']['soft'] )
self.add(table, chain, '-p tcp -d 10.231.136.4 --dport 3128 -m set --match-set %s src -j ACCEPT' % self.ipset['blacklist']['soft'] )
self.add(table, chain, '-p tcp -s 10.231.136.4 --sport 3128 -m set --match-set %s dst -j ACCEPT' % self.ipset['blacklist']['soft'] )
print OK print OK
if table == 'nat': if table == 'nat':
pretty_print(table, chain) pretty_print(table, chain)
self.add(table, chain, '-p tcp -m mark --mark %s -j DNAT --to-destination 10.231.136.4:3128' % config.firewall.mark['proxy'] ) for net in NETs['all']:
self.add(table, chain, '-d %s -j RETURN' % net)
self.add(table, chain, '-p tcp --dport 80 -m set --match-set %s src -j DNAT --to-destination 10.231.136.4:3128' % self.ipset['blacklist']['soft'] )
print OK print OK
if apply: if apply: