crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[firewall4] Blacklists hard avant la conntrack et pas de QoS en zone ENS et vers OVH (test de connexion de secours)

Browse source
This commit is contained in:
Valentin Samir 2013-04-09 15:38:26 +02:00
parent 6b0f322716
commit ccdc2e2336
1 changed files with 10 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

12
gestion/gen_confs/firewall4.py
View file

@ -506,13 +506,13 @@ class firewall_komaz(firewall_base_routeur):
self.add(table, chain, '-i lo -j ACCEPT') self.add(table, chain, '-i lo -j ACCEPT')
self.add(table, chain, '-p icmp -j ACCEPT') self.add(table, chain, '-p icmp -j ACCEPT')
self.add(table, chain, '-j %s' % self.admin_vlan(table)) self.add(table, chain, '-j %s' % self.admin_vlan(table))
self.add(table, chain, '-i %s -j %s' % (dev['out'], blacklist_hard_chain))
self.add(table, chain, '-o %s -j %s' % (dev['out'], blacklist_hard_chain))
self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT') self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT')
self.add(table, chain, '-j %s' % self.reseaux_non_routable(table, fill_ipset=True)) self.add(table, chain, '-j %s' % self.reseaux_non_routable(table, fill_ipset=True))
self.add(table, chain, '-j %s' % self.blacklist_soft(table)) self.add(table, chain, '-j %s' % self.blacklist_soft(table))
for net in NETs['all'] + NETs['adm'] + NETs['personnel-ens']: for net in NETs['all'] + NETs['adm'] + NETs['personnel-ens']:
self.add(table, chain, '-s %s -j %s' % (net, mac_ip_chain)) self.add(table, chain, '-s %s -j %s' % (net, mac_ip_chain))
self.add(table, chain, '-i %s -j %s' % (dev['out'], blacklist_hard_chain))
self.add(table, chain, '-o %s -j %s' % (dev['out'], blacklist_hard_chain))
self.add(table, chain, '-j %s' % self.connexion_secours(table)) self.add(table, chain, '-j %s' % self.connexion_secours(table))
self.add(table, chain, '-j %s' % self.connexion_appartement(table)) self.add(table, chain, '-j %s' % self.connexion_appartement(table))
self.add(table, chain, '-j %s' % self.ingress_filtering(table)) self.add(table, chain, '-j %s' % self.ingress_filtering(table))
@ -807,9 +807,17 @@ class firewall_komaz(firewall_base_routeur):
if table == 'mangle': if table == 'mangle':
pretty_print(table, chain) pretty_print(table, chain)
# Pas de QoS vers/depuis la zone ENS
self.add(table, chain, '-d 138.231.0.0/16 -s 138.231.0.0/16 -j RETURN')
# Idem pour le ftp
self.add(table, chain, '-d 138.231.136.98 -j RETURN') self.add(table, chain, '-d 138.231.136.98 -j RETURN')
self.add(table, chain, '-s 138.231.136.98 -j RETURN') self.add(table, chain, '-s 138.231.136.98 -j RETURN')
# Idem vers OVH pour le test de la connection de secours
self.add(table, chain, '-d 91.121.84.138 -j RETURN')
self.add(table, chain, '-s 91.121.84.138 -j RETURN')
# Classification par defaut pour tous les paquets # Classification par defaut pour tous les paquets
for net in NETs['all']: for net in NETs['all']:
self.add(table, chain, '-o %s -s %s -j CLASSIFY --set-class 1:10' % (dev['out'], net)) self.add(table, chain, '-o %s -s %s -j CLASSIFY --set-class 1:10' % (dev['out'], net))