Commit 7a3e46c6 authored by Gabriel Detraz's avatar Gabriel Detraz Committed by root

Nouveau nat sur le 10.53 avec ip zayo

parent 44b297e2
......@@ -19,7 +19,7 @@ class firewall(base.firewall_routeur):
'ssh_on_https' : self.ssh_on_https,
'connexion_secours' : self.connexion_secours,
'connexion_appartement' : self.connexion_appartement,
'connexion_wififederez' : self.connexion_wififederez,
'connexion_wifinew' : self.connexion_wifinew,
'blacklist_soft' : self.blacklist_soft,
'blacklist_upload' : self.blacklist_upload,
'reseaux_non_routable' : self.reseaux_non_routable,
......@@ -121,7 +121,7 @@ class firewall(base.firewall_routeur):
self.add(table, chain, '-s %s -j %s' % (net, mac_ip_chain))
self.add(table, chain, '-j %s' % self.connexion_secours(table))
self.add(table, chain, '-j %s' % self.connexion_appartement(table))
self.add(table, chain, '-j %s' % self.connexion_wififederez(table))
self.add(table, chain, '-j %s' % self.connexion_wifinew(table))
self.add(table, chain, '-j %s' % self.ingress_filtering(table))
self.add(table, chain, '-j %s' % self.limit_ssh_connexion(table, ttl=30, counter_name="SSH2"))
self.add(table, chain, '-o %s -j %s' % (dev['out'], self.limit_connexion(table, ip_track='srcip')))
......@@ -142,7 +142,7 @@ class firewall(base.firewall_routeur):
self.add(table, chain, '-j %s' % self.blacklist_hard(table))
chain = 'POSTROUTING'
self.add(table, chain, '-j %s' % self.connexion_wififederez(table))
self.add(table, chain, '-j %s' % self.connexion_wifinew(table))
self.add(table, chain, '-j %s' % self.connexion_appartement(table))
return
......@@ -358,15 +358,47 @@ class firewall(base.firewall_routeur):
self.apply(table, chain)
return chain
def connexion_wififederez(self, table=None, apply=False):
"""PNAT le vlan wififederez derrière wififederez.crans.org"""
chain = 'CONNEXION-WIFIFEDEREZ'
def connexion_wifinew(self, table=None, apply=False):
"""PNAT le vlan 22 WiFi New par connexion Zayo"""
chain = 'CONNEXION-NEW'
if table == 'nat':
pretty_print(table, chain)
for dev_key in ['out', 'fil', 'wifi']:
for net in base.config.NETs['federez']:
self.add(table, chain, '-o %s -s %s -j SNAT --to %s' % (dev[dev_key], net, base.config.firewall.nat_source['federez'][hostname]))
for nat_ip_range in range(1, 26):
range_name = 'nat53_' + str("%02d" % nat_ip_range )
self.add(table, chain, '-s 10.53.' + str(nat_ip_range) + '.0/24 -j ' + range_name)
for nat_ip_range in range(1, 26):
range_name = 'nat53_' + str("%02d" % nat_ip_range)
for nat_ip_subrange in range(16):
subrange_name = range_name + '_' + str(hex(nat_ip_subrange)[2:])
self.add(table, range_name, '-s 10.53.' + str(nat_ip_range) + '.' + str(nat_ip_subrange*16) + '/28 -j ' + subrange_name)
for nat_private_ip in range(256):
ip_src = '10.53.' + str(nat_ip_range) + '.' + str(nat_private_ip) + '/32'
ip_nat = '185.230.76.' + str(10*(nat_ip_range - 1) + nat_private_ip/25)
# Ip 0 à 249 : on nat sur une plage de 2000 ports
if nat_private_ip < 250:
port_low = 10000 + 2000*(nat_private_ip%25)
port_high = port_low + 1999
# Ip de 250 à 254 : nat sur 1000 ports
elif nat_private_ip < 255:
port_low = 60000 + 1000*(nat_private_ip%25)
port_high = port_low + 999
# Ip en 255 : nat sur 500 ports (pas grave elle n'est pas utilisée)
else:
port_low = 65000
port_high = 65535
subrange_name = range_name + '_' + str(hex(nat_private_ip/16)[2:])
# On nat
for dev_key in ['zayo', 'fil', 'wifi']:
self.add(table, subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, dev[dev_key], ip_nat + ':' + str(port_low) + '-' + str(port_high)))
self.add(table, subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, dev[dev_key], ip_nat + ':' + str(port_low) + '-' + str(port_high)))
# On nat tout ce qui match dans les règles et qui n'est pas du tcp/udp derrière odlyd
for dev_key in ['zayo', 'fil', 'wifi']:
self.add(table, chain, '-s 10.53.0.0/16 -o %s -j SNAT --to-source 185.230.76.250' % (dev[dev_key],))
print OK
if table == 'filter':
......@@ -615,11 +647,6 @@ class firewall(base.firewall_routeur):
self.add(table, chain, '-o %s -d %s -j CLASSIFY --set-class 1:3' % (dev['app'], net))
self.add(table, chain, '-o %s -s %s -j CLASSIFY --set-class 1:2' % (dev['out'], net))
# Classification pour federez wifi
for net in base.config.NETs['federez']:
self.add(table, chain, '-o %s -d %s -j CLASSIFY --set-class 1:5' % (dev['federez'], net))
self.add(table, chain, '-o %s -s %s -j CLASSIFY --set-class 1:4' % (dev['out'], net))
print OK
if run_tc:
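Review bot: The fallback SNAT on the last `self.add` in `connexion_wifinew` matches all of `10.53.0.0/16`, while the per-host port partition built above only covers `10.53.1.0/24` through `10.53.25.0/24`, so any source in another 10.53.x/24 (and every non-TCP/UDP packet) is translated to `185.230.76.250` with no port range that identifies the originating host, which loses the attribution the `nat53_*` chains exist to provide; if those other /24s are not meant to be routed here, a narrower match or a comment such as `# fallback: /16 sources outside 10.53.1-25 are NATed without per-host ports` would make that explicit. The index arithmetic `nat_private_ip/25` and `hex(nat_private_ip/16)` relies on Python 2 integer division (`print OK` suggests this file is Python 2); `nat_private_ip // 25` and `hex(nat_private_ip // 16)` give the same values and stay correct under Python 3. The `nat53_NN` and `nat53_NN_x` chains are jumped to before anything in the hunk creates them, so if `self.add` does not create target chains implicitly the `-j` rules will fail to load. The method continues past the hunk (`if table == 'filter':`), so the filter-table half was not reviewed.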
......