Commit d1bee435 authored by Gabriel Detraz's avatar Gabriel Detraz

Filtrage sur appartement

parent 086f91f2
......@@ -109,7 +109,7 @@ def basic_fw():
ip6tables.filter.ieui64('! -s %s -j RETURN' % net)
# Correspondance MAC-IP
mac_ip(ip6tables, machines, ['fil', 'adherents-v6', 'adm', 'wifi', 'wifi-adh-v6', 'serveurs'])
mac_ip(ip6tables, machines, ['fil', 'adherents-v6', 'adm', 'wifi', 'wifi-adh-v6', 'serveurs', 'personnel-ens'])
def main_router():
......@@ -127,6 +127,7 @@ def main_router():
dev_wifi = iface6('wifi')
dev_ip6 = iface6('he-ipv6')
dev_federez = iface6('federez')
dev_personnel = iface6('personnel-ens')
ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_ip6)
ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_wifi)
......@@ -152,6 +153,7 @@ def main_router():
blacklist(ip6tables)
ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_crans)
ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_wifi)
ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_personnel)
ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6)
#tracker_torrent(ip6tables)
......@@ -169,11 +171,12 @@ def main_router():
ip6tables.filter.forward('-j INGRESS_FILTERING')
# Pour les autres connections
for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6'] if not 'v6' in i]:
for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6', 'personnel-ens'] if not 'v6' in i]:
ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' +
type_m.upper()))
type_m.replace('-','').upper()))
ip6tables.filter.forward('-i %s -j MAC' % dev_crans)
ip6tables.filter.forward('-i %s -j MAC' % dev_wifi)
ip6tables.filter.forward('-i %s -j MAC' % dev_personnel)
# Rien ne passe vers adm
# est ce que du local est gêné par le règle ?
......@@ -183,7 +186,7 @@ def main_router():
ip6tables.filter.forward('-m rt --rt-type 0 -j REJECT')
# Ouverture des ports
ports(dev_ip6, [dev_crans, dev_wifi, dev_federez])
ports(dev_ip6, [dev_crans, dev_wifi, dev_federez, dev_personnel])
# On met en place le forwarding
enable_forwarding(6)
......@@ -210,7 +213,7 @@ def routeur_nat64():
ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
# Pour les autres connections
for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6'] if not 'v6' in i]:
for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6', 'personnel'] if not 'v6' in i]:
ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' +
type_m.upper()))
ip6tables.filter.forward('-i %s -j MAC' % dev_crans)
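Review bot: The routeur_nat64 hunk (@@ -210) adds 'personnel' to the type list where basic_fw and main_router use 'personnel-ens', and it keeps `type_m.upper()` where main_router switched to `type_m.replace('-','').upper()`; if prefix is keyed by 'personnel-ens' as the main_router hunk implies, `prefix['personnel']` raises KeyError while the NAT64 rules are built, and even with a matching key the jump target would be MACPERSONNEL rather than the macpersonnelens chain this commit adds to Table. Suggest `for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6', 'personnel-ens'] if not 'v6' in i]:` and `type_m.replace('-','').upper()))` there as well. Since the same expression is now written in main_router, routeur_nat64 and mac_ip, one helper such as `def mac_chain(type_m): return 'MAC' + type_m.replace('-', '').upper()` would keep the three from drifting again, which matters here because a mismatched chain name means the source-prefix/MAC check is silently not applied to that segment. main_router and routeur_nat64 both continue outside the hunks, so whether routeur_nat64 also needs a `-j MAC` forward rule for a dev_personnel interface cannot be told from this page.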
......
......@@ -93,6 +93,7 @@ class Table(object):
self.macserveurs = Chain()
self.macadherentsv6 = Chain()
self.macwifiadhv6 = Chain()
self.macpersonnelens = Chain()
self.extadherentsv6 = Chain()
self.extwifiadhv6 = Chain()
self.cransadherentsv6 = Chain()
......@@ -817,7 +818,7 @@ def mac_ip(ipt, machines, types_machines):
try:
dev = iface6(type_m)
ipt.filter.input('-i %s -s %s -j %s' % (dev, prefix[type_m][0],
'MAC' + type_m.upper()))
'MAC' + type_m.replace('-','').upper()))
ipt.filter.input('-i %s -j IEUI64' % dev)
except NoIface as e:
sys.stderr.write("NoIface: %s" % e)
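Review bot: The new attribute `self.macpersonnelens = Chain()` in Table and the jump target `'MAC' + type_m.replace('-','').upper()` in mac_ip now encode the same type-to-chain mapping in two places with nothing documenting it; a reader of Table cannot tell that attribute names are derived by stripping hyphens from the machine type, and a new hyphenated type added to one side but not the other would produce a rule that jumps to a chain that does not exist. Suggest a comment beside the new attribute, `# chain attribute = 'mac' + machine type with '-' removed, e.g. 'personnel-ens' -> macpersonnelens (must match mac_ip)`, or a shared helper that returns the chain name for a type. Table's __init__ and mac_ip both extend beyond the hunks, so how the `'MAC…'` jump string is resolved to the attribute is presumably handled elsewhere in Table; verify that lookup uses the same hyphen-stripped form.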
......