From c78754d3e4bde42804975b9588af0a222d665b41 Mon Sep 17 00:00:00 2001
From: segaud
Date: Sun, 22 May 2005 00:43:02 +0200
Subject: [PATCH] =?UTF-8?q?Les=20machines=20accessibles=20aux=20adh=C3=A9r?=
 =?UTF-8?q?entsne=20devront=20laisser=20passer=20que?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

certains services vers le vlan adm. Pour l'instant, hardcodéedans la classe parente, on matche sur les uid pour les services de vert. ce sera plutot mettre dans chaque classe, en fonction de l'install. A terme, d'ailleurs, vert (zamok) ne sera meme plus accessible aux adhérents.

darcs-hash:20050521224302-f163d-7adc92b18773077552adfa89c8032e99d9054230.gz
---
 gestion/gen_confs/firewall_crans.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/gestion/gen_confs/firewall_crans.py b/gestion/gen_confs/firewall_crans.py
index 736362fd..9a562458 100755
--- a/gestion/gen_confs/firewall_crans.py
+++ b/gestion/gen_confs/firewall_crans.py
@@ -72,6 +72,8 @@ class firewall_crans :
 """
 zone_serveur="138.231.136.0/28"
 vlan_adm="138.231.144.0/28"
+
+ adm_uids = [ 0, 1, 38, 103, 105, 106, 111, 112 ]
 mac_wifi = '00:0c:f1:fa:f1:4b'
@@ -125,7 +127,7 @@ class firewall_crans :
 def nat_table(self) :
 self.anim = anim(' Structure de la table nat')
- for chaine in [ 'TEST_MAC-IP', 'RESEAUX_NON_ROUTABLES_SRC', 'RESEAUX_NON_ROUTABLES_DST' ] :
+ for chaine in [ 'TEST_MAC-IP', 'RESEAUX_NON_ROUTABLES_SRC', 'RESEAUX_NON_ROUTABLES_DST', 'SERV_OUT_ADM' ] :
 iptables('-t nat -N %s' % chaine)
 iptables("-t nat -P PREROUTING ACCEPT")
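Review bot: `adm_uids = [ 0, 1, 38, 103, 105, 106, 111, 112 ]` is a bare list of numeric uids with nothing recording which account or service each one stands for, and it sits on the parent class even though the commit message says the set is meant to become per-machine. A comment naming the account behind each uid, or resolving the names at generation time with `pwd.getpwnam(name).pw_uid`, would keep the generated rules from silently diverging when the passwd databases of the hosts differ. Note also that uid 0 is in the list, so the owner match added later in this patch lets any root-owned process on the host reach the admin VLAN; if that is intended it deserves a comment such as `# uid 0 included: root-owned services are not restricted by this chain`.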
@@ -134,11 +136,14 @@ class firewall_crans :
 iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_DST")
 iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_SRC")
 iptables("-t nat -A PREROUTING -j TEST_MAC-IP")
+ iptables("-t nat -A OUTPUT -d %s -j SERV_OUT_ADM" % self.vlan_adm)
 iptables("-t nat -P PREROUTING DROP")
+ iptables("-t nat -P OUTPUT ACCEPT")
 print OK
 def nat_table_tweaks(self) :
 return
+
 def filter_table(self) :
 self.anim = anim(' Structure de la table filter')
 print OK
@@ -147,6 +152,9 @@ class firewall_crans :
 return
 def start_fw_funcs(self) :
+ self.exception_catcher(self.reseaux_non_routables)
+ self.exception_catcher(self.test_mac_ip)
+ self.exception_catcher(self.serv_out_adm)
 return
 def enable_route(self) :
@@ -238,6 +246,15 @@ class firewall_crans :
 print OK
 self.exception_catcher(procedure)
+
+ def serv_out_adm(self) :
+ self.anim = anim(' Output vers VLAN adm', len(self.adm_uids))
+ for uid in self.adm_uids :
+ self.anim.cycle()
+ iptables("-t nat -A SERV_OUT_ADM -m owner --uid-owner %d -j ACCEPT" % uid)
+ iptables("-t nat -A SERV_OUT_ADM -j DROP")
+ self.anim.reinit()
+ print OK
 def __test_mac_ip(self,machine):
 ip=machine.ip()
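Review bot: The uid restriction is enforced in the nat table, where `iptables("-t nat -A OUTPUT -d %s -j SERV_OUT_ADM" % self.vlan_adm)` jumps to a chain whose last rule is DROP (see the `serv_out_adm` hunk at -238); the nat table is consulted only for the packet that creates a connection, and the iptables documentation advises against filtering there, so the conventional and more predictable place for this chain is the filter table's OUTPUT chain, which the `filter_table` stub in this same hunk is being prepared for. Until it moves, `iptables("-t nat -P OUTPUT ACCEPT")` means any locally generated packet that does not reach SERV_OUT_ADM is accepted by default, which is worth stating next to that line, e.g. `# OUTPUT policy is ACCEPT: the DROP at the end of SERV_OUT_ADM is the only barrier towards vlan_adm`. The practical impact is limited because all packets of one socket share an owner, but the placement should be documented or corrected rather than left implicit.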
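Review bot: In `serv_out_adm` the terminal `iptables("-t nat -A SERV_OUT_ADM -j DROP")` is appended last, so if one of the preceding `iptables` calls fails and `exception_catcher` (which wraps this method in the -147 hunk; its behaviour is not visible here) lets the run continue, the chain is left without its DROP and, with the nat OUTPUT policy set to ACCEPT in the -134 hunk, traffic to the admin VLAN passes unfiltered. Appending the DROP before the loop and inserting the ACCEPT rules ahead of it keeps the chain fail-closed while it is being built: `iptables("-t nat -A SERV_OUT_ADM -j DROP")` before `for uid in self.adm_uids :`, and `iptables("-t nat -I SERV_OUT_ADM -m owner --uid-owner %d -j ACCEPT" % uid)` inside the loop. The indentation of the DROP line relative to the loop cannot be read from this rendering; it must sit outside the loop, otherwise the DROP added after the first uid would shadow every later ACCEPT. A one-line docstring, `"""Only processes running as one of adm_uids may open connections to vlan_adm; everything else is dropped."""`, would also tell the next reader what the chain is for.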