diff --git a/gestion/gen_confs/firewall6.py b/gestion/gen_confs/firewall6.py
index 4a8ee1eb5d12766cb5aaa15f1a30494b6e374dc4..f8d2d46c6bbac62db42eace05ddde4b57ccb8b89 100755
--- a/gestion/gen_confs/firewall6.py
+++ b/gestion/gen_confs/firewall6.py
@@ -109,7 +109,7 @@ def basic_fw():
 ip6tables.filter.ieui64('! -s %s -j RETURN' % net)
 
 # Correspondance MAC-IP
- mac_ip(ip6tables, machines, ['fil', 'adherents-v6', 'adm', 'wifi', 'wifi-adh-v6', 'serveurs'])
+ mac_ip(ip6tables, machines, ['fil', 'adherents-v6', 'adm', 'wifi', 'wifi-adh-v6', 'serveurs', 'personnel-ens'])
 
 
 def main_router():
@@ -127,6 +127,7 @@ def main_router():
 dev_wifi = iface6('wifi')
 dev_ip6 = iface6('he-ipv6')
 dev_federez = iface6('federez')
+ dev_personnel = iface6('personnel-ens')
 
 ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_ip6)
 ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_wifi)
@@ -152,6 +153,7 @@ def main_router():
 blacklist(ip6tables)
 ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_crans)
 ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_wifi)
+ ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_personnel)
 ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6)
 
 #tracker_torrent(ip6tables)
@@ -169,11 +171,12 @@ def main_router():
 ip6tables.filter.forward('-j INGRESS_FILTERING')
 
 # Pour les autres connections
- for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6'] if not 'v6' in i]:
+ for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6', 'personnel-ens'] if not 'v6' in i]:
 ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' +
- type_m.upper()))
+ type_m.replace('-','').upper()))
 ip6tables.filter.forward('-i %s -j MAC' % dev_crans)
 ip6tables.filter.forward('-i %s -j MAC' % dev_wifi)
+ ip6tables.filter.forward('-i %s -j MAC' % dev_personnel)
 
 # Rien ne passe vers adm
 # est ce que du local est gêné par le règle ?
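Review bot: The chain-name derivation `'MAC' + type_m.replace('-','').upper()` is now spelled out by hand here in main_router and again in mac_ip in ipt.py, and the later routeur_nat64 hunk in this same commit already shows what happens when one copy is missed; a single helper would keep the firewall's MAC→IP enforcement chains in lockstep with the `Table` attributes that define them. I would add `def mac_chain(type_m): return 'MAC' + type_m.replace('-', '').upper()` next to `mac_ip` in ipt.py and call it from both places, so that adding a network type is a one-line change. While touching the loop, `if 'v6' not in i` reads better than `if not 'v6' in i`. main_router continues outside this hunk, so I could not check whether the personnel interface also needs the MSS clamp given to dev_wifi above.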
@@ -183,7 +186,7 @@ def main_router():
 ip6tables.filter.forward('-m rt --rt-type 0 -j REJECT')
 
 # Ouverture des ports
- ports(dev_ip6, [dev_crans, dev_wifi, dev_federez])
+ ports(dev_ip6, [dev_crans, dev_wifi, dev_federez, dev_personnel])
 
 # On met en place le forwarding
 enable_forwarding(6)
@@ -210,7 +213,7 @@ def routeur_nat64():
 ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
 
 # Pour les autres connections
- for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6'] if not 'v6' in i]:
+ for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6', 'personnel'] if not 'v6' in i]:
 ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' +
 type_m.upper()))
 ip6tables.filter.forward('-i %s -j MAC' % dev_crans)
diff --git a/gestion/ipt.py b/gestion/ipt.py
index c6e6f5c4e4e6b878ed6e2edbdccd9ffa93dd1b43..eee842efe4c15f484dfdfd7857dd23c6732809b7 100644
--- a/gestion/ipt.py
+++ b/gestion/ipt.py
@@ -93,6 +93,7 @@ class Table(object):
 self.macserveurs = Chain()
 self.macadherentsv6 = Chain()
 self.macwifiadhv6 = Chain()
+ self.macpersonnelens = Chain()
 self.extadherentsv6 = Chain()
 self.extwifiadhv6 = Chain()
 self.cransadherentsv6 = Chain()
@@ -817,7 +818,7 @@ def mac_ip(ipt, machines, types_machines):
 try:
 dev = iface6(type_m)
 ipt.filter.input('-i %s -s %s -j %s' % (dev, prefix[type_m][0],
- 'MAC' + type_m.upper()))
+ 'MAC' + type_m.replace('-','').upper()))
 ipt.filter.input('-i %s -j IEUI64' % dev)
 except NoIface as e:
 sys.stderr.write("NoIface: %s" % e)
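Review bot: In routeur_nat64 the new list entry is `'personnel'` rather than the `'personnel-ens'` used everywhere else in this commit, and the chain name is still built with the unchanged `type_m.upper()`, which yields `MACPERSONNEL` while the only chain ipt.py adds is `macpersonnelens`. Unless `prefix` happens to carry a `'personnel'` key (it is not visible here; with the other code using `prefix['personnel-ens']` I would expect a KeyError at generation time), the NAT64 router either fails to generate or jumps to a chain that does not exist, so the MAC/IP binding for the personnel-ens network is not enforced on that box. The two lines should match main_router: `for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6', 'personnel-ens'] if 'v6' not in i]:` and `type_m.replace('-','').upper()))`. The hunk is cut before the `-i … -j MAC` jumps, so I also could not confirm that routeur_nat64 adds a forward jump for the personnel interface as main_router now does.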