crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[firewall_new] Mort à squid, on log les connections sur komaz, on monte la limite de flood à 100/s

Browse source 
Ignore-this: e2f6cbc17adbddd4c0cf10a60f2435af

darcs-hash:20111118015755-3a55a-0598ec8bcf9006269f9f96f029ededd5380c53f8.gz
This commit is contained in:
Valentin Samir 2011-11-18 02:57:55 +01:00
parent 52d2f752ca
commit f08476b6f8
1 changed files with 18 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

34
gestion/gen_confs/firewall_new.py
View file

@ -118,7 +118,7 @@ class firewall_crans :
limit = " -m limit --limit 10/s --limit-burst 10 " limit = " -m limit --limit 10/s --limit-burst 10 "
log_template = '-m limit --limit 1/s --limit-burst 1 -j LOG --log-level notice --log-prefix ' log_template = '-m limit --limit 1/s --limit-burst 1 -j LOG --log-level notice --log-prefix '
filtre_flood = '-m hashlimit --hashlimit 20/second --hashlimit-mode srcip,dstip,dstport --hashlimit-name flood' filtre_flood = '-m hashlimit --hashlimit 100/second --hashlimit-mode srcip,dstip,dstport --hashlimit-name flood'
machines = [] machines = []
debug = 1 debug = 1
@ -610,8 +610,8 @@ class firewall_komaz(firewall_crans) :
# iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int ) # iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int )
# Proxy transparent # Proxy transparent
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] + #~ iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
"-j DNAT --to-destination 10.231.136.9:3128") #~ "-j DNAT --to-destination 10.231.136.9:3128")
print OK print OK
def filter_table(self) : def filter_table(self) :
@ -674,6 +674,8 @@ class firewall_komaz(firewall_crans) :
# Proxy transparent # Proxy transparent
iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
iptables('-I FORWARD -o ens -m state --state NEW -j LOG --log-prefix "LOG_ALL "')
iptables('-I FORWARD -i ens -m state --state NEW -j LOG --log-prefix "LOG_ALL "')
print OK print OK
def classes_p2p_maj(self, ip_list): def classes_p2p_maj(self, ip_list):
@ -1229,17 +1231,17 @@ class firewall_sable(firewall_rouge):
iptables("-t mangle -F PREROUTING") iptables("-t mangle -F PREROUTING")
# Pour le proxy transparent # Pour le proxy transparent
iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " + # iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
"--destination 10.231.136.9 " + #~ "--destination 10.231.136.9 " +
"-m mac --mac-source %s " % mac_komaz + #~ "-m mac --mac-source %s " % mac_komaz +
"-j MARK --set-mark %s" % conf_fw.mark['proxy']) #~ "-j MARK --set-mark %s" % conf_fw.mark['proxy'])
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) # iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
def nat_table(self): def nat_table(self):
firewall_rouge.nat_table(self) firewall_rouge.nat_table(self)
# Proxy transparent pour le filiaire # Proxy transparent pour le filiaire
iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) # iptables("-t nat -I PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
if_defaut = "eth0" if_defaut = "eth0"
if_radin = "eth0.%d" % vlans["radin"] if_radin = "eth0.%d" % vlans["radin"]
@ -1247,15 +1249,15 @@ class firewall_sable(firewall_rouge):
if_isolement = "eth0.%d" % vlans["isolement"] if_isolement = "eth0.%d" % vlans["isolement"]
# Proxy transparent pour le wifi # Proxy transparent pour le wifi
iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80" %if_defaut + # iptables("-t nat -A PREROUTING -i %s -p tcp --dport 80" %if_defaut +
" -d ! 138.231.136.0/24 -j DNAT --to-destination" + #~ " -d ! 138.231.136.0/24 -j DNAT --to-destination" +
" 138.231.136.9:3128") #~ " 138.231.136.9:3128")
# Proxy transparent pour les vlans radin et accueil # Proxy transparent pour les vlans radin et accueil
for interface in [if_accueil, if_isolement]: #~ for interface in [if_accueil, if_isolement]:
iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.1:3128" % interface) #~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 80 -j DNAT --to-destination 10.51.0.1:3128" % interface)
iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 3128 -j ACCEPT" % interface) #~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 3128 -j ACCEPT" % interface)
iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface) #~ iptables("-t nat -i %s -A PREROUTING -p tcp --destination-port 443 -j ACCEPT" % interface)
def post_start_hook(self) : def post_start_hook(self) :
self.anim = anim("\tMise en place du routage") self.anim = anim("\tMise en place du routage")