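#!/usr/bin/env python
# -*- coding: iso-8859-1 -*-
# The authors of this code are
# Manuel Sabban
# Frédéric Pauget
#
# Rewritten as an inherited class from firewall_crans
# by Mathieu Segaud
#
# Copyright (c) 2004 Manuel Sabban, Frédéric Pauget
# Copyright (c) 2005 Mathieu Segaud
#
# Permission to use, copy, and modify this software with or without fee
# is hereby granted, provided that this entire notice is included in
# all source code copies of any software which is or includes a copy or
# modification of this software.
#
# THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
# IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
# REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
# MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
# PURPOSE.
"""Firewall for the host "bleu".

Specialises firewall_crans: the generic tables are built by the parent
class; the methods below only apply the host-specific tweaks and turn the
parts this host does not use (routing, member/server updates) into no-ops.
"""

import sys
sys.path.append('/usr/scripts/gestion')

import syslog

from firewall_crans import firewall_crans, IptablesError, iptables
from lock import *
from ldap_crans import crans_ldap, ann_scol, machine, crans, invite
from affich_tools import *
from commands import getstatusoutput
from iptools import AddrInNet

syslog.openlog('firewall')


class firewall_bleu(firewall_crans):
    """Firewall layout for bleu.

    nat table:
        nothing for now, apart from the two PREROUTING accepts added in
        nat_table_tweaks().
    filter table:
        FORWARD (default policy DROP): nothing passes the FORWARD chain.
        INPUT   (default policy ACCEPT, for now).
    """

    # Physical interfaces.
    eth_pub = "eth0"
    eth_adm = "eth0.2"   # presumably the admin VLAN sub-interface; not used in this file
    # NOTE(review): read by the parent class, presumably a verbosity level -- confirm
    debug = 1

    def nat_table_tweaks(self):
        """Accept, in nat/PREROUTING, traffic to the server zone and traffic
        arriving on the public interface.

        The two rules are inserted at fixed positions 6 and 7, so they depend
        on the parent class having already placed the rules before them; if
        the parent's PREROUTING layout changes, these positions must follow.
        """
        self.anim = anim(' règles spécifiques à bleu')
        iptables("-t nat -I PREROUTING 6 -d %s -j ACCEPT" % self.zone_serveur)
        iptables("-t nat -I PREROUTING 7 -i %s -j ACCEPT" % self.eth_pub)
        print(OK)

    def filter_table_tweaks(self):
        """Set the filter policies: INPUT accepts by default, FORWARD drops.

        With an ACCEPT policy on INPUT the host itself is protected only by
        whatever the parent class puts in that chain; the "for now" in the
        class docstring refers to this.
        """
        self.anim = anim(' règles spécifiques à bleu')
        iptables("-P INPUT ACCEPT")
        iptables("-P FORWARD DROP")
        print(OK)

    def enable_route(self):
        """No-op: routing is never enabled on this host."""
        return

    def disable_route(self):
        """No-op: nothing to disable, see enable_route()."""
        return

    def start_fw_funcs(self):
        """Chains built at start: only test_mac_ip, run through the parent's
        exception_catcher so a failure is reported rather than propagated
        (presumed behaviour of exception_catcher -- confirm in firewall_crans).
        """
        self.exception_catcher(self.test_mac_ip)

    def serveurs_maj_list_to_do(self):
        """No-op: bleu keeps no server update list."""
        return

    def adh_maj_list_to_do(self):
        """No-op: bleu keeps no member update list."""
        return

    def serveurs_maj(self):
        """No-op: bleu performs no server update."""
        return


if __name__ == '__main__':
    # Chains that may be rebuilt individually from the command line.
    chaines = ['reseaux_non_routables', 'test_mac_ip']
    # Whole-firewall actions; each must be the only argument.
    actions = ['stop', 'restart', 'start']

    def __usage(txt=None):
        """Print an optional message in bold, then the usage text, and exit."""
        if txt is not None:
            cprint(txt, 'gras')
        print("""Usage: %(p)s start   : Construction du firewall.
       %(p)s restart : Reconstruction du firewall.
       %(p)s stop    : Arrêt du firewall.
       %(p)s chaine  : reconstruit les chaines

Les chaines pouvant être reconstruites sont :
    %(chaines)s

Pour reconfiguration d'IPs particulières, utiliser generate.
""" % {'p': sys.argv[0].split('/')[-1],
       'chaines': '\n    '.join(chaines)})
        sys.exit(-1)

    # Argument validation: every argument must be an allow-listed action or
    # chain name, and an action cannot be combined with anything else.
    if len(sys.argv) == 1:
        __usage()
    args = sys.argv[1:]
    allowed = actions + chaines
    for arg in args:
        if arg in actions and len(args) != 1:
            __usage("L'argument %s ne peut être employé que seul." % arg)
        if arg not in allowed:
            __usage("L'argument %s est inconnu." % arg)

    fw = firewall_bleu()
    # Dispatch by attribute lookup instead of eval(): the allow-list above is
    # what bounds the callable names, and getattr keeps that bound the only
    # thing reachable from argv.
    for arg in args:
        getattr(fw, arg)()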