[gestion/gen_conf/firewall*] renommage de conf_fw en config.firewall
This commit is contained in:
parent
2d23ea5085
commit
c371496e74
3 changed files with 52 additions and 50 deletions
|
@ -35,7 +35,8 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi
|
|||
from affich_tools import *
|
||||
from commands import getstatusoutput
|
||||
from iptools import AddrInNet, NetSubnets, IpSubnet
|
||||
from config import NETs, mac_komaz, mac_wifi, mac_titanic, conf_fw, p2p, vlans, debit_max_radin, adm_users
|
||||
from config import NETs, mac_komaz, mac_wifi, mac_titanic, p2p, vlans, debit_max_radin, adm_users
|
||||
import config.firewall
|
||||
syslog.openlog('firewall')
|
||||
|
||||
debug = 1
|
||||
|
@ -516,12 +517,12 @@ class firewall_komaz(firewall_crans) :
|
|||
iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
|
||||
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
|
||||
"-s %s -d ! %s -j MARK --set-mark %s" %
|
||||
(NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy']))
|
||||
(NETs['fil'][0], NETs['wifi'][0], config.firewall.mark['proxy']))
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" %
|
||||
conf_fw.mark['proxy'])
|
||||
config.firewall.mark['proxy'])
|
||||
|
||||
# Parametres pour iptables/tc
|
||||
mark = conf_fw.mark['bittorrent']
|
||||
mark = config.firewall.mark['bittorrent']
|
||||
debit_adh = p2p.debit_adh
|
||||
debit_max = p2p.debit_max
|
||||
eth_ext = self.eth_ext
|
||||
|
@ -555,14 +556,14 @@ class firewall_komaz(firewall_crans) :
|
|||
|
||||
# On crée les chaînes de sous-réseaux
|
||||
for net in NETs['all']:
|
||||
for mask in conf_fw.mask:
|
||||
for mask in config.firewall.mask:
|
||||
for subnet in NetSubnets(net, mask):
|
||||
index = conf_fw.mask.index(mask)
|
||||
index = config.firewall.mask.index(mask)
|
||||
if index == 0:
|
||||
prev_chain = "POSTROUTING"
|
||||
else:
|
||||
ip = subnet.split('/')[0]
|
||||
prev_subnet = IpSubnet(ip, conf_fw.mask[index-1])
|
||||
prev_subnet = IpSubnet(ip, config.firewall.mask[index-1])
|
||||
prev_chain = "SUBNET-%s" % prev_subnet
|
||||
next_chain = "SUBNET-%s" % subnet
|
||||
redirect_chain('mangle', prev_chain, next_chain, subnet)
|
||||
|
@ -612,7 +613,7 @@ class firewall_komaz(firewall_crans) :
|
|||
# if not AddrInNet(ip, NETs['all']):
|
||||
# # Cas particulier d'une machine ayant une IP non CRANS
|
||||
# continue
|
||||
# subnet = IpSubnet(machine.ip(), conf_fw.mask[-1])
|
||||
# subnet = IpSubnet(machine.ip(), config.firewall.mask[-1])
|
||||
# iptables("-t mangle -A SUBNET-%(subnet)s -o crans -d %(ip)s "
|
||||
# "-j CLASSIFY --set-class 1:%(class_id)s" % locals())
|
||||
# iptables("-t mangle -A SUBNET-%(subnet)s -o ens -s %(ip)s "
|
||||
|
@ -656,7 +657,7 @@ class firewall_komaz(firewall_crans) :
|
|||
iptables("-t nat -P OUTPUT ACCEPT")
|
||||
|
||||
# Proxy transparent
|
||||
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
|
||||
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % config.firewall.mark['proxy'] +
|
||||
"-j DNAT --to-destination 10.231.136.9:3128")
|
||||
print OK
|
||||
|
||||
|
@ -683,7 +684,7 @@ class firewall_komaz(firewall_crans) :
|
|||
iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext )
|
||||
|
||||
# Proxy transparent
|
||||
iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
|
||||
print OK
|
||||
|
||||
def classes_p2p_maj(self, ip_list):
|
||||
|
@ -708,7 +709,7 @@ class firewall_komaz(firewall_crans) :
|
|||
warn = ''
|
||||
|
||||
# Parametres pour iptables/tc
|
||||
mark = conf_fw.mark['bittorrent']
|
||||
mark = config.firewall.mark['bittorrent']
|
||||
debit_adh = p2p.debit_adh
|
||||
debit_max = p2p.debit_max
|
||||
eth_ext = self.eth_ext
|
||||
|
@ -725,7 +726,7 @@ class firewall_komaz(firewall_crans) :
|
|||
if not machines:
|
||||
# Il faut supprimer cette entrée
|
||||
iptables_option = '-D'
|
||||
subnet = IpSubnet(ip, conf_fw.mask[-1])
|
||||
subnet = IpSubnet(ip, config.firewall.mask[-1])
|
||||
all_regles = iptables("-t mangle -L SUBNET-%(subnet)s -n" % locals()).split('\n')
|
||||
regles = [line for line in all_regles if ip in line]
|
||||
# On sélectionne la première qui doit contenir ce que l'on veut
|
||||
|
@ -739,7 +740,7 @@ class firewall_komaz(firewall_crans) :
|
|||
machine = machines[0]
|
||||
adherent = machine.proprietaire()
|
||||
ip = machine.ip()
|
||||
subnet = IpSubnet(ip, conf_fw.mask[-1])
|
||||
subnet = IpSubnet(ip, config.firewall.mask[-1])
|
||||
# On ne peut pas reprendre le numéro 1
|
||||
class_id = int(adherent.id()) + 1
|
||||
# On cree la classe et la qdisc s'il elles n'existent pas deja
|
||||
|
@ -1248,13 +1249,13 @@ class firewall_sable(firewall_rouge):
|
|||
iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
|
||||
"--destination 10.231.136.9 " +
|
||||
"-m mac --mac-source %s " % mac_komaz +
|
||||
"-j MARK --set-mark %s" % conf_fw.mark['proxy'])
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
"-j MARK --set-mark %s" % config.firewall.mark['proxy'])
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
|
||||
|
||||
# On marque les paquets venant du vlan radin vers de l'https
|
||||
# pour qu'ils soient nattés
|
||||
iptables("-t mangle -A PREROUTING -i eth0.%d -p tcp -m tcp --dport 443 -j MARK --set-mark %s" %
|
||||
(vlans["radin"], conf_fw.mark["https-radin"]))
|
||||
(vlans["radin"], config.firewall.mark["https-radin"]))
|
||||
|
||||
def filter_table(self):
|
||||
iptables("-t filter -F")
|
||||
|
@ -1268,7 +1269,7 @@ class firewall_sable(firewall_rouge):
|
|||
def nat_table(self):
|
||||
firewall_rouge.nat_table(self)
|
||||
# Proxy transparent pour le filiaire
|
||||
iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
|
||||
|
||||
if_defaut = "eth0"
|
||||
if_radin = "eth0.%d" % vlans["radin"]
|
||||
|
@ -1287,7 +1288,7 @@ class firewall_sable(firewall_rouge):
|
|||
iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface)
|
||||
|
||||
# Nat pour le https sur le vlan radin
|
||||
iptables("-t nat -A POSTROUTING -m mark --mark %s -j MASQUERADE" % conf_fw.mark["https-radin"])
|
||||
iptables("-t nat -A POSTROUTING -m mark --mark %s -j MASQUERADE" % config.firewall.mark["https-radin"])
|
||||
|
||||
# Limite de débit sur le vlan radin
|
||||
try:
|
||||
|
@ -1366,7 +1367,7 @@ class firewall_gordon(firewall_crans) :
|
|||
#~ "-d ! 138.231.136.0/21 " +
|
||||
#~ ("-i %s " % self.eth_wifi) +
|
||||
#~ "-p tcp -m tcp --dport 80 " +
|
||||
#~ "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
|
||||
#~ "-j MARK --set-xmark %s/0xffffffff" % config.firewall.mark['proxy'])
|
||||
print OK
|
||||
|
||||
def post_start_hook(self) :
|
||||
|
|
|
@ -25,7 +25,7 @@ import sys, re, os, pwd
|
|||
sys.path.append('/usr/scripts/gestion')
|
||||
|
||||
from ldap_crans import hostname
|
||||
from config import conf_fw, rid, prefix, role, file_pickle, open_ports, p2p
|
||||
from config import rid, prefix, role, file_pickle, open_ports, p2p
|
||||
from config import authorized_icmpv6, mac_wifi, adm_only, adm_users
|
||||
from ipt import *
|
||||
|
||||
|
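Review bot: The new `from config import rid, prefix, role, file_pickle, open_ports, p2p` line drops `conf_fw` without adding a replacement, whereas the other two files in this commit pair their trimmed `from config import ...` line with a new `import config.firewall`. Any `conf_fw.` reference that remains further down this file (not visible here; the file continues past the hunk) would now raise NameError only when that code path executes, not at import time, which on a firewall script means the breakage surfaces during a rule reload rather than at startup. If nothing else in the file used `conf_fw`, the hunk is fine; otherwise add `import config.firewall` right after the `from config import` line and rename the call sites as the other files do. Worth grepping the file for `conf_fw` before merging, since `from ipt import *` on the next line would not mask such a failure.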
|
|
@ -37,7 +37,8 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi
|
|||
from affich_tools import *
|
||||
from commands import getstatusoutput
|
||||
from iptools import AddrInNet, NetSubnets, IpSubnet
|
||||
from config import NETs, mac_komaz, mac_wifi, mac_titanic, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire
|
||||
from config import NETs, mac_komaz, mac_wifi, mac_titanic, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire
|
||||
import config.firewall
|
||||
from ipset import IpsetError, Ipset
|
||||
from lc_ldap import lc_ldap
|
||||
from ipt import gethostbyname
|
||||
|
@ -551,9 +552,9 @@ class firewall_komaz(firewall_crans) :
|
|||
iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
|
||||
#~ iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
|
||||
#~ "-s %s -d ! %s -j MARK --set-mark %s" %
|
||||
#~ (NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy']))
|
||||
#~ (NETs['fil'][0], NETs['wifi'][0], config.firewall.mark['proxy']))
|
||||
#~ iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" %
|
||||
#~ conf_fw.mark['proxy'])
|
||||
#~ config.firewall.mark['proxy'])
|
||||
iptables("-t mangle -N BLACKLIST_SOFT")
|
||||
for ip_fil in NETs['fil']:
|
||||
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
|
||||
|
@ -562,16 +563,16 @@ class firewall_komaz(firewall_crans) :
|
|||
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
|
||||
"-s %s -d ! %s -j BLACKLIST_SOFT" %
|
||||
(NETs['wifi'][0], '138.231.136.0/21'))
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
|
||||
|
||||
|
||||
#connection de secours
|
||||
iptables("-t mangle -A PREROUTING -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 80 -m condition --condition secours -j MARK --set-mark %s" % (conf_fw.mark['secours']))
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours'])
|
||||
iptables("-t mangle -A PREROUTING -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 80 -m condition --condition secours -j MARK --set-mark %s" % (config.firewall.mark['secours']))
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['secours'])
|
||||
|
||||
# Parametres pour iptables/tc
|
||||
mark = conf_fw.mark['bittorrent']
|
||||
debit_max = conf_fw.debit_max
|
||||
mark = config.firewall.mark['bittorrent']
|
||||
debit_max = config.firewall.debit_max
|
||||
debit_max_semi=debit_max/2
|
||||
eth_ext = self.eth_ext
|
||||
eth_int = self.eth_int
|
||||
|
@ -614,14 +615,14 @@ class firewall_komaz(firewall_crans) :
|
|||
|
||||
# On crée les chaînes de sous-réseaux
|
||||
for net in NETs['all']:
|
||||
for mask in conf_fw.mask:
|
||||
for mask in config.firewall.mask:
|
||||
for subnet in NetSubnets(net, mask):
|
||||
index = conf_fw.mask.index(mask)
|
||||
index = config.firewall.mask.index(mask)
|
||||
if index == 0:
|
||||
prev_chain = "POSTROUTING"
|
||||
else:
|
||||
ip = subnet.split('/')[0]
|
||||
prev_subnet = IpSubnet(ip, conf_fw.mask[index-1])
|
||||
prev_subnet = IpSubnet(ip, config.firewall.mask[index-1])
|
||||
prev_chain = "SUBNET-%s" % prev_subnet
|
||||
next_chain = "SUBNET-%s" % subnet
|
||||
redirect_chain('mangle', prev_chain, next_chain, subnet)
|
||||
|
@ -683,12 +684,12 @@ class firewall_komaz(firewall_crans) :
|
|||
self.mangle_table()
|
||||
|
||||
# On desactive la QoS lorsque le debit augmente
|
||||
if not conf_fw.debit_jour:
|
||||
if not config.firewall.debit_jour:
|
||||
return
|
||||
|
||||
# Parametres pour iptables/tc
|
||||
mark = conf_fw.mark['bittorrent']
|
||||
debit_max = conf_fw.debit_max
|
||||
mark = config.firewall.mark['bittorrent']
|
||||
debit_max = config.firewall.debit_max
|
||||
debit_max_semi=debit_max/2
|
||||
eth_ext = self.eth_ext
|
||||
eth_int = self.eth_int
|
||||
|
@ -718,7 +719,7 @@ class firewall_komaz(firewall_crans) :
|
|||
if not AddrInNet(ip, NETs['all']):
|
||||
# Cas particulier d'une machine ayant une IP non CRANS
|
||||
continue
|
||||
subnet = IpSubnet(machine.ip(), conf_fw.mask[-1])
|
||||
subnet = IpSubnet(machine.ip(), config.firewall.mask[-1])
|
||||
iptables("-t mangle -A SUBNET-%(subnet)s -o crans -d %(ip)s "
|
||||
"-j CLASSIFY --set-class 1:%(class_id)s" % locals())
|
||||
iptables("-t mangle -A SUBNET-%(subnet)s -o ens -s %(ip)s "
|
||||
|
@ -752,7 +753,7 @@ class firewall_komaz(firewall_crans) :
|
|||
# iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int )
|
||||
|
||||
# Proxy transparent pour deconnexion soft
|
||||
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
|
||||
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % config.firewall.mark['proxy'] +
|
||||
"-j DNAT --to-destination 10.231.136.4:3128")
|
||||
|
||||
# Appartement ENS
|
||||
|
@ -760,7 +761,7 @@ class firewall_komaz(firewall_crans) :
|
|||
iptables("-t nat -A POSTROUTING -o crans -s %s -j SNAT --to 138.231.136.44" % NETs['personnel-ens'][0])
|
||||
|
||||
#Connection de secours
|
||||
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['secours'] +
|
||||
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % config.firewall.mark['secours'] +
|
||||
"-j DNAT --to-destination 10.231.136.4:3129")
|
||||
print OK
|
||||
|
||||
|
@ -775,7 +776,7 @@ class firewall_komaz(firewall_crans) :
|
|||
iptables("-A FORWARD -i tun-ovh -j ACCEPT")
|
||||
iptables("-A FORWARD -d 224.0.0.0/4 -j DROP")
|
||||
# Proxy transparent, pour les deconnexion soft
|
||||
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
|
||||
#iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
|
||||
for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']:
|
||||
iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int))
|
||||
|
@ -790,7 +791,7 @@ class firewall_komaz(firewall_crans) :
|
|||
#Connection de secours
|
||||
# on ne peut pas faire passer https dans un proxy transparent sans faire de man in the middle et sans recompiler squid
|
||||
iptables("-A FORWARD -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 443 -m condition --condition secours -j REJECT")
|
||||
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours'])
|
||||
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % config.firewall.mark['secours'])
|
||||
|
||||
iptables("-P FORWARD ACCEPT")
|
||||
|
||||
|
@ -871,9 +872,9 @@ class firewall_komaz(firewall_crans) :
|
|||
warn = ''
|
||||
|
||||
# Parametres pour iptables/tc
|
||||
mark = conf_fw.mark['bittorrent']
|
||||
debit_max = conf_fw.debit_max
|
||||
debit_adh = int(conf_fw.debit_max / 1200.) # XXX: guesstimate
|
||||
mark = config.firewall.mark['bittorrent']
|
||||
debit_max = config.firewall.debit_max
|
||||
debit_adh = int(config.firewall.debit_max / 1200.) # XXX: guesstimate
|
||||
eth_ext = self.eth_ext
|
||||
eth_int = self.eth_int
|
||||
eth_wifi = self.eth_wifi
|
||||
|
@ -889,7 +890,7 @@ class firewall_komaz(firewall_crans) :
|
|||
if not machines:
|
||||
# Il faut supprimer cette entrée
|
||||
iptables_option = '-D'
|
||||
subnet = IpSubnet(ip, conf_fw.mask[-1])
|
||||
subnet = IpSubnet(ip, config.firewall.mask[-1])
|
||||
all_regles = iptables("-t mangle -L SUBNET-%(subnet)s -n" % locals()).split('\n')
|
||||
regles = [line for line in all_regles if ip in line]
|
||||
# On sélectionne la première qui doit contenir ce que l'on veut
|
||||
|
@ -903,7 +904,7 @@ class firewall_komaz(firewall_crans) :
|
|||
machine = machines[0]
|
||||
adherent = machine.proprietaire()
|
||||
ip = machine.ip()
|
||||
subnet = IpSubnet(ip, conf_fw.mask[-1])
|
||||
subnet = IpSubnet(ip, config.firewall.mask[-1])
|
||||
# On ne peut pas reprendre le numéro 1
|
||||
class_id = int(adherent.id()) + 1
|
||||
# On cree la classe et la qdisc s'il elles n'existent pas deja
|
||||
|
@ -1203,8 +1204,8 @@ class firewall_komaz(firewall_crans) :
|
|||
self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist_soft))
|
||||
for machine in blacklist_soft:
|
||||
self.anim.cycle()
|
||||
#~ iptables("-t mangle -A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
|
||||
rules.append("-A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
|
||||
#~ iptables("-t mangle -A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), config.firewall.mark['proxy']))
|
||||
rules.append("-A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), config.firewall.mark['proxy']))
|
||||
self.anim.reinit()
|
||||
rules.append('COMMIT\n')
|
||||
f = open('/tmp/ipt_blacklist', 'w')
|
||||
|
@ -1452,14 +1453,14 @@ class firewall_sable(firewall_redisdead):
|
|||
iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
|
||||
"--destination 10.231.136.9 " +
|
||||
"-m mac --mac-source %s " % mac_komaz +
|
||||
"-j MARK --set-mark %s" % conf_fw.mark['proxy'])
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
"-j MARK --set-mark %s" % config.firewall.mark['proxy'])
|
||||
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
|
||||
|
||||
|
||||
def nat_table(self):
|
||||
firewall_redisdead.nat_table(self)
|
||||
# Proxy transparent pour le filiaire
|
||||
iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
|
||||
iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
|
||||
if_defaut = "eth0"
|
||||
if_radin = "eth0.%d" % vlans["radin"]
|
||||
if_accueil = "eth0.%d" % vlans["accueil"]
|
||||
|
@ -1541,7 +1542,7 @@ class firewall_gordon(firewall_crans) :
|
|||
#~ "-d ! 138.231.136.0/21 " +
|
||||
#~ ("-i %s " % self.eth_wifi) +
|
||||
#~ "-p tcp -m tcp --dport 80 " +
|
||||
#~ "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
|
||||
#~ "-j MARK --set-xmark %s/0xffffffff" % config.firewall.mark['proxy'])
|
||||
print OK
|
||||
|
||||
def post_start_hook(self) :
|
||||
|
|
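Review bot: In the hunk at @ -1203, the rule list whose `rules.append(...)` line is rewritten is written three lines later via `f = open('/tmp/ipt_blacklist', 'w')`, a fixed, predictable name in a world-writable directory, with no `with` block or close visible in the hunk. A pre-existing file or symlink of that name belonging to another local user could cause the write to land elsewhere or be altered before whatever consumes the file (presumably an iptables restore step, outside the hunk) reads it; the function continues past the hunk, so the consumer is not visible here. This is pre-existing behaviour rather than something the rename introduces, but since the commit already touches this function, consider `fd, path = tempfile.mkstemp(prefix='ipt_blacklist')` with `os.fdopen(fd, 'w')` inside a `with` block, or a root-owned run directory, and remove the file once it has been applied.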