diff --git a/main.py b/main.py
index ae3e745..f5802af 100755
--- a/main.py
+++ b/main.py
@@ -36,6 +36,7 @@ class iptables:
 self.mangle6 = "\n*mangle"
 self.filter6 = "\n*filter"
 self.subnet_ports = api_client.list("firewall/subnet-ports/")
+ self.interface_ports = api_client.list("firewall/interface-ports/")
 self.verbose = False
 self.action = None
 self.export = False
@@ -250,59 +251,56 @@ class iptables:
 else:
 chain = "filter6"
- self.init_filter(subtable, decision="-")
 for interface in self.interfaces['sortie']:
 self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type)
 self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type)
+ def add_general_rule(ports, ip_type, chain, subtable, rule, protocol, direction):
+ """Règles générales, fonction de factorisation"""
+ if ip_type == '4':
+ self.add_in_subtable(chain, subtable, """-m iprange --%s-range %s-%s -p %s -m multiport --dports %s -j RETURN""" % (direction, rule["domaine_ip_start"], rule["domaine_ip_stop"], protocol, ports))
+ if ip_type == '6':
+ self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], rule["complete_prefixv6"], protocol, ports))
+
+ #Ajout des règles générales
 for subnet in self.subnet_ports:
 ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_in"])
 if ports:
- if ip_type == '4':
- self.add_in_subtable(chain, subtable, """-m iprange --dst-range %s-%s -p tcp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
- if ip_type == '6':
- self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
+ add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'dst')
 ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_out"])
- if ports:
- self.add_in_subtable(chain, subtable, """-m iprange --src-range %s-%s -p tcp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
+ if ports:
+ add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'src')
 ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_in"])
- if ports:
- self.add_in_subtable(chain, subtable, """-m iprange --dst-range %s-%s -p udp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
+ if ports:
+ add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'dst')
 ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"])
- if ports:
- self.add_in_subtable(chain, subtable, """-m iprange --src-range %s-%s -p udp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
-
- #Ajout des règles générales
- for realm in self.config_firewall.ports_realm[ip_type]:
- ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['tcp']['output'])
 if ports:
- for ip_range in get_range(ip_type, realm):
- self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
- ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['tcp']['input'])
- if ports:
- for ip_range in get_range(ip_type, realm):
- self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
- ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['udp']['output'])
- if ports:
- for ip_range in get_range(ip_type, realm):
- self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
- ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['udp']['input'])
- if ports:
- for ip_range in get_range(ip_type, realm):
- self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
+ add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'src')
+ for interface in self.interface_ports:
+ ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
+ if ports:
+ self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
+ for ipv6_addr in interface['ipv6']:
+ self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
+ ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
+ if ports:
+ self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
+ for ipv6_addr in interface['ipv6']:
+ self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
+ ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
+ if ports:
+ self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
+ for ipv6_addr in interface['ipv6']:
+ self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
+ ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
+ if ports:
+ self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
+ for ipv6_addr in interface['ipv6']:
+ self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
- #Ajout des machines avec ouvertures particulières
- for machine in self.conn.search(u'(&(portTCPout=*)(%s=*))' % ldap_object_name):
- self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portTCPout'])))
- for machine in self.conn.search(u'(&(portTCPin=*)(%s=*))' % ldap_object_name):
- self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portTCPin'])))
- for machine in self.conn.search(u'(&(portUDPout=*)(%s=*))' % ldap_object_name):
- self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portUDPout'])))
- for machine in self.conn.search(u'(&(portUDPin=*)(%s=*))' % ldap_object_name):
- self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portUDPin'])))
 #Rejet du reste
 self.add_in_subtable(chain, subtable, """-j REJECT""")
@@ -635,11 +633,4 @@ if __name__ == '__main__':
 table.do_action()
-sw = Switch()
-for switch in all_switchs:
- sw.switch = switch
- sw.gen_conf_and_write()
- try:
- sw.apply_conf()
- except:
- print("Erreur dans l'application de la conf pour " + switch["short_name"])
+
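Review bot: The four comprehensions in the new `for interface in self.interface_ports` loop bind `port_list` but read `ports_list['show_port']`, so the first interface whose `port_lists` is non-empty raises NameError before any rule is emitted, unless a `ports_list` happens to exist in an enclosing scope, which nothing visible suggests. The same loop also writes the `interface['ipv4']` rule and the `ipv6_addr['ipv6']` rules into whichever table is currently being built, whereas `add_general_rule` just above gates on `ip_type`; with `ip_type == '6'` an IPv4 `-d`/`-s` lands in the filter6 table (and vice versa), and `ip6tables-restore`/`iptables-restore` will reject the whole table load if `add_in_subtable` does not filter by address family, which matters for a ruleset that ends in `-j REJECT`. A third point, inherited rather than introduced but kept by the new `add_general_rule(..., rule, ...)` calls: `rule` there is the generator variable of the preceding `','.join(rule["show_port"] for rule in ...)`, which does not leak in Python 3, so unless `rule` is bound earlier in the method outside this hunk it is a NameError and `subnet` looks like the intended object. I would fix the comprehension name and route the interface rules through a helper that mirrors `add_general_rule`'s `ip_type` check, as sketched below. The enclosing method starts before this hunk.
```python
        def add_interface_rule(ports, protocol, direction, interface):
            """Per-interface RETURN rule, emitted only for the address family of the table being built."""
            if ip_type == '4':
                self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], interface['ipv4'], protocol, ports))
            if ip_type == '6':
                for ipv6_addr in interface['ipv6']:
                    self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], ipv6_addr['ipv6'], protocol, ports))

        # … unchanged: add_general_rule and the subnet_ports loop …
        for interface in self.interface_ports:
            for key, protocol, direction in (("tcp_ports_in", 'tcp', 'dst'), ("tcp_ports_out", 'tcp', 'src'),
                                             ("udp_ports_in", 'udp', 'dst'), ("udp_ports_out", 'udp', 'src')):
                ports = ','.join(port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports[key])
                if ports:
                    add_interface_rule(ports, protocol, direction, interface)
```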