5fdcd194
Commit
5fdcd194
authored
Jul 28, 2020
by
Benjamin Graillot
Arguments et commentaires
parent
a7b7bc5f
Changes
2
firewall.json
...
...
@@ -6,5 +6,7 @@
"NAT"
:
{
"srv-nat"
:
"185.230.79.64/26"
,
"adh-nat"
:
"185.230.77.0/24"
}
},
"ldap_url"
:
"ldaps://172.16.1.1"
}
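Review bot: `ldap_url` is stored as an IP literal (`ldaps://172.16.1.1`), which a TLS client can only verify if the server certificate carries a matching IP subjectAltName; firewall.py in this same commit disables certificate verification, so the value works today, but tightening that check will require either a hostname that matches the certificate's CN/SAN here or a companion entry such as `"ldap_cacert": "/etc/ssl/certs/crans-ca.pem"` pointing at the CA to trust. The enclosing `NAT` object starts outside the hunk.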
firewall.py
#!/bin/env python3
import
argparse
import
configparser
import
getpass
import
ipaddress
import
json
import
os
...
...
@@ -16,6 +17,9 @@ path = os.path.dirname(os.path.abspath(__file__))
def
nat_map
(
private_subnet
,
public_subnet
):
"""
Divise private_subnet en subnets de même taille et map ces subnets derrière les ip de public_subnet
"""
nat_subnets
=
[
nat_subnet
for
nat_subnet
in
private_subnet
.
subnets
(
prefixlen_diff
=
public_subnet
.
num_addresses
.
bit_length
()
-
1
)
]
return
list
(
zip
(
nat_subnets
,
public_subnet
))
...
...
@@ -24,15 +28,25 @@ if __name__ == "__main__":
parser
=
argparse
.
ArgumentParser
(
description
=
"Generate firewall from LDAP"
,
)
parser
.
add_argument
(
"-e"
,
"--export"
,
help
=
"Exporte le contenu des pare-feu"
,
action
=
"store_true"
)
parser
.
add_argument
(
"-e"
,
"--export"
,
help
=
"Exporte le contenu des pare-feu sur la sortie standard"
,
action
=
"store_true"
)
parser
.
add_argument
(
"-l"
,
"--ldap-server"
,
help
=
"URL de la base ldap à contacter"
,
type
=
str
,
default
=
None
)
parser
.
add_argument
(
"-r"
,
"--re2o-server"
,
help
=
"Nom du serveur re2o à contacter"
,
type
=
str
,
default
=
None
)
parser
.
add_argument
(
"-u"
,
"--re2o-user"
,
help
=
"Utilisateur re2o"
,
type
=
str
,
default
=
None
)
parser
.
add_argument
(
"-p"
,
"--re2o-password"
,
help
=
"Demande le mot de passe de l'utilisateur re2o"
,
action
=
"store_true"
)
args
=
parser
.
parse_args
()
with
open
(
os
.
path
.
join
(
path
,
"firewall.json"
))
as
config_file
:
config
=
json
.
load
(
config_file
)
base
=
ldap
.
initialize
(
'ldaps://172.16.1.1/'
)
base
.
set_option
(
ldap
.
OPT_X_TLS_REQUIRE_CERT
,
ldap
.
OPT_X_TLS_ALLOW
)
base
.
set_option
(
ldap
.
OPT_X_TLS_NEWCTX
,
0
)
if
args
.
ldap_server
is
not
None
:
config
[
'ldap_url'
]
=
args
.
ldap_server
base
=
ldap
.
initialize
(
config
[
'ldap_url'
])
if
config
[
'ldap_url'
].
startswith
(
'ldaps://'
):
# On ne vérifie pas le certificat pour le LDAPS
base
.
set_option
(
ldap
.
OPT_X_TLS_REQUIRE_CERT
,
ldap
.
OPT_X_TLS_ALLOW
)
base
.
set_option
(
ldap
.
OPT_X_TLS_NEWCTX
,
0
)
hosts_query_id
=
base
.
search
(
"ou=hosts,dc=crans,dc=org"
,
ldap
.
SCOPE_SUBTREE
,
"objectClass=ipHost"
)
hosts_query
=
base
.
result
(
hosts_query_id
)
services_query_id
=
base
.
search
(
"ou=services,dc=crans,dc=org"
,
ldap
.
SCOPE_SUBTREE
,
"objectClass=ipService"
)
...
...
@@ -42,6 +56,7 @@ if __name__ == "__main__":
networks
=
{}
# On récupère les subnets depuis la base LDAP, en particulier les subnet natés pour la génération du nat
for
dn
,
entry
in
networks_query
[
1
]:
networks
[
entry
[
'cn'
][
0
].
decode
(
'utf-8'
)]
=
ipaddress
.
ip_network
(
entry
[
'ipNetworkNumber'
][
0
].
decode
(
'utf-8'
)
+
'/'
+
entry
[
'ipNetmaskNumber'
][
0
].
decode
(
'utf-8'
))
...
...
@@ -49,6 +64,7 @@ if __name__ == "__main__":
for
dn
,
entry
in
services_query
[
1
]:
if
'description'
in
entry
:
# C'est une range de port, le port final est dans la description du service
ports
=
(
int
(
entry
[
'ipServicePort'
][
0
]),
int
(
entry
[
'description'
][
0
]))
else
:
port
=
int
(
entry
[
'ipServicePort'
][
0
])
...
...
@@ -66,6 +82,7 @@ if __name__ == "__main__":
elif
len
(
domain
)
==
4
:
subnet
=
domain
[
1
]
if
'description'
not
in
entry
:
# Pas d'ouverture de port : on utilise l'ouverture par défaut du subnet
if
subnet
in
config
[
'DEFAULT_SERVICES'
]:
opening
=
config
[
'DEFAULT_SERVICES'
][
subnet
]
else
:
...
...
@@ -94,14 +111,23 @@ if __name__ == "__main__":
re2o_config
=
configparser
.
ConfigParser
()
re2o_config
.
read
(
os
.
path
.
join
(
path
,
're2o-config.ini'
))
api_hostname
=
re2o_config
.
get
(
'Re2o'
,
'hostname'
)
api_password
=
re2o_config
.
get
(
'Re2o'
,
'password'
)
api_username
=
re2o_config
.
get
(
'Re2o'
,
'username'
)
if
args
.
re2o_server
is
not
None
:
api_hostname
=
args
.
re2o_server
else
:
api_hostname
=
re2o_config
.
get
(
'Re2o'
,
'hostname'
)
if
args
.
re2o_user
is
not
None
:
api_username
=
args
.
re2o_user
else
:
api_username
=
re2o_config
.
get
(
'Re2o'
,
'username'
)
if
args
.
re2o_password
:
api_password
=
getpass
.
getpass
(
'Re2o password: '
)
else
:
api_password
=
re2o_config
.
get
(
'Re2o'
,
'password'
)
api_client
=
re2oapi
.
Re2oAPIClient
(
api_hostname
,
api_username
,
api_password
,
use_tls
=
False
)
interface_ports
=
api_client
.
list
(
"firewall/interface-ports/"
)
ports_openings_adh
=
[]
ports_openings_adh
=
[]
# les ouvertures de ports des serveurs des adhérents
for
interface
in
interface_ports
:
for
ip
in
[
ipaddress
.
ip_address
(
interface
[
'ipv4'
])
]
+
[
ipaddress
.
ip_address
(
ipv6
[
'ipv6'
])
for
ipv6
in
interface
[
'ipv6'
]
]:
...
...
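Review bot: The `ldaps://` branch in the `@@ -24,15 +28,25 @@` hunk keeps certificate verification switched off (`OPT_X_TLS_REQUIRE_CERT` set to `OPT_X_TLS_ALLOW`, comment "On ne vérifie pas le certificat"), and now that `-l/--ldap-server` lets the URL be overridden the directory that every generated firewall rule is derived from can be impersonated by anyone on the path without the script noticing. Since LDAP content drives the rules, the connection should demand a verified certificate: `base.set_option(ldap.OPT_X_TLS_CACERTFILE, config['ldap_cacert'])` then `base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)`, keeping the existing `OPT_X_TLS_NEWCTX` call last so the options take effect, with the comment reworded to `# Verify the LDAPS certificate against the local CA bundle` (the `ldap_cacert` key would need adding to firewall.json, and an IP-literal URL such as the default only verifies if the certificate has an IP SAN). A plain `ldap://` URL passed via `-l` also silently skips TLS altogether, so rejecting schemes other than `ldaps://` (or issuing `start_tls_s()`) would be worth a check. Separately, the `@@ -94,14 +111,23 @@` hunk still constructs `Re2oAPIClient(..., use_tls=False)`, so the Re2o credentials the new `-p` prompt was added to protect on the command line presumably travel in cleartext; confirm the client at least pins a loopback or otherwise trusted transport. The `if __name__ == "__main__":` block starts and ends outside these hunks.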