diff --git a/gestion/gen_confs/firewall.py b/gestion/gen_confs/firewall.py index 2cfabf5b..2404c58e 100755 --- a/gestion/gen_confs/firewall.py +++ b/gestion/gen_confs/firewall.py @@ -35,7 +35,8 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi from affich_tools import * from commands import getstatusoutput from iptools import AddrInNet, NetSubnets, IpSubnet -from config import NETs, mac_komaz, mac_wifi, mac_titanic, conf_fw, p2p, vlans, debit_max_radin, adm_users +from config import NETs, mac_komaz, mac_wifi, mac_titanic, p2p, vlans, debit_max_radin, adm_users +import config.firewall syslog.openlog('firewall') debug = 1 @@ -516,12 +517,12 @@ class firewall_komaz(firewall_crans) : iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur) iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " "-s %s -d ! %s -j MARK --set-mark %s" % - (NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy'])) + (NETs['fil'][0], NETs['wifi'][0], config.firewall.mark['proxy'])) iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % - conf_fw.mark['proxy']) + config.firewall.mark['proxy']) # Parametres pour iptables/tc - mark = conf_fw.mark['bittorrent'] + mark = config.firewall.mark['bittorrent'] debit_adh = p2p.debit_adh debit_max = p2p.debit_max eth_ext = self.eth_ext @@ -555,14 +556,14 @@ class firewall_komaz(firewall_crans) : # On crée les chaînes de sous-réseaux for net in NETs['all']: - for mask in conf_fw.mask: + for mask in config.firewall.mask: for subnet in NetSubnets(net, mask): - index = conf_fw.mask.index(mask) + index = config.firewall.mask.index(mask) if index == 0: prev_chain = "POSTROUTING" else: ip = subnet.split('/')[0] - prev_subnet = IpSubnet(ip, conf_fw.mask[index-1]) + prev_subnet = IpSubnet(ip, config.firewall.mask[index-1]) prev_chain = "SUBNET-%s" % prev_subnet next_chain = "SUBNET-%s" % subnet redirect_chain('mangle', prev_chain, next_chain, subnet) 
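Review bot: The new line `index = config.firewall.mask.index(mask)` in the -555 hunk recomputes the loop position with a linear search on every subnet, and `list.index` returns the first match, so a repeated mask value in `config.firewall.mask` would silently resolve to the wrong parent chain; `for index, mask in enumerate(config.firewall.mask):` gives the position directly and drops the lookup. The same pattern is on the new side of the -614 hunk in firewall_new.py. The enclosing method of firewall_komaz begins and ends outside the hunk.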
@@ -612,7 +613,7 @@ class firewall_komaz(firewall_crans) : # if not AddrInNet(ip, NETs['all']): # # Cas particulier d'une machine ayant une IP non CRANS # continue -# subnet = IpSubnet(machine.ip(), conf_fw.mask[-1]) +# subnet = IpSubnet(machine.ip(), config.firewall.mask[-1]) # iptables("-t mangle -A SUBNET-%(subnet)s -o crans -d %(ip)s " # "-j CLASSIFY --set-class 1:%(class_id)s" % locals()) # iptables("-t mangle -A SUBNET-%(subnet)s -o ens -s %(ip)s " @@ -656,7 +657,7 @@ class firewall_komaz(firewall_crans) : iptables("-t nat -P OUTPUT ACCEPT") # Proxy transparent - iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] + + iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % config.firewall.mark['proxy'] + "-j DNAT --to-destination 10.231.136.9:3128") print OK @@ -683,7 +684,7 @@ class firewall_komaz(firewall_crans) : iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext ) # Proxy transparent - iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) + iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy']) print OK def classes_p2p_maj(self, ip_list): @@ -708,7 +709,7 @@ class firewall_komaz(firewall_crans) : warn = '' # Parametres pour iptables/tc - mark = conf_fw.mark['bittorrent'] + mark = config.firewall.mark['bittorrent'] debit_adh = p2p.debit_adh debit_max = p2p.debit_max eth_ext = self.eth_ext @@ -725,7 +726,7 @@ class firewall_komaz(firewall_crans) : if not machines: # Il faut supprimer cette entrée iptables_option = '-D' - subnet = IpSubnet(ip, conf_fw.mask[-1]) + subnet = IpSubnet(ip, config.firewall.mask[-1]) all_regles = iptables("-t mangle -L SUBNET-%(subnet)s -n" % locals()).split('\n') regles = [line for line in all_regles if ip in line] # On sélectionne la première qui doit contenir ce que l'on veut 
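Review bot: The -612 hunk only renames `conf_fw` inside a block that is commented out (`# subnet = IpSubnet(machine.ip(), config.firewall.mask[-1])`), so the rewrite keeps dead code in step with a live API instead of removing it. The same applies to the `#~` lines in the -1366 hunk of firewall.py and the -551, -1203 and -1541 hunks of firewall_new.py. If that code is kept for reference, a short comment naming why it was disabled would make the intent clearer than maintaining it; otherwise deleting the block is the smaller change.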
@@ -739,7 +740,7 @@ class firewall_komaz(firewall_crans) : machine = machines[0] adherent = machine.proprietaire() ip = machine.ip() - subnet = IpSubnet(ip, conf_fw.mask[-1]) + subnet = IpSubnet(ip, config.firewall.mask[-1]) # On ne peut pas reprendre le numéro 1 class_id = int(adherent.id()) + 1 # On cree la classe et la qdisc s'il elles n'existent pas deja @@ -1248,13 +1249,13 @@ class firewall_sable(firewall_rouge): iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " + "--destination 10.231.136.9 " + "-m mac --mac-source %s " % mac_komaz + - "-j MARK --set-mark %s" % conf_fw.mark['proxy']) - iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) + "-j MARK --set-mark %s" % config.firewall.mark['proxy']) + iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy']) # On marque les paquets venant du vlan radin vers de l'https # pour qu'ils soient nattés iptables("-t mangle -A PREROUTING -i eth0.%d -p tcp -m tcp --dport 443 -j MARK --set-mark %s" % - (vlans["radin"], conf_fw.mark["https-radin"])) + (vlans["radin"], config.firewall.mark["https-radin"])) def filter_table(self): iptables("-t filter -F") @@ -1268,7 +1269,7 @@ class firewall_sable(firewall_rouge): def nat_table(self): firewall_rouge.nat_table(self) # Proxy transparent pour le filiaire - iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) + iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy']) if_defaut = "eth0" if_radin = "eth0.%d" % vlans["radin"] 
@@ -1287,7 +1288,7 @@ class firewall_sable(firewall_rouge): iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface) # Nat pour le https sur le vlan radin - iptables("-t nat -A POSTROUTING -m mark --mark %s -j MASQUERADE" % conf_fw.mark["https-radin"]) + iptables("-t nat -A POSTROUTING -m mark --mark %s -j MASQUERADE" % config.firewall.mark["https-radin"]) # Limite de débit sur le vlan radin try: @@ -1366,7 +1367,7 @@ class firewall_gordon(firewall_crans) : #~ "-d ! 138.231.136.0/21 " + #~ ("-i %s " % self.eth_wifi) + #~ "-p tcp -m tcp --dport 80 " + - #~ "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy']) + #~ "-j MARK --set-xmark %s/0xffffffff" % config.firewall.mark['proxy']) print OK def post_start_hook(self) : diff --git a/gestion/gen_confs/firewall6.py b/gestion/gen_confs/firewall6.py index 71bcc9e3..72209762 100755 --- a/gestion/gen_confs/firewall6.py +++ b/gestion/gen_confs/firewall6.py @@ -25,7 +25,7 @@ import sys, re, os, pwd sys.path.append('/usr/scripts/gestion') from ldap_crans import hostname -from config import conf_fw, rid, prefix, role, file_pickle, open_ports, p2p +from config import rid, prefix, role, file_pickle, open_ports, p2p from config import authorized_icmpv6, mac_wifi, adm_only, adm_users from ipt import * diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py index 0d0ee6cb..577e4601 100755 --- a/gestion/gen_confs/firewall_new.py +++ b/gestion/gen_confs/firewall_new.py 
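Review bot: The firewall6.py hunk at -25 drops `conf_fw` from the `from config import …` line but, unlike firewall.py and firewall_new.py, adds no `import config.firewall` and shows no replacement of its uses; if any `conf_fw.` reference remains further down in firewall6.py it will now fail with a NameError at the first call rather than at import time. If the name really is unused there the hunk is fine as is; otherwise add `import config.firewall` next to the config imports and update the references. The following `from ipt import *` wildcard also makes an undefined name there harder for a linter to catch, so it is worth grepping the file before merging.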
@@ -37,7 +37,8 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi from affich_tools import * from commands import getstatusoutput from iptools import AddrInNet, NetSubnets, IpSubnet -from config import NETs, mac_komaz, mac_wifi, mac_titanic, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire +from config import NETs, mac_komaz, mac_wifi, mac_titanic, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire +import config.firewall from ipset import IpsetError, Ipset from lc_ldap import lc_ldap from ipt import gethostbyname @@ -551,9 +552,9 @@ class firewall_komaz(firewall_crans) : iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur) #~ iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " #~ "-s %s -d ! %s -j MARK --set-mark %s" % - #~ (NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy'])) + #~ (NETs['fil'][0], NETs['wifi'][0], config.firewall.mark['proxy'])) #~ iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % - #~ conf_fw.mark['proxy']) + #~ config.firewall.mark['proxy']) iptables("-t mangle -N BLACKLIST_SOFT") for ip_fil in NETs['fil']: iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " 
@@ -562,16 +563,16 @@ class firewall_komaz(firewall_crans) : iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " "-s %s -d ! %s -j BLACKLIST_SOFT" % (NETs['wifi'][0], '138.231.136.0/21')) - iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) + iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy']) #connection de secours - iptables("-t mangle -A PREROUTING -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 80 -m condition --condition secours -j MARK --set-mark %s" % (conf_fw.mark['secours'])) - iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours']) + iptables("-t mangle -A PREROUTING -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 80 -m condition --condition secours -j MARK --set-mark %s" % (config.firewall.mark['secours'])) + iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['secours']) # Parametres pour iptables/tc - mark = conf_fw.mark['bittorrent'] - debit_max = conf_fw.debit_max + mark = config.firewall.mark['bittorrent'] + debit_max = config.firewall.debit_max debit_max_semi=debit_max/2 eth_ext = self.eth_ext eth_int = self.eth_int @@ -614,14 +615,14 @@ class firewall_komaz(firewall_crans) : # On crée les chaînes de sous-réseaux for net in NETs['all']: - for mask in conf_fw.mask: + for mask in config.firewall.mask: for subnet in NetSubnets(net, mask): - index = conf_fw.mask.index(mask) + index = config.firewall.mask.index(mask) if index == 0: prev_chain = "POSTROUTING" else: ip = subnet.split('/')[0] - prev_subnet = IpSubnet(ip, conf_fw.mask[index-1]) + prev_subnet = IpSubnet(ip, config.firewall.mask[index-1]) prev_chain = "SUBNET-%s" % prev_subnet next_chain = "SUBNET-%s" % subnet redirect_chain('mangle', prev_chain, next_chain, subnet) 
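Review bot: On the new secours MARK line in the -562 hunk, `-s 138.231.136.0/16 ! -d 138.231.136.0/16` carries host bits in the prefix; iptables masks it to 138.231.0.0/16, which is far wider than the `'138.231.136.0/21'` used a few lines above for the same network, so the secours redirect presumably matches more source and destination addresses than intended. Either use `138.231.136.0/21` here or take the value from `NETs` as the neighbouring rules do, rather than a literal that also has to be kept in step with the FORWARD REJECT rule in the -790 hunk, which carries the same /16. Separately, `debit_max = config.firewall.debit_max` now feeds the unchanged `debit_max_semi=debit_max/2`, which truncates under Python 2 integer division if the config value is an int — TODO confirm the type. The enclosing method begins and ends outside the hunk.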
@@ -683,12 +684,12 @@ class firewall_komaz(firewall_crans) : self.mangle_table() # On desactive la QoS lorsque le debit augmente - if not conf_fw.debit_jour: + if not config.firewall.debit_jour: return # Parametres pour iptables/tc - mark = conf_fw.mark['bittorrent'] - debit_max = conf_fw.debit_max + mark = config.firewall.mark['bittorrent'] + debit_max = config.firewall.debit_max debit_max_semi=debit_max/2 eth_ext = self.eth_ext eth_int = self.eth_int @@ -718,7 +719,7 @@ class firewall_komaz(firewall_crans) : if not AddrInNet(ip, NETs['all']): # Cas particulier d'une machine ayant une IP non CRANS continue - subnet = IpSubnet(machine.ip(), conf_fw.mask[-1]) + subnet = IpSubnet(machine.ip(), config.firewall.mask[-1]) iptables("-t mangle -A SUBNET-%(subnet)s -o crans -d %(ip)s " "-j CLASSIFY --set-class 1:%(class_id)s" % locals()) iptables("-t mangle -A SUBNET-%(subnet)s -o ens -s %(ip)s " @@ -752,7 +753,7 @@ class firewall_komaz(firewall_crans) : # iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int ) # Proxy transparent pour deconnexion soft - iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] + + iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % config.firewall.mark['proxy'] + "-j DNAT --to-destination 10.231.136.4:3128") # Appartement ENS @@ -760,7 +761,7 @@ class firewall_komaz(firewall_crans) : iptables("-t nat -A POSTROUTING -o crans -s %s -j SNAT --to 138.231.136.44" % NETs['personnel-ens'][0]) #Connection de secours - iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['secours'] + + iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % config.firewall.mark['secours'] + "-j DNAT --to-destination 10.231.136.4:3129") print OK 
@@ -775,7 +776,7 @@ class firewall_komaz(firewall_crans) : iptables("-A FORWARD -i tun-ovh -j ACCEPT") iptables("-A FORWARD -d 224.0.0.0/4 -j DROP") # Proxy transparent, pour les deconnexion soft - iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) + iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy']) #iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT") for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']: iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int)) @@ -790,7 +791,7 @@ class firewall_komaz(firewall_crans) : #Connection de secours # on ne peut pas faire passer https dans un proxy transparent sans faire de man in the middle et sans recompiler squid iptables("-A FORWARD -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 443 -m condition --condition secours -j REJECT") - iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours']) + iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % config.firewall.mark['secours']) iptables("-P FORWARD ACCEPT") @@ -871,9 +872,9 @@ class firewall_komaz(firewall_crans) : warn = '' # Parametres pour iptables/tc - mark = conf_fw.mark['bittorrent'] - debit_max = conf_fw.debit_max - debit_adh = int(conf_fw.debit_max / 1200.) # XXX: guesstimate + mark = config.firewall.mark['bittorrent'] + debit_max = config.firewall.debit_max + debit_adh = int(config.firewall.debit_max / 1200.) # XXX: guesstimate eth_ext = self.eth_ext eth_int = self.eth_int eth_wifi = self.eth_wifi @@ -889,7 +890,7 @@ class firewall_komaz(firewall_crans) : if not machines: # Il faut supprimer cette entrée iptables_option = '-D' - subnet = IpSubnet(ip, conf_fw.mask[-1]) + subnet = IpSubnet(ip, config.firewall.mask[-1]) all_regles = iptables("-t mangle -L SUBNET-%(subnet)s -n" % locals()).split('\n') regles = [line for line in all_regles if ip in line] # On sélectionne la première qui doit contenir ce que l'on veut 
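Review bot: `debit_adh = int(config.firewall.debit_max / 1200.)  # XXX: guesstimate` on the new side of the -871 hunk keeps an unexplained magic divisor; a named constant such as `DEBIT_ADH_DIVISOR = 1200.` near the top of the class, with a comment stating what the 1200 approximates (presumably a member count — confirm), would make the guess reviewable. firewall.py's version of this routine in the -708 hunk reads `p2p.debit_adh` from config instead of deriving it, so the two files now disagree on where the per-member rate comes from; if firewall_new.py is meant to replace firewall.py this is fine, otherwise one source should be chosen. The enclosing method's `def` is outside the hunk.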
@@ -903,7 +904,7 @@ class firewall_komaz(firewall_crans) : machine = machines[0] adherent = machine.proprietaire() ip = machine.ip() - subnet = IpSubnet(ip, conf_fw.mask[-1]) + subnet = IpSubnet(ip, config.firewall.mask[-1]) # On ne peut pas reprendre le numéro 1 class_id = int(adherent.id()) + 1 # On cree la classe et la qdisc s'il elles n'existent pas deja @@ -1203,8 +1204,8 @@ class firewall_komaz(firewall_crans) : self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist_soft)) for machine in blacklist_soft: self.anim.cycle() - #~ iptables("-t mangle -A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy'])) - rules.append("-A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy'])) + #~ iptables("-t mangle -A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), config.firewall.mark['proxy'])) + rules.append("-A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), config.firewall.mark['proxy'])) self.anim.reinit() rules.append('COMMIT\n') f = open('/tmp/ipt_blacklist', 'w') @@ -1452,14 +1453,14 @@ class firewall_sable(firewall_redisdead): iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " + "--destination 10.231.136.9 " + "-m mac --mac-source %s " % mac_komaz + - "-j MARK --set-mark %s" % conf_fw.mark['proxy']) - iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) + "-j MARK --set-mark %s" % config.firewall.mark['proxy']) + iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy']) def nat_table(self): firewall_redisdead.nat_table(self) # Proxy transparent pour le filiaire - iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) + iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy']) if_defaut = "eth0" if_radin = "eth0.%d" % vlans["radin"] if_accueil = "eth0.%d" % vlans["accueil"] 
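Review bot: In the -1203 hunk the rules assembled on the new side (`rules.append("-A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), config.firewall.mark['proxy']))`) are written by the unchanged `f = open('/tmp/ipt_blacklist', 'w')` that follows, a fixed path in a world-writable directory opened by what is presumably a root process; an existing file or symlink at that path would be followed, so a local user could cause the firewall to overwrite another file or consume a rules set they placed there. This predates the commit, but since the hunk touches the rule text it is the natural place to fix it: create the file with `tempfile.mkstemp()` in a directory writable only by root, pass that name to the restore step, and remove it afterwards. The enclosing method continues past the end of the hunk.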
@@ -1541,7 +1542,7 @@ class firewall_gordon(firewall_crans) : #~ "-d ! 138.231.136.0/21 " + #~ ("-i %s " % self.eth_wifi) + #~ "-p tcp -m tcp --dport 80 " + - #~ "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy']) + #~ "-j MARK --set-xmark %s/0xffffffff" % config.firewall.mark['proxy']) print OK def post_start_hook(self) :