diff --git a/gestion/classe_firewall.py b/gestion/classe_firewall.py index 05c32e1b..59869ea6 100755 --- a/gestion/classe_firewall.py +++ b/gestion/classe_firewall.py @@ -87,11 +87,11 @@ class firewall: """ for proto in ["tcp","udp"]: for i in range(len(config.port_default["%s_input" % proto])): - test("iptables -A DEFAULT_INPUT -p %s --dport "%proto+\ + os.system("iptables -A DEFAULT_INPUT -p %s --dport "%proto+\ config.port_default["%s_input" % proto][i]+\ " -j ACCEPT") for i in range(len(config.port_default["%s_output" % proto])): - test("iptables -A DEFAULT_OUTPUT -p %s --sport "%proto+\ + os.system("iptables -A DEFAULT_OUTPUT -p %s --sport "%proto+\ config.port_default["%s_output" % proto][i]+\ " -j ACCEPT") @@ -99,7 +99,7 @@ class firewall: def del_entree(self,ip): """ Détruit une entrée dans le firewall - Note: Il faut *tester lourdement* cette fonction. + Note: Il faut *os.systemer lourdement* cette fonction. """ try: os.system("iptables -L -n > /tmp/firewall") @@ -115,7 +115,8 @@ class firewall: chaine=tmp[1] count=0 if ip in line: - test("iptables -D %i %s"%(count,chaine)) + os.system("iptables -D %s %i"%(chaine,count)) + count=count-1 os.system("rm -f /tmp/firewall") def paire_macip(self,ip,mac): 
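Review bot: The new `os.system(...)` lines in this hunk build the iptables command by splicing `config.port_default[...]` values into a shell string and discard the exit status, so a malformed port value changes the command the shell sees and a rule that fails to install goes unnoticed. If the interpreter is 2.4 or newer, `import subprocess` at the top of the file and an argument list avoid the shell and make the status checkable, e.g. `rc = subprocess.call(["iptables", "-A", "DEFAULT_INPUT", "-p", proto, "--dport", str(config.port_default["%s_input" % proto][i]), "-j", "ACCEPT"])` followed by a test of `rc` (same for the `--sport` rule). The same shell-string-plus-ignored-status pattern recurs in the hunks at @@ -159, @@ -244 and @@ -289. The enclosing method starts before this hunk.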
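Review bot: The docstring edit on the `Note:` line turns the French verb *tester* into the non-word *os.systemer*, evidently a global search-and-replace of `test` that spilled into prose; the line should read `Note: Il faut *tester lourdement* cette fonction.` The same substitution hit the docstring in the hunk at @@ -332, where `os.systemer la blacklist` should go back to `Tester la blacklist`. Separately, the context line redirects `iptables -L -n` into the fixed path `/tmp/firewall`; for a process that drives iptables, a predictable name in a world-writable directory is safer replaced by `tempfile.mkstemp()` or by reading the command's stdout directly instead of a file.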
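Review bot: `if ip in line:` is a substring test, so the new `iptables -D %s %i` line also fires for any longer address that contains `ip` (for instance `10.0.0.1` is contained in `10.0.0.10`, a constructed example) and would then delete an unrelated rule from chain `chaine`. Matching whole tokens, `if ip in line.split():`, restricts the deletion to lines carrying exactly that address. The added `count=count-1` compensates for rule numbers shifting after a deletion, but the place where `count` is incremented lies outside this hunk, so I cannot confirm it lines up with iptables' 1-based numbering; a comment such as `# rules after the deleted one shift up by one` would make the intent explicit. The enclosing `del_entree` loop starts before the hunk.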
@@ -135,18 +136,22 @@ class firewall: for i in range(0,len(search)): self.paire_macip(search[i].ip(),search[i].mac()) barre.cycle() + barre.reinit() + print OK search=db.search('host=*.wifi.crans.org')['machine'] barre=anim("Filtrage mac-ip des machines wifi.",len(search)) for i in range(0,len(search)): self.paire_macip(search[i].ip(),'00:0c:f1:fa:f1:4b') barre.cycle() + barre.reinit() + print OK os.system("iptables -t nat -A PREROUTING -i %s -s \\!"%int_crans+\ " 138.231.136.0/21 -j ACCEPT") os.system("iptables -t nat -A PREROUTING -i %s -s \\!"%int_crans+\ " 138.231.148.0/22 -j ACCEPT") - for i in reseaux_non_routables: + for i in reseaux_non_routables: os.system("iptables -t nat -A PREROUTING -i %s -s %s"%(int_crans,i)+\ " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ " -j LOG --log-level %s --log-prefix %s"%\ @@ -159,19 +164,19 @@ class firewall: (loglevel,logprefix_macip)) os.system("iptables -t nat -A PREROUTING -i %s -d %s -j DROP"%\ (int_crans,i)) - test("iptables -t nat -A PREROUTING -i %s -p tcp "%int_crans+\ + os.system("iptables -t nat -A PREROUTING -i %s -p tcp "%int_crans+\ " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ " -j LOG --log-level %s --log-prefix %s"%\ (loglevel,logprefix_macip)) - test("iptables -t nat -A PREROUTING -i %s -p tcp"%int_crans+\ - " -j REJECT --reject-with tcp-reset") - test("iptables -t nat -A PREROUTING -i %s -p udp"%int_crans+\ + os.system("iptables -t nat -A PREROUTING -i %s -p tcp"%int_crans+\ + " -j DROP") + os.system("iptables -t nat -A PREROUTING -i %s -p udp"%int_crans+\ " -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ " -j LOG --log-level %s --log-prefix %s"%\ (loglevel,logprefix_macip)) - test("iptables -t nat -A PREROUTING -i %s -p udp"%int_crans+\ - " -j REJECT --reject-with icmp-port-unreachable") - + os.system("iptables -t nat -A PREROUTING -i %s -p udp"%int_crans+\ + " -j DROP") + def komaz(self): """ Crée les règles spécifiques à la machine komaz 
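Review bot: The two new `barre.reinit()` / `print OK` epilogues are identical and print a success marker regardless of what happened inside `self.paire_macip`, whose body is outside this hunk; if that method reports failures, the marker should depend on it, otherwise a comment like `# OK only means the loop completed, not that every rule loaded` keeps the output honest. `OK` is used as a bare name here, so it must be a module-level constant defined earlier in the file — not visible from this hunk. The enclosing method starts before the hunk.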
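Review bot: Switching the final tcp/udp rules from `REJECT --reject-with ...` to `DROP` changes what a non-paired client observes (a silent timeout instead of an immediate reset or port-unreachable) and nothing in the hunk records why; if the reason is that the REJECT target is not accepted in the nat table's PREROUTING chain, which I believe is the case, a comment on the first of the two lines, `# REJECT is not available in nat/PREROUTING; DROP is the only refusal here`, would keep the next reader from reverting it. Note also that the nat table is consulted only for the first packet of a connection, so this mac-ip check never sees later packets of an already-tracked flow; that is pre-existing design, but a sentence in the method's docstring would document the limitation. The enclosing method starts before this hunk and `komaz` begins at its end.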
@@ -244,19 +249,19 @@ class firewall: else: blacklist+=entite.machines() for instance_machine in blacklist: - test("iptables -A BLACKLIST_INPUT -d %s"%\ + os.system("iptables -A BLACKLIST_INPUT -d %s"%\ instance_machine.ip().encode("iso-8859-15")+\ "-m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ - "-j LOG --log-level %s --log-prefix_macip %s"%\ + " -j LOG --log-level %s --log-prefix_macip %s"%\ (loglevel,logprefix_blacklist)) - test("iptables -A BLACKLIST_INPUT -d %s -j REJECT"%\ + os.system("iptables -A BLACKLIST_INPUT -d %s -j REJECT"%\ instance_machine.ip()) - test("iptables -A BLACKLIST_OUTPUT -s %s"%\ + os.system("iptables -A BLACKLIST_OUTPUT -s %s"%\ instance_machine.ip().encode("iso-8859-15")+\ "-m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\ - "-j LOG --log-level %s --log-prefix_macip %s"%\ + " -j LOG --log-level %s --log-prefix_macip %s"%\ (loglevel,logprefix_blacklist)) - test("iptables -A BLACKLIST_OUTPUT -s %s -j REJECT"%\ + os.system("iptables -A BLACKLIST_OUTPUT -s %s -j REJECT"%\ instance_machine.ip()) os.system("iptables -A BLACKLIST_INPUT -j DEFAULT_INPUT") os.system("iptables -A BLACKLIST_OUTPUT -j DEFAULT_OUTPUT") @@ -289,9 +294,9 @@ class firewall: "%s -j ACCEPT"%limite_connexion) os.system("iptables -A ADHERENTS_OUTPUT -m state --state "+\ "ESTABLISHED -m limit --limit-burst "+\ - "%s-j ACCEPT"%limite_connexion) - test("iptables -A DEFAULT_INPUT -j ADHERENTS_INPUT") - test("iptables -A DEFAULT_OUTPUT -j ADHERENTS_OUTPUT") + "%s -j ACCEPT"%limite_connexion) + os.system("iptables -A DEFAULT_INPUT -j ADHERENTS_INPUT") + os.system("iptables -A DEFAULT_OUTPUT -j ADHERENTS_OUTPUT") db=crans_ldap() search=db.search('host=*.crans.org & portTCPin=*')['machine'] @@ -332,7 +337,7 @@ class firewall: def adherent(self,ip): """ Gère complètement l'ajout d'un adhérent dans le firewall - Tester la blacklist + os.systemer la blacklist """ db=crans_ldap() search=db.search('ip='+ip)['machine'] 
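Review bot: The two LOG rules in this hunk still cannot load: the new first lines `"iptables -A BLACKLIST_INPUT -d %s"` and `"-s %s"` are followed by the unchanged `"-m limit ..."` fragment with no separating space, producing `-d <ip>-m limit`, and `--log-prefix_macip` is not an option the LOG target accepts (the valid `--log-prefix` is what the hunk at @@ -159 uses). The commit fixed the space before `-j LOG` but not these two, so each blacklisted machine gets its REJECT rules without the logging and, with `os.system`'s status ignored, no error surfaces. Change the fragment to `" -m limit --limit %s --limit-burst %s"%(loglimit,logburst)+\` and the option line to `" -j LOG --log-level %s --log-prefix %s"%\` in both the INPUT and OUTPUT rules. The enclosing method starts before this hunk.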
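Review bot: The corrected ADHERENTS_OUTPUT rule, which begins before this hunk, pairs `-m limit` with only `--limit-burst %s` and no `--limit`, so once the burst of `limite_connexion` packets is spent the match falls back to the limit module's default average rate (3 per hour according to the iptables manual); unless a `--limit` is supplied on a line above the hunk, ESTABLISHED traffic would be throttled to that default, which seems unlikely to be intended. If a rate is meant, put it in the same string, e.g. `"ESTABLISHED -m limit --limit <RATE> --limit-burst "+\` with `<RATE>` taken from configuration, or add a comment stating that the default is deliberate. The two new chain-link `os.system` lines are otherwise fine.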
@@ -344,31 +349,31 @@ class firewall: wifi=False while (i