crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Les machines accessibles aux adhérentsne devront laisser passer que

Browse source 
certains services vers le vlan adm. Pour l'instant, hardcodéedans la
classe parente, on matche sur les uid pour les services de vert.
ce sera plutot mettre dans chaque classe, en fonction de l'install.
A terme, d'ailleurs, vert (zamok) ne sera meme plus accessible aux adhérents.

darcs-hash:20050521224302-f163d-7adc92b18773077552adfa89c8032e99d9054230.gz
This commit is contained in:
segaud 2005-05-22 00:43:02 +02:00
parent 4267abe904
commit c78754d3e4
1 changed files with 18 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

19
gestion/gen_confs/firewall_crans.py
View file

@ -73,6 +73,8 @@ class firewall_crans :
zone_serveur="138.231.136.0/28" zone_serveur="138.231.136.0/28"
vlan_adm="138.231.144.0/28" vlan_adm="138.231.144.0/28"
adm_uids = [ 0, 1, 38, 103, 105, 106, 111, 112 ]
mac_wifi = '00:0c:f1:fa:f1:4b' mac_wifi = '00:0c:f1:fa:f1:4b'
limit = " -m limit --limit 10/s --limit-burst 10 " limit = " -m limit --limit 10/s --limit-burst 10 "
@ -125,7 +127,7 @@ class firewall_crans :
def nat_table(self) : def nat_table(self) :
self.anim = anim(' Structure de la table nat') self.anim = anim(' Structure de la table nat')
for chaine in [ 'TEST_MAC-IP', 'RESEAUX_NON_ROUTABLES_SRC', 'RESEAUX_NON_ROUTABLES_DST' ] : for chaine in [ 'TEST_MAC-IP', 'RESEAUX_NON_ROUTABLES_SRC', 'RESEAUX_NON_ROUTABLES_DST', 'SERV_OUT_ADM' ] :
iptables('-t nat -N %s' % chaine) iptables('-t nat -N %s' % chaine)
iptables("-t nat -P PREROUTING ACCEPT") iptables("-t nat -P PREROUTING ACCEPT")
@ -134,11 +136,14 @@ class firewall_crans :
iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_DST") iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_DST")
iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_SRC") iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_SRC")
iptables("-t nat -A PREROUTING -j TEST_MAC-IP") iptables("-t nat -A PREROUTING -j TEST_MAC-IP")
iptables("-t nat -A OUTPUT -d %s -j SERV_OUT_ADM" % self.vlan_adm)
iptables("-t nat -P PREROUTING DROP") iptables("-t nat -P PREROUTING DROP")
iptables("-t nat -P OUTPUT ACCEPT")
print OK print OK
def nat_table_tweaks(self) : def nat_table_tweaks(self) :
return return
def filter_table(self) : def filter_table(self) :
self.anim = anim(' Structure de la table filter') self.anim = anim(' Structure de la table filter')
print OK print OK
@ -147,6 +152,9 @@ class firewall_crans :
return return
def start_fw_funcs(self) : def start_fw_funcs(self) :
self.exception_catcher(self.reseaux_non_routables)
self.exception_catcher(self.test_mac_ip)
self.exception_catcher(self.serv_out_adm)
return return
def enable_route(self) : def enable_route(self) :
@ -239,6 +247,15 @@ class firewall_crans :
self.exception_catcher(procedure) self.exception_catcher(procedure)
def serv_out_adm(self) :
self.anim = anim(' Output vers VLAN adm', len(self.adm_uids))
for uid in self.adm_uids :
self.anim.cycle()
iptables("-t nat -A SERV_OUT_ADM -m owner --uid-owner %d -j ACCEPT" % uid)
iptables("-t nat -A SERV_OUT_ADM -j DROP")
self.anim.reinit()
print OK
def __test_mac_ip(self,machine): def __test_mac_ip(self,machine):
ip=machine.ip() ip=machine.ip()
mac=machine.mac() mac=machine.mac()