Commit d1bee435 authored by Gabriel Detraz's avatar Gabriel Detraz

Filtrage sur appartement

parent 086f91f2
...@@ -109,7 +109,7 @@ def basic_fw(): ...@@ -109,7 +109,7 @@ def basic_fw():
ip6tables.filter.ieui64('! -s %s -j RETURN' % net) ip6tables.filter.ieui64('! -s %s -j RETURN' % net)
# Correspondance MAC-IP # Correspondance MAC-IP
mac_ip(ip6tables, machines, ['fil', 'adherents-v6', 'adm', 'wifi', 'wifi-adh-v6', 'serveurs']) mac_ip(ip6tables, machines, ['fil', 'adherents-v6', 'adm', 'wifi', 'wifi-adh-v6', 'serveurs', 'personnel-ens'])
def main_router(): def main_router():
...@@ -127,6 +127,7 @@ def main_router(): ...@@ -127,6 +127,7 @@ def main_router():
dev_wifi = iface6('wifi') dev_wifi = iface6('wifi')
dev_ip6 = iface6('he-ipv6') dev_ip6 = iface6('he-ipv6')
dev_federez = iface6('federez') dev_federez = iface6('federez')
dev_personnel = iface6('personnel-ens')
ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_ip6) ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_ip6)
ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_wifi) ip6tables.mangle.forward("-o %s -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" % dev_wifi)
...@@ -152,6 +153,7 @@ def main_router(): ...@@ -152,6 +153,7 @@ def main_router():
blacklist(ip6tables) blacklist(ip6tables)
ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_crans) ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_crans)
ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_wifi) ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_wifi)
ip6tables.filter.forward('-i %s -j BLACKLIST_SRC' % dev_personnel)
ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6) ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6)
#tracker_torrent(ip6tables) #tracker_torrent(ip6tables)
...@@ -169,11 +171,12 @@ def main_router(): ...@@ -169,11 +171,12 @@ def main_router():
ip6tables.filter.forward('-j INGRESS_FILTERING') ip6tables.filter.forward('-j INGRESS_FILTERING')
# Pour les autres connections # Pour les autres connections
for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6'] if not 'v6' in i]: for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6', 'personnel-ens'] if not 'v6' in i]:
ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' + ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' +
type_m.upper())) type_m.replace('-','').upper()))
ip6tables.filter.forward('-i %s -j MAC' % dev_crans) ip6tables.filter.forward('-i %s -j MAC' % dev_crans)
ip6tables.filter.forward('-i %s -j MAC' % dev_wifi) ip6tables.filter.forward('-i %s -j MAC' % dev_wifi)
ip6tables.filter.forward('-i %s -j MAC' % dev_personnel)
# Rien ne passe vers adm # Rien ne passe vers adm
# est ce que du local est gêné par le règle ? # est ce que du local est gêné par le règle ?
...@@ -183,7 +186,7 @@ def main_router(): ...@@ -183,7 +186,7 @@ def main_router():
ip6tables.filter.forward('-m rt --rt-type 0 -j REJECT') ip6tables.filter.forward('-m rt --rt-type 0 -j REJECT')
# Ouverture des ports # Ouverture des ports
ports(dev_ip6, [dev_crans, dev_wifi, dev_federez]) ports(dev_ip6, [dev_crans, dev_wifi, dev_federez, dev_personnel])
# On met en place le forwarding # On met en place le forwarding
enable_forwarding(6) enable_forwarding(6)
...@@ -210,7 +213,7 @@ def routeur_nat64(): ...@@ -210,7 +213,7 @@ def routeur_nat64():
ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT') ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT')
# Pour les autres connections # Pour les autres connections
for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6'] if not 'v6' in i]: for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6', 'personnel'] if not 'v6' in i]:
ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' + ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' +
type_m.upper())) type_m.upper()))
ip6tables.filter.forward('-i %s -j MAC' % dev_crans) ip6tables.filter.forward('-i %s -j MAC' % dev_crans)
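Review bot: The personnel network is wired inconsistently in the routeur_nat64 hunk: the type list adds `'personnel'` instead of `'personnel-ens'`, and the chain name is still built with `type_m.upper()` without stripping the dash, whereas main_router and mac_ip in this same commit use `'personnel-ens'` with `replace('-','')` and the Table only gains a `macpersonnelens` chain. If `prefix` has no `'personnel'` key this raises KeyError while the NAT64 ruleset is being built; if it does, the rule jumps to a `MACPERSONNEL` chain that is never created, so the MAC–IP binding for the personnel prefix is not enforced on that router either way. Align the two lines with the other call sites: `for type_m in [i for i in ['fil', 'adherents-v6', 'wifi', 'wifi-adh-v6', 'personnel-ens'] if not 'v6' in i]:` and `type_m.replace('-','').upper()))`. routeur_nat64's body continues outside the hunk, so whether a `forward('-i %s -j MAC')` rule for the personnel interface was also added there cannot be seen here.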
......
...@@ -93,6 +93,7 @@ class Table(object): ...@@ -93,6 +93,7 @@ class Table(object):
self.macserveurs = Chain() self.macserveurs = Chain()
self.macadherentsv6 = Chain() self.macadherentsv6 = Chain()
self.macwifiadhv6 = Chain() self.macwifiadhv6 = Chain()
self.macpersonnelens = Chain()
self.extadherentsv6 = Chain() self.extadherentsv6 = Chain()
self.extwifiadhv6 = Chain() self.extwifiadhv6 = Chain()
self.cransadherentsv6 = Chain() self.cransadherentsv6 = Chain()
...@@ -817,7 +818,7 @@ def mac_ip(ipt, machines, types_machines): ...@@ -817,7 +818,7 @@ def mac_ip(ipt, machines, types_machines):
try: try:
dev = iface6(type_m) dev = iface6(type_m)
ipt.filter.input('-i %s -s %s -j %s' % (dev, prefix[type_m][0], ipt.filter.input('-i %s -s %s -j %s' % (dev, prefix[type_m][0],
'MAC' + type_m.upper())) 'MAC' + type_m.replace('-','').upper()))
ipt.filter.input('-i %s -j IEUI64' % dev) ipt.filter.input('-i %s -j IEUI64' % dev)
except NoIface as e: except NoIface as e:
sys.stderr.write("NoIface: %s" % e) sys.stderr.write("NoIface: %s" % e)
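Review bot: The chain name is now derived by string munging (`'MAC' + type_m.replace('-','').upper()`) in mac_ip and again in main_router, and the NAT64 router still uses the old `type_m.upper()` form, so the three call sites can silently disagree on which chain a network type maps to. A small helper next to the Table class, `def mac_chain(type_m): return 'MAC' + type_m.replace('-', '').upper()`, used everywhere and matched against the `self.mac...` attribute names, would keep the mapping in one place. The enclosing for loop and the mac_ip signature start above this hunk.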
......