crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

On rcupre les valeurs de dbit et de numro de mark dans la config gnrale

Browse source 
On dcoupe le proxy transparent de sila dans les deux tables disponibles

darcs-hash:20060424143716-72cb0-4af039668227303b49b17d0982e35600d11f43f7.gz
This commit is contained in:
salles 2006-04-24 16:37:16 +02:00
parent aa62b19efc
commit fbcf1f7431
1 changed files with 59 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

87
gestion/gen_confs/firewall.py
View file

@ -33,7 +33,7 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi
from affich_tools import *
from commands import getstatusoutput
from iptools import AddrInNet
from config import mac_komaz, mac_wifi
from config import mac_komaz, mac_wifi, conf_fw, p2p
syslog.openlog('firewall')
debug = 1
@ -462,12 +462,6 @@ class firewall_komaz(firewall_crans) :
liste_reseaux_non_routables = [ '10.0.0.0/8', '172.16.0.0/12',
'169.254.0.0/16', '192.168.0.0/16', '224.0.0.0/4']
# Valeur des débits autorisés pour le p2p
machines = db.search('*')['machine']
debit_p2p_max = 1000000 #"1mbit"
debit_p2p_adh = debit_p2p_max/(len(machines)+1)
def reseaux_non_routables(self) :
""" Construction de RESEAUX_NON_ROUTABLES_{DST,SRC} """
self.anim = anim('\tFiltrage ip non routables',len(self.liste_reseaux_non_routables))
@ -482,7 +476,16 @@ class firewall_komaz(firewall_crans) :
from affich_tools import anim, cprint, OK
self.anim = anim('\tStructure de la table mangle')
iptables("-t mangle -F POSTROUTING")
# On crée les chaines de sous-réseaux
iptables("-t mangle -F PREROUTING")
# Proxy transparent
iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " +
"-s 138.231.136.0/21 -d \! 138.231.148.0/22 -j MARK " +
"--set-mark %s" % conf_fw.mark['proxy'])
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
# On crée les chaines de sous-réseaux
#TODO : utiliser une variable de config pour la liste des /24
for subnet in range(136,145)+range(148,152) :
try :
iptables("-t mangle -N SUBNET-%s_24" % subnet)
@ -493,7 +496,18 @@ class firewall_komaz(firewall_crans) :
iptables("-t mangle -A POSTROUTING -o crans -d 138.231.%s.0/24 -j SUBNET-%s_24" % (subnet, subnet))
print OK
# On marque les paquets bittorrent uniquement
iptables("-t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark")
iptables("-t mangle -A PREROUTING -p tcp -m mark ! --mark 0x0 " +
"-j ACCEPT")
iptables("-t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK " +
"--set-mark %s" % conf_fw.mark['bittorrent'])
iptables("-t mangle -A PREROUTING -p tcp -m mark " +
"--mark %s -j CONNMARK --save-mark" % conf_fw.mark['bittorrent'])
adherents = db.search('paiement=ok')['adherent']
# On calcule le débit garanti pour un adhérent
debit_adh = p2p.debit_max/(len(adherents)+1)
a = anim('\tGénération des classes de filtrage p2p', len(adherents))
warn = ''
@ -507,8 +521,8 @@ class firewall_komaz(firewall_crans) :
# On construit les classes et qdisc de base
# La partie principale qui définit le comportement par défaut
tc("qdisc add dev %s root handle 1: htb" % interface)
tc("class add dev %s parent 1: classid 1:1 htb rate %s ceil %s" % (interface, self.debit_p2p_max, self.debit_p2p_max))
tc("class add dev %s parent 1:1 classid 1:9998 htb rate %s ceil %s" % (interface, self.debit_p2p_adh, self.debit_p2p_max))
tc("class add dev %s parent 1: classid 1:1 htb rate %s ceil %s" % (interface, p2p.debit_max, p2p.debit_max))
tc("class add dev %s parent 1:1 classid 1:9998 htb rate %s ceil %s" % (interface, debit_adh, p2p.debit_max))
tc("qdisc add dev %s parent 1:9998 handle 9999: sfq perturb 10" % interface)
# On construit ensuite les classes et qdisc pour chaque adhérent
for adherent in adherents :
@ -516,20 +530,24 @@ class firewall_komaz(firewall_crans) :
class_id = int(adherent.id())+1 # On ne peut pas reprendre le numéro 1
qdisc_id = class_id+5000 # Il nous faut un n° inférieur à 9998 unique
for interface in [self.eth_ext, self.eth_int] :
tc("class add dev %s parent 1:1 classid 1:%d htb rate %s ceil %s" % (interface, class_id, self.debit_p2p_adh, self.debit_p2p_max))
tc("class add dev %s parent 1:1 classid 1:%d htb rate %s ceil %s" % (interface, class_id, debit_adh, p2p.debit_max))
tc("qdisc add dev %s parent 1:%d handle %d: sfq perturb 10" % (interface, class_id, qdisc_id))
# Classification des adhérents dans leur classe respective
for machine in adherent.machines() :
ip = machine.ip()
subnet = machine.ip().split('.')[2]
iptables("-t mangle -A SUBNET-%s_24 -o crans -d %s -m mark --mark 1 -j CLASSIFY --set-class 1:%s" % (subnet, ip, class_id))
iptables("-t mangle -A SUBNET-%s_24 -o ens -s %s -m mark --mark 1 -j CLASSIFY --set-class 1:%s" % (subnet, ip, class_id))
iptables("-t mangle -A SUBNET-%s_24 -o crans -d %s -m mark " % (subnet, ip) +
"--mark %s -j CLASSIFY --set-class 1:%s" % (conf_fw.mark['bittorrent'], class_id))
iptables("-t mangle -A SUBNET-%s_24 -o ens -s %s -m mark " % (subnet, ip) +
"--mark %s -j CLASSIFY --set-class 1:%s" % (conf_fw.mark['bittorrent'], class_id))
# Par défaut on envoit les paquets dans la classe 9998
iptables("-t mangle -A POSTROUTING -o crans -m mark --mark 1 -j CLASSIFY --set-class 1:9998")
iptables("-t mangle -A POSTROUTING -o ens -m mark --mark 1 -j CLASSIFY --set-class 1:9998")
iptables("-t mangle -A POSTROUTING -o crans -m mark " +
"--mark %s -j CLASSIFY --set-class 1:9998" % conf_fw.mark['bittorrent'])
iptables("-t mangle -A POSTROUTING -o ens -m mark " +
"--mark %s -j CLASSIFY --set-class 1:9998" % conf_fw.mark['bittorrent'])
print OK
print "\n"
def nat_table(self) :
self.anim = anim('\tStructure de la table nat')
@ -556,11 +574,18 @@ class firewall_komaz(firewall_crans) :
iptables("-t mangle -F PREROUTING")
iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 " +
"-s 138.231.136.0/21 -d \! 138.231.148.0/22 -j MARK --set-mark 2")
iptables("-t nat -A PREROUTING -p tcp -m mark --mark 2 -j DNAT " +
"--to-destination 138.231.144.10:3128")
"-s 138.231.136.0/21 -d \! 138.231.148.0/22 -j MARK " +
"--set-mark %s" % conf_fw.mark['proxy'])
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
"-j DNAT --to-destination 138.231.144.10:3128")
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
print OK
def proxy_transparent(self):
# Proxy transparent
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
"-j DNAT --to-destination 138.231.144.10:3128")
def filter_table_tweaks(self) :
self.anim = anim('\tRègles spécifiques à komaz')
for chaine in [ 'ADMIN_VLAN', 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT' , 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC', 'BLACKLIST_DST' , 'FILTRE_P2P' ] :
@ -579,7 +604,7 @@ class firewall_komaz(firewall_crans) :
iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext )
# Proxy transparent
iptables("-I FORWARD -m mark --mark 2 -j ACCEPT")
iptables("-I FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
print OK
def classe_p2p_maj(self,ip_list=['138.231.137.170']) :
@ -626,8 +651,10 @@ class firewall_komaz(firewall_crans) :
else :
# Il faut supprimer cette entrée
option = '-D'
iptables("-t mangle %s SUBNET-%s_24 -o ens -s %s -m mark --mark 1 -j CLASSIFY --set-class 1:%s" % (option, subnet, ip, class_id))
iptables("-t mangle %s SUBNET-%s_24 -o crans -d %s -m mark --mark 1 -j CLASSIFY --set-class 1:%s" % (option, subnet, ip, class_id))
iptables("-t mangle %s SUBNET-%s_24 -o ens -s %s -m mark " % (option, subnet, ip) +
"--mark %s -j CLASSIFY --set-class 1:%s" % (conf_fw.mark['bittorrent'], class_id))
iptables("-t mangle %s SUBNET-%s_24 -o crans -d %s -m mark " % (option, subnet, ip) +
"--mark %s -j CLASSIFY --set-class 1:%s" % (conf_fw.mark['bittorrent'], class_id))
except IptablesError, c:
warn += str(c) + '\n'
except KeyError :
@ -667,7 +694,6 @@ class firewall_komaz(firewall_crans) :
print OK
def start_fw_funcs(self) :
self.exception_catcher(self.classe_p2p_maj)
self.exception_catcher(self.log_chaines)
self.exception_catcher(self.test_virus_flood)
self.exception_catcher(self.reseaux_non_routables)
@ -1041,15 +1067,20 @@ class firewall_vert(firewall_crans) :
class firewall_sila(firewall_rouge):
"""Comme pour rouge, avec le proxy transparent en plus"""
def nat_table(self):
firewall_rouge.nat_table(self)
def mangle_table(self):
# Pour le proxy transparent
iptables("-t nat -I PREROUTING -i crans.2 -m mark --mark 2 -j ACCEPT")
iptables("-t mangle -F PREROUTING")
iptables("-t mangle -i crans.2 -A PREROUTING -p tcp --destination-port 3128 " +
"--destination 138.231.144.10 " +
"-m mac --mac-source %s -j MARK --set-mark 2" % mac_komaz)
"-m mac --mac-source %s " % mac_komaz +
"-j MARK --set-mark %s" % conf_fw.mark['proxy'])
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
def nat_table(self):
firewall_rouge.nat_table(self)
# Pour le proxy transparent
iptables("-t nat -I PREROUTING -i crans.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
firewall_bleu = firewall_zamok
if __name__ == '__main__' :