From fcdd7034dc54dd4110c2f74b36d7a8af4c755ac2 Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Sat, 3 Mar 2012 00:04:18 +0100
Subject: [PATCH] [firewall_new.py] Zamok est sous squeeze
Ignore-this: 8cc380cac1774cf64cc29cb229678267
darcs-hash:20120302230418-3a55a-c78f593b6e03054364ed3256d2bc5600e2831808.gz
---
 gestion/gen_confs/firewall_new.py | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/gestion/gen_confs/firewall_new.py b/gestion/gen_confs/firewall_new.py
index 518acee2..8719e3fc 100755
--- a/gestion/gen_confs/firewall_new.py
+++ b/gestion/gen_confs/firewall_new.py
@@ -715,6 +715,8 @@ class firewall_komaz(firewall_crans) :
 'BLACKLIST_DST' , 'FILTRE_P2P', 'INGRESS_FILTERING', 'TEST_VIRUS_FLOOD', 'LOG_VIRUS', 'LOG_FLOOD','LOG_TRACKER','TRACKER_FILTER' ] :
 iptables('-N %s' % chaine)
+ iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
+ iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
 iptables("-A FORWARD -s ! %s -d ! %s -j FILTRE_P2P" % (self.zone_serveur, self.zone_serveur) )
 iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
 iptables("-A FORWARD -j INGRESS_FILTERING")
@@ -732,8 +734,6 @@ class firewall_komaz(firewall_crans) :
 iptables("-A INGRESS_FILTERING -i ens -j DROP")
 iptables("-A FORWARD -i %s -d %s -j ADMIN_VLAN" % (self.eth_int, self.vlan_adm) )
 iptables("-A FORWARD -i %s -d %s -j REJECT" % (self.eth_ext, self.vlan_adm) )
- iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
- iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
 iptables("-A FORWARD -s ! %s -j TEST_VIRUS_FLOOD" % self.zone_serveur)
 iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) )
 iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) )
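Review bot: The position of the two added BLACKLIST_DST/BLACKLIST_SRC jumps relative to the `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule two lines below is load-bearing and undocumented: placed here, packets of already-established flows also traverse the blacklist chains, whereas at their previous position (removed in the following hunk @@ -732) those flows were accepted before the blacklist was consulted. That is presumably the intent of the change, but nothing in the code says so, and a later reordering could silently reintroduce the bypass. Suggest a comment above the first added line: `# Blacklist checks must precede the ESTABLISHED,RELATED ACCEPT so existing flows of a blacklisted host are cut as well`. The enclosing method starts before this hunk and continues past it.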
@@ -1197,11 +1197,19 @@ class firewall_zamok(firewall_crans) :
 def nat_table(self) :
 self.anim = anim('\tStructure de la table nat')
- iptables('-t filter -N SERV_OUT_ADM')
+ iptables("-t nat -P PREROUTING ACCEPT")
 iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
- iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP")
+
+ iptables("-t nat -P PREROUTING ACCEPT")
+ print OK
+
+ def filter_table(self):
+ self.anim = anim('\tStructure de la table filter')
+ iptables('-t filter -N SERV_OUT_ADM')
+ iptables('-t filter -N TEST_MAC-IP')
+ iptables("-t filter -A OUTPUT -d 224.0.0.0/4 -j DROP")
 # à placer dans filter
 #for net in NETs['fil'] + NETs['adm'] + NETs['wifi'] :
@@ -1215,7 +1223,7 @@ class firewall_zamok(firewall_crans) :
 iptables("-t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT")
 iptables("-t filter -A OUTPUT -o %s -j SERV_OUT_ADM" % self.eth_adm)
- iptables("-t nat -P PREROUTING ACCEPT")
+ iptables("-t filter -P OUTPUT ACCEPT")
 print OK
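Review bot: `iptables("-t nat -P PREROUTING ACCEPT")` is issued twice in nat_table after this change, once as the first added line and again just before `print OK`; setting a chain policy is idempotent, so the second call is harmless but redundant and one of the two should be dropped. The new filter_table method continues past the end of the hunk, and whether the base class's driver actually invokes filter_table as it does nat_table cannot be seen here — worth confirming, since otherwise the SERV_OUT_ADM and TEST_MAC-IP chains would never be created and the `-j SERV_OUT_ADM` rule in hunk @@ -1215 would fail at load time. A one-line docstring on each method stating which table it owns (`"""Build the nat table: PREROUTING policy and loopback accept."""`, `"""Build the filter table: OUTPUT rules and the SERV_OUT_ADM / TEST_MAC-IP chains."""`) would make the split explicit.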
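Review bot: `iptables("-t filter -P OUTPUT ACCEPT")` makes the OUTPUT chain accept-by-default, so only traffic leaving via eth_adm (jumped to SERV_OUT_ADM two lines above) is subject to filtering and everything else is accepted once it falls off the end of the chain. This matches the kernel's built-in default policy, so effective behavior is unchanged, but an explicit ACCEPT policy deserves a why-comment so a reader does not mistake it for an oversight, e.g. `# OUTPUT stays accept-by-default; only traffic toward the admin interface is restricted via SERV_OUT_ADM`. The enclosing method starts before this hunk.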