[firewall4] Fonctions de mise à jour pour generate pour mac-ip, l'ouverture des ports et les blacklists.

On utilise l'héritage pour traiter les cas particuliers de mac-ip sur komaz
Valentin Samir 2013-04-06 14:48:21 +02:00
parent f07999af6a
commit c0e19b7247


@ -139,11 +139,8 @@ class firewall_base(object) :
def apply(self, table, chain):
if not chain in self.chain_list[table]:
return
str = self.format([chain])
# TODO
self.clear(table, chain)
self.restore(table, [chain], noflush=True)
self.delete(table, chain)
def format(self, chains=[]):
str = ''
@ -156,7 +153,6 @@ class firewall_base(object) :
if not chains or chain in chains :
for rule in self.rules_list[table][chain]:
str += '-A %s %s\n' % (chain, rule)
self.clear(table, chain)
str += 'COMMIT\n'
return str
@ -234,6 +230,8 @@ class firewall_base(object) :
self.start()
return
def blacklist_maj(self, ips):
self.blacklist_hard_maj(ips)
def raw_table(self):
table = 'raw'
@ -271,9 +269,9 @@ class firewall_base(object) :
def blacklist_hard_maj(self, ip_list):
for ip in ip_list:
machine = db.search("ipHostNumber=%s" % ip)
machine = conn.search("ipHostNumber=%s" % ip)
# Est-ce qu'il y a des blacklists hard parmis les blacklists de la machine
if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_sanctions):
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions):
try: self.ipset['blacklist']['hard'].add(ip)
except IpsetError: pass
else:
@ -314,22 +312,13 @@ class firewall_base(object) :
for ip in ips:
# Si la machines est sur le réseau des adhérents
if AddrInNet(str(ip), NETs['wifi']):
# Komaz voit directement les machines wifi
if hostname == 'komaz':
func('adh', "%s,%s" % (ip, machine['macAddress'][0]))
# Les autres serveurs les voient à travers komaz
else:
# Les machines wifi sont vues à travers komaz
func('adh', "%s,%s" % (ip, mac_komaz))
elif AddrInNet(str(ip), NETs['fil']):
func('adh', "%s,%s" % (ip, machine['macAddress'][0]))
# Si la machine est sur le réseau admin
elif AddrInNet(str(ip), NETs['adm']):
func('adm', "%s,%s" % (ip, machine['macAddress'][0]))
# Si la machine est sur le réseaux des appartements de l'ENS
elif AddrInNet(str(ip), NETs['personnel-ens']):
# Les machines sont natter derrire komaz
if hostname == 'komaz':
func('app', "%s,%s" % (ip, machine['macAddress'][0]))
def test_mac_ip(self, table=None, fill_ipset=False, apply=False):
chain = 'TEST_MAC-IP'
@ -350,9 +339,6 @@ class firewall_base(object) :
if table == 'filter':
pretty_print(table, chain)
if hostname == 'komaz':
for key in ['out', 'tun-ovh' ]:
self.add(table, chain, '-i %s -j RETURN' % dev[key])
for key in ['accueil', 'isolement', ]:
for net in NETs[key]:
@ -374,12 +360,12 @@ class firewall_base(object) :
def mac_ip_maj(self, ip_list):
for ip in ip_list:
machine = db.search("ipHostNumber=%s" % ip)
machine = conn.search("ipHostNumber=%s" % ip)
if machine:
try: test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].add(data), machine)
try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].add(data), machine[0])
except IpsetError: pass
else:
try: test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data), machine)
try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data.split(',',1)[0]), {'ipHostNumber' : [ip], 'macAddress':[''] })
except IpsetError: pass
@ -410,6 +396,10 @@ class firewall_komaz(firewall_base):
'allow' : Ipset("RESEAUX-NON-ROUTABLE-ALLOW","nethash"),
}
def blacklist_maj(self, ips):
self.blacklist_hard_maj(ips)
self.blacklist_soft_maj(ips)
def raw_table(self):
return
@ -436,7 +426,7 @@ class firewall_komaz(firewall_base):
blacklist_hard_chain = self.blacklist_hard()
chain = 'FORWARD'
self.clear(table, chain)
self.flush(table, chain)
self.add(table, chain, '-i lo -j ACCEPT')
self.add(table, chain, '-p icmp -j ACCEPT')
self.add(table, chain, '-j %s' % self.admin_vlan(table))
@ -467,6 +457,32 @@ class firewall_komaz(firewall_base):
return
def test_mac_ip_dispatch(self, func, machine):
"""Détermine à quel set de mac-ip appliquer la fonction func (add, delete, append, ...)"""
ips = machine['ipHostNumber']
for ip in ips:
# Si la machines est sur le réseau des adhérents
if AddrInNet(str(ip), NETs['wifi']):
func('adh', "%s,%s" % (ip, machine['macAddress'][0]))
elif AddrInNet(str(ip), NETs['fil']):
func('adh', "%s,%s" % (ip, machine['macAddress'][0]))
# Si la machine est sur le réseau admin
elif AddrInNet(str(ip), NETs['adm']):
func('adm', "%s,%s" % (ip, machine['macAddress'][0]))
# Si la machine est sur le réseaux des appartements de l'ENS
elif AddrInNet(str(ip), NETs['personnel-ens']):
func('app', "%s,%s" % (ip, machine['macAddress'][0]))
def test_mac_ip(self, table=None, fill_ipset=False, apply=False):
chain = super(self.__class__, self).test_mac_ip()
if table == 'filter':
for key in ['out', 'tun-ovh' ]:
self.add(table, chain, '-i %s -j RETURN' % dev[key])
return super(self.__class__, self).test_mac_ip(table, fill_ipset, apply)
def log_all(self, table=None, apply=False):
chain = 'LOG_ALL'
@ -592,13 +608,9 @@ class firewall_komaz(firewall_base):
def blacklist_soft_maj(self, ip_list):
for ip in ip_list:
machine = db.search("ipHostNumber=%s" % ip)
if not machine:
try: self.ipset['blacklist']['soft'].delete(ip)
except IpsetError: pass
else:
machine = conn.search("ipHostNumber=%s" % ip)
# Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_sanctions_soft):
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
try: self.ipset['blacklist']['soft'].add(ip)
except IpsetError: pass
else:
@ -697,6 +709,13 @@ class firewall_komaz(firewall_base):
if table == 'filter':
pretty_print(table, chain)
for net in NETs['adherents'] + NETs['wifi-adh'] + NETs['personnel-ens']:
for proto in config.firewall.ports_default.keys():
if config.firewall.ports_default[proto]['output']:
self.add(table, chain, '-p %s -s %s -m multiport --dports %s -j RETURN' % (proto, net, ','.join( format_port(port) for port in config.firewall.ports_default[proto]['output'])))
if config.firewall.ports_default[proto]['input']:
self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j RETURN' % (proto, net, ','.join( format_port(port) for port in config.firewall.ports_default[proto]['input'])))
for machine in self.machines():
for ip in machine['ipHostNumber']:
if 'portTCPout' in machine.attrs.keys():
@ -708,13 +727,6 @@ class firewall_komaz(firewall_base):
if 'portUDPin' in machine.attrs.keys():
add_ports(ip,'udp','in')
for net in NETs['adherents'] + NETs['wifi-adh'] + NETs['personnel-ens']:
for proto in config.firewall.ports_default.keys():
if config.firewall.ports_default[proto]['output']:
self.add(table, chain, '-p %s -s %s -m multiport --dports %s -j RETURN' % (proto, net, ','.join( format_port(port) for port in config.firewall.ports_default[proto]['output'])))
if config.firewall.ports_default[proto]['input']:
self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j RETURN' % (proto, net, ','.join( format_port(port) for port in config.firewall.ports_default[proto]['input'])))
self.add(table, chain, '-j REJECT')
print OK
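Review bot: In `mac_ip_maj`, both `except IpsetError: pass` branches discard failures, and on the delete path (the line building `{'ipHostNumber' : [ip], 'macAddress':['']}`) that means a deregistered machine's entry can stay in the `mac_ip` set with nothing reported — for a mac-ip filter that is a fail-open condition. The delete also keys on the IP alone (`data.split(',',1)[0]`); whether that removes the pair depends on the ipset type, which is not visible here — if the set is keyed on ip,mac the delete would fail every time and be hidden by the same `pass`. I would at least report the failure while keeping the loop best-effort, e.g. `except IpsetError as e:` followed by `sys.stderr.write("mac-ip update failed for %s: %s\n" % (ip, e))` (or the project's logger, if one exists). Note also that `"ipHostNumber=%s" % ip` builds an LDAP filter by interpolation; that is fine if `ip_list` only ever holds addresses the caller produced, but the value should be escaped if it can originate from user input.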