[ipt,firewall6,firewall_new] Mise à jour du blocage des tracker torrent udp, les port 445 et 135 sont retirer du trigger VIRUS (mais toujours bloqués)

Ignore-this: ea68ea4670ec109a2575a243c2e89ca6

darcs-hash:20121209172425-3a55a-3fb45d35a11fc552e0c1e786d181334272913123.gz

gestion/gen_confs/firewall6.py

@@ -132,9 +132,13 @@ def main_router():
     ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_crans)
     ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' %  dev_ip6 )
     
-    udp_torrent_tracker = {
-        'tracker.ccc.de':[['2001:67c:20a0:7::2',80]],
-        'tracker.istole.it':[['2a00:1a28:1151:6:230:48ff:fed4:ee8c',80]],
+    udp_torrent_tracker={
+        'tracker.openbittorrent.com':gethostbyname('tracker.openbittorrent.com')[1],
+        'tracker.ccc.de':gethostbyname('tracker.ccc.de')[1],
+        'tracker.istole.it':gethostbyname('tracker.istole.it')[1],
+        'tracker.publicbt.com':gethostbyname('tracker.publicbt.com')[1],
+        'tracker.1337x.org':gethostbyname('tracker.1337x.org')[1],
+        'fr33domtracker.h33t.com':gethostbyname('fr33domtracker.h33t.com')[1],
         }
 
     # Les blacklistes
@@ -160,10 +164,10 @@ def main_router():
     ip6tables.filter.tracker_torrent('-j REJECT --reject-with icmp6-adm-prohibited')
     ip6tables.filter.forward('-p tcp -m string --algo kmp --string "GET /" -j TRACKER_TORRENT')
     ip6tables.filter.forward('-p tcp -m string --algo kmp --string "get /" -j TRACKER_TORRENT')
-    for tracker in udp_torrent_tracker.values():
-        for dest in tracker:
-            ip6tables.filter.forward('-p udp -d %s --dport %s -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "' % (dest[0],dest[1]))
-            ip6tables.filter.forward('-p udp -d %s --dport %s -j REJECT --reject-with icmp6-adm-prohibited' % (dest[0],dest[1]))
+    for tracker in udp_torrent_tracker.keys():
+        for dest in udp_torrent_tracker[tracker]:
+            ip6tables.filter.forward('-p udp -d %s -j LOG --log-level notice --log-prefix "TRACKER:%s "' % (dest,(tracker[:20]) if len(tracker) > 20 else tracker))
+            ip6tables.filter.forward('-p udp -d %s -j REJECT --reject-with icmp6-adm-prohibited' % dest)
     
     ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
     

gestion/gen_confs/firewall_new.py

@@ -40,6 +40,7 @@ from iptools import AddrInNet, NetSubnets, IpSubnet
 from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire
 from ipset import IpsetError, Ipset
 from lc_ldap import lc_ldap
+from ipt import gethostbyname
 syslog.openlog('firewall')
 
 debug = 1
@@ -455,7 +456,8 @@ class firewall_komaz(firewall_crans) :
                       'udp_CRANS_VERS_EXT': [ ':136','140:'] }
 
 
-    ports_virus = { 'tcp' :  [ 135, 445 ] , 'udp' : [] }
+    # on retire 445 et 135 en tcp car plein de mac se font deconnecter
+    ports_virus = { 'tcp' :  [ ] , 'udp' : [] }
 
     # Filtrage du peer to peer
     # Apple et WinMX desactives car possibilite de fausse detection par ipp2p
@@ -473,10 +475,12 @@ class firewall_komaz(firewall_crans) :
             ]
             
     udp_torrent_tracker={
-        'tracker.openbittorrent.com':[['95.215.62.26',80],['95.215.62.5',80]],
-        'tracker.ccc.de':[['195.54.164.83',80]],
-        'tracker.istole.it':[['192.121.121.30',80]],
-        'tracker.publicbt.com':[['95.211.88.54',80],['95.211.88.49',80],['95.211.88.51',80]],
+        'tracker.openbittorrent.com':gethostbyname('tracker.openbittorrent.com')[0],
+        'tracker.ccc.de':gethostbyname('tracker.ccc.de')[0],
+        'tracker.istole.it':gethostbyname('tracker.istole.it')[0],
+        'tracker.publicbt.com':gethostbyname('tracker.publicbt.com')[0],
+        'tracker.1337x.org':gethostbyname('tracker.1337x.org')[0],
+        'fr33domtracker.h33t.com':gethostbyname('fr33domtracker.h33t.com')[0],
         }
 
 
@@ -1188,9 +1192,10 @@ class firewall_komaz(firewall_crans) :
             iptables('-A FILTRE_P2P -m ipp2p --%s -j REJECT --reject-with icmp-admin-prohibited' % filtre[0])
             self.anim.cycle()
         #on rejetes les trackeur udp les plus connus
-        for tracker in self.udp_torrent_tracker.values():
-            for dest in tracker:
-                iptables('-A FILTRE_P2P -p udp -d %s --dport %s -j REJECT --reject-with icmp-admin-prohibited' % (dest[0],dest[1]))
+        for tracker in self.udp_torrent_tracker.keys():
+            for dest in self.udp_torrent_tracker[tracker]:
+                iptables('-A FILTRE_P2P -p udp -d %s -j LOG --log-level notice --log-prefix "TRACKER:%s "' % (dest,(tracker[:20]) if len(tracker) > 20 else tracker))
+                iptables('-A FILTRE_P2P -p udp -d %s -j REJECT --reject-with icmp-admin-prohibited' % dest)
                  
         #On log les requetes a des trackers torrents puis on les rejetes
         iptables("-A TRACKER_FILTER  -m string --algo kmp ! --string \"info_hash=\" -j ACCEPT")

gestion/ipt.py

@@ -20,7 +20,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 
-import os, re, syslog, cPickle
+import os, re, syslog, cPickle, socket
 
 from ldap_crans import crans_ldap, hostname
 from commands import getstatusoutput
@@ -69,6 +69,18 @@ db = crans_ldap()
 #
 ##############################################################################
 
+def gethostbyname(hostname):
+	hosts4=[]
+	hosts6=[]
+	try : 
+		for host in socket.getaddrinfo(hostname,None,socket.AF_INET,socket.IPPROTO_IP,socket.AI_CANONNAME):
+			hosts4.append(host[4][0])
+	except(socket.gaierror): pass
+	try : 
+		for host in socket.getaddrinfo(hostname,None,socket.AF_INET6,socket.IPPROTO_IP,socket.AI_CANONNAME):
+			hosts6.append(host[4][0])
+	except(socket.gaierror): pass
+	return (hosts4,hosts6)
 
 class Chain(object):
     ''' Classe regroupant toutes les règles du firewall '''