From b2714f4009b3ca6db9c1f721518bf04a3b18fb37 Mon Sep 17 00:00:00 2001
From: sabban
Date: Sun, 12 Dec 2004 13:43:27 +0100
Subject: [PATCH] moved

darcs-hash:20041212124327-1d643-e4350947cab533589d3aa9c3feb70c1d5c3d0c1c.gz
---
 .../firewall-komaz.py} | 133 +++++++++++-------
 gestion/gen_confs/generate.py | 35 ++++-
 2 files changed, 114 insertions(+), 54 deletions(-)
 rename gestion/{classe_firewall.py => gen_confs/firewall-komaz.py} (84%)

diff --git a/gestion/classe_firewall.py b/gestion/gen_confs/firewall-komaz.py
similarity index 84%
rename from gestion/classe_firewall.py
rename to gestion/gen_confs/firewall-komaz.py
index 2cd35d69..7ea226f3 100755
--- a/gestion/classe_firewall.py
+++ b/gestion/gen_confs/firewall-komaz.py
@@ -152,60 +152,80 @@ class firewall_komaz : remove_lock('firewall') def restart(self): - """ Idem start """ - self.start() + """ Rédémarrage du firewall """ + cprint('Redémarrage firewall' % esthetisme,'gras') + self.__exception_catcher(self.__stop) + self.start(False) - def start(self) : - """ Construction du firewall """ - cprint('Démarrage firewall','gras') + def start(self,aff_txt_intro=True) : + """ Construction du firewall + aff_txt_intro s'occupe uniquement de l'esthétisme + """ + if aff_txt_intro : cprint('Démarrage firewall','gras') # Préliminaires - if not self.__machines() or self.stop() : - print "Abandon" + if not self.__machines() or self.__exception_catcher(self.__stop) : + cprint("Abandon",'rouge') return - - def procedure() : - self.anim = anim(' Structure de la table nat') - for chaine in [ 'LOG_VIRUS', 'LOG_FLOOD', 'TEST_VIRUS_FLOOD' , 'TEST_MAC-IP' , 'RESEAUX_NON_ROUTABLES_SRC', 'RESEAUX_NON_ROUTABLES_DST' ] : - iptables('-t nat -N %s' % chaine) - - iptables("-t nat -P PREROUTING ACCEPT") - iptables("-t nat -A PREROUTING -i lo -j ACCEPT") - iptables("-t nat -A PREROUTING -s ! 
%s -j TEST_VIRUS_FLOOD" % self.zone_serveur) - iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_DST") - iptables("-t nat -A PREROUTING -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext ) - iptables("-t nat -A PREROUTING -d %s -j ACCEPT" % self.zone_serveur ) - iptables("-t nat -A PREROUTING -s %s -j ACCEPT" % self.zone_serveur ) - iptables("-t nat -A PREROUTING -i %s -j ACCEPT" % self.eth_ext ) - iptables("-t nat -A PREROUTING -j TEST_MAC-IP") - iptables("-t nat -P PREROUTING DROP") - print OK - - self.anim = anim(' Structure de la table filter') - for chaine in [ 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT' , 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC', 'BLACKLIST_DST' ] : - iptables('-N %s' % chaine) - - iptables("-A FORWARD -i lo -j ACCEPT") - iptables("-A FORWARD -p icmp -j ACCEPT") - iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext ) - iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext ) - iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT") - iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) ) - iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) ) - iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext ) - iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext ) - print OK # Initialisation - self.__exception_catcher(procedure) - + self.__exception_catcher(self.__start) + # Remplisage for tache in [ self.log_chaines, self.test_virus_flood, self.reseaux_non_routables, self.blacklist , self.serveurs_vers_ext, self.ext_vers_serveurs, self.crans_vers_ext, self.ext_vers_crans, self.test_mac_ip ] : self.__exception_catcher(tache) + # On peux router + self.anim = anim(" Mise en place routage") + warn = '' + for cmd in [ 'echo 1 > /proc/sys/net/ipv4/ip_forward' , + 'echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max' , + 'modprobe ip_conntrack_ftp' ] : + status,output=getstatusoutput(cmd) + if status : + warn += output +'\n' + if 
warn : + print WARNING + if debug : + print warn + else : + print OK + cprint(" -> fin de la procédure de démarrage",'vert') + + def __start(self) : + self.anim = anim(' Structure de la table nat') + for chaine in [ 'LOG_VIRUS', 'LOG_FLOOD', 'TEST_VIRUS_FLOOD' , 'TEST_MAC-IP' , 'RESEAUX_NON_ROUTABLES_SRC', 'RESEAUX_NON_ROUTABLES_DST' ] : + iptables('-t nat -N %s' % chaine) + + iptables("-t nat -P PREROUTING ACCEPT") + iptables("-t nat -A PREROUTING -i lo -j ACCEPT") + iptables("-t nat -A PREROUTING -s ! %s -j TEST_VIRUS_FLOOD" % self.zone_serveur) + iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_DST") + iptables("-t nat -A PREROUTING -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext ) + iptables("-t nat -A PREROUTING -d %s -j ACCEPT" % self.zone_serveur ) + iptables("-t nat -A PREROUTING -s %s -j ACCEPT" % self.zone_serveur ) + iptables("-t nat -A PREROUTING -i %s -j ACCEPT" % self.eth_ext ) + iptables("-t nat -A PREROUTING -j TEST_MAC-IP") + iptables("-t nat -P PREROUTING DROP") + print OK + + self.anim = anim(' Structure de la table filter') + for chaine in [ 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT' , 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC', 'BLACKLIST_DST' ] : + iptables('-N %s' % chaine) + iptables("-A FORWARD -i lo -j ACCEPT") + iptables("-A FORWARD -p icmp -j ACCEPT") + iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext ) + iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext ) + iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT") + iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) ) + iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) ) + iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext ) + iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext ) + print OK + def log_chaines(self) : """ Construction des chaines de log (LOG_VIRUS et LOG_FLOOD) """ self.anim = anim(' Création des chaines de log') 
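Review bot: `restart()` tears the rules down with `self.__exception_catcher(self.__stop)` and rebuilds them through `start(False)`, but unlike `stop()` it never writes 0 to /proc/sys/net/ipv4/ip_forward, so between `__stop` (which sets the nat PREROUTING policy back to ACCEPT and flushes both tables) and the end of the rebuild the host keeps forwarding; whether that window passes traffic depends on the FORWARD policy, which nothing in this hunk sets. Disabling forwarding first, as `stop()` does, and re-enabling it in the routing step at the end of `start` (or setting `iptables("-P FORWARD DROP")` in `__start` before the chains are filled) would make a failed rebuild fail closed. Separately, `cprint('Redémarrage firewall' % esthetisme,'gras')` applies `%` to a string with no conversion specifier, which raises TypeError unless `esthetisme` (not visible here) is a mapping or an empty tuple; `cprint('Redémarrage firewall','gras')` matches the other calls. The same FORWARD-policy caveat applies to the `stop()` hunk below.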
@@ -242,18 +262,25 @@ class firewall_komaz : def stop(self): """ Arrête le firewall """ - self.anim = anim(" Arrêt du firewall") - def procedure() : - iptables("-t nat -P PREROUTING ACCEPT") - iptables("-F") - iptables("-t nat -F") - iptables("-X") - iptables("-t nat -X") + cprint("Arrêt du firewall",'gras') + self.anim = anim(" Arrêt routage") + status,output=getstatusoutput('echo 0 > /proc/sys/net/ipv4/ip_forward') + if status : + print ERREUR + else : print OK - - return self.__exception_catcher(procedure) - + self.__exception_catcher(self.__stop) + cprint(" -> fin de la procédure d'arrêt",'vert') + def __stop(self) : + self.anim = anim(" Supression règles") + iptables("-t nat -P PREROUTING ACCEPT") + iptables("-F") + iptables("-t nat -F") + iptables("-X") + iptables("-t nat -X") + print OK + def test_mac_ip(self) : """ Reconstruit la correspondance MAC-IP des machines des adhérents """ self.anim = anim(' Chaîne TEST_MAC-IP',len(self.__machines())+1)
@@ -487,6 +514,8 @@ class firewall_komaz : to_del.append(num) to_add.append(machine) + to_del.sort() + to_del.reverse() for i in to_del : iptables('-t nat -D TEST_MAC-IP %s' % i ) for machine in ( to_add + mac_ip_maj.values() ) :
@@ -511,7 +540,7 @@ if __name__ == '__main__' : %(p)s start : Construction du firewall. %(p)s restart : Reconstruction du firewall. %(p)s stop : Arrêt du firewall. - %(p)s chaine : recontruit les chaines spécifiées + %(p)s chaine : reconstruit les chaines Les chaines pouvant être reconstruites sont : %(chaines)s Pour reconfiguration d'IPs particulières, utiliser generate. """ % \
diff --git a/gestion/gen_confs/generate.py b/gestion/gen_confs/generate.py
index 9e98d405..8832e45b 100755
--- a/gestion/gen_confs/generate.py
+++ b/gestion/gen_confs/generate.py
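Review bot: `stop()` prints ERREUR when `echo 0 > /proc/sys/net/ipv4/ip_forward` fails but still goes on to run `__stop`, which resets the nat PREROUTING policy to ACCEPT and flushes both tables, so on that failure path the box keeps forwarding with no rules loaded; what then passes depends on the FORWARD policy, which this hunk does not set. Returning right after `print ERREUR` (or raising, so `__exception_catcher` reports it) would keep the failure closed. Note also that `stop()` no longer returns the `__exception_catcher` result the old version did; the new `start()` calls `__stop` directly so that caller is fine, but any other caller testing `self.stop()` for truth now always sees None.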
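Review bot: Sorting `to_del` descending before the `iptables -D TEST_MAC-IP` loop only keeps rule indices stable if the numbers compare numerically; if `num` is still the string parsed from the iptables listing, `to_del.sort()` orders lexicographically ('10' before '9') and an early deletion can shift the index of a rule deleted later. Converting at collection time, `to_del.append(int(num))`, makes the descending order correct. The loop that builds `to_del` starts above this hunk, so where `num` comes from is not visible here.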
@@ -30,6 +30,8 @@ elif hostname == 'nectaris' : args_autorises += [ 'conf_wifi', 'bornes_wifi=' , 'droits-nectaris', 'dhcp-nectaris'] elif hostname == 'sila' : args_autorises += [ 'bl_squid_upload', 'blacklist_virus' , 'blacklist_warez' , 'bl_chbre_invalide', 'bl_carte_etudiant' ] +elif hostname == 'egon' : + args_autorises += [ 'firewall-komaz' , 'firewall-komaz-ports' , 'firewall-komaz-blacklist'] # On vérifie que l'on est root if os.getuid() != 0:
@@ -232,6 +234,7 @@ if hostname == 'zamok': if 'blacklist_upload' in to_do.keys() : if auto : db.services_to_restart('-blacklist_upload') db.services_to_restart('bl_squid_upload') + db.services_to_restart('firewall-komaz-upload') try: from gen_confs.firewall import bl_upload_fw a = bl_upload_fw()
@@ -308,8 +311,6 @@ Subject: Modifications sur une machine du CR@NS if 'firewall' in to_do.keys() : # Quand sila et komaz liront la base LDAP - # db.services_to_restart('firewall-komaz') - # db.services_to_restart('firewall-sila') from gen_confs.firewall import firewall inst.append([firewall(),"firewall"])
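Review bot: The new `db.services_to_restart('firewall-komaz-upload')` queues a service name that nothing in this commit consumes: the egon entry added to `args_autorises` and the egon dispatch at the end of the file handle only `firewall-komaz`, `firewall-komaz-ports` and `firewall-komaz-blacklist`. Unless `firewall-komaz-upload` is handled on another host or in code outside this diff, the entry will sit in the restart queue with no consumer; either add it to the egon `args_autorises` list and dispatch, or queue the service that is actually meant to react. A comment next to the call, e.g. `# consumed by generate on egon, see the 'firewall-komaz*' dispatch below`, would document the intended consumer.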
@@ -405,6 +406,36 @@ elif hostname == 'sila' : except: if auto: db.services_to_restart('bl_chbre_invalide') +elif hostname == 'egon' : + if 'firewall-komaz' in to_do.keys() or \ + 'firewall-komaz-ports' in to_do.keys() or \ + 'firewall-komaz-blacklist' in to_do.keys() : + from classe_firewall import firewall_komaz + fw = firewall_komaz() + fw.debug = debug + + cprint('Reconfiguration firewall','gras') + if 'firewall-komaz' in to_do.keys() : + if auto : db.services_to_restart('-firewall-komaz') + try : + fw.mac_ip_maj(to_do['firewall-komaz']) + except : + if auto : db.services_to_restart('firewall-komaz',to_do['firewall-komaz']) + + if 'firewall-komaz-ports' in to_do.keys() : + if auto : db.services_to_restart('-firewall-komaz-ports') + try : + fw.port_maj(to_do['firewall-komaz-ports']) + except : + if auto : db.services_to_restart('firewall-komaz-ports',to_do['firewall-komaz-ports']) + + if 'firewall-komaz-blacklist' in to_do.keys() : + if auto : db.services_to_restart('-firewall-komaz-blacklist') + try : + fw.blacklist(to_do['firewall-komaz-blacklist']) + except : + if auto : db.services_to_restart('firewall-komaz-blacklist',to_do['firewall-komaz-blacklist']) + # On indique que les services seront a priori redemarrés if auto : for i in inst:
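Review bot: `from classe_firewall import firewall_komaz` imports the module this same commit renames: the diff header moves `gestion/classe_firewall.py` to `gestion/gen_confs/firewall-komaz.py`, and a hyphenated filename cannot be named in an `import` statement at all, so this branch raises ImportError on egon as soon as one of the three keys is present. Either keep an importable module name (e.g. `firewall_komaz.py` next to the other gen_confs modules, imported as `from gen_confs.firewall_komaz import firewall_komaz` like the `gen_confs.firewall` import above) or load the file explicitly via `imp`. The bare `except :` around each `fw.*_maj` call follows the file's existing pattern, but it also hides why the update failed and catches KeyboardInterrupt; `except Exception :` with the error printed when `debug` is set would keep the re-queue behaviour without losing the cause.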