re2o/firewall
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

merge into: re2o:master
Branches Tags
re2o:master
re2o:crans
...
pull from: re2o:crans
Branches Tags
re2o:crans
re2o:master
Sign in to create a new pull request.

6 commits
master ... crans

Author SHA1 Message Date
Gabriel Detraz
9adb949793 Adaptation des fonctions pour portail captif accueil 2018-08-25 18:31:53 +02:00
Charlie Jacomme
b03a49d5d3 force option 2018-08-09 18:13:46 +02:00
Charlie Jacomme
f1ea7f354d no tls on adm 2018-08-09 15:22:24 +02:00
Charlie Jacomme
3f5eeca68e bug fixes 2018-08-09 15:21:43 +02:00
grisel-davy
3ecb33fda4 ajout du force et interface avec les regen services 2018-08-08 20:20:00 +02:00
Charlie Jacomme
2aa28c0b19 sub module on crans git 2018-08-06 20:29:16 +02:00
2 changed files with 41 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.gitmodules vendored
View file

@ -1,3 +1,3 @@
[submodule "re2oapi"]
path = re2oapi
url = https://gitlab.federez.net/re2o/re2oapi.git
url = https://gitlab.crans.org/nounous/re2o-re2oapi.git

70
main.py
View file

@ -15,19 +15,23 @@ import argparse
import firewall_config
import sys
import os
path =(os.path.dirname(os.path.abspath(__file__)))
config = ConfigParser()
config.read('config.ini')
config.read(path+'/config.ini')
api_hostname = config.get('Re2o', 'hostname')
api_password = config.get('Re2o', 'password')
api_username = config.get('Re2o', 'username')
api_client = Re2oAPIClient(api_hostname, api_username, api_password)
api_client = Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)
client_hostname = socket.gethostname().split('.', 1)[0]
class iptables:
def __init__(self):
self.nat4 = "\n*nat"
@ -44,6 +48,7 @@ class iptables:
self.role = getattr(firewall_config, 'role', None)
self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
self.nat_settings = getattr(firewall_config, 'nat', None)
self.portail_settings = getattr(firewall_config, 'portail', None)
def commit(self, chain):
self.add(chain, "COMMIT\n")
@ -329,29 +334,25 @@ class iptables:
self.init_filter(subtable, decision="-")
self.jump_all_trafic("filter", "FORWARD", subtable, mode='4')
for ip in self.config.accueil_route.keys():
if 'tcp' in self.config.accueil_route[ip]:
self.add_in_subtable("filter4", subtable, """-p tcp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
if 'udp' in self.config.accueil_route[ip]:
self.add_in_subtable("filter4", subtable, """-p udp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
for protocol in self.portail_settings['autorized_hosts']:
for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
self.add_in_subtable("filter4", subtable, """-p %s -d %s -m multiport --dports %s -j ACCEPT""" % (protocol, ip, ','.join(ports)))
self.add_in_subtable("filter4", subtable, """-j REJECT""")
def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
"""Nat les connexions derrière l'ip de la machine du portail"""
"""Redirige les connexion 80 et 443 vers l'ip cible"""
self.init_nat(subtable, decision="-")
for interface in self.interfaces_settings['routable']:
self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
for ip in self.config.accueil_route.keys():
if 'tcp' in self.config.accueil_route[ip]:
self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
if 'udp' in self.config.accueil_route[ip]:
self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
self.add_in_subtable("nat4", subtable, """-p udp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' :self.config_firewall.portail['accueil']})
self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']})
self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']})
self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['isolement']})
for protocol in self.portail_settings['autorized_hosts']:
for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j RETURN""" % (protocol, ip, ','.join(ports)))
for ip_range, destination in self.portail_settings['ip_redirect'].items():
for protocol, ip in destination.items():
for ip_dest, ports in ip.items():
self.add_in_subtable("nat4", subtable, """-p %s -s %s -m multiport --dports %s -j DNAT --to %s""" % (protocol, ip_range, ','.join(ports), ip_dest))
def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
"""Nat les connexions derrière l'ip de la machine du portail"""
@ -359,11 +360,9 @@ class iptables:
for interface in self.interfaces_settings['sortie']:
self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
for ip in self.config.accueil_route.keys():
if 'tcp' in self.config.accueil_route[ip]:
self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
if 'udp' in self.config.accueil_route[ip]:
self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
for protocol in self.portail_settings['autorized_hosts']:
for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j MASQUERADE""" % (protocol, ip, ','.join(ports)))
def accept_established(self, subtable='ESTABLISHED-CONN'):
"""Accepte les connexions déjà établies"""
@ -619,13 +618,7 @@ class iptables:
"""Retire la mac de la blacklist"""
self.atomic_del("filter", subtable, """-m mac --mac-source %s -j REJECT""" % mac, mode=mode)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true")
parser.add_argument("-e", "--export", help="export le contenu du parefeu", action="store_true")
parser.add_argument("action", help="Mode reconnus : start, stop ou restart")
args = parser.parse_args()
def run(args):
table = iptables()
if args.verbose:
table.verbose = True
@ -634,4 +627,21 @@ if __name__ == '__main__':
table.do_action()
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true")
parser.add_argument("-e", "--export", help="export le contenu du parefeu", action="store_true")
parser.add_argument("action", help="Mode reconnus : start, stop ou restart", default="restart", nargs="?")
parser.add_argument("--force", help="Force l'action", action="store_true")
args = parser.parse_args()
if args.force:
run(args)
for service in api_client.list("services/regen/"):
if service['hostname'] == client_hostname and \
service['service_name'] == 'firewall' and \
service['need_regen']:
run(args)
api_client.patch(service['api_url'], data={'need_regen': False})