[gestion/gen_conf/firewall*] renommage de conf_fw en config.firewall

This commit is contained in:
Vincent Le Gallic 2013-03-26 17:55:58 +01:00
parent 2d23ea5085
commit c371496e74
3 changed files with 52 additions and 50 deletions


@ -35,7 +35,8 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi
from affich_tools import * from affich_tools import *
from commands import getstatusoutput from commands import getstatusoutput
from iptools import AddrInNet, NetSubnets, IpSubnet from iptools import AddrInNet, NetSubnets, IpSubnet
from config import NETs, mac_komaz, mac_wifi, mac_titanic, conf_fw, p2p, vlans, debit_max_radin, adm_users from config import NETs, mac_komaz, mac_wifi, mac_titanic, p2p, vlans, debit_max_radin, adm_users
import config.firewall
syslog.openlog('firewall') syslog.openlog('firewall')
debug = 1 debug = 1
@ -516,12 +517,12 @@ class firewall_komaz(firewall_crans) :
iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur) iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
"-s %s -d ! %s -j MARK --set-mark %s" % "-s %s -d ! %s -j MARK --set-mark %s" %
(NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy'])) (NETs['fil'][0], NETs['wifi'][0], config.firewall.mark['proxy']))
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" %
conf_fw.mark['proxy']) config.firewall.mark['proxy'])
# Parametres pour iptables/tc # Parametres pour iptables/tc
mark = conf_fw.mark['bittorrent'] mark = config.firewall.mark['bittorrent']
debit_adh = p2p.debit_adh debit_adh = p2p.debit_adh
debit_max = p2p.debit_max debit_max = p2p.debit_max
eth_ext = self.eth_ext eth_ext = self.eth_ext
@ -555,14 +556,14 @@ class firewall_komaz(firewall_crans) :
# On crée les chaînes de sous-réseaux # On crée les chaînes de sous-réseaux
for net in NETs['all']: for net in NETs['all']:
for mask in conf_fw.mask: for mask in config.firewall.mask:
for subnet in NetSubnets(net, mask): for subnet in NetSubnets(net, mask):
index = conf_fw.mask.index(mask) index = config.firewall.mask.index(mask)
if index == 0: if index == 0:
prev_chain = "POSTROUTING" prev_chain = "POSTROUTING"
else: else:
ip = subnet.split('/')[0] ip = subnet.split('/')[0]
prev_subnet = IpSubnet(ip, conf_fw.mask[index-1]) prev_subnet = IpSubnet(ip, config.firewall.mask[index-1])
prev_chain = "SUBNET-%s" % prev_subnet prev_chain = "SUBNET-%s" % prev_subnet
next_chain = "SUBNET-%s" % subnet next_chain = "SUBNET-%s" % subnet
redirect_chain('mangle', prev_chain, next_chain, subnet) redirect_chain('mangle', prev_chain, next_chain, subnet)
@ -612,7 +613,7 @@ class firewall_komaz(firewall_crans) :
# if not AddrInNet(ip, NETs['all']): # if not AddrInNet(ip, NETs['all']):
# # Cas particulier d'une machine ayant une IP non CRANS # # Cas particulier d'une machine ayant une IP non CRANS
# continue # continue
# subnet = IpSubnet(machine.ip(), conf_fw.mask[-1]) # subnet = IpSubnet(machine.ip(), config.firewall.mask[-1])
# iptables("-t mangle -A SUBNET-%(subnet)s -o crans -d %(ip)s " # iptables("-t mangle -A SUBNET-%(subnet)s -o crans -d %(ip)s "
# "-j CLASSIFY --set-class 1:%(class_id)s" % locals()) # "-j CLASSIFY --set-class 1:%(class_id)s" % locals())
# iptables("-t mangle -A SUBNET-%(subnet)s -o ens -s %(ip)s " # iptables("-t mangle -A SUBNET-%(subnet)s -o ens -s %(ip)s "
@ -656,7 +657,7 @@ class firewall_komaz(firewall_crans) :
iptables("-t nat -P OUTPUT ACCEPT") iptables("-t nat -P OUTPUT ACCEPT")
# Proxy transparent # Proxy transparent
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] + iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % config.firewall.mark['proxy'] +
"-j DNAT --to-destination 10.231.136.9:3128") "-j DNAT --to-destination 10.231.136.9:3128")
print OK print OK
@ -683,7 +684,7 @@ class firewall_komaz(firewall_crans) :
iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext ) iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext )
# Proxy transparent # Proxy transparent
iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
print OK print OK
def classes_p2p_maj(self, ip_list): def classes_p2p_maj(self, ip_list):
@ -708,7 +709,7 @@ class firewall_komaz(firewall_crans) :
warn = '' warn = ''
# Parametres pour iptables/tc # Parametres pour iptables/tc
mark = conf_fw.mark['bittorrent'] mark = config.firewall.mark['bittorrent']
debit_adh = p2p.debit_adh debit_adh = p2p.debit_adh
debit_max = p2p.debit_max debit_max = p2p.debit_max
eth_ext = self.eth_ext eth_ext = self.eth_ext
@ -725,7 +726,7 @@ class firewall_komaz(firewall_crans) :
if not machines: if not machines:
# Il faut supprimer cette entrée # Il faut supprimer cette entrée
iptables_option = '-D' iptables_option = '-D'
subnet = IpSubnet(ip, conf_fw.mask[-1]) subnet = IpSubnet(ip, config.firewall.mask[-1])
all_regles = iptables("-t mangle -L SUBNET-%(subnet)s -n" % locals()).split('\n') all_regles = iptables("-t mangle -L SUBNET-%(subnet)s -n" % locals()).split('\n')
regles = [line for line in all_regles if ip in line] regles = [line for line in all_regles if ip in line]
# On sélectionne la première qui doit contenir ce que l'on veut # On sélectionne la première qui doit contenir ce que l'on veut
@ -739,7 +740,7 @@ class firewall_komaz(firewall_crans) :
machine = machines[0] machine = machines[0]
adherent = machine.proprietaire() adherent = machine.proprietaire()
ip = machine.ip() ip = machine.ip()
subnet = IpSubnet(ip, conf_fw.mask[-1]) subnet = IpSubnet(ip, config.firewall.mask[-1])
# On ne peut pas reprendre le numéro 1 # On ne peut pas reprendre le numéro 1
class_id = int(adherent.id()) + 1 class_id = int(adherent.id()) + 1
# On cree la classe et la qdisc s'il elles n'existent pas deja # On cree la classe et la qdisc s'il elles n'existent pas deja
@ -1248,13 +1249,13 @@ class firewall_sable(firewall_rouge):
iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " + iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
"--destination 10.231.136.9 " + "--destination 10.231.136.9 " +
"-m mac --mac-source %s " % mac_komaz + "-m mac --mac-source %s " % mac_komaz +
"-j MARK --set-mark %s" % conf_fw.mark['proxy']) "-j MARK --set-mark %s" % config.firewall.mark['proxy'])
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
# On marque les paquets venant du vlan radin vers de l'https # On marque les paquets venant du vlan radin vers de l'https
# pour qu'ils soient nattés # pour qu'ils soient nattés
iptables("-t mangle -A PREROUTING -i eth0.%d -p tcp -m tcp --dport 443 -j MARK --set-mark %s" % iptables("-t mangle -A PREROUTING -i eth0.%d -p tcp -m tcp --dport 443 -j MARK --set-mark %s" %
(vlans["radin"], conf_fw.mark["https-radin"])) (vlans["radin"], config.firewall.mark["https-radin"]))
def filter_table(self): def filter_table(self):
iptables("-t filter -F") iptables("-t filter -F")
@ -1268,7 +1269,7 @@ class firewall_sable(firewall_rouge):
def nat_table(self): def nat_table(self):
firewall_rouge.nat_table(self) firewall_rouge.nat_table(self)
# Proxy transparent pour le filiaire # Proxy transparent pour le filiaire
iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
if_defaut = "eth0" if_defaut = "eth0"
if_radin = "eth0.%d" % vlans["radin"] if_radin = "eth0.%d" % vlans["radin"]
@ -1287,7 +1288,7 @@ class firewall_sable(firewall_rouge):
iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface) iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface)
# Nat pour le https sur le vlan radin # Nat pour le https sur le vlan radin
iptables("-t nat -A POSTROUTING -m mark --mark %s -j MASQUERADE" % conf_fw.mark["https-radin"]) iptables("-t nat -A POSTROUTING -m mark --mark %s -j MASQUERADE" % config.firewall.mark["https-radin"])
# Limite de débit sur le vlan radin # Limite de débit sur le vlan radin
try: try:
@ -1366,7 +1367,7 @@ class firewall_gordon(firewall_crans) :
#~ "-d ! 138.231.136.0/21 " + #~ "-d ! 138.231.136.0/21 " +
#~ ("-i %s " % self.eth_wifi) + #~ ("-i %s " % self.eth_wifi) +
#~ "-p tcp -m tcp --dport 80 " + #~ "-p tcp -m tcp --dport 80 " +
#~ "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy']) #~ "-j MARK --set-xmark %s/0xffffffff" % config.firewall.mark['proxy'])
print OK print OK
def post_start_hook(self) : def post_start_hook(self) :


@ -25,7 +25,7 @@ import sys, re, os, pwd
sys.path.append('/usr/scripts/gestion') sys.path.append('/usr/scripts/gestion')
from ldap_crans import hostname from ldap_crans import hostname
from config import conf_fw, rid, prefix, role, file_pickle, open_ports, p2p from config import rid, prefix, role, file_pickle, open_ports, p2p
from config import authorized_icmpv6, mac_wifi, adm_only, adm_users from config import authorized_icmpv6, mac_wifi, adm_only, adm_users
from ipt import * from ipt import *


@ -37,7 +37,8 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi
from affich_tools import * from affich_tools import *
from commands import getstatusoutput from commands import getstatusoutput
from iptools import AddrInNet, NetSubnets, IpSubnet from iptools import AddrInNet, NetSubnets, IpSubnet
from config import NETs, mac_komaz, mac_wifi, mac_titanic, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire from config import NETs, mac_komaz, mac_wifi, mac_titanic, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire
import config.firewall
from ipset import IpsetError, Ipset from ipset import IpsetError, Ipset
from lc_ldap import lc_ldap from lc_ldap import lc_ldap
from ipt import gethostbyname from ipt import gethostbyname
@ -551,9 +552,9 @@ class firewall_komaz(firewall_crans) :
iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur) iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
#~ iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " #~ iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
#~ "-s %s -d ! %s -j MARK --set-mark %s" % #~ "-s %s -d ! %s -j MARK --set-mark %s" %
#~ (NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy'])) #~ (NETs['fil'][0], NETs['wifi'][0], config.firewall.mark['proxy']))
#~ iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % #~ iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" %
#~ conf_fw.mark['proxy']) #~ config.firewall.mark['proxy'])
iptables("-t mangle -N BLACKLIST_SOFT") iptables("-t mangle -N BLACKLIST_SOFT")
for ip_fil in NETs['fil']: for ip_fil in NETs['fil']:
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
@ -562,16 +563,16 @@ class firewall_komaz(firewall_crans) :
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
"-s %s -d ! %s -j BLACKLIST_SOFT" % "-s %s -d ! %s -j BLACKLIST_SOFT" %
(NETs['wifi'][0], '138.231.136.0/21')) (NETs['wifi'][0], '138.231.136.0/21'))
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
#connection de secours #connection de secours
iptables("-t mangle -A PREROUTING -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 80 -m condition --condition secours -j MARK --set-mark %s" % (conf_fw.mark['secours'])) iptables("-t mangle -A PREROUTING -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 80 -m condition --condition secours -j MARK --set-mark %s" % (config.firewall.mark['secours']))
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours']) iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['secours'])
# Parametres pour iptables/tc # Parametres pour iptables/tc
mark = conf_fw.mark['bittorrent'] mark = config.firewall.mark['bittorrent']
debit_max = conf_fw.debit_max debit_max = config.firewall.debit_max
debit_max_semi=debit_max/2 debit_max_semi=debit_max/2
eth_ext = self.eth_ext eth_ext = self.eth_ext
eth_int = self.eth_int eth_int = self.eth_int
@ -614,14 +615,14 @@ class firewall_komaz(firewall_crans) :
# On crée les chaînes de sous-réseaux # On crée les chaînes de sous-réseaux
for net in NETs['all']: for net in NETs['all']:
for mask in conf_fw.mask: for mask in config.firewall.mask:
for subnet in NetSubnets(net, mask): for subnet in NetSubnets(net, mask):
index = conf_fw.mask.index(mask) index = config.firewall.mask.index(mask)
if index == 0: if index == 0:
prev_chain = "POSTROUTING" prev_chain = "POSTROUTING"
else: else:
ip = subnet.split('/')[0] ip = subnet.split('/')[0]
prev_subnet = IpSubnet(ip, conf_fw.mask[index-1]) prev_subnet = IpSubnet(ip, config.firewall.mask[index-1])
prev_chain = "SUBNET-%s" % prev_subnet prev_chain = "SUBNET-%s" % prev_subnet
next_chain = "SUBNET-%s" % subnet next_chain = "SUBNET-%s" % subnet
redirect_chain('mangle', prev_chain, next_chain, subnet) redirect_chain('mangle', prev_chain, next_chain, subnet)
@ -683,12 +684,12 @@ class firewall_komaz(firewall_crans) :
self.mangle_table() self.mangle_table()
# On desactive la QoS lorsque le debit augmente # On desactive la QoS lorsque le debit augmente
if not conf_fw.debit_jour: if not config.firewall.debit_jour:
return return
# Parametres pour iptables/tc # Parametres pour iptables/tc
mark = conf_fw.mark['bittorrent'] mark = config.firewall.mark['bittorrent']
debit_max = conf_fw.debit_max debit_max = config.firewall.debit_max
debit_max_semi=debit_max/2 debit_max_semi=debit_max/2
eth_ext = self.eth_ext eth_ext = self.eth_ext
eth_int = self.eth_int eth_int = self.eth_int
@ -718,7 +719,7 @@ class firewall_komaz(firewall_crans) :
if not AddrInNet(ip, NETs['all']): if not AddrInNet(ip, NETs['all']):
# Cas particulier d'une machine ayant une IP non CRANS # Cas particulier d'une machine ayant une IP non CRANS
continue continue
subnet = IpSubnet(machine.ip(), conf_fw.mask[-1]) subnet = IpSubnet(machine.ip(), config.firewall.mask[-1])
iptables("-t mangle -A SUBNET-%(subnet)s -o crans -d %(ip)s " iptables("-t mangle -A SUBNET-%(subnet)s -o crans -d %(ip)s "
"-j CLASSIFY --set-class 1:%(class_id)s" % locals()) "-j CLASSIFY --set-class 1:%(class_id)s" % locals())
iptables("-t mangle -A SUBNET-%(subnet)s -o ens -s %(ip)s " iptables("-t mangle -A SUBNET-%(subnet)s -o ens -s %(ip)s "
@ -752,7 +753,7 @@ class firewall_komaz(firewall_crans) :
# iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int ) # iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int )
# Proxy transparent pour deconnexion soft # Proxy transparent pour deconnexion soft
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] + iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % config.firewall.mark['proxy'] +
"-j DNAT --to-destination 10.231.136.4:3128") "-j DNAT --to-destination 10.231.136.4:3128")
# Appartement ENS # Appartement ENS
@ -760,7 +761,7 @@ class firewall_komaz(firewall_crans) :
iptables("-t nat -A POSTROUTING -o crans -s %s -j SNAT --to 138.231.136.44" % NETs['personnel-ens'][0]) iptables("-t nat -A POSTROUTING -o crans -s %s -j SNAT --to 138.231.136.44" % NETs['personnel-ens'][0])
#Connection de secours #Connection de secours
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['secours'] + iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % config.firewall.mark['secours'] +
"-j DNAT --to-destination 10.231.136.4:3129") "-j DNAT --to-destination 10.231.136.4:3129")
print OK print OK
@ -775,7 +776,7 @@ class firewall_komaz(firewall_crans) :
iptables("-A FORWARD -i tun-ovh -j ACCEPT") iptables("-A FORWARD -i tun-ovh -j ACCEPT")
iptables("-A FORWARD -d 224.0.0.0/4 -j DROP") iptables("-A FORWARD -d 224.0.0.0/4 -j DROP")
# Proxy transparent, pour les deconnexion soft # Proxy transparent, pour les deconnexion soft
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
#iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT") #iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']: for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']:
iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int)) iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int))
@ -790,7 +791,7 @@ class firewall_komaz(firewall_crans) :
#Connection de secours #Connection de secours
# on ne peut pas faire passer https dans un proxy transparent sans faire de man in the middle et sans recompiler squid # on ne peut pas faire passer https dans un proxy transparent sans faire de man in the middle et sans recompiler squid
iptables("-A FORWARD -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 443 -m condition --condition secours -j REJECT") iptables("-A FORWARD -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 443 -m condition --condition secours -j REJECT")
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours']) iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % config.firewall.mark['secours'])
iptables("-P FORWARD ACCEPT") iptables("-P FORWARD ACCEPT")
@ -871,9 +872,9 @@ class firewall_komaz(firewall_crans) :
warn = '' warn = ''
# Parametres pour iptables/tc # Parametres pour iptables/tc
mark = conf_fw.mark['bittorrent'] mark = config.firewall.mark['bittorrent']
debit_max = conf_fw.debit_max debit_max = config.firewall.debit_max
debit_adh = int(conf_fw.debit_max / 1200.) # XXX: guesstimate debit_adh = int(config.firewall.debit_max / 1200.) # XXX: guesstimate
eth_ext = self.eth_ext eth_ext = self.eth_ext
eth_int = self.eth_int eth_int = self.eth_int
eth_wifi = self.eth_wifi eth_wifi = self.eth_wifi
@ -889,7 +890,7 @@ class firewall_komaz(firewall_crans) :
if not machines: if not machines:
# Il faut supprimer cette entrée # Il faut supprimer cette entrée
iptables_option = '-D' iptables_option = '-D'
subnet = IpSubnet(ip, conf_fw.mask[-1]) subnet = IpSubnet(ip, config.firewall.mask[-1])
all_regles = iptables("-t mangle -L SUBNET-%(subnet)s -n" % locals()).split('\n') all_regles = iptables("-t mangle -L SUBNET-%(subnet)s -n" % locals()).split('\n')
regles = [line for line in all_regles if ip in line] regles = [line for line in all_regles if ip in line]
# On sélectionne la première qui doit contenir ce que l'on veut # On sélectionne la première qui doit contenir ce que l'on veut
@ -903,7 +904,7 @@ class firewall_komaz(firewall_crans) :
machine = machines[0] machine = machines[0]
adherent = machine.proprietaire() adherent = machine.proprietaire()
ip = machine.ip() ip = machine.ip()
subnet = IpSubnet(ip, conf_fw.mask[-1]) subnet = IpSubnet(ip, config.firewall.mask[-1])
# On ne peut pas reprendre le numéro 1 # On ne peut pas reprendre le numéro 1
class_id = int(adherent.id()) + 1 class_id = int(adherent.id()) + 1
# On cree la classe et la qdisc s'il elles n'existent pas deja # On cree la classe et la qdisc s'il elles n'existent pas deja
@ -1203,8 +1204,8 @@ class firewall_komaz(firewall_crans) :
self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist_soft)) self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist_soft))
for machine in blacklist_soft: for machine in blacklist_soft:
self.anim.cycle() self.anim.cycle()
#~ iptables("-t mangle -A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy'])) #~ iptables("-t mangle -A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), config.firewall.mark['proxy']))
rules.append("-A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy'])) rules.append("-A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), config.firewall.mark['proxy']))
self.anim.reinit() self.anim.reinit()
rules.append('COMMIT\n') rules.append('COMMIT\n')
f = open('/tmp/ipt_blacklist', 'w') f = open('/tmp/ipt_blacklist', 'w')
@ -1452,14 +1453,14 @@ class firewall_sable(firewall_redisdead):
iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " + iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
"--destination 10.231.136.9 " + "--destination 10.231.136.9 " +
"-m mac --mac-source %s " % mac_komaz + "-m mac --mac-source %s " % mac_komaz +
"-j MARK --set-mark %s" % conf_fw.mark['proxy']) "-j MARK --set-mark %s" % config.firewall.mark['proxy'])
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
def nat_table(self): def nat_table(self):
firewall_redisdead.nat_table(self) firewall_redisdead.nat_table(self)
# Proxy transparent pour le filiaire # Proxy transparent pour le filiaire
iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
if_defaut = "eth0" if_defaut = "eth0"
if_radin = "eth0.%d" % vlans["radin"] if_radin = "eth0.%d" % vlans["radin"]
if_accueil = "eth0.%d" % vlans["accueil"] if_accueil = "eth0.%d" % vlans["accueil"]
@ -1541,7 +1542,7 @@ class firewall_gordon(firewall_crans) :
#~ "-d ! 138.231.136.0/21 " + #~ "-d ! 138.231.136.0/21 " +
#~ ("-i %s " % self.eth_wifi) + #~ ("-i %s " % self.eth_wifi) +
#~ "-p tcp -m tcp --dport 80 " + #~ "-p tcp -m tcp --dport 80 " +
#~ "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy']) #~ "-j MARK --set-xmark %s/0xffffffff" % config.firewall.mark['proxy'])
print OK print OK
def post_start_hook(self) : def post_start_hook(self) :