Commit a7b7bc5f authored by Benjamin Graillot's avatar Benjamin Graillot

Pare-feu des machines des adhérents via re2o

parent db086eaf
#!/bin/env python3
import argparse
import configparser
import ipaddress
import json
import os
......@@ -8,6 +9,8 @@ import subprocess
import jinja2
import ldap
import re2oapi
path = os.path.dirname(os.path.abspath(__file__))
......@@ -88,14 +91,57 @@ if __name__ == "__main__":
udp_ports_out = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in udp_ports_out )
ports_openings.append('ip{ip_version} saddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_out))
re2o_config = configparser.ConfigParser()
re2o_config.read(os.path.join(path, 're2o-config.ini'))
api_hostname = re2o_config.get('Re2o', 'hostname')
api_password = re2o_config.get('Re2o', 'password')
api_username = re2o_config.get('Re2o', 'username')
api_client = re2oapi.Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)
interface_ports = api_client.list("firewall/interface-ports/")
ports_openings_adh = []
for interface in interface_ports:
for ip in [ ipaddress.ip_address(interface['ipv4']) ] + [ ipaddress.ip_address(ipv6['ipv6']) for ipv6 in interface['ipv6'] ]:
tcp_ports_in = []
for opening in interface['port_lists']:
for port_range in opening['tcp_ports_in']:
tcp_ports_in.append((port_range['begin'], port_range['end']))
if tcp_ports_in:
tcp_ports_in = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in tcp_ports_in )
ports_openings_adh.append('ip{ip_version} daddr {ip} tcp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=tcp_ports_in))
tcp_ports_out = []
for opening in interface['port_lists']:
for port_range in opening['tcp_ports_out']:
tcp_ports_out.append((port_range['begin'], port_range['end']))
if tcp_ports_out:
tcp_ports_out = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in tcp_ports_out )
ports_openings_adh.append('ip{ip_version} saddr {ip} tcp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=tcp_ports_out))
udp_ports_in = []
for opening in interface['port_lists']:
for port_range in opening['udp_ports_in']:
udp_ports_in.append((port_range['begin'], port_range['end']))
if udp_ports_in:
udp_ports_in = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in udp_ports_in )
ports_openings_adh.append('ip{ip_version} daddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_in))
udp_ports_out = []
for opening in interface['port_lists']:
for port_range in opening['udp_ports_out']:
udp_ports_out.append((port_range['begin'], port_range['end']))
if udp_ports_out:
udp_ports_out = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in udp_ports_out )
ports_openings_adh.append('ip{ip_version} saddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_out))
with open(os.path.join(path, 'templates', 'nftables.conf.j2')) as firewall_template:
template = jinja2.Template(firewall_template.read())
nat = { subnet: nat_map(networks[subnet], ipaddress.ip_network(config['NAT'][subnet])) for subnet in config['NAT'] }
if args.export:
print(template.render(nat=nat, ports_openings=ports_openings))
print(template.render(nat=nat, ports_openings=ports_openings, ports_openings_adh=ports_openings_adh))
else:
with open('/etc/nftables.conf') as nftables:
nftables.write(template.render(nat=nat, ports_openings=ports_openings))
nftables.write(template.render(nat=nat, ports_openings=ports_openings, ports_openings_adh=ports_openings_adh))
subprocess.run(['systemctl', 'reload', 'nftables'])
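Review bot: The port numbers pulled from the API (`port_range['begin']` / `port_range['end']` in the four loops after `interface_ports = api_client.list("firewall/interface-ports/")`) are interpolated into nftables rule text without any validation, whereas the addresses on the same lines do go through `ipaddress.ip_address`; a malformed or malicious value (a string containing `}` or a newline, for instance) would land verbatim in /etc/nftables.conf and then be loaded by `systemctl reload nftables`. Cast both ends to `int` and check `0 <= begin <= end <= 65535` before formatting, raising rather than writing a partial ruleset, which also collapses the four near-identical loops into one helper. The new `api_client = re2oapi.Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)` line sends the firewall account's password in clear text to the re2o host on every run; unless that traffic is confined to a trusted management network, it should be `use_tls=True`. Note also that the existing `with open('/etc/nftables.conf') as nftables:` above the rewritten `nftables.write(...)` opens the file in read mode, so the non-export path cannot actually write (pre-existing, but the commit touches the write line). The enclosing `if __name__ == "__main__":` block starts before the hunk.
```python
def _port_spec(port_ranges):
    """Validate API-supplied port ranges and render them as an nftables set body.

    Raises ValueError on a non-integer or out-of-range bound so a bad API
    payload aborts the run instead of being written into the ruleset.
    """
    spec = []
    for port_range in port_ranges:
        begin, end = int(port_range['begin']), int(port_range['end'])
        if not 0 <= begin <= end <= 65535:
            raise ValueError('invalid port range {}-{}'.format(begin, end))
        spec.append('{}-{}'.format(begin, end) if begin != end else str(begin))
    return ','.join(spec)

# … unchanged: config loading, api_client creation (with use_tls=True) …
        tcp_ports_in = _port_spec(r for opening in interface['port_lists'] for r in opening['tcp_ports_in'])
        if tcp_ports_in:
            ports_openings_adh.append('ip{ip_version} daddr {ip} tcp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=tcp_ports_in))
# … unchanged: same pattern for tcp_ports_out, udp_ports_in, udp_ports_out …
```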
[Re2o]
hostname = re2o
username = firewall
password = changeme
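Review bot: This file carries the API account's `password = changeme` next to the script that reads it (`re2o_config.read(os.path.join(path, 're2o-config.ini'))`), so whoever deploys it will edit the real secret into a tracked file in the checkout unless told otherwise. Commit it as `re2o-config.ini.example` and add `re2o-config.ini` to .gitignore, and document that the live file must be owned by the user running the firewall script with mode 0600, since it is read from the script's own directory. A one-line header such as `; copy to re2o-config.ini, fill in the firewall account password, chmod 600` would make that explicit.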
from .re2oapi import *
from .client import ApiSendMail, Re2oAPIClient
from . import exceptions
__all__ = ['Re2oAPIClient', 'ApiSendMail', 'exceptions']
class APIClientGenericError(ValueError):
template = "{}"
def __init__(self, *data):
self.data = data
self.message = self.template.format(*data)
super(APIClientGenericError, self).__init__(self.message)
class InvalidCredentials(APIClientGenericError):
template = "The credentials for {}@{} are not valid."
class PermissionDenied(APIClientGenericError):
template = "The {} request to '{}' was denied for {}."
class TokenFileNotFound(APIClientGenericError):
template = "Token file at {} not found."
class TokenFileNotReadable(APIClientGenericError):
template = "Token file at {} is not a JSON readable file."
class TokenNotInTokenFile(APIClientGenericError):
template = "Token for {}@{} not found in token file ({})."
......@@ -57,6 +57,9 @@ table inet filter {
# Ouvetures de ports des serveurs du CRANS
{% for rule in ports_openings %} {{ rule }}
{% endfor %}
# Ouvetures de ports des machines des adhérents
{% for rule in ports_openings_adh %} {{ rule }}
{% endfor %}
reject
}
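Review bot: The new section header `# Ouvetures de ports des machines des adhérents` copies the typo from the existing header above it; both should read `Ouvertures`. It would also help the next reader to say where these rules come from, e.g. `# Port openings for members' machines, generated from the re2o firewall/interface-ports API`, since nothing in the template indicates that `ports_openings_adh` is externally sourced and must stay above the final `reject`. The `table inet filter` block starts before the hunk.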
......