Adaptation des fonctions pour portail captif accueil

force option
no tls on adm
2018-08-25 18:31:53 +02:00 · 2018-08-09 18:13:46 +02:00 · 2018-08-09 15:22:24 +02:00 · 2018-08-09 15:21:43 +02:00 · 2018-08-08 20:20:00 +02:00 · 2018-08-06 20:29:16 +02:00
2 changed files with 41 additions and 31 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -1,3 +1,3 @@
 [submodule "re2oapi"]
 	path = re2oapi
-	url = https://gitlab.federez.net/re2o/re2oapi.git
+	url = https://gitlab.crans.org/nounous/re2o-re2oapi.git
--- a/main.py
+++ b/main.py
@ -15,19 +15,23 @@ import argparse
 import firewall_config
 import sys
 import os
 path =(os.path.dirname(os.path.abspath(__file__)))
 config = ConfigParser()
-config.read('config.ini')
+config.read(path+'/config.ini')
 api_hostname = config.get('Re2o', 'hostname')
 api_password = config.get('Re2o', 'password')
 api_username = config.get('Re2o', 'username')
-api_client = Re2oAPIClient(api_hostname, api_username, api_password)
+api_client = Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)
 client_hostname = socket.gethostname().split('.', 1)[0]
 class iptables:
    def __init__(self):
        self.nat4 = "\n*nat"
@ -44,6 +48,7 @@ class iptables:
        self.role = getattr(firewall_config, 'role', None)
        self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
        self.nat_settings = getattr(firewall_config, 'nat', None)
        self.portail_settings = getattr(firewall_config, 'portail', None)
    def commit(self, chain):
        self.add(chain, "COMMIT\n")
@ -329,29 +334,25 @@ class iptables:
        self.init_filter(subtable, decision="-")
        self.jump_all_trafic("filter", "FORWARD", subtable, mode='4')
-        for ip in self.config.accueil_route.keys():
+        for protocol in self.portail_settings['autorized_hosts']:
-            if 'tcp' in self.config.accueil_route[ip]:
+            for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
-                self.add_in_subtable("filter4", subtable, """-p tcp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
+                self.add_in_subtable("filter4", subtable, """-p %s -d %s -m multiport --dports %s -j ACCEPT""" % (protocol, ip, ','.join(ports)))
            if 'udp' in self.config.accueil_route[ip]:
                self.add_in_subtable("filter4", subtable, """-p udp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
        self.add_in_subtable("filter4", subtable, """-j REJECT""")
    def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
-        """Nat les connexions derrière l'ip de la machine du portail"""
+        """Redirige les connexion 80 et 443 vers l'ip cible"""
        self.init_nat(subtable, decision="-")
        for interface in self.interfaces_settings['routable']:
            self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
-        for ip in self.config.accueil_route.keys():
+        for protocol in self.portail_settings['autorized_hosts']:
-            if 'tcp' in self.config.accueil_route[ip]:
+            for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
-                self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
+                self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j RETURN""" % (protocol, ip, ','.join(ports)))
-            if 'udp' in self.config.accueil_route[ip]:
+        for ip_range, destination in self.portail_settings['ip_redirect'].items():
-                self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
+            for protocol, ip in destination.items():
-        self.add_in_subtable("nat4", subtable, """-p udp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' :self.config_firewall.portail['accueil']})
+                for ip_dest, ports in ip.items():
-        self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']})
+                    self.add_in_subtable("nat4", subtable, """-p %s -s %s -m multiport --dports %s -j DNAT --to %s""" % (protocol, ip_range, ','.join(ports), ip_dest))
        self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']})
        self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['isolement']})
    def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
        """Nat les connexions derrière l'ip de la machine du portail"""
@ -359,11 +360,9 @@ class iptables:
        for interface in self.interfaces_settings['sortie']:
            self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
-        for ip in self.config.accueil_route.keys():
+        for protocol in self.portail_settings['autorized_hosts']:
-            if 'tcp' in self.config.accueil_route[ip]:
+            for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
-                self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
+                self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j MASQUERADE""" % (protocol, ip, ','.join(ports)))
            if 'udp' in self.config.accueil_route[ip]:
                self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
    def accept_established(self, subtable='ESTABLISHED-CONN'):
        """Accepte les connexions déjà établies"""
@ -619,13 +618,7 @@ class iptables:
        """Retire la mac de la blacklist"""
        self.atomic_del("filter", subtable, """-m mac --mac-source %s -j REJECT""" % mac, mode=mode)
-
+def run(args):
 if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true")
    parser.add_argument("-e", "--export", help="export le contenu du parefeu", action="store_true")
    parser.add_argument("action", help="Mode reconnus : start, stop ou restart")
    args = parser.parse_args()
    table = iptables()
    if args.verbose:
        table.verbose = True
@ -634,4 +627,21 @@ if __name__ == '__main__':
    table.do_action()
 if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true")
    parser.add_argument("-e", "--export", help="export le contenu du parefeu", action="store_true")
    parser.add_argument("action", help="Mode reconnus : start, stop ou restart", default="restart", nargs="?")
    parser.add_argument("--force", help="Force l'action", action="store_true")
    args = parser.parse_args()
    if args.force:
        run(args)
    for service in api_client.list("services/regen/"):
        if service['hostname'] == client_hostname and \
            service['service_name'] == 'firewall' and \
            service['need_regen']:
            run(args)
            api_client.patch(service['api_url'], data={'need_regen': False})
Author	SHA1	Message	Date
Gabriel Detraz	9adb949793	Adaptation des fonctions pour portail captif accueil	2018-08-25 18:31:53 +02:00
Charlie Jacomme	b03a49d5d3	force option	2018-08-09 18:13:46 +02:00
Charlie Jacomme	f1ea7f354d	no tls on adm	2018-08-09 15:22:24 +02:00
Charlie Jacomme	3f5eeca68e	bug fixes	2018-08-09 15:21:43 +02:00
grisel-davy	3ecb33fda4	ajout du force et interface avec les regen services	2018-08-08 20:20:00 +02:00
Charlie Jacomme	2aa28c0b19	sub module on crans git	2018-08-06 20:29:16 +02:00