On utilise encore plus la conf pour générer le firewall

darcs-hash:20060425130222-72cb0-8665c03e99151bbb39c52799c74286ea30f931c0.gz
salles 2006-04-25 15:02:22 +02:00
parent 0a4fa3b539
commit d22aef6d3e


@ -33,7 +33,7 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi
from affich_tools import *
from commands import getstatusoutput
from iptools import AddrInNet, subnets, IpSubnet
from config import mac_komaz, mac_wifi, conf_fw, p2p
from config import NETs, mac_komaz, mac_wifi, conf_fw, p2p
syslog.openlog('firewall')
debug = 1
@ -98,8 +98,8 @@ class firewall_crans :
faut pour mettre en place un fw basique n'effectuant que la
verif MAC-IP.
"""
zone_serveur="138.231.136.0/28"
vlan_adm="138.231.144.0/24"
zone_serveur = NETs['serveurs'][0]
vlan_adm = NETs['vlan-adm'][0]
adm_users = [ "root", "identd", "daemon", "postfix", "freerad", "amavis", "nut", "respbats", "list", "sqlgrey"]
@ -487,7 +487,7 @@ class firewall_komaz(firewall_crans) :
# Proxy transparent
iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " +
"-s 138.231.136.0/21 -d \! 138.231.148.0/22 -j MARK " +
"-s %s -d \! %s -j MARK " % (NETs['fil'][0], NETs['wifi'][0]) +
"--set-mark %s" % conf_fw.mark['proxy'])
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
@ -948,10 +948,9 @@ class firewall_zamok(firewall_crans) :
iptables("-t nat -P PREROUTING ACCEPT")
iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP")
iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
for net in NETs['fil'] + NETs['vlan-adm'] + NETs['wifi'] :
iptables("-t nat -A PREROUTING -s %s -j TEST_MAC-IP" % net)
iptables("-t filter -A OUTPUT -o lo -j ACCEPT")
# pour une connection entrante venant du VLAN adm, il faut que le ACK
@ -1004,9 +1003,8 @@ class firewall_rouge(firewall_crans) :
iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP")
iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
for net in NETs['fil'] + NETs['vlan-adm'] + NETs['wifi'] :
iptables("-t nat -A PREROUTING -s %s -j TEST_MAC-IP" % net)
iptables("-t nat -P PREROUTING ACCEPT")
iptables("-t nat -P OUTPUT ACCEPT")
@ -1046,9 +1044,8 @@ class firewall_vert(firewall_crans) :
iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP")
iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
for net in NETs['fil'] + NETs['vlan-adm'] + NETs['wifi'] :
iptables("-t nat -A PREROUTING -s %s -j TEST_MAC-IP" % net)
iptables("-t nat -P PREROUTING ACCEPT")
iptables("-t nat -P OUTPUT ACCEPT")
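Review bot: In the `# Proxy transparent` hunk of firewall_komaz the new MARK rule reads only `NETs['fil'][0]` and `NETs['wifi'][0]`, while every TEST_MAC-IP hunk in this same commit iterates over the full `NETs['fil'] + NETs['vlan-adm'] + NETs['wifi']` lists — so a second wired subnet added to the config would get its MAC-IP check yet silently bypass the transparent proxy, and a second wifi subnet would be proxied instead of excluded. The source side is cheap to make consistent: `for net in NETs['fil'] :` / `iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 -s %s -d \! %s -j MARK --set-mark %s" % (net, NETs['wifi'][0], conf_fw.mark['proxy']))`. The `-d \!` exclusion cannot be looped the same way (one iptables rule carries a single negated destination), so either guard the single-subnet assumption explicitly with `if len(NETs['wifi']) != 1: raise ValueError("transparent proxy expects exactly one wifi subnet")` before building the rule, or move the exclusion into a dedicated sub-chain; the same unstated `[0]` assumption is introduced for `zone_serveur` and `vlan_adm` in the firewall_crans hunk and deserves at least a comment there. Note also that `"\!"` is not a Python escape, so the literal backslash-bang reaches the iptables invocation through the shell — pre-existing, but now that the line is rewritten a `# '\!' is the shell-escaped iptables negation` comment would save the next reader a detour. The enclosing method continues outside the hunk.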