Commit 239a8dc5 authored by Pierre-Elliott Bécue's avatar Pierre-Elliott Bécue

Ne loggue que les paquets autorisés à passer.

parent d6e7a5ac
......@@ -75,11 +75,11 @@ class firewall(base.firewall_routeur):
super(self.__class__, self).mangle_table()
chain = 'PREROUTING'
self.add(table, chain, '-j %s' % self.log_all(table))
self.add(table, chain, '-j %s' % self.connexion_secours(table))
self.add(table, chain, '-p tcp -j CONNMARK --restore-mark')
chain = 'POSTROUTING'
self.add(table, chain, '-j %s' % self.log_all(table))
self.add(table, chain, '-j %s' % self.clamp_mss(table))
self.add(table,chain, '-j %s' % self.limitation_debit(table, run_tc=True))
self.add(table, chain, '-j %s' % self.blacklist_upload(table, fill_ipset=True))
......@@ -209,7 +209,7 @@ class firewall(base.firewall_routeur):
if table == 'mangle':
pretty_print(table, chain)
for device in dev.values():
self.add(table, chain, '-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % device)
self.add(table, chain, '-o %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % device)
print OK
if apply:
......
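Review bot: With the LOG rule in the second hunk now matching `-o %s` in mangle POSTROUTING, new connections addressed to the router itself are no longer recorded, because locally delivered packets go through INPUT and never reach POSTROUTING; connections the router originates are now logged instead. The same holds for the three `ip6tables.mangle.postrouting` rules in `main_router`. If inbound connections to the router should stay in the audit trail, an equivalent LOG rule on the INPUT path would be needed; whether that is wanted is a policy decision not visible here. In the first hunk the `log_all` jump also sits ahead of `limitation_debit` and `blacklist_upload`; if either chain can drop packets (not visible here), moving `self.add(table, chain, '-j %s' % self.log_all(table))` to the end of the POSTROUTING list would match the commit's stated intent. Both enclosing methods start and end outside the hunks.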
......@@ -131,9 +131,9 @@ def main_router():
ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_wifi)
ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_crans)
ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_crans)
ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_wifi)
ip6tables.mangle.prerouting('-i %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_ip6 )
ip6tables.mangle.postrouting('-o %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_crans)
ip6tables.mangle.postrouting('-o %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_wifi)
ip6tables.mangle.postrouting('-o %s -m state --state NEW -j LOG --log-prefix "LOG_ALL "' % dev_ip6 )
# On force le /32 de google à passer en ipv4 pour tester si ça soulage le tunnel ipv6
ip6tables.filter.forward('-o %s -p tcp -d 2a00:1450:4006::/32 -j REJECT --reject-with icmp6-addr-unreachable' % dev_ip6)
......
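Review bot: Flows rejected in filter FORWARD, such as those hitting the `2a00:1450:4006::/32` REJECT just below the new rules, now leave no LOG_ALL entry, since they never reach POSTROUTING. That matches the commit message, but it removes visibility of denied attempts; if those matter for detection, a separate LOG rule with a distinct prefix ahead of the REJECT would keep them apart from LOG_ALL. A short comment above the three `postrouting` lines would record why this hook was chosen, e.g. `# Log in POSTROUTING so that only connections accepted by the filter table are recorded`. `main_router` starts and ends outside this hunk.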