#!/usr/bin/env python
# -*- coding: utf-8 -*-
import utils
import base
from utils import pretty_print, OK, anim
from base import dev
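class firewall(base.firewall):
    """Captive-portal firewall for the 'accueil' / 'isolement' guest networks.

    Extends base.firewall with two reloadable chains:

    * CAPTIF-ROUTE   -- the (ip, port) pairs that may bypass the portal
      (ACCEPT then a final REJECT in 'filter', MASQUERADE in 'nat');
    * PORTAIL-CAPTIF -- DNAT of unauthenticated web (and, for 'accueil',
      DNS) traffic to the portal hosts.

    Both chains are built from base.config.accueil_route (ip -> proto ->
    port list) and base.config.NETs (zone -> networks).  base.firewall is
    assumed to provide add/flush/apply, the *_table hooks and the
    reloadable / use_ipset / use_tc registries used below.
    """

    # Portal hosts the guest networks are redirected to.  They were written
    # inline in the DNAT rules; lifted here so a subclass can override them.
    PORTAIL_ISOLEMENT_IP = '10.52.0.10'
    PORTAIL_ACCUEIL_IP = '10.51.0.10'

    # Only these accueil_route protocols carry a '-m multiport' port list.
    _PORT_PROTOCOLS = ('udp', 'tcp')

    def __init__(self):
        # super(firewall, ...) rather than super(self.__class__, ...): the
        # latter recurses forever as soon as this class is subclassed.
        super(firewall, self).__init__()

        self.reloadable.update({
            'portail_captif_route': self.portail_captif_route,
            'portail_captif': self.portail_captif,
        })

        # This site uses no ipsets or tc classes; the registries are still
        # extended so they keep the same shape as in sibling firewalls.
        self.use_ipset.extend([])
        self.use_tc.extend([])

    def raw_table(self):
        """Populate the 'raw' table: nothing beyond what base.firewall does."""
        super(firewall, self).raw_table()

    def mangle_table(self):
        """Populate the 'mangle' table: nothing beyond what base.firewall does."""
        super(firewall, self).mangle_table()

    def filter_table(self):
        """Populate the 'filter' table.

        FORWARD is flushed and replaced by a single jump to CAPTIF-ROUTE,
        whose last rule is REJECT: only the (ip, port) pairs listed in
        accueil_route are forwarded for the guest networks.
        """
        table = 'filter'
        super(firewall, self).filter_table()

        chain = 'FORWARD'
        self.flush(table, chain)
        self.add(table, chain, '-j %s' % self.portail_captif_route(table))

    def nat_table(self):
        """Populate the 'nat' table.

        PREROUTING jumps to PORTAIL-CAPTIF (redirection of unauthenticated
        clients), POSTROUTING to CAPTIF-ROUTE (masquerading of the allowed
        destinations).
        """
        table = 'nat'
        # Was super(...).raw_table(): a copy-paste slip that re-ran the raw
        # hook and skipped the base nat setup.  Every other *_table hook in
        # this class delegates to its namesake in base.firewall.
        super(firewall, self).nat_table()

        # NOTE(review): unlike FORWARD in filter_table, these two chains are
        # not flushed first; unless base.firewall flushes them, each reload
        # appends another jump -- confirm.
        chain = 'PREROUTING'
        self.add(table, chain, '-j %s' % self.portail_captif(table))

        chain = 'POSTROUTING'
        self.add(table, chain, '-j %s' % self.portail_captif_route(table))

    def portail_captif_route(self, table=None, apply=False):
        """PNAT the (ip, port) pairs allowed through the captive portal.

        Builds the CAPTIF-ROUTE chain for *table*:

        * 'filter': ACCEPT each accueil_route[ip][proto] port list in both
          directions, then REJECT everything else;
        * 'nat': MASQUERADE the same destinations for the 'accueil' and
          'isolement' networks, plus everything from 'personnel-ens'
          entering on dev['app'].

        Any other *table* value adds no rule and only (optionally) applies.

        Args:
            table: iptables table to build the chain in ('filter', 'nat'
                or None).
            apply: when true, self.apply(table, chain) is called once the
                rules have been added.

        Returns:
            The chain name, 'CAPTIF-ROUTE', so callers can jump to it.
        """
        chain = 'CAPTIF-ROUTE'

        if table == 'filter':
            pretty_print(table, chain)
            for ip, ports_by_proto in base.config.accueil_route.items():
                for proto, ports in ports_by_proto.items():
                    if proto not in self._PORT_PROTOCOLS:
                        continue
                    port_list = ','.join(ports)
                    self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j ACCEPT' % (proto, ip, port_list))
                    self.add(table, chain, '-p %s -s %s -m multiport --sports %s -j ACCEPT' % (proto, ip, port_list))
            # Default-deny: anything not listed above is rejected, which is
            # what keeps unauthenticated clients confined to the portal.
            self.add(table, chain, '-j REJECT')
            print(OK)

        if table == 'nat':
            pretty_print(table, chain)
            # intranet and wiki for the accueil vlan
            for ip, ports_by_proto in base.config.accueil_route.items():
                for proto, ports in ports_by_proto.items():
                    if proto not in self._PORT_PROTOCOLS:
                        continue
                    port_list = ','.join(ports)
                    # 'accueil' before 'isolement': same rule order as before.
                    for zone in ('accueil', 'isolement'):
                        for net in base.config.NETs[zone]:
                            self.add(table, chain, '-s %s -p %s -d %s -m multiport --dports %s -j MASQUERADE' % (net, proto, ip, port_list))
            # These rules do not depend on (ip, proto), so they are emitted
            # once.  NOTE(review): the listing this was restored from had
            # lost its indentation; confirm the block was not nested in the
            # loop above.
            for net in base.config.NETs['personnel-ens']:
                self.add(table, chain, '-i %s -s %s -j MASQUERADE' % (dev['app'], net))
            print(OK)

        if apply:
            self.apply(table, chain)
        return chain

    def portail_captif(self, table=None, apply=False):
        """Redirect unauthenticated guest clients to the captive portal.

        Builds the PORTAIL-CAPTIF chain, only when *table* is 'nat':

        * RETURN for the accueil_route destinations, so the portal never
          captures traffic that CAPTIF-ROUTE lets through;
        * 'isolement' networks: tcp/80 DNAT to PORTAIL_ISOLEMENT_IP;
        * 'accueil' networks: tcp/80 and udp+tcp/53 DNAT to
          PORTAIL_ACCUEIL_IP.

        Only plain HTTP (and, for 'accueil', DNS) is redirected; other
        traffic such as tcp/443 is not captured here and is stopped only
        if the filter-side CAPTIF-ROUTE REJECT applies to it.

        Args:
            table: iptables table to build the chain in; rules are added
                for 'nat' only.
            apply: when true, self.apply(table, chain) is called once the
                rules have been added.

        Returns:
            The chain name, 'PORTAIL-CAPTIF'.
        """
        chain = 'PORTAIL-CAPTIF'

        if table == 'nat':
            pretty_print(table, chain)
            for ip, ports_by_proto in base.config.accueil_route.items():
                for proto, ports in ports_by_proto.items():
                    if proto not in self._PORT_PROTOCOLS:
                        continue
                    self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j RETURN' % (proto, ip, ','.join(ports)))

            for net in base.config.NETs['isolement']:
                self.add(table, chain, '-p tcp -s %s --destination-port 80 -j DNAT --to-destination %s' % (net, self.PORTAIL_ISOLEMENT_IP))

            for net in base.config.NETs['accueil']:
                self.add(table, chain, '-p tcp -s %s --destination-port 80 -j DNAT --to-destination %s' % (net, self.PORTAIL_ACCUEIL_IP))
                # DNS is also captured for 'accueil' so name lookups land on
                # the portal host instead of the real resolvers.
                self.add(table, chain, '-p udp -s %s --dport 53 -j DNAT --to %s' % (net, self.PORTAIL_ACCUEIL_IP))
                self.add(table, chain, '-p tcp -s %s --dport 53 -j DNAT --to %s' % (net, self.PORTAIL_ACCUEIL_IP))
            print(OK)

        if apply:
            self.apply(table, chain)
        return chain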