From 2aa28c0b197c84af3a19b6fb7632cbdf30886001 Mon Sep 17 00:00:00 2001 From: Charlie Jacomme Date: Mon, 6 Aug 2018 20:29:16 +0200 Subject: [PATCH 1/6] sub module on crans git --- .gitmodules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitmodules b/.gitmodules index 361b0a1..94389b4 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,3 @@ [submodule "re2oapi"] path = re2oapi - url = https://gitlab.federez.net/re2o/re2oapi.git + url = https://gitlab.crans.org/nounous/re2o-re2oapi.git From 3ecb33fda429bd26046e6b6c8fbd744de26ca973 Mon Sep 17 00:00:00 2001 From: grisel-davy Date: Wed, 8 Aug 2018 20:20:00 +0200 Subject: [PATCH 2/6] ajout du force et interface avec les regen services --- main.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/main.py b/main.py index 0d145a6..2b533c2 100755 --- a/main.py +++ b/main.py @@ -15,6 +15,8 @@ import argparse import firewall_config +import sys + config = ConfigParser() config.read('config.ini') @@ -26,7 +28,11 @@ api_client = Re2oAPIClient(api_hostname, api_username, api_password) client_hostname = socket.gethostname().split('.', 1)[0] - +for arg in sys.argv: + if arg=="--force": + table=iptables() + table.action="restart" + table.do_action() class iptables: def __init__(self): @@ -633,5 +639,10 @@ if __name__ == '__main__': table.export = args.export table.do_action() - +for service in api_client.list("services/regen/"): + if service['hostname'] == client_hostname and \ + service['service_name'] == 'firewall' and \ + service['need_regen']: + notif_end_adhesion(api_client) + api_client.patch(service['api_url'], data={'need_regen': False}) From 3f5eeca68ed978ea98010c2281780a8b506e849e Mon Sep 17 00:00:00 2001 From: Charlie Jacomme Date: Thu, 9 Aug 2018 15:21:43 +0200 Subject: [PATCH 3/6] bug fixes --- main.py | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/main.py b/main.py index 2b533c2..425160a 100755 
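Review bot: The `--force` block inserted before `class iptables:` executes at import time, before the class statement has run, so `table=iptables()` raises NameError on any invocation carrying `--force`; scanning `sys.argv` by hand also bypasses the argparse parser under `__main__`, which would reject the undeclared `--force` option anyway. The regen loop appended after the `__main__` block is likewise at module level, so the API is queried on every import of main.py, and it calls `notif_end_adhesion`, which nothing in this patch defines or imports for this file — verify it is actually in scope. Both pieces belong under `if __name__ == '__main__':` after `args = parser.parse_args()`, with the option registered as `parser.add_argument("--force", help="Force l'action", action="store_true")` and the regen branch driving the same `iptables` run as the `action` argument.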
--- a/main.py +++ b/main.py @@ -16,9 +16,12 @@ import argparse import firewall_config import sys +import os + +path =(os.path.dirname(os.path.abspath(__file__))) config = ConfigParser() -config.read('config.ini') +config.read(path+'/config.ini') api_hostname = config.get('Re2o', 'hostname') api_password = config.get('Re2o', 'password') @@ -28,11 +31,6 @@ api_client = Re2oAPIClient(api_hostname, api_username, api_password) client_hostname = socket.gethostname().split('.', 1)[0] -for arg in sys.argv: - if arg=="--force": - table=iptables() - table.action="restart" - table.do_action() class iptables: def __init__(self): @@ -625,13 +623,7 @@ class iptables: """Retire la mac de la blacklist""" self.atomic_del("filter", subtable, """-m mac --mac-source %s -j REJECT""" % mac, mode=mode) - -if __name__ == '__main__': - parser = argparse.ArgumentParser() - parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true") - parser.add_argument("-e", "--export", help="export le contenu du parefeu", action="store_true") - parser.add_argument("action", help="Mode reconnus : start, stop ou restart") - args = parser.parse_args() +def run(args): table = iptables() if args.verbose: table.verbose = True 
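Review bot: `config.read(path+'/config.ini')` returns an empty list, without raising, when the file is missing or unreadable, so the failure only surfaces later as a `NoSectionError` from `config.get('Re2o', 'hostname')` with no hint about which path was tried. Check the return value and build the path with `os.path.join`: `config_path = os.path.join(path, 'config.ini')` / `if not config.read(config_path):` / `sys.exit("cannot read %s" % config_path)` (`sys` is already imported two lines above). The parentheses wrapping the whole `os.path.dirname(...)` expression on the `path =` line are redundant. Since this file supplies the API password read a few lines below, a short comment next to `config.read` stating the permissions config.ini is expected to have would help operators.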
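Review bot: `def run(args):` takes over the body of the old `__main__` block but gets no docstring, and that body, which continues past the end of this hunk, reads `args.verbose`, `args.export` and presumably `args.action` from the namespace, so the contract is invisible to the caller added in the next hunk. Add as its first line `"""Configure an iptables object from the parsed CLI namespace (verbose, export, action) and run the requested action."""`. The blank line removed between `atomic_del` and the new function should stay so there are two blank lines between the class and `run`.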
@@ -639,10 +631,22 @@ if __name__ == '__main__': table.export = args.export table.do_action() -for service in api_client.list("services/regen/"): - if service['hostname'] == client_hostname and \ - service['service_name'] == 'firewall' and \ - service['need_regen']: - notif_end_adhesion(api_client) - api_client.patch(service['api_url'], data={'need_regen': False}) + +if __name__ == '__main__': + parser = argparse.ArgumentParser() + parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true") + parser.add_argument("-e", "--export", help="export le contenu du parefeu", action="store_true") + parser.add_argument("action", help="Mode reconnus : start, stop ou restart", default="restart") + args = parser.parse_args() + + for arg in sys.argv: + if arg=="--force": + run(args) + + for service in api_client.list("services/regen/"): + if service['hostname'] == client_hostname and \ + service['service_name'] == 'firewall' and \ + service['need_regen']: + run(args) + api_client.patch(service['api_url'], data={'need_regen': False}) From f1ea7f354ddc2ea06598ed7f9c0d1c1b076bfa61 Mon Sep 17 00:00:00 2001 From: Charlie Jacomme Date: Thu, 9 Aug 2018 15:22:24 +0200 Subject: [PATCH 4/6] no tls on adm --- main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.py b/main.py index 425160a..9c1b612 100755 --- a/main.py +++ b/main.py @@ -27,7 +27,7 @@ api_hostname = config.get('Re2o', 'hostname') api_password = config.get('Re2o', 'password') api_username = config.get('Re2o', 'username') -api_client = Re2oAPIClient(api_hostname, api_username, api_password) +api_client = Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False) client_hostname = socket.gethostname().split('.', 1)[0] From b03a49d5d3664c35a81b5b3a24f6a6a4fdd1f3f8 Mon Sep 17 00:00:00 2001 From: Charlie Jacomme Date: Thu, 9 Aug 2018 18:13:46 +0200 Subject: [PATCH 5/6] force option --- main.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
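Review bot: The `for arg in sys.argv: if arg=="--force": run(args)` loop can never fire, because `--force` is not declared on the parser and `parser.parse_args()` two lines above exits with "unrecognized arguments" before the loop is reached. The `default="restart"` on the positional `action` is also inert, since a positional without `nargs="?"` is always required. Declare the option instead: `parser.add_argument("--force", help="Force l'action", action="store_true")` and test `if args.force: run(args)`. Note that a forced run followed by a matching regen entry calls `run(args)` twice in one invocation; if that is not intended, skip the regen loop after a forced run.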
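Review bot: `use_tls=False` hard-codes plaintext transport for a client that authenticates with `api_password` read from config.ini, so on every run the credentials and the `need_regen` PATCH traverse the network unencrypted; the commit title suggests this host reaches the API over the admin network, but nothing in the code records that assumption. Make it a configuration choice with a safe default and document it: `api_client = Re2oAPIClient(api_hostname, api_username, api_password, use_tls=config.getboolean('Re2o', 'use_tls', fallback=True))` (the `fallback=` keyword needs Python 3's configparser) with a comment such as `# set use_tls = false in config.ini only where the API is reached over the adm network`. This keeps the behaviour for this host while making any other deployment opt in to plaintext explicitly.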
diff --git a/main.py b/main.py index 9c1b612..f5835fd 100755 --- a/main.py +++ b/main.py @@ -636,12 +636,12 @@ if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true") parser.add_argument("-e", "--export", help="export le contenu du parefeu", action="store_true") - parser.add_argument("action", help="Mode reconnus : start, stop ou restart", default="restart") + parser.add_argument("action", help="Mode reconnus : start, stop ou restart", default="restart", nargs="?") + parser.add_argument("--force", help="Force l'action", action="store_true") args = parser.parse_args() - for arg in sys.argv: - if arg=="--force": - run(args) + if args.force: + run(args) for service in api_client.list("services/regen/"): if service['hostname'] == client_hostname and \ From 9adb949793880d02ad7c31c770147659ec801ae1 Mon Sep 17 00:00:00 2001 From: Gabriel Detraz Date: Sat, 25 Aug 2018 18:31:32 +0200 Subject: [PATCH 6/6] Adaptation des fonctions pour portail captif accueil --- main.py | 35 +++++++++++++++-------------------- 1 file changed, 15 insertions(+), 20 deletions(-) diff --git a/main.py b/main.py index f5835fd..fc004be 100755 --- a/main.py +++ b/main.py @@ -48,6 +48,7 @@ class iptables: self.role = getattr(firewall_config, 'role', None) self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None) self.nat_settings = getattr(firewall_config, 'nat', None) + self.portail_settings = getattr(firewall_config, 'portail', None) def commit(self, chain): self.add(chain, "COMMIT\n") 
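Review bot: With `nargs="?"` the `action` positional now accepts any string (or none), but nothing on the parser enforces the `start`/`stop`/`restart` set that the help text documents, so a typo is only discovered inside `do_action`. Add `choices=["start", "stop", "restart"]` to that `add_argument` call so argparse rejects other values up front; if `do_action` accepts more modes than the help lists, extend the list rather than drop it. `if args.force: run(args)` is still followed by the regen loop, which calls `run(args)` again for a matching service in the same invocation; a forced run should presumably skip that second pass.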
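Review bot: `self.portail_settings = getattr(firewall_config, 'portail', None)` defaults to `None`, yet the portal methods in this commit index it unconditionally (`self.portail_settings['autorized_hosts']`), so a firewall_config without a `portail` entry now fails with a bare `TypeError` instead of a clear message. Either keep the default and guard the three portal methods, or, if the portal rules are mandatory for this role, fail at construction: `if self.portail_settings is None: raise ValueError("firewall_config.portail is required for the captive portal rules")`. A one-line comment describing the expected shape, as the loops imply it (`{'autorized_hosts': {proto: {ip: [ports]}}, 'ip_redirect': {src_range: {proto: {dest_ip: [ports]}}}}`), would help since that structure is documented nowhere else. `__init__` begins outside this hunk.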
@@ -333,29 +334,25 @@ class iptables: self.init_filter(subtable, decision="-") self.jump_all_trafic("filter", "FORWARD", subtable, mode='4') - for ip in self.config.accueil_route.keys(): - if 'tcp' in self.config.accueil_route[ip]: - self.add_in_subtable("filter4", subtable, """-p tcp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['tcp']))) - if 'udp' in self.config.accueil_route[ip]: - self.add_in_subtable("filter4", subtable, """-p udp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['udp']))) + for protocol in self.portail_settings['autorized_hosts']: + for ip, ports in self.portail_settings['autorized_hosts'][protocol].items(): + self.add_in_subtable("filter4", subtable, """-p %s -d %s -m multiport --dports %s -j ACCEPT""" % (protocol, ip, ','.join(ports))) self.add_in_subtable("filter4", subtable, """-j REJECT""") def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"): - """Nat les connexions derrière l'ip de la machine du portail""" + """Redirige les connexion 80 et 443 vers l'ip cible""" self.init_nat(subtable, decision="-") for interface in self.interfaces_settings['routable']: self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4') - for ip in self.config.accueil_route.keys(): - if 'tcp' in self.config.accueil_route[ip]: - self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['tcp']))) - if 'udp' in self.config.accueil_route[ip]: - self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['udp']))) - self.add_in_subtable("nat4", subtable, """-p udp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' :self.config_firewall.portail['accueil']}) - self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' : 
self.config_firewall.portail['accueil']}) - self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']}) - self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['isolement']}) + for protocol in self.portail_settings['autorized_hosts']: + for ip, ports in self.portail_settings['autorized_hosts'][protocol].items(): + self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j RETURN""" % (protocol, ip, ','.join(ports))) + for ip_range, destination in self.portail_settings['ip_redirect'].items(): + for protocol, ip in destination.items(): + for ip_dest, ports in ip.items(): + self.add_in_subtable("nat4", subtable, """-p %s -s %s -m multiport --dports %s -j DNAT --to %s""" % (protocol, ip_range, ','.join(ports), ip_dest)) def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"): """Nat les connexions derrière l'ip de la machine du portail""" 
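Review bot: The new docstring `"""Redirige les connexion 80 et 443 vers l'ip cible"""` no longer matches the code, which DNATs whatever `ip_redirect` lists for any protocol and port set, so it should read `"""Redirect the traffic listed in portail['ip_redirect'] to its target ip."""`. In the redirect loop the middle variable `ip` holds a dict of destinations, not an address; `for protocol, targets in destination.items(): for ip_dest, ports in targets.items():` reads correctly. The same `autorized_hosts` double loop appears twice in this hunk and again in the `PORTAIL-CAPTIF-NAT` hunk below; a generator `def _portail_hosts(self): for protocol, hosts in self.portail_settings['autorized_hosts'].items(): for ip, ports in hosts.items(): yield protocol, ip, ','.join(ports)` would remove the duplication. That helper is also the place to validate once that each `ports` entry is a non-empty list of strings, since `','.join([])` produces `--dports ` with no value and iptables-restore rejects the whole table.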
@@ -363,11 +360,9 @@ class iptables: for interface in self.interfaces_settings['sortie']: self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4') - for ip in self.config.accueil_route.keys(): - if 'tcp' in self.config.accueil_route[ip]: - self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['tcp']))) - if 'udp' in self.config.accueil_route[ip]: - self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['udp']))) + for protocol in self.portail_settings['autorized_hosts']: + for ip, ports in self.portail_settings['autorized_hosts'][protocol].items(): + self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j MASQUERADE""" % (protocol, ip, ','.join(ports))) def accept_established(self, subtable='ESTABLISHED-CONN'): """Accepte les connexions déjà établies"""