Commit 1fbb723e authored by Gabriel Detraz's avatar Gabriel Detraz

Maj de limit_connexion, filtre en entrée pour les machines adh et en sortie pour tout le monde

parent 47713a07
......@@ -122,7 +122,8 @@ class firewall(base.firewall_routeur):
self.add(table, chain, '-j %s' % self.connexion_wififederez(table))
self.add(table, chain, '-j %s' % self.ingress_filtering(table))
self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table, ttl=30, counter_name="SSH2"))
self.add(table, chain, '-j %s' % self.limit_connexion(table))
self.add(table, chain, '-o %s -j %s' % (dev['out'], self.limit_connexion(table, ip_track='srcip')))
self.add(table, chain, '-i %s -d %s -j %s' % ( dev['out'], ','.join(base.config.NETs['adherents'] + base.config.NETs['wifi-adh'] + base.config.NETs['personnel-ens']), self.limit_connexion(table, ip_track='dstip')))
self.add(table, chain, '-i %s -j %s' % (dev['out'], self.filtrage_ports(table)))
self.add(table, chain, '-o %s -j %s' % (dev['out'], self.filtrage_ports(table)))
return
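Review bot: The new ingress rule on L12 (`-i dev['out'] -d <member nets>`) hands WAN-side traffic to a chain whose terminal targets are `REJECT` (visible in the `limit_connexion` body of the second hunk), so once a member address is over quota the router answers every excess packet from the Internet with a reply (ICMP port-unreachable by default, plus a RST-style reply for the TCP rule); on the external interface that turns an inbound flood into outbound replies toward possibly spoofed sources and costs a packet per rejection, so the `dstip` instance should terminate in `DROP`, e.g. by giving `limit_connexion` a `target='REJECT'` parameter and calling `self.limit_connexion(table, ip_track='dstip', target='DROP')` here. The `','.join(...)` on L12 relies on iptables expanding a comma-separated `-d` list into one rule per prefix, and if all three `NETs` lists are empty the argument collapses to an empty string and the rule fails at load time, so a guard or a comment stating that assumption is worth adding. The old unconditional `-j LIMIT-CONNEXION` jump (L10) appears to be replaced by two interface-qualified jumps, which means traffic between internal interfaces is no longer rate-limited; if that is intended, a one-line comment such as `# Rate limits apply only on the external interface; internal-to-internal traffic is not limited` would make it explicit. The enclosing method starts before this hunk and continues past its last line.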
......@@ -172,13 +173,20 @@ class firewall(base.firewall_routeur):
self.apply(table, chain)
return chain
def limit_connexion(self, table=None, apply=False):
chain = 'LIMIT-CONNEXION'
def limit_connexion(self, table=None, apply=False, ip_track='srcip'):
chain = 'LIMIT-CONNEXION-%s' % ip_track.upper()
if table == 'filter':
pretty_print(table, chain)
self.add(table, chain, '-p udp -m limit --limit 400/sec --limit-burst 800 -j RETURN')
self.add(table, chain, '-p tcp -m state --state NEW -m limit --limit 400/min --limit-burst 800 -j RETURN')
self.add(table, chain, '-m hashlimit -p udp --hashlimit-name LIMIT_UDP_%s_CONNEXION --hashlimit-mode %s --hashlimit-upto 400/sec --hashlimit-burst 800 -j RETURN' % (ip_track.upper(), ip_track))
self.add(table, chain,'-m hashlimit -p udp --hashlimit-name LIMIT_UDP_%s_CONNEXION_LOG --hashlimit-mode %s --hashlimit-upto 5/hour -j LOG --log-prefix "CONNEXION_LIMIT_UDP_%s "' % (ip_track.upper(), ip_track, ip_track.upper()))
self.add(table, chain, '-p udp -j REJECT')
self.add(table, chain, '-m hashlimit -p tcp -m state --state NEW --hashlimit-name LIMIT_TCP_%s_CONNEXION --hashlimit-mode %s --hashlimit-upto 2000/min --hashlimit-burst 4000 -j RETURN' % (ip_track.upper(), ip_track))
self.add(table, chain,'-m hashlimit -p tcp -m state --state NEW --hashlimit-name LIMIT_TCP_%s_CONNEXION_LOG --hashlimit-mode %s --hashlimit-upto 5/hour -j LOG --log-prefix "CONNEXION_LIMIT_TCP_%s "' % (ip_track.upper(), ip_track, ip_track.upper()))
self.add(table, chain, '-p tcp -m state --state NEW -j REJECT')
self.add(table, chain, '-m hashlimit --hashlimit-name LIMIT_OTHER_%s_CONNEXION --hashlimit-mode %s --hashlimit-upto 400/sec --hashlimit-burst 800 -j RETURN' % (ip_track.upper(), ip_track))
self.add(table, chain,'-m hashlimit --hashlimit-name LIMIT_OTHER_%s_CONNEXION_LOG --hashlimit-mode %s --hashlimit-upto 5/hour -j LOG --log-prefix "CONNEXION_LIMIT "' % (ip_track.upper(), ip_track))
self.add(table, chain, '-j REJECT')
print OK
if apply:
......