crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[firewall_new] On limite l'upload des appartements ENS

Browse source 
Ignore-this: d684765f44d3a1ed757985421c51f14b

darcs-hash:20121005151500-3a55a-997c16ca303b52c0335e6192ecf4a64bf3736ff3.gz
This commit is contained in:
Valentin Samir 2012-10-05 17:15:00 +02:00
parent f069f4cb51
commit b3a74d3233
1 changed files with 28 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

30
gestion/gen_confs/firewall_new.py
View file

@ -1372,6 +1372,8 @@ class firewall_sable(firewall_redisdead):
for port in accueil_route[ip]: for port in accueil_route[ip]:
iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port)) iptables("-A FORWARD -p tcp -d %s --dport %s -j ACCEPT" % (ip,port))
iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port)) iptables("-A FORWARD -p tcp -s %s --sport %s -j ACCEPT" % (ip,port))
iptables("-A FORWARD -s %s -j ACCEPT" % NETs['personnel-ens'][0])
iptables("-A FORWARD -d %s -j ACCEPT" % NETs['personnel-ens'][0])
def mangle_table(self): def mangle_table(self):
iptables("-t mangle -F PREROUTING") iptables("-t mangle -F PREROUTING")
@ -1382,13 +1384,37 @@ class firewall_sable(firewall_redisdead):
"-m mac --mac-source %s " % mac_komaz + "-m mac --mac-source %s " % mac_komaz +
"-j MARK --set-mark %s" % conf_fw.mark['proxy']) "-j MARK --set-mark %s" % conf_fw.mark['proxy'])
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
#classification des personnels ens
for net in NETs['personnel-ens']:
# pas de limitation en download
#iptables("-t mangle -A POSTROUTING -d %(net)s "
# "-j CLASSIFY --set-class 1:9998" % locals())
iptables("-t mangle -A POSTROUTING -s %(net)s "
"-j CLASSIFY --set-class 1:9998" % locals())
warn=''
for interface in ["eth0.21"]:
# On vide les classes et qdisc
try:
tc("qdisc del dev %s root" % interface)
except TcError, c:
warn += str(c) + '\n'
# On construit les classes et qdisc de base
# La partie principale qui définit le comportement par défaut
tc("qdisc add dev %(interface)s root handle 1: htb r2q 1" % locals())
tc("class add dev %(interface)s parent 1: classid 1:1 "
"htb rate 128kbps ceil 128kbps" % locals())
tc("class add dev %(interface)s parent 1:1 classid 1:9998 "
"htb rate 128kbps ceil 128kbps prio 1" % locals())
tc("qdisc add dev %(interface)s parent 1:9998 "
"handle 9998: sfq perturb 10" % locals())
print warn
def nat_table(self): def nat_table(self):
firewall_redisdead.nat_table(self) firewall_redisdead.nat_table(self)
# Proxy transparent pour le filiaire # Proxy transparent pour le filiaire
iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
iptables("-t nat -A POSTROUTING -s %s -j MASQUERADE" % NETs['personnel-ens'][0])
if_defaut = "eth0" if_defaut = "eth0"
if_radin = "eth0.%d" % vlans["radin"] if_radin = "eth0.%d" % vlans["radin"]
if_accueil = "eth0.%d" % vlans["accueil"] if_accueil = "eth0.%d" % vlans["accueil"]