From b96b69163994639eda0382e2d59da9869cd99afc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pierre-Elliott=20B=C3=A9cue?= Date: Sat, 26 Jan 2013 23:21:13 +0100 Subject: [PATCH] [Firewall_new] On vire la classe de vert, et on s'assure que les serveurs passent mac_ip sur leur patte publique aussi. Ignore-this: 3743f038f7f9728e1c98db22ef7cf5ae darcs-hash:20130126222113-afe24-bc71f3415e81d1b10d01b24e3bf566e7d4c9538a.gz --- gestion/gen_confs/firewall_new.py | 50 ++++--------------------------- 1 file changed, 5 insertions(+), 45 deletions(-) diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py index 90735d03..1a6c1cd6 100755 --- a/gestion/gen_confs/firewall_new.py +++ b/gestion/gen_confs/firewall_new.py @@ -773,7 +773,7 @@ class firewall_komaz(firewall_crans) : # Proxy transparent, pour les deconnexion soft iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) #iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT") - for net in NETs['fil'] + NETs['wifi']: + for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']: iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int)) for net in NETs['wifi']: iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_wifi)) @@ -790,7 +790,7 @@ class firewall_komaz(firewall_crans) : iptables("-P FORWARD ACCEPT") - for net in NETs['fil'] + NETs['wifi']: + for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']: iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int)) for net in NETs['wifi']: iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_wifi)) 
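Review bot: The new `NETs['serveurs']` entry on the changed line sends forwarded server traffic entering on eth_int through TEST_MAC-IP, but the chain's contents and its fall-through rule are populated outside this hunk, so any server NIC (or secondary IP on a server) missing from the MAC-IP table will be handled by whatever that fall-through does rather than by an explicit rule. Before deploying, confirm that every address in the server prefixes has a MAC-IP entry — a miss here affects forwarded traffic for the whole site, not a single client. I would document the new dependency at the loop: `# Servers' public leg is MAC-IP checked too: every server NIC on eth_int must be in the MAC-IP table`. The enclosing method starts before this hunk.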
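Review bot: With `-P FORWARD ACCEPT` set just above the changed line (the INPUT policy is not visible here), TEST_MAC-IP is the only anti-spoofing control for the newly listed server nets, so the added rule is only meaningful if that chain ends in a terminal DROP (or LOG then DROP) for unmatched MAC/IP pairs rather than an implicit RETURN — the chain body is not in this hunk, so this is worth verifying. Because this is the gateway's INPUT path, an incomplete MAC-IP table would also cut komaz off from servers it depends on, presumably including the host that serves the data this generator reads, so the table should be checked for completeness before the next regeneration. A one-line comment stating the assumption, `# Relies on TEST_MAC-IP ending with a DROP for unmatched MAC/IP pairs`, would make the invariant explicit. The method continues past the end of this hunk.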
@@ -1419,7 +1419,7 @@ class firewall_redisdead(firewall_crans) : def filter_table(self) : self.anim = anim('\tStructure de la table filter') iptables('-N TEST_MAC-IP') - for net in NETs['fil'] + NETs['wifi']: + for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']: iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_pub)) for net in NETs['adm']: iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm)) @@ -1434,46 +1434,6 @@ class firewall_redisdead(firewall_crans) : print OK -""" -Vert -""" - -class firewall_vert(firewall_crans) : - """ - Structure du firewall : - table nat : - MAC-IP - table filter : - FORWARD (policy par défaut : DROP) - rien ne passe pas la chaîne FORWARD - INPUT (policy par défaut : ACCEPT) - - """ - - # interfaces physiques - eth_crans = "crans" - - def nat_table(self) : - self.anim = anim('\tStructure de la table nat') - iptables('-t nat -N TEST_MAC-IP') - - iptables("-t nat -P PREROUTING ACCEPT") - iptables("-t nat -A PREROUTING -i lo -j ACCEPT") - iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP") - - for net in NETs['fil'] + NETs['adm'] + NETs['wifi'] : - iptables("-t nat -A PREROUTING -s %s -j TEST_MAC-IP" % net) - - iptables("-t nat -P PREROUTING ACCEPT") - iptables("-t nat -P OUTPUT ACCEPT") - print OK - - def filter_table_tweaks(self) : - self.anim = anim('\tRègles spécifiques à vert') - iptables("-P INPUT ACCEPT") - iptables("-P FORWARD DROP") - print OK - class firewall_sable(firewall_redisdead): """Comme pour rouge, avec le proxy transparent en plus""" @@ -1558,7 +1518,7 @@ class firewall_gordon(firewall_crans) : iptables("-t filter -A FORWARD -i lo -j ACCEPT") iptables("-t filter -A FORWARD -d 224.0.0.0/4 -j DROP") - for net in NETs['fil'] + NETs['adm'] + NETs['wifi'] : + for net in NETs['fil'] + NETs['adm'] + NETs['wifi'] + NETs['serveurs']: iptables("-t filter -A FORWARD -s %s -j TEST_MAC-IP" % net) iptables("-t filter -P FORWARD ACCEPT") 
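Review bot: The INPUT check for `NETs['serveurs']` is bound to `self.eth_pub` here, matching the commit message, but a server carrying several IPs on one interface (a service alias, a failover address) now needs every one of those IPs in the MAC-IP table, or its traffic to this host lands in TEST_MAC-IP's fall-through, which presumably drops it. Worth confirming that whatever feeds the MAC-IP table enumerates secondary addresses, not just each host's primary one. A comment at the loop, `# Server nets are MAC-IP checked on the public leg; secondary server IPs must be in the table`, would record the requirement. filter_table continues after the end of this hunk.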
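Review bot: This loop applies TEST_MAC-IP to `NETs['serveurs']` with no `-i` qualifier, unlike the komaz and redisdead hunks, so the MAC/IP check runs on server-sourced packets whatever interface they arrive on. A MAC-IP check is only sound on a directly attached L2 segment: if any server prefix reaches gordon through another router, the source MAC is that router's and legitimate server traffic will fail the check. Either confirm every server prefix is L2-adjacent to gordon, or restrict the rule to the attached interface as the other classes do, e.g. `iptables("-t filter -A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, <attached interface attribute>))`. The same caveat already applied to the pre-existing fil/adm/wifi entries, and the enclosing method starts before this hunk.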
@@ -1612,7 +1572,7 @@ class firewall_routeur(firewall_crans): def filter_table(self) : self.anim = anim('\tStructure de la table filter') iptables('-N TEST_MAC-IP') - for net in NETs['fil'] + NETs['wifi']: + for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']: iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_pub)) for net in NETs['adm']: iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm))
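Review bot: `NETs['fil'] + NETs['wifi'] + NETs['serveurs']` is now spelled out in four separate loops across this patch (plus the gordon variant that also includes adm), so the next network added to the MAC-IP check will likely land in some of them and not others — exactly the inconsistency this commit is fixing for servers. Define the set once at module level, e.g. `MACIP_NETS = NETs['fil'] + NETs['wifi'] + NETs['serveurs']`, and iterate over it here: `for net in MACIP_NETS:`. The routeur and redisdead filter_table bodies visible in this patch are otherwise identical, which suggests the shared loop belongs in firewall_crans rather than in each subclass. filter_table continues after the end of this hunk.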