[firewall_new.py] Zamok est sous squeeze

Ignore-this: 8cc380cac1774cf64cc29cb229678267 darcs-hash:20120302230418-3a55a-c78f593b6e03054364ed3256d2bc5600e2831808.gz
2012-03-03 00:04:18 +01:00 · 2012-03-03 00:04:18 +01:00 · fcdd7034dc
commit fcdd7034dc
parent eb7d1e45c2
1 changed files with 13 additions and 5 deletions
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@ -715,6 +715,8 @@ class firewall_komaz(firewall_crans) :
                'BLACKLIST_DST' , 'FILTRE_P2P', 'INGRESS_FILTERING',
                'TEST_VIRUS_FLOOD', 'LOG_VIRUS', 'LOG_FLOOD','LOG_TRACKER','TRACKER_FILTER' ] :
            iptables('-N %s' % chaine)
+        iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
+        iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
        iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
        iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
        iptables("-A FORWARD -j INGRESS_FILTERING")
@ -732,8 +734,6 @@ class firewall_komaz(firewall_crans) :
        iptables("-A INGRESS_FILTERING -i ens -j DROP")
        iptables("-A FORWARD -i %s -d %s -j ADMIN_VLAN" % (self.eth_int, self.vlan_adm) )
        iptables("-A FORWARD -i %s -d %s -j REJECT" % (self.eth_ext, self.vlan_adm) )
-        iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
-        iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
        iptables("-A FORWARD -s ! %s -j TEST_VIRUS_FLOOD" % self.zone_serveur)
        iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) )
        iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) )
@ -1197,11 +1197,19 @@ class firewall_zamok(firewall_crans) :

    def nat_table(self) :
        self.anim = anim('\tStructure de la table nat')
-        iptables('-t filter -N SERV_OUT_ADM')
+       

        iptables("-t nat -P PREROUTING ACCEPT")
        iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
-        iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP")
+        
+        iptables("-t nat -P PREROUTING ACCEPT")
+        print OK
+        
+    def filter_table(self):
+        self.anim = anim('\tStructure de la table filter')
+        iptables('-t filter -N SERV_OUT_ADM')
+        iptables('-t filter -N TEST_MAC-IP')
+        iptables("-t filter -A OUTPUT -d 224.0.0.0/4 -j DROP")

        # <!> à placer dans filter
        #for net in NETs['fil'] + NETs['adm'] + NETs['wifi'] :
@ -1215,7 +1223,7 @@ class firewall_zamok(firewall_crans) :
        iptables("-t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT")
        iptables("-t filter -A OUTPUT -o %s -j SERV_OUT_ADM" % self.eth_adm)

-        iptables("-t nat -P PREROUTING ACCEPT")
+        
        iptables("-t filter -P OUTPUT ACCEPT")
        print OK