diff --git a/gestion/gen_confs/firewall_crans.py b/gestion/gen_confs/firewall_crans.py index 736362fd..9a562458 100755 --- a/gestion/gen_confs/firewall_crans.py +++ b/gestion/gen_confs/firewall_crans.py @@ -72,6 +72,8 @@ class firewall_crans : """ zone_serveur="138.231.136.0/28" vlan_adm="138.231.144.0/28" + + adm_uids = [ 0, 1, 38, 103, 105, 106, 111, 112 ] mac_wifi = '00:0c:f1:fa:f1:4b' @@ -125,7 +127,7 @@ class firewall_crans : def nat_table(self) : self.anim = anim(' Structure de la table nat') - for chaine in [ 'TEST_MAC-IP', 'RESEAUX_NON_ROUTABLES_SRC', 'RESEAUX_NON_ROUTABLES_DST' ] : + for chaine in [ 'TEST_MAC-IP', 'RESEAUX_NON_ROUTABLES_SRC', 'RESEAUX_NON_ROUTABLES_DST', 'SERV_OUT_ADM' ] : iptables('-t nat -N %s' % chaine) iptables("-t nat -P PREROUTING ACCEPT") @@ -134,11 +136,14 @@ class firewall_crans : iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_DST") iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_SRC") iptables("-t nat -A PREROUTING -j TEST_MAC-IP") + iptables("-t nat -A OUTPUT -d %s -j SERV_OUT_ADM" % self.vlan_adm) iptables("-t nat -P PREROUTING DROP") + iptables("-t nat -P OUTPUT ACCEPT") print OK def nat_table_tweaks(self) : return + def filter_table(self) : self.anim = anim(' Structure de la table filter') print OK @@ -147,6 +152,9 @@ class firewall_crans : return def start_fw_funcs(self) : + self.exception_catcher(self.reseaux_non_routables) + self.exception_catcher(self.test_mac_ip) + self.exception_catcher(self.serv_out_adm) return def enable_route(self) : @@ -238,6 +246,15 @@ class firewall_crans : print OK self.exception_catcher(procedure) + + def serv_out_adm(self) : + self.anim = anim(' Output vers VLAN adm', len(self.adm_uids)) + for uid in self.adm_uids : + self.anim.cycle() + iptables("-t nat -A SERV_OUT_ADM -m owner --uid-owner %d -j ACCEPT" % uid) + iptables("-t nat -A SERV_OUT_ADM -j DROP") + self.anim.reinit() + print OK def __test_mac_ip(self,machine): ip=machine.ip()
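Review bot: The new `adm_uids` list authorizes raw numeric UIDs with no record of which accounts they are, so nothing ties `38, 103, 105, 106, 111, 112` to the services that are supposed to reach the admin VLAN. On Debian-style systems UIDs in the 100–999 range are allocated dynamically at package install time, so the same number can name a different account on another host or after a reinstall, and the rule set would then silently grant the wrong daemon access. Add a comment next to the list naming each account, e.g. `# UIDs allowed to open connections to vlan_adm (0=root, 1=daemon, ...); must match this host's /etc/passwd`, or better, keep account names and resolve them with `pwd.getpwnam` when the rules are built. The class `firewall_crans` continues outside the hunk.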
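Review bot: The owner-based restriction is attached in the `nat` table (`-t nat -A OUTPUT -d %s -j SERV_OUT_ADM`), but nat chains are only traversed by the first packet of a connection; any packet with an existing conntrack entry — including flows opened before these rules were loaded — never reaches `SERV_OUT_ADM`, and the nat table is documented as not intended for filtering. Hooking the chain from the `filter` table's OUTPUT chain makes the policy apply to every packet: `iptables('-N SERV_OUT_ADM')` and `iptables('-A OUTPUT -d %s -j SERV_OUT_ADM' % self.vlan_adm)` in `filter_table`, with `serv_out_adm` dropping its `-t nat`. Once the jump moves, the added `-t nat -P OUTPUT ACCEPT` is redundant with the table default. `nat_table` begins outside the hunk.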
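Review bot: `serv_out_adm` is the last call added to `start_fw_funcs`, but the jump from OUTPUT into `SERV_OUT_ADM` is already installed by `nat_table`, and an empty user chain returns to an OUTPUT chain whose policy is ACCEPT. Until the third `exception_catcher` call completes the host has unrestricted access to the admin VLAN, and if `serv_out_adm` raises and `exception_catcher` swallows the error (its body is outside the hunk, so this is inferred from the name) the restriction is never enforced at all — the sequence fails open. Consider running `self.exception_catcher(self.serv_out_adm)` first, or installing the OUTPUT jump only after the chain is populated, and make `start_fw_funcs` abort rather than continue when one of these rule sets fails to load.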
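Review bot: The terminal `DROP` in `serv_out_adm` is appended after the loop, so if any `iptables` call inside the loop fails the chain is left without it and every packet falls through to OUTPUT's ACCEPT policy — the method fails open precisely when something has gone wrong. Building the chain in fail-closed order is a two-line change: append `iptables("-t nat -A SERV_OUT_ADM -j DROP")` before the loop and insert the allowances above it with `iptables("-t nat -I SERV_OUT_ADM -m owner --uid-owner %d -j ACCEPT" % uid)`. The method also has no docstring; a one-liner such as `"""Restrict locally originated traffic to vlan_adm to the UIDs listed in adm_uids."""` would state the contract. The hunk's trailing context belongs to `__test_mac_ip`, which continues outside it.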