Commit 39c84f0e authored by Hamza Dely's avatar Hamza Dely

[IPv6] Changement du préfixe utilisé en production

parent fd969432
......@@ -11,6 +11,6 @@ NAS_NAME=atree.wifi.crans.org
#SERVER=127.0.0.1
SERVER=pea.v6.wifi.crans.org
SERVER=138.231.136.35
SERVER=[2a01:240:fe3d:c04:0:70ff:fe65:6103]
SERVER=[2a06:e042:100:c04:0:70ff:fe65:6103]
SERVER=localhost
radtest -t mschap -x -4 $MAC $PASSWORD $SERVER 18 $SECRET $SECRET $NAS_NAME
......@@ -334,7 +334,7 @@ mac_titanic = 'aa:73:65:63:6f:76'
routeurs_du_crans = {
'routeur_main' : 'odlyd',
'routeur_secondary' : 'sable',
}
}
#: Serveur principal de bcfg2
bcfg2_main = "bcfg2.adm.crans.org"
......@@ -550,58 +550,58 @@ ipv6_machines_speciales = {
# Les préfixes ipv6 publics
prefix = {
'subnet' : [
'2a01:240:fe3d::/48',
'2a06:e042:100::/40',
],
'serveurs' : [
'2a01:240:fe3d:4::/64',
'2a06:e042:100:4::/64',
],
'adherents' : [
'2a01:240:fe3d:4::/64',
'2a06:e042:100:4::/64',
],
'fil' : [
'2a01:240:fe3d:4::/64',
'2a06:e042:100:4::/64',
],
'adm' : [
'2a01:240:fe3d:c804::/64',
'2a06:e042:100:c804::/64',
],
'adm-v6' : [
'2a01:240:fe3d:c804::/64',
'2a06:e042:100:c804::/64',
],
'switches' :[
'fd01:240:fe3d:c804::/64',
],
'wifi' : [
'2a01:240:fe3d:c04::/64',
'2a06:e042:100:c04::/64',
],
'serveurs-v6' : [
'2a01:240:fe3d:c04::/64',
'2a06:e042:100:c04::/64',
],
'adherents-v6' : [
'2a01:240:fe3d:4::/64',
'2a06:e042:100:4::/64',
],
'wifi-adh-v6' : [
'2a01:240:fe3d:c04::/64',
'2a06:e042:100:c04::/64',
],
'personnel-ens' : [
'2a01:240:fe3d:4::/64',
'2a06:e042:100:4::/64',
],
'federez' : [
'2a01:240:fe3d:8::/64',
'2a06:e042:100:8::/64',
],
'sixxs2' : [
'2a01:240:fe00:68::/64',
'he-ipv6' : [
'2001:470:11:40::/64',
],
'evenementiel' : [
'2a01:240:fe3d:d2::/64',
'2a06:e042:100:d2::/64',
],
'bornes' : [
'2a01:240:fe3d:c04::/64',
'2a06:e042:100:c04::/64',
],
'wifi-adh' : [
'2a01:240:fe3d:c04::/64',
'2a06:e042:100:c04::/64',
],
'wifi-serveurs' : [
'2a01:240:fe3d:c04::/64',
'2a06:e042:100:c04::/64',
],
'v6only' : [
'2001:470:c8b9:a4::/64',
......
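Review bot: The 'subnet' entry in the prefix hunk changes its mask as well as its prefix, from `/48` to `/40`, while every other entry keeps a `/64`. Elsewhere in this commit `is_crans` tests membership against `prefix['subnet'][0]`, and `ingress_filtering` appears to build its source filter from the same value, so the range treated as internal becomes 256 times larger. If the whole /40 is allocated to the association this is correct, but it deserves a comment next to the entry, for example `# /40 = full allocation; consumed by is_crans and the egress source filter`. The prefix dict continues past the end of the hunk.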
......@@ -125,7 +125,7 @@ def main_router():
dev_crans = iface6('fil')
dev_wifi = iface6('wifi')
dev_ip6 = iface6('sixxs2')
dev_ip6 = iface6('he-ipv6')
ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_ip6)
ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_wifi)
......@@ -139,8 +139,8 @@ def main_router():
ip6tables.filter.forward('-o %s -p tcp -d 2a00:1450:4006::/32 -j REJECT --reject-with icmp6-addr-unreachable' % dev_ip6)
# Ipv6 sur évènementiel, on ne laisse sortir que si ça vient de la mac d'ytrap-llatsni
ip6tables.filter.forward('-o %s -d 2a01:240:fe3d:d2::/64 -j ACCEPT' % dev_crans)
ip6tables.filter.forward('-o %s -m mac --mac-source 00:00:6c:69:69:01 -s 2a01:240:fe3d:d2::/64 -j ACCEPT' % dev_ip6)
ip6tables.filter.forward('-o %s -d 2a06:e042:100:d2::/64 -j ACCEPT' % dev_crans)
ip6tables.filter.forward('-o %s -m mac --mac-source 00:00:6c:69:69:01 -s 2a06:e042:100:d2::/64 -j ACCEPT' % dev_ip6)
# Les blacklistes
# Si on les met après la règle conntrack, une connexion existante ne sera
......
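Review bot: The two évènementiel rules in the second main_router hunk still carry the prefix as a string literal (`2a06:e042:100:d2::/64`), although the same value is defined as `prefix['evenementiel']` in the config hunk of this commit. A renumbering therefore has to be repeated by hand in every file, and a missed literal leaves a filter rule matching the old prefix. Assuming the prefix dict is importable in this module, build the rule from it: `ip6tables.filter.forward('-o %s -d %s -j ACCEPT' % (dev_crans, prefix['evenementiel'][0]))`, and likewise for the `--mac-source` rule. The same applies to the titanic address literal in is_crans and to the two FORWARD rules in the shell firewall script, where a variable at the top of the script would serve. main_router's body continues outside the hunk.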
......@@ -215,7 +215,7 @@ class Update(object):
if ip_proto == 4:
dev_ext = iface('ens')
elif ip_proto == 6:
dev_ext = iface6('sixxs2')
dev_ext = iface6('he-ipv6')
net = ""
for r in rids:
if not r:
......@@ -853,7 +853,7 @@ def ingress_filtering(ipt):
''' Réalise un filtre sur les plages d'IP susceptibles d'être routées '''
ip_proto = ipt.version()
if ip_proto == 6:
dev_ext = iface6('sixxs2')
dev_ext = iface6('he-ipv6')
# d'abord sur l'interface sur le réseau Cr@ns, on ne route que les
# paquet dans le bon subnet.
ipt.filter.ingress_filtering('-o %s -s %s -j RETURN' % (dev_ext,
......
......@@ -145,7 +145,7 @@ def is_crans(ip):
"""
# Pour titanic
ip = netaddr.IPAddress(ip)
if str(ip) in [ '138.231.136.14', '2a01:240:fe3d:4:a873:65ff:fe63:6f75']:
if str(ip) in [ '138.231.136.14', '2a06:e042:100:4:a873:65ff:fe63:6f75']:
return False
if re.match(NETs_regexp['all'], str(ip)) or ip in netaddr.IPNetwork(prefix['subnet'][0]):
return True
......
......@@ -51,8 +51,8 @@ hosts_plugins = {
"komaz": {
"coretemp": "/usr/scripts/munin/coretemp",
"machines": "machines",
"if_sixxs2": "/usr/share/munin/plugins/if_",
"if_err_sixxs2": "/usr/share/munin/plugins/if_err_",
"if_he-ipv6": "/usr/share/munin/plugins/if_",
"if_err_he-ipv6": "/usr/share/munin/plugins/if_err_",
"if_crans.2": "/usr/share/munin/plugins/if_",
"if_err_crans.2": "/usr/share/munin/plugins/if_err_",
"if_crans.3": "/usr/share/munin/plugins/if_",
......@@ -61,8 +61,8 @@ hosts_plugins = {
"if_err_crans.21": "/usr/share/munin/plugins/if_err_",
},
"odlyd": {
"if_sixxs": "/usr/share/munin/plugins/if_",
"if_err_sixxs": "/usr/share/munin/plugins/if_err_",
"if_he-ipv6": "/usr/share/munin/plugins/if_",
"if_err_he-ipv6": "/usr/share/munin/plugins/if_err_",
"if_crans.2": "/usr/share/munin/plugins/if_",
"if_err_crans.2": "/usr/share/munin/plugins/if_err_",
"if_crans.3": "/usr/share/munin/plugins/if_",
......
......@@ -43,8 +43,8 @@ ip6tables -t mangle -A PREROUTING -i eth0 -m state --state NEW -j LOG --log-pre
ip6tables -A FORWARD -p icmp -j ACCEPT
# On accept les ip crans
ip6tables -A FORWARD -i eth0 -s 2a01:240:fe3d::/56 -d 2a01:240:fe3d:d2::/64 -j ACCEPT
ip6tables -A FORWARD -i eth1 -d 2a01:240:fe3d::/56 -s 2a01:240:fe3d:d2::/64 -j ACCEPT
ip6tables -A FORWARD -i eth0 -s 2a06:e042:100::/56 -d 2a06:e042:100:d2::/64 -j ACCEPT
ip6tables -A FORWARD -i eth1 -d 2a06:e042:100::/56 -s 2a06:e042:100:d2::/64 -j ACCEPT
# On permet de contacter toutes les ips en sortie
ip6tables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# On accepte tout ce qui vient d'odlyd
......
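Review bot: The `/56` in the two rewritten FORWARD rules was carried over unchanged, and `2a06:e042:100::/56` only covers subnets `0` through `ff` of the new prefix. The comment above the rules says they accept the Crans addresses, but the wifi and adm prefixes listed in the config hunk of this commit (`2a06:e042:100:c04::/64`, `2a06:e042:100:c804::/64`) fall outside that range. If the restriction is intended, state it in the comment, e.g. `# only the first /56 of the Crans prefix; wifi (c04) and adm (c804) are not matched`; otherwise align the mask with the 'subnet' entry.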