Commit 43627558 authored by Valentin Samir's avatar Valentin Samir

[firewall4, generale, config] Un nouveau pare-feu sur zamok

parent 88954758
......@@ -14,6 +14,10 @@ dev = {
'adm' : 'crans.2',
'tun-ovh' : 'tun-ovh'
},
'zamok': {
'fil' : 'crans',
'adm' : 'crans.2'
}
}
#: Pour marquer les paquets
......
......@@ -12,8 +12,9 @@ if os.getuid() != 0:
sys.stderr.write(coul("Il faut être root pour utiliser le firewall\n", 'gras'))
sys.exit(1)
from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, mac_komaz, mac_titanic
from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, mac_komaz, mac_titanic, adm_users
import pwd
import config.firewall
import lc_ldap
import socket
......@@ -91,6 +92,12 @@ class firewall_base(object) :
print >> sys.stderr, 'Objet %s inconnu blacklisté' % a.__class__.__name__
return self._blacklisted_machines
def blacklisted_adherents(self):
if self._blacklisted_adherents:
return self._blacklisted_adherents
self._blacklisted_adherents = filter(lambda adh: adh.blacklist_actif(), self.adherents())
return self._blacklisted_adherents
def add(self, table, chain, rule):
if not chain in self.chain_list[table]:
self.chain_list[table].append(chain)
......@@ -172,6 +179,7 @@ class firewall_base(object) :
self._machines = None
self._adherents = None
self._blacklisted_machines = None
self._blacklisted_adherents = None
self.chain_list={
'raw':['OUTPUT', 'PREROUTING'],
......@@ -808,9 +816,107 @@ class firewall_komaz(firewall_base):
return chain
class firewall_zamok(firewall_base):
def __init__(self):
super(self.__class__, self).__init__()
self.reloadable.update({
'admin_vlan' : self.admin_vlan,
'blacklist_output' : self.blacklist_output,
})
self.use_ipset.extend([])
self.use_tc.extend([])
def raw_table(self):
table = 'raw'
super(self.__class__, self).raw_table()
return
def mangle_table(self):
table = 'mangle'
super(self.__class__, self).mangle_table()
return
def filter_table(self):
table = 'filter'
super(self.__class__, self).filter_table()
chain = 'OUTPUT'
self.add(table, chain , '-d 224.0.0.0/4 -j DROP')
admin_vlan_chain = self.admin_vlan(table)
for net in NETs['adm']:
self.add(table, chain, '-d %s -j %s' % (net, admin_vlan_chain))
self.add(table, chain, '-o lo -j ACCEPT')
self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT')
self.add(table, chain, '-j %s' % self.blacklist_output(table))
return
def nat_table(self):
table = 'nat'
super(self.__class__, self).raw_table()
return
def admin_vlan(self, table=None, apply=False):
chain='ADMIN-VLAN'
if table == 'filter':
for user in adm_users:
try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
except KeyError: print "Utilisateur %s inconnu" % user
# ldap et dns toujours joinable
self.add(table, chain, '-p tcp --dport ldap -j ACCEPT')
self.add(table, chain, '-p tcp --dport domain -j ACCEPT')
self.add(table, chain, '-p udp --dport domain -j ACCEPT')
# Pour le nfs (le paquet à laisser passer n'a pas d'owner)
self.add(table, chain, '-d daath.adm.crans.org -j ACCEPT')
# Rien d'autre ne passe
self.add(table, chain, '-j REJECT --reject-with icmp-net-prohibited')
if apply:
self.apply(table, chain)
return chain
def blacklist_maj(self, ips):
anim('\tMise à jour des blacklists')
self.blacklist_output('filter', apply=True)
self.blacklist_hard_maj(ips)
print OK
def blacklist_output(self, table=None, apply=False):
chain='BLACKLIST'
if table == 'filter':
self.add(table, chain, '-d 127.0.0.1/8 -j ACCEPT')
for net in NETs['all']:
self.add(table, chain, '-d %s -j ACCEPT' % net)
for adh in self.blacklisted_adherents():
if 'uidNumber' in adh.attrs.keys():
self.add(table, chain, '-m owner --uid-owner %s -j REJECT' % adh['uidNumber'][0])
if apply:
self.apply(table, chain)
return chain
if __name__ == '__main__' :
firewall = {
'komaz' : firewall_komaz,
'zamok' : firewall_zamok,
}
# Chaînes pouvant être recontruites
if hostname in firewall.keys():
......
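Review bot: `nat_table` in the new `firewall_zamok` class calls `super(self.__class__, self).raw_table()` instead of the parent's `nat_table`, so the base nat rules are never built and the raw-table rules are presumably added a second time; the fix is `super(self.__class__, self).nat_table()`. The `super(self.__class__, self)` spelling used throughout the class also recurses without end as soon as `firewall_zamok` is subclassed, so `super(firewall_zamok, self)` is the safer Python 2 form. In `filter_table`, the `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule precedes the jump to the `BLACKLIST` chain, so a user newly rejected by `blacklist_maj` keeps every connection that is already open until it closes on its own; if the blacklist is meant to take effect immediately, the `BLACKLIST` jump should come before the state rule, or established connections need to be dropped when the chain is rebuilt. The `if __name__ == '__main__'` block at the end of this hunk continues outside it.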
......@@ -42,18 +42,18 @@ class base_reconfigure:
'macip': [ 'redisdead-macip', 'zamok-macip', 'sable-macip', 'komaz-macip', 'gordon-macip',
'routeur-macip' ],
# 'droits': [ 'rouge-droits', 'ragnarok-droits' ],
'bl_carte_etudiant':['komaz-blacklist'],
'bl_chbre_invalide':['komaz-blacklist'],
'blacklist_mail_invalide':['komaz-blacklist'],
'blacklist_virus':['komaz-blacklist'],
'blacklist_warez':['komaz-blacklist'],
'blacklist_ipv6_ra':['komaz-blacklist'],
'blacklist_upload': ['komaz-blacklist', 'zamok-blacklist' ],
'blacklist_p2p': ['komaz-blacklist', 'zamok-blacklist' ],
'blacklist_autodisc_virus':['komaz-blacklist'],
'blacklist_autodisc_upload': ['komaz-blacklist', 'zamok-blacklist'],
'blacklist_autodisc_p2p': ['komaz-blacklist', 'zamok-blacklist'],
'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist', 'dns' ],
'bl_carte_etudiant': [ 'komaz-blacklist', 'zamok-blacklist' ],
'bl_chbre_invalide': [ 'komaz-blacklist', 'zamok-blacklist' ],
'blacklist_mail_invalide': [ 'komaz-blacklist', 'zamok-blacklist' ],
'blacklist_virus': [ 'komaz-blacklist', 'zamok-blacklist' ],
'blacklist_warez': [ 'komaz-blacklist', 'zamok-blacklist' ],
'blacklist_ipv6_ra': [ 'komaz-blacklist', 'zamok-blacklist' ],
'blacklist_upload': [ 'komaz-blacklist', 'zamok-blacklist' ],
'blacklist_p2p': [ 'komaz-blacklist', 'zamok-blacklist' ],
'blacklist_autodisc_virus': [ 'komaz-blacklist', 'zamok-blacklist' ],
'blacklist_autodisc_upload': [ 'komaz-blacklist', 'zamok-blacklist' ],
'blacklist_autodisc_p2p': [ 'komaz-blacklist', 'zamok-blacklist' ],
'blacklist_bloq': [ 'komaz-blacklist', 'zamok-blacklist' ],
'del_user': [ 'daath-del_user', 'owl-del_user', 'zamok-del_user' ]
}
#Y R U Aliasing !
......@@ -215,9 +215,9 @@ class zamok(base_reconfigure):
from adherents import del_user
self._do(del_user(args))
def blacklist(self):
from firewall import firewall_zamok
firewall_zamok().blacklist()
def blacklist(self, ips):
from firewall4 import firewall_zamok
firewall_zamok().blacklist_maj(ips)
class daath(base_reconfigure):
def home(self, args):
......
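Review bot: The `blacklist_bloq` entry of the dispatch table loses the `dns` target that the old line carried, and neither the commit title nor the rest of the change explains why a bloq no longer triggers a dns rebuild; if this is intended, a comment on that line such as `# dns intentionally no longer rebuilt on blacklist_bloq: <reason>` would make it deliberate, otherwise `'dns'` should be kept in the list. `zamok.blacklist` also gains a required `ips` parameter; any dispatcher still calling it without arguments would now fail with a TypeError, which cannot be confirmed from this section alone.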