crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[firewall4] Pettry_print pour le pare-feu de zamok et on autorise les nounoun à acceder à adm

Browse source
This commit is contained in:
Valentin Samir 2013-04-09 15:40:17 +02:00
parent ccdc2e2336
commit c433ec1950
1 changed files with 13 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

19
gestion/gen_confs/firewall4.py
View file

@ -933,10 +933,7 @@ class firewall_zamok(firewall_base):
chain='ADMIN-VLAN' chain='ADMIN-VLAN'
if table == 'filter': if table == 'filter':
for user in adm_users: pretty_print(table, chain)
try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
except KeyError: print "Utilisateur %s inconnu" % user
# ldap et dns toujours joinable # ldap et dns toujours joinable
self.add(table, chain, '-p tcp --dport ldap -j ACCEPT') self.add(table, chain, '-p tcp --dport ldap -j ACCEPT')
self.add(table, chain, '-p tcp --dport domain -j ACCEPT') self.add(table, chain, '-p tcp --dport domain -j ACCEPT')
@ -945,8 +942,16 @@ class firewall_zamok(firewall_base):
# Pour le nfs (le paquet à laisser passer n'a pas d'owner) # Pour le nfs (le paquet à laisser passer n'a pas d'owner)
self.add(table, chain, '-d daath.adm.crans.org -j ACCEPT') self.add(table, chain, '-d daath.adm.crans.org -j ACCEPT')
for user in adm_users:
try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
except KeyError: print "Utilisateur %s inconnu" % user
for nounou in conn.search("droits=%s" % lc_ldap.attributs.nounou):
self.add(table, chain, '-m owner --uid-owner %s -j RETURN' % nounou['uidNumber'][0])
# Rien d'autre ne passe # Rien d'autre ne passe
self.add(table, chain, '-j REJECT --reject-with icmp-net-prohibited') self.add(table, chain, '-j REJECT --reject-with icmp-net-prohibited')
print OK
if apply: if apply:
self.apply(table, chain) self.apply(table, chain)
@ -963,12 +968,14 @@ class firewall_zamok(firewall_base):
chain='BLACKLIST-OUTPUT' chain='BLACKLIST-OUTPUT'
if table == 'filter': if table == 'filter':
self.add(table, chain, '-d 127.0.0.1/8 -j ACCEPT') pretty_print(table, chain)
self.add(table, chain, '-d 127.0.0.1/8 -j RETURN')
for net in NETs['all']: for net in NETs['all']:
self.add(table, chain, '-d %s -j ACCEPT' % net) self.add(table, chain, '-d %s -j RETURN' % net)
for adh in self.blacklisted_adherents(): for adh in self.blacklisted_adherents():
if 'uidNumber' in adh.attrs.keys(): if 'uidNumber' in adh.attrs.keys():
self.add(table, chain, '-m owner --uid-owner %s -j REJECT' % adh['uidNumber'][0]) self.add(table, chain, '-m owner --uid-owner %s -j REJECT' % adh['uidNumber'][0])
print OK
if apply: if apply:
self.apply(table, chain) self.apply(table, chain)