diff --git a/gestion/gen_confs/firewall6.py b/gestion/gen_confs/firewall6.py
index 4e9ab497..2c3dce63 100755
--- a/gestion/gen_confs/firewall6.py
+++ b/gestion/gen_confs/firewall6.py
@@ -132,9 +132,13 @@ def main_router():
 ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_crans)
 ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_ip6 )
- udp_torrent_tracker = {
- 'tracker.ccc.de':[['2001:67c:20a0:7::2',80]],
- 'tracker.istole.it':[['2a00:1a28:1151:6:230:48ff:fed4:ee8c',80]],
+ udp_torrent_tracker={
+ 'tracker.openbittorrent.com':gethostbyname('tracker.openbittorrent.com')[1],
+ 'tracker.ccc.de':gethostbyname('tracker.ccc.de')[1],
+ 'tracker.istole.it':gethostbyname('tracker.istole.it')[1],
+ 'tracker.publicbt.com':gethostbyname('tracker.publicbt.com')[1],
+ 'tracker.1337x.org':gethostbyname('tracker.1337x.org')[1],
+ 'fr33domtracker.h33t.com':gethostbyname('fr33domtracker.h33t.com')[1],
 }
 # Les blacklistes
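Review bot: The new dict makes the generated IPv6 FORWARD rules depend on a live DNS answer, and `gethostbyname` (ipt.py hunk in this same diff) returns an empty list on `socket.gaierror`, so a resolver failure at generation time silently drops that tracker from the filter instead of failing or warning; each result should be checked, e.g. `addrs = gethostbyname('tracker.ccc.de')[1]` followed by a warning when `not addrs`, using whatever logging firewall6.py already has (not visible here). The diff adds `from ipt import gethostbyname` only to firewall_new.py; unless firewall6.py already imports it outside the shown hunks, this dict raises NameError the first time the generator runs. A comment above the dict, `# [1] = IPv6 literals resolved at generation time; DNS answers are untrusted input that become REJECT rules`, would make the index and the trust boundary explicit. main_router() continues outside the hunk.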
@@ -160,10 +164,10 @@ def main_router():
 ip6tables.filter.tracker_torrent('-j REJECT --reject-with icmp6-adm-prohibited')
 ip6tables.filter.forward('-p tcp -m string --algo kmp --string "GET /" -j TRACKER_TORRENT')
 ip6tables.filter.forward('-p tcp -m string --algo kmp --string "get /" -j TRACKER_TORRENT')
- for tracker in udp_torrent_tracker.values():
- for dest in tracker:
- ip6tables.filter.forward('-p udp -d %s --dport %s -j LOG --log-level notice --log-prefix "TRACKER_TORRENT: "' % (dest[0],dest[1]))
- ip6tables.filter.forward('-p udp -d %s --dport %s -j REJECT --reject-with icmp6-adm-prohibited' % (dest[0],dest[1]))
+ for tracker in udp_torrent_tracker.keys():
+ for dest in udp_torrent_tracker[tracker]:
+ ip6tables.filter.forward('-p udp -d %s -j LOG --log-level notice --log-prefix "TRACKER:%s "' % (dest,(tracker[:20]) if len(tracker) > 20 else tracker))
+ ip6tables.filter.forward('-p udp -d %s -j REJECT --reject-with icmp6-adm-prohibited' % dest)
 ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index 1f56d471..558a3e55 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@@ -40,6 +40,7 @@ from iptools import AddrInNet, NetSubnets, IpSubnet
 from config import NETs, mac_komaz, mac_wifi, mac_titanic, mac_g, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire
 from ipset import IpsetError, Ipset
 from lc_ldap import lc_ldap
+from ipt import gethostbyname
 syslog.openlog('firewall')
 debug = 1
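Review bot: The rewritten UDP rules drop the `--dport` match the removed lines carried, so every forwarded UDP datagram to a resolved tracker address is now logged and rejected on any port, which over-blocks whatever else (DNS, NTP, QUIC) happens to share that host; since `gethostbyname` returns bare addresses, the port has to be re-added explicitly: `'-p udp -d %s --dport 80 -j LOG --log-level notice --log-prefix "TRACKER:%s "' % (dest, tracker[:20])` and `'-p udp -d %s --dport 80 -j REJECT --reject-with icmp6-adm-prohibited' % dest`. Neither the old nor the new LOG rule has `-m limit`, and without the port match far more packets hit it, so one client retrying a tracker produces one kernel log line per packet; `-m limit --limit 10/min` before `-j LOG` keeps syslog usable. `tracker[:20]` alone already yields the 20-character cap the conditional spells out, and `for tracker, dests in udp_torrent_tracker.items():` replaces the `.keys()` loop plus the indexed lookup. main_router() continues outside the hunk.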
@@ -455,7 +456,8 @@ class firewall_komaz(firewall_crans) :
 'udp_CRANS_VERS_EXT': [ ':136','140:'] }
- ports_virus = { 'tcp' : [ 135, 445 ] , 'udp' : [] }
+ # on retire 445 et 135 en tcp car plein de mac se font deconnecter
+ ports_virus = { 'tcp' : [ ] , 'udp' : [] }
 # Filtrage du peer to peer
 # Apple et WinMX desactives car possibilite de fausse detection par ipp2p
@@ -473,10 +475,12 @@ class firewall_komaz(firewall_crans) :
 ]
 udp_torrent_tracker={
- 'tracker.openbittorrent.com':[['95.215.62.26',80],['95.215.62.5',80]],
- 'tracker.ccc.de':[['195.54.164.83',80]],
- 'tracker.istole.it':[['192.121.121.30',80]],
- 'tracker.publicbt.com':[['95.211.88.54',80],['95.211.88.49',80],['95.211.88.51',80]],
+ 'tracker.openbittorrent.com':gethostbyname('tracker.openbittorrent.com')[0],
+ 'tracker.ccc.de':gethostbyname('tracker.ccc.de')[0],
+ 'tracker.istole.it':gethostbyname('tracker.istole.it')[0],
+ 'tracker.publicbt.com':gethostbyname('tracker.publicbt.com')[0],
+ 'tracker.1337x.org':gethostbyname('tracker.1337x.org')[0],
+ 'fr33domtracker.h33t.com':gethostbyname('fr33domtracker.h33t.com')[0],
 }
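Review bot: Emptying `ports_virus` switches off the TCP 135/445 worm filter for every host in order to stop false positives on Macs, but the new comment only records the symptom; the code that consumes `ports_virus` is outside this hunk, so I cannot tell whether a narrower fix (exempting the affected hosts, or keying on connection rate rather than any SYN to 445) was considered, and the comment should say so. I would make it an English rationale with a follow-up marker: `# TCP 135/445 removed from the worm filter: legitimate SMB traffic from Macs tripped it and got them disconnected. TODO: reinstate with a narrower detection.` The empty dict is kept so the consumer keeps working, which is fine, but leaving the list empty rather than deleting the filter means nobody will notice the regression from a rules dump. firewall_komaz continues outside the hunk.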
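Review bot: These six `gethostbyname` calls now run when the `firewall_komaz` class body is evaluated, which — if the attribute is class-level as the hunk header and the old listing suggest (indentation is lost here) — means at import time of firewall_new.py, so a slow or unreachable resolver stalls every importer and a `gaierror` silently yields `[]`, leaving that tracker unblocked with no trace. Resolving lazily in the method that builds FILTRE_P2P (or in `__init__`) and warning via syslog on an empty result would keep a DNS hiccup from silently changing the firewall; at minimum a comment `# resolved once at class-definition time; [0] = IPv4 literals, empty on DNS failure` should flag it. The returned lists are also not de-duplicated, which matters because the caller emits one LOG and one REJECT rule per entry.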
@@ -1188,9 +1192,10 @@ class firewall_komaz(firewall_crans) :
 iptables('-A FILTRE_P2P -m ipp2p --%s -j REJECT --reject-with icmp-admin-prohibited' % filtre[0])
 self.anim.cycle() #on rejetes les trackeur udp les plus connus
- for tracker in self.udp_torrent_tracker.values():
- for dest in tracker:
- iptables('-A FILTRE_P2P -p udp -d %s --dport %s -j REJECT --reject-with icmp-admin-prohibited' % (dest[0],dest[1]))
+ for tracker in self.udp_torrent_tracker.keys():
+ for dest in self.udp_torrent_tracker[tracker]:
+ iptables('-A FILTRE_P2P -p udp -d %s -j LOG --log-level notice --log-prefix "TRACKER:%s "' % (dest,(tracker[:20]) if len(tracker) > 20 else tracker))
+ iptables('-A FILTRE_P2P -p udp -d %s -j REJECT --reject-with icmp-admin-prohibited' % dest)
 #On log les requetes a des trackers torrents puis on les rejetes
 iptables("-A TRACKER_FILTER -m string --algo kmp ! --string \"info_hash=\" -j ACCEPT")
diff --git a/gestion/ipt.py b/gestion/ipt.py
index 39717932..1e6f795a 100755
--- a/gestion/ipt.py
+++ b/gestion/ipt.py
@@ -20,7 +20,7 @@
 # along with this program. If not, see .
-import os, re, syslog, cPickle
+import os, re, syslog, cPickle, socket
 from ldap_crans import crans_ldap, hostname
 from commands import getstatusoutput
@@ -69,6 +69,18 @@ db = crans_ldap()
 # ##############################################################################
+def gethostbyname(hostname):
+ hosts4=[]
+ hosts6=[]
+ try :
+ for host in socket.getaddrinfo(hostname,None,socket.AF_INET,socket.IPPROTO_IP,socket.AI_CANONNAME):
+ hosts4.append(host[4][0])
+ except(socket.gaierror): pass
+ try :
+ for host in socket.getaddrinfo(hostname,None,socket.AF_INET6,socket.IPPROTO_IP,socket.AI_CANONNAME):
+ hosts6.append(host[4][0])
+ except(socket.gaierror): pass
+ return (hosts4,hosts6)
 class Chain(object):
 ''' Classe regroupant toutes les règles du firewall '''
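Review bot: The LOG rule added to FILTRE_P2P has no `-m limit`, and because the `--dport` match from the removed line is gone it now fires for every UDP packet to a resolved tracker address on any port, so a single client that keeps retrying a tracker can flood the kernel log. I would restore the port and rate-limit the log: `iptables('-A FILTRE_P2P -p udp -d %s --dport 80 -m limit --limit 10/min -j LOG --log-level notice --log-prefix "TRACKER:%s "' % (dest, tracker[:20]))` followed by `iptables('-A FILTRE_P2P -p udp -d %s --dport 80 -j REJECT --reject-with icmp-admin-prohibited' % dest)`. `tracker[:20]` on its own already gives the 20-character cap (needed because `--log-prefix` is limited to 29 characters) that the conditional spells out, and `for tracker, dests in self.udp_torrent_tracker.items():` avoids the `.keys()` loop plus indexed lookup. The enclosing method starts and ends outside the hunk.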
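Review bot: Both `getaddrinfo` calls pass their arguments in the wrong positions: the stdlib order is `(host, port, family, type, proto, flags)`, so `socket.IPPROTO_IP` lands in `type` and `socket.AI_CANONNAME` in `proto`, and the call works only because both constants happen to be small integers the resolver tolerates; depending on the libc it can return the same address once per socket type, and the callers turn every copy into a separate LOG/REJECT rule. The `except(socket.gaierror): pass` also hides resolution failures behind an empty list that callers read as "nothing to block", and since ipt.py already imports syslog the failure should be logged there. The name also reads like `socket.gethostbyname` but returns a pair of lists; `resolve_host` would be clearer, though renaming touches both callers. Rewritten with a fixed socket type (one entry per address), de-duplication and a warning:
```python
def gethostbyname(hostname):
    """Resolve hostname to ([IPv4 literals], [IPv6 literals]).

    Each list is de-duplicated, keeps resolver order and is empty when
    resolution fails; the failure is reported via syslog rather than
    silently dropped, because callers turn these lists into firewall rules.
    """
    resolved = []
    for family in (socket.AF_INET, socket.AF_INET6):
        addrs = []
        try:
            # SOCK_DGRAM pins the socket type so each address comes back once.
            for info in socket.getaddrinfo(hostname, None, family, socket.SOCK_DGRAM):
                addr = info[4][0]
                if addr not in addrs:
                    addrs.append(addr)
        except socket.gaierror as e:
            syslog.syslog(syslog.LOG_WARNING,
                          'gethostbyname(%s): %s' % (hostname, e))
        resolved.append(addrs)
    return tuple(resolved)
```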