From d22aef6d3e967c6094ff737686d2ea2ecb16531e Mon Sep 17 00:00:00 2001
From: salles
Date: Tue, 25 Apr 2006 15:02:22 +0200
Subject: [PATCH] On utilise encore plus la conf pour gnrer le firewall

darcs-hash:20060425130222-72cb0-8665c03e99151bbb39c52799c74286ea30f931c0.gz
---
 gestion/gen_confs/firewall.py | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/gestion/gen_confs/firewall.py b/gestion/gen_confs/firewall.py
index d589b413..e53fb3dd 100755
--- a/gestion/gen_confs/firewall.py
+++ b/gestion/gen_confs/firewall.py
@@ -33,7 +33,7 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi
 from affich_tools import *
 from commands import getstatusoutput
 from iptools import AddrInNet, subnets, IpSubnet
-from config import mac_komaz, mac_wifi, conf_fw, p2p
+from config import NETs, mac_komaz, mac_wifi, conf_fw, p2p
 syslog.openlog('firewall')
 debug = 1
@@ -98,8 +98,8 @@ class firewall_crans :
 faut pour mettre en place un fw basique n'effectuant que la verif
 MAC-IP.
 """
- zone_serveur="138.231.136.0/28"
- vlan_adm="138.231.144.0/24"
+ zone_serveur = NETs['serveurs'][0]
+ vlan_adm = NETs['vlan-adm'][0]
 adm_users = [ "root", "identd", "daemon", "postfix", "freerad", "amavis", "nut", "respbats", "list", "sqlgrey"]
@@ -487,7 +487,7 @@ class firewall_komaz(firewall_crans) :
 # Proxy transparent
 iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
 iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " +
- "-s 138.231.136.0/21 -d \! 138.231.148.0/22 -j MARK " +
+ "-s %s -d \! %s -j MARK " % (NETs['fil'][0], NETs['wifi'][0]) +
 "--set-mark %s" % conf_fw.mark['proxy'])
 iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
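Review bot: The transparent-proxy MARK rule in the firewall_komaz hunk now reads only `NETs['fil'][0]` and `NETs['wifi'][0]`, while the MAC-IP hunks of this same patch iterate over every entry of those lists; if either list ever holds a second subnet, port-80 traffic from the extra wired subnet is no longer sent to the proxy and traffic towards the extra wifi subnet is marked, with no error to show it. The same `[0]` shortcut appears in the firewall_crans hunk for `zone_serveur = NETs['serveurs'][0]` and `vlan_adm = NETs['vlan-adm'][0]`. If these keys are single-subnet by construction, say so where they are read, e.g. `# NETs['serveurs'], NETs['fil'] and NETs['wifi'] are assumed to hold exactly one subnet each; [0] is deliberate`; otherwise the proxy rule needs one MARK per wired subnet and one exempting RETURN per wifi subnet rather than a single `-d \! x`. The enclosing methods start and end outside these hunks.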
@@ -948,10 +948,9 @@ class firewall_zamok(firewall_crans) :
 iptables("-t nat -P PREROUTING ACCEPT")
 iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
 iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP")
-
- iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
- iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
- iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
+
+ for net in NETs['fil'] + NETs['vlan-adm'] + NETs['wifi'] :
+ iptables("-t nat -A PREROUTING -s %s -j TEST_MAC-IP" % net)
 iptables("-t filter -A OUTPUT -o lo -j ACCEPT")
 # pour une connection entrante venant du VLAN adm, il faut que le ACK
@@ -1004,9 +1003,8 @@ class firewall_rouge(firewall_crans) :
 iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
 iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP")
- iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
- iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
- iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
+ for net in NETs['fil'] + NETs['vlan-adm'] + NETs['wifi'] :
+ iptables("-t nat -A PREROUTING -s %s -j TEST_MAC-IP" % net)
 iptables("-t nat -P PREROUTING ACCEPT")
 iptables("-t nat -P OUTPUT ACCEPT")
@@ -1046,9 +1044,8 @@ class firewall_vert(firewall_crans) :
 iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
 iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP")
- iptables("-t nat -A PREROUTING -s 138.231.136.0/21 -j TEST_MAC-IP")
- iptables("-t nat -A PREROUTING -s 138.231.144.0/24 -j TEST_MAC-IP")
- iptables("-t nat -A PREROUTING -s 138.231.148.0/22 -j TEST_MAC-IP")
+ for net in NETs['fil'] + NETs['vlan-adm'] + NETs['wifi'] :
+ iptables("-t nat -A PREROUTING -s %s -j TEST_MAC-IP" % net)
 iptables("-t nat -P PREROUTING ACCEPT")
 iptables("-t nat -P OUTPUT ACCEPT")
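Review bot: The set of source ranges that is sent through TEST_MAC-IP is now exactly what the config lists under `NETs['fil']`, `NETs['vlan-adm']` and `NETs['wifi']`, and an empty list produces no rule at all; with the nat PREROUTING policy set to ACCEPT in the same hunk, traffic from a range dropped from the config then bypasses the MAC-IP check without any error (a missing key still fails with KeyError, an empty list does not). A guard before the loop keeps this fail-closed: `nets = NETs['fil'] + NETs['vlan-adm'] + NETs['wifi']`, `if not nets : raise ValueError("no subnet configured for TEST_MAC-IP")`, `for net in nets :`. The identical loop is pasted into firewall_zamok, firewall_rouge and firewall_vert (hunks at 1004 and 1046); moving it, guard included, into one helper on firewall_crans would keep the three in step the next time the list of keys changes. The enclosing methods start and end outside these hunks.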