diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index b38aca69..e7c8edb4 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@@ -118,7 +118,7 @@ class firewall_crans : limit = " -m limit --limit 10/s --limit-burst 10 " log_template = '-m limit --limit 1/s --limit-burst 1 -j LOG --log-level notice --log-prefix ' - filtre_flood = '-m hashlimit --hashlimit 20/second --hashlimit-mode srcip,dstip,dstport --hashlimit-name flood' + filtre_flood = '-m hashlimit --hashlimit 100/second --hashlimit-mode srcip,dstip,dstport --hashlimit-name flood' machines = [] debug = 1
@@ -610,8 +610,8 @@ class firewall_komaz(firewall_crans) : # iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int ) # Proxy transparent - iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] + - "-j DNAT --to-destination 10.231.136.9:3128") + #~ iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] + + #~ "-j DNAT --to-destination 10.231.136.9:3128") print OK def filter_table(self) :
@@ -674,6 +674,8 @@ class firewall_komaz(firewall_crans) : # Proxy transparent iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) + iptables('-I FORWARD -o ens -m state --state NEW -j LOG --log-prefix "LOG_ALL "') + iptables('-I FORWARD -i ens -m state --state NEW -j LOG --log-prefix "LOG_ALL "') print OK def classes_p2p_maj(self, ip_list): 
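Review bot: The flood filter is loosened fivefold (`--hashlimit 20/second` to `100/second`) in `filtre_flood` with no comment recording why, and because the hash key is `srcip,dstip,dstport` one client may now open 100 new flows per second to a single service before the match engages. If a specific false positive drove the change, the reason belongs next to the constant, e.g. `# 100/s : 20/s bloquait <cas constaté — à préciser>` (placeholder to fill in). The rule also never sets `--hashlimit-burst`, so the module default applies; making it explicit would document the real threshold. The `firewall_crans` class body continues outside the hunk.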
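Review bot: The transparent-proxy DNAT rule is commented out with `#~` rather than removed, and the same is done for the mangle mark rules and the nat redirects of `firewall_sable` in the hunks at 1229 and 1247, so the live file keeps stale proxy addresses (`10.231.136.9:3128`, `10.51.0.1:3128`) that nobody maintains. The old rules are already in the history; delete the lines and leave one line of intent instead, such as `# Proxy transparent désactivé (anciennes règles dans l'historique git)`, or, if this is a temporary test, say so in the comment. The enclosing method starts outside the hunk.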
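Review bot: The two new LOG rules inserted at the top of FORWARD log every NEW connection in and out of `ens` with no rate limit, although the class already defines `limit` and a `log_template` that caps logging at 1/s; on a router an unthrottled LOG target lets any burst of new flows fill syslog and the disk. Prefer the template, e.g. `iptables('-I FORWARD -o ens -m state --state NEW %s "LOG_ALL "' % self.log_template)` and the same for `-i ens`. The interface name `ens` is hard-coded while the rest of the class goes through attributes such as `self.eth_int`; if it is a shortened real interface name, confirm it matches the host. With the DNAT and mark-setting rules commented out elsewhere in this commit, the retained `-I FORWARD -m mark --mark %s -j ACCEPT` line just above may now accept on a mark nothing sets any more — worth checking before leaving it in. `filter_table` continues outside the hunk.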
@@ -1229,17 +1231,17 @@ class firewall_sable(firewall_rouge): iptables("-t mangle -F PREROUTING") # Pour le proxy transparent - iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " + - "--destination 10.231.136.9 " + - "-m mac --mac-source %s " % mac_komaz + - "-j MARK --set-mark %s" % conf_fw.mark['proxy']) - iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) + # iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " + + #~ "--destination 10.231.136.9 " + + #~ "-m mac --mac-source %s " % mac_komaz + + #~ "-j MARK --set-mark %s" % conf_fw.mark['proxy']) + # iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) def nat_table(self): firewall_rouge.nat_table(self) # Proxy transparent pour le filiaire - iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) + # iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) if_defaut = "eth0" if_radin = "eth0.%d" % vlans["radin"] 
@@ -1247,15 +1249,15 @@ class firewall_sable(firewall_rouge): if_isolement = "eth0.%d" % vlans["isolement"] # Proxy transparent pour le wifi - iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80" %if_defaut + - " -d ! 138.231.136.0/24 -j DNAT --to-destination" + - " 138.231.136.9:3128") + # iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80" %if_defaut + + #~ " -d ! 138.231.136.0/24 -j DNAT --to-destination" + + #~ " 138.231.136.9:3128") # Proxy transparent pour les vlans radin et accueil - for interface in [if_accueil, if_isolement]: - iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.1:3128" % interface) - iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 3128 -j ACCEPT" % interface) - iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface) + #~ for interface in [if_accueil, if_isolement]: + #~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.1:3128" % interface) + #~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 3128 -j ACCEPT" % interface) + #~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface) def post_start_hook(self) : self.anim = anim("\tMise en place du routage")
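Review bot: Disabling the port-80 redirects for `if_defaut` and for the `accueil` and `isolement` vlans changes what those vlans can reach, not only how: HTTP from them was funnelled to `10.51.0.1:3128` and now routes directly, so if that proxy was the policy point (captive portal or quarantine for the isolation vlan), the filter table must reject or redirect their traffic on its own. Please confirm in the commit message which FORWARD rules now cover those vlans, or keep the redirect for `if_isolement` until they exist. The removed lines also dropped the `--destination-port 3128` and `443` ACCEPT rules for the same interfaces; if they were only there to pair with the DNAT, that is fine, otherwise they need to come back. `nat_table` starts outside the hunk.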