crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[Firewall_new] On vire la classe de vert, et on s'assure que les serveurs passent mac_ip sur leur patte publique aussi.

Browse source 
Ignore-this: 3743f038f7f9728e1c98db22ef7cf5ae

darcs-hash:20130126222113-afe24-bc71f3415e81d1b10d01b24e3bf566e7d4c9538a.gz
This commit is contained in:
Pierre-Elliott Bécue 2013-01-26 23:21:13 +01:00
parent 94eaddc883
commit b96b691639
1 changed files with 5 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

50
gestion/gen_confs/firewall_new.py
View file

@ -773,7 +773,7 @@ class firewall_komaz(firewall_crans) :
# Proxy transparent, pour les deconnexion soft # Proxy transparent, pour les deconnexion soft
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
#iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT") #iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
for net in NETs['fil'] + NETs['wifi']: for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']:
iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int)) iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int))
for net in NETs['wifi']: for net in NETs['wifi']:
iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_wifi)) iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_wifi))
@ -790,7 +790,7 @@ class firewall_komaz(firewall_crans) :
iptables("-P FORWARD ACCEPT") iptables("-P FORWARD ACCEPT")
for net in NETs['fil'] + NETs['wifi']: for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']:
iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int)) iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int))
for net in NETs['wifi']: for net in NETs['wifi']:
iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_wifi)) iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_wifi))
@ -1419,7 +1419,7 @@ class firewall_redisdead(firewall_crans) :
def filter_table(self) : def filter_table(self) :
self.anim = anim('\tStructure de la table filter') self.anim = anim('\tStructure de la table filter')
iptables('-N TEST_MAC-IP') iptables('-N TEST_MAC-IP')
for net in NETs['fil'] + NETs['wifi']: for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']:
iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_pub)) iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_pub))
for net in NETs['adm']: for net in NETs['adm']:
iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm)) iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm))
@ -1434,46 +1434,6 @@ class firewall_redisdead(firewall_crans) :
print OK print OK
"""
Vert
"""
class firewall_vert(firewall_crans) :
"""
Structure du firewall :
table nat :
MAC-IP
table filter :
FORWARD (policy par défaut : DROP)
rien ne passe pas la chaîne FORWARD
INPUT (policy par défaut : ACCEPT)
"""
# interfaces physiques
eth_crans = "crans"
def nat_table(self) :
self.anim = anim('\tStructure de la table nat')
iptables('-t nat -N TEST_MAC-IP')
iptables("-t nat -P PREROUTING ACCEPT")
iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP")
for net in NETs['fil'] + NETs['adm'] + NETs['wifi'] :
iptables("-t nat -A PREROUTING -s %s -j TEST_MAC-IP" % net)
iptables("-t nat -P PREROUTING ACCEPT")
iptables("-t nat -P OUTPUT ACCEPT")
print OK
def filter_table_tweaks(self) :
self.anim = anim('\tRègles spécifiques à vert')
iptables("-P INPUT ACCEPT")
iptables("-P FORWARD DROP")
print OK
class firewall_sable(firewall_redisdead): class firewall_sable(firewall_redisdead):
"""Comme pour rouge, avec le proxy transparent en plus""" """Comme pour rouge, avec le proxy transparent en plus"""
@ -1558,7 +1518,7 @@ class firewall_gordon(firewall_crans) :
iptables("-t filter -A FORWARD -i lo -j ACCEPT") iptables("-t filter -A FORWARD -i lo -j ACCEPT")
iptables("-t filter -A FORWARD -d 224.0.0.0/4 -j DROP") iptables("-t filter -A FORWARD -d 224.0.0.0/4 -j DROP")
for net in NETs['fil'] + NETs['adm'] + NETs['wifi'] : for net in NETs['fil'] + NETs['adm'] + NETs['wifi'] + NETs['serveurs']:
iptables("-t filter -A FORWARD -s %s -j TEST_MAC-IP" % net) iptables("-t filter -A FORWARD -s %s -j TEST_MAC-IP" % net)
iptables("-t filter -P FORWARD ACCEPT") iptables("-t filter -P FORWARD ACCEPT")
@ -1612,7 +1572,7 @@ class firewall_routeur(firewall_crans):
def filter_table(self) : def filter_table(self) :
self.anim = anim('\tStructure de la table filter') self.anim = anim('\tStructure de la table filter')
iptables('-N TEST_MAC-IP') iptables('-N TEST_MAC-IP')
for net in NETs['fil'] + NETs['wifi']: for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']:
iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_pub)) iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_pub))
for net in NETs['adm']: for net in NETs['adm']:
iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm)) iptables("-A INPUT -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_adm))