Maintenance électrique le 12 août, nos services, et y compris Gitlab, seront fortement impactés autour de cette date. Retour à un état normal prévu dans le milieu de la semaine prochaine.

Commit 09e0006d authored by chirac's avatar chirac

Adaptation du nat, et des réglages interfaces au fichier de settings python firewall

parent 837873ee
......@@ -13,6 +13,8 @@ import subprocess
import socket
import argparse
import firewall_config
config = ConfigParser()
config.read('config.ini')
......@@ -40,9 +42,8 @@ class iptables:
self.action = None
self.export = False
self.role = config.get('Firewall', 'role').split(',')
self.interfaces_sortie = config.get('Firewall', 'interfaces_sortie').split(',')
self.interfaces_routable = config.get('Firewall', 'interfaces_routable').split(',')
self.interfaces_admin = config.get('Firewall', 'interfaces_admin').split(',')
self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
self.nat_settings = getattr(firewall_config, 'nat', None)
def commit(self, chain):
self.add(chain, "COMMIT\n")
......@@ -176,12 +177,10 @@ class iptables:
print("Mangle : Réglage correct du MSS")
self.mss()
elif table == "nat":
if self.verbose:
print("Nat : priv fil")
# self.nat_prive_ip('fil')
if self.verbose:
print("Nat : priv wifi")
# self.nat_prive_ip('wifi')
for nat_to_do in self.nat_settings:
if self.verbose:
print("Nat : priv" + nat_to_do['name'])
self.nat_prive_ip(nat_to_do)
def portail(self, table):
if table == "filter":
......@@ -255,7 +254,7 @@ class iptables:
chain = "filter6"
self.init_filter(subtable, decision="-")
for interface in self.interfaces_sortie:
for interface in self.interfaces_settings['sortie']:
self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type)
self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type)
......@@ -312,7 +311,7 @@ class iptables:
def accept_freerad_from_server(self, subtable='RADIUS-SERVER'):
"""Accepte uniquement le trafique venant des serveurs radius federez"""
self.init_filter(subtable, decision="-")
for interface in self.interfaces_sortie:
for interface in self.interfaces_settings['sortie']:
self.jump_traficfrom("filter", interface, "INPUT", subtable)
for server in self.config_firewall.radius_server:
self.add_in_subtable("filter4", subtable, """-s %s -p %s -m multiport --dports %s -j ACCEPT""" % (server['ipaddr'], server['protocol'], ','.join(server['port'])))
......@@ -322,7 +321,7 @@ class iptables:
def reseaux_non_routables(self, subtable='ADM-NETWORK'):
"""Bloc le trafic vers les réseaux non routables"""
self.init_filter(subtable, decision="-")
for interface in self.interfaces_admin:
for interface in self.interfaces_settings['admin']:
self.jump_traficto("filter", interface, "FORWARD", subtable)
self.add_in_subtable("filter", subtable, """-j REJECT""")
......@@ -342,7 +341,7 @@ class iptables:
def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
"""Nat les connexions derrière l'ip de la machine du portail"""
self.init_nat(subtable, decision="-")
for interface in self.interfaces_routable:
for interface in self.interfaces_settings['routable']:
self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
for ip in self.config.accueil_route.keys():
......@@ -358,7 +357,7 @@ class iptables:
def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
"""Nat les connexions derrière l'ip de la machine du portail"""
self.init_nat(subtable, decision="-")
for interface in self.interfaces_sortie:
for interface in self.interfaces_settings['sortie']:
self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
for ip in self.config.accueil_route.keys():
......@@ -395,7 +394,7 @@ class iptables:
def limit_ssh_connexion_input(self, subtable='LIMIT-SSH-INPUT'):
self.init_filter(subtable, decision="-")
for interface in self.interfaces_routable:
for interface in self.interfaces_settings['routable']:
self.jump_traficfrom("filter", interface, "INPUT", subtable)
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --set""")
......@@ -403,7 +402,7 @@ class iptables:
def limit_ssh_connexion_forward(self, subtable='LIMIT-SSH-FORWARD'):
self.init_filter(subtable, decision="-")
for interface in self.interfaces_sortie:
for interface in self.interfaces_settings['sortie']:
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --set""")
......@@ -411,7 +410,7 @@ class iptables:
def limit_connexion_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'):
self.init_filter(subtable, decision="-")
for interface in self.interfaces_sortie:
for interface in self.interfaces_settings['sortie']:
self.jump_traficto("filter", interface, "FORWARD", subtable)
self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_SRCIP_CONNEXION -j RETURN""")
......@@ -426,9 +425,9 @@ class iptables:
def limit_connexion_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'):
self.init_filter(subtable, decision="-")
for interface in self.interfaces_sortie:
for interface in self.interfaces_settings['sortie']:
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
for interface in self.interfaces_routable:
for interface in self.interfaces_settings['routable']:
self.jump_traficfrom("filter", interface, "INPUT", subtable)
self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_DSTIP_CONNEXION -j RETURN""")
......@@ -443,13 +442,13 @@ class iptables:
def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'):
"""Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
for interface in self.interfaces_routable:
for interface in self.interfaces_settings['routable']:
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
def blacklist_hard(self, subtable='BLACKLIST-HARD'):
"""Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
self.init_filter(subtable, decision="-")
for interface in self.interfaces_routable:
for interface in self.interfaces_settings['routable']:
self.jump_traficfrom("filter", interface, "INPUT", subtable)
for machine in self.conn.allMachines():
......@@ -460,7 +459,7 @@ class iptables:
"""Génération de la chaine blackliste output, meme idée que si dessus sauf que
ici on filtre les users uid sur un serveur et non leurs ip"""
self.init_filter(subtable, decision="-")
for interface in self.interfaces_routable:
for interface in self.interfaces_settings['routable']:
self.jump_traficto("filter", interface, "OUTPUT", subtable)
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
......@@ -470,7 +469,7 @@ class iptables:
def forbid_adm(self, subtable='ADMIN-VLAN'):
"""Interdit aux users non admin de parler sur les vlans admin"""
self.init_filter(subtable, decision="-")
for interface in self.interfaces_admin:
for interface in self.interfaces_settings['admin']:
self.jump_traficto("filter", interface, "OUTPUT", subtable)
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
......@@ -503,11 +502,11 @@ class iptables:
def nat_prive_ip(self, nat_type):
"""Nat filaire en v4"""
subtable = "CONNEXION-NAT-" + nat_type.upper()
subtable = "CONNEXION-NAT-" + nat_type['name'].upper()
self.init_nat(subtable, decision="-")
self.jump_all_trafic("nat", "POSTROUTING", subtable)
nat_prive_ip_plage = self.config_firewall.nat_prive_ip_plage[nat_type]
nat_prive_ip_plage = nat_type['ip_sources']
for nat_ip_range in range(1, 26):
range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range )
self.init_nat(range_name, decision="-")
......@@ -524,18 +523,18 @@ class iptables:
port_low = 10000 + 2000*(nat_private_ip%26)
port_high = port_low + 1999
subrange_name = range_name + '_' + str(hex(nat_private_ip/16)[2:])
subrange_name = range_name + '_' + str(hex(nat_private_ip//16)[2:])
# On nat
for interface in self.config_firewall.nat_pub_ip_plage[nat_type]:
ip_nat = '.'.join(self.config_firewall.nat_pub_ip_plage[nat_type][interface].split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip/26)
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, self.dev[interface], ip_nat + ':' + str(port_low) + '-' + str(port_high)))
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, self.dev[interface], ip_nat + ':' + str(port_low) + '-' + str(port_high)))
for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip/26)
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
# On nat tout ce qui match dans les règles et qui n'est pas du tcp/udp derrière la première ip publique unused (25*10) + 1
# Ne pas oublier de loguer ce qui sort de cette ip
for interface in self.config_firewall.nat_pub_ip_plage[nat_type]:
self.add_in_subtable("nat", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (self.dev[interface],) + '.'.join(self.config_firewall.nat_pub_ip_plage[nat_type][interface].split('.')[:3]) + '.250')
for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
self.add_in_subtable("nat", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (interface,) + '.'.join(pub_ip_range.split('.')[:3]) + '.250')
def gen_mangle(self, empty=False):
"""Génération de la chaine mangle"""
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment