Commit
09e0006d
authored
Aug 05, 2018
by
chirac
Adaptation du nat, et des réglages interfaces au fichier de settings python firewall
parent
837873ee
Showing
1 changed file
with
31 additions
and
32 deletions
+31
-32
main.py
main.py
+31
-32
main.py
...
...
@@ -13,6 +13,8 @@ import subprocess
import
socket
import
argparse
import
firewall_config
config
=
ConfigParser
()
config
.
read
(
'config.ini'
)
...
...
@@ -40,9 +42,8 @@ class iptables:
self
.
action
=
None
self
.
export
=
False
self
.
role
=
config
.
get
(
'Firewall'
,
'role'
).
split
(
','
)
self
.
interfaces_sortie
=
config
.
get
(
'Firewall'
,
'interfaces_sortie'
).
split
(
','
)
self
.
interfaces_routable
=
config
.
get
(
'Firewall'
,
'interfaces_routable'
).
split
(
','
)
self
.
interfaces_admin
=
config
.
get
(
'Firewall'
,
'interfaces_admin'
).
split
(
','
)
self
.
interfaces_settings
=
getattr
(
firewall_config
,
'interfaces_type'
,
None
)
self
.
nat_settings
=
getattr
(
firewall_config
,
'nat'
,
None
)
def
commit
(
self
,
chain
):
self
.
add
(
chain
,
"COMMIT
\n
"
)
...
...
@@ -176,12 +177,10 @@ class iptables:
print
(
"Mangle : Réglage correct du MSS"
)
self
.
mss
()
elif
table
==
"nat"
:
if
self
.
verbose
:
print
(
"Nat : priv fil"
)
# self.nat_prive_ip('fil')
if
self
.
verbose
:
print
(
"Nat : priv wifi"
)
# self.nat_prive_ip('wifi')
for
nat_to_do
in
self
.
nat_settings
:
if
self
.
verbose
:
print
(
"Nat : priv"
+
nat_to_do
[
'name'
])
self
.
nat_prive_ip
(
nat_to_do
)
def
portail
(
self
,
table
):
if
table
==
"filter"
:
...
...
@@ -255,7 +254,7 @@ class iptables:
chain
=
"filter6"
self
.
init_filter
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_s
ortie
:
for
interface
in
self
.
interfaces_s
ettings
[
'sortie'
]
:
self
.
jump_traficto
(
"filter"
,
interface
,
"FORWARD"
,
subtable
,
mode
=
ip_type
)
self
.
jump_traficfrom
(
"filter"
,
interface
,
"FORWARD"
,
subtable
,
mode
=
ip_type
)
...
...
@@ -312,7 +311,7 @@ class iptables:
def
accept_freerad_from_server
(
self
,
subtable
=
'RADIUS-SERVER'
):
"""Accepte uniquement le trafique venant des serveurs radius federez"""
self
.
init_filter
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_s
ortie
:
for
interface
in
self
.
interfaces_s
ettings
[
'sortie'
]
:
self
.
jump_traficfrom
(
"filter"
,
interface
,
"INPUT"
,
subtable
)
for
server
in
self
.
config_firewall
.
radius_server
:
self
.
add_in_subtable
(
"filter4"
,
subtable
,
"""-s %s -p %s -m multiport --dports %s -j ACCEPT"""
%
(
server
[
'ipaddr'
],
server
[
'protocol'
],
','
.
join
(
server
[
'port'
])))
...
...
@@ -322,7 +321,7 @@ class iptables:
def
reseaux_non_routables
(
self
,
subtable
=
'ADM-NETWORK'
):
"""Bloc le trafic vers les réseaux non routables"""
self
.
init_filter
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_
admin
:
for
interface
in
self
.
interfaces_
settings
[
'admin'
]
:
self
.
jump_traficto
(
"filter"
,
interface
,
"FORWARD"
,
subtable
)
self
.
add_in_subtable
(
"filter"
,
subtable
,
"""-j REJECT"""
)
...
...
@@ -342,7 +341,7 @@ class iptables:
def
capture_connexion_portail
(
self
,
subtable
=
"PORTAIL-CAPTIF-REDIRECT"
):
"""Nat les connexions derrière l'ip de la machine du portail"""
self
.
init_nat
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_
routable
:
for
interface
in
self
.
interfaces_
settings
[
'routable'
]
:
self
.
jump_traficfrom
(
"nat"
,
interface
,
"PREROUTING"
,
subtable
,
mode
=
'4'
)
for
ip
in
self
.
config
.
accueil_route
.
keys
():
...
...
@@ -358,7 +357,7 @@ class iptables:
def
nat_connexion_portail
(
self
,
subtable
=
"PORTAIL-CAPTIF-NAT"
):
"""Nat les connexions derrière l'ip de la machine du portail"""
self
.
init_nat
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_s
ortie
:
for
interface
in
self
.
interfaces_s
ettings
[
'sortie'
]
:
self
.
jump_traficto
(
"nat"
,
interface
,
"POSTROUTING"
,
subtable
,
mode
=
'4'
)
for
ip
in
self
.
config
.
accueil_route
.
keys
():
...
...
@@ -395,7 +394,7 @@ class iptables:
def
limit_ssh_connexion_input
(
self
,
subtable
=
'LIMIT-SSH-INPUT'
):
self
.
init_filter
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_
routable
:
for
interface
in
self
.
interfaces_
settings
[
'routable'
]
:
self
.
jump_traficfrom
(
"filter"
,
interface
,
"INPUT"
,
subtable
)
self
.
add_in_subtable
(
"filter"
,
subtable
,
"""-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --set"""
)
...
...
@@ -403,7 +402,7 @@ class iptables:
def
limit_ssh_connexion_forward
(
self
,
subtable
=
'LIMIT-SSH-FORWARD'
):
self
.
init_filter
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_s
ortie
:
for
interface
in
self
.
interfaces_s
ettings
[
'sortie'
]
:
self
.
jump_traficfrom
(
"filter"
,
interface
,
"FORWARD"
,
subtable
)
self
.
add_in_subtable
(
"filter"
,
subtable
,
"""-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --set"""
)
...
...
@@ -411,7 +410,7 @@ class iptables:
def
limit_connexion_srcip
(
self
,
subtable
=
'LIMIT-CONNEXION-SRCIP'
):
self
.
init_filter
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_s
ortie
:
for
interface
in
self
.
interfaces_s
ettings
[
'sortie'
]
:
self
.
jump_traficto
(
"filter"
,
interface
,
"FORWARD"
,
subtable
)
self
.
add_in_subtable
(
"filter"
,
subtable
,
"""-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_SRCIP_CONNEXION -j RETURN"""
)
...
...
@@ -426,9 +425,9 @@ class iptables:
def
limit_connexion_dstip
(
self
,
subtable
=
'LIMIT-CONNEXION-DSTIP'
,
cible
=
'INPUT'
):
self
.
init_filter
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_s
ortie
:
for
interface
in
self
.
interfaces_s
ettings
[
'sortie'
]
:
self
.
jump_traficfrom
(
"filter"
,
interface
,
"FORWARD"
,
subtable
)
for
interface
in
self
.
interfaces_
routable
:
for
interface
in
self
.
interfaces_
settings
[
'routable'
]
:
self
.
jump_traficfrom
(
"filter"
,
interface
,
"INPUT"
,
subtable
)
self
.
add_in_subtable
(
"filter"
,
subtable
,
"""-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_DSTIP_CONNEXION -j RETURN"""
)
...
...
@@ -443,13 +442,13 @@ class iptables:
def
blacklist_hard_forward
(
self
,
subtable
=
'BLACKLIST-HARD'
):
"""Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
for
interface
in
self
.
interfaces_
routable
:
for
interface
in
self
.
interfaces_
settings
[
'routable'
]
:
self
.
jump_traficfrom
(
"filter"
,
interface
,
"FORWARD"
,
subtable
)
def
blacklist_hard
(
self
,
subtable
=
'BLACKLIST-HARD'
):
"""Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
self
.
init_filter
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_
routable
:
for
interface
in
self
.
interfaces_
settings
[
'routable'
]
:
self
.
jump_traficfrom
(
"filter"
,
interface
,
"INPUT"
,
subtable
)
for
machine
in
self
.
conn
.
allMachines
():
...
...
@@ -460,7 +459,7 @@ class iptables:
"""Génération de la chaine blackliste output, meme idée que si dessus sauf que
ici on filtre les users uid sur un serveur et non leurs ip"""
self
.
init_filter
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_
routable
:
for
interface
in
self
.
interfaces_
settings
[
'routable'
]
:
self
.
jump_traficto
(
"filter"
,
interface
,
"OUTPUT"
,
subtable
)
for
user
in
self
.
conn
.
search
(
u
'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))'
,
sizelimit
=
10000
):
...
...
@@ -470,7 +469,7 @@ class iptables:
def
forbid_adm
(
self
,
subtable
=
'ADMIN-VLAN'
):
"""Interdit aux users non admin de parler sur les vlans admin"""
self
.
init_filter
(
subtable
,
decision
=
"-"
)
for
interface
in
self
.
interfaces_
admin
:
for
interface
in
self
.
interfaces_
settings
[
'admin'
]
:
self
.
jump_traficto
(
"filter"
,
interface
,
"OUTPUT"
,
subtable
)
for
user
in
self
.
conn
.
search
(
u
'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))'
,
sizelimit
=
10000
):
...
...
@@ -503,11 +502,11 @@ class iptables:
def
nat_prive_ip
(
self
,
nat_type
):
"""Nat filaire en v4"""
subtable
=
"CONNEXION-NAT-"
+
nat_type
.
upper
()
subtable
=
"CONNEXION-NAT-"
+
nat_type
[
'name'
]
.
upper
()
self
.
init_nat
(
subtable
,
decision
=
"-"
)
self
.
jump_all_trafic
(
"nat"
,
"POSTROUTING"
,
subtable
)
nat_prive_ip_plage
=
self
.
config_firewall
.
nat_prive_ip_plage
[
nat_type
]
nat_prive_ip_plage
=
nat_type
[
'ip_sources'
]
for
nat_ip_range
in
range
(
1
,
26
):
range_name
=
'nat'
+
nat_prive_ip_plage
.
split
(
'.'
)[
1
]
+
'_'
+
str
(
"%02d"
%
nat_ip_range
)
self
.
init_nat
(
range_name
,
decision
=
"-"
)
...
...
@@ -524,18 +523,18 @@ class iptables:
port_low
=
10000
+
2000
*
(
nat_private_ip
%
26
)
port_high
=
port_low
+
1999
subrange_name
=
range_name
+
'_'
+
str
(
hex
(
nat_private_ip
/
16
)[
2
:])
subrange_name
=
range_name
+
'_'
+
str
(
hex
(
nat_private_ip
/
/
16
)[
2
:])
# On nat
for
interface
in
self
.
config_firewall
.
nat_pub_ip_plage
[
nat_type
]
:
ip_nat
=
'.'
.
join
(
self
.
config_firewall
.
nat_pub_ip_plage
[
nat_type
][
interface
]
.
split
(
'.'
)[:
3
])
+
'.'
+
str
(
10
*
(
nat_ip_range
-
1
)
+
nat_private_ip
/
26
)
self
.
add_in_subtable
(
"nat"
,
subrange_name
,
'-s %s -o %s -p tcp -j SNAT --to-source %s'
%
(
ip_src
,
self
.
dev
[
interface
]
,
ip_nat
+
':'
+
str
(
port_low
)
+
'-'
+
str
(
port_high
)))
self
.
add_in_subtable
(
"nat"
,
subrange_name
,
'-s %s -o %s -p udp -j SNAT --to-source %s'
%
(
ip_src
,
self
.
dev
[
interface
]
,
ip_nat
+
':'
+
str
(
port_low
)
+
'-'
+
str
(
port_high
)))
for
interface
,
pub_ip_range
in
nat_type
[
'interfaces_ip_to_nat'
].
items
()
:
ip_nat
=
'.'
.
join
(
pub_ip_range
.
split
(
'.'
)[:
3
])
+
'.'
+
str
(
10
*
(
nat_ip_range
-
1
)
+
nat_private_ip
/
26
)
self
.
add_in_subtable
(
"nat"
,
subrange_name
,
'-s %s -o %s -p tcp -j SNAT --to-source %s'
%
(
ip_src
,
interface
,
ip_nat
+
':'
+
str
(
port_low
)
+
'-'
+
str
(
port_high
)))
self
.
add_in_subtable
(
"nat"
,
subrange_name
,
'-s %s -o %s -p udp -j SNAT --to-source %s'
%
(
ip_src
,
interface
,
ip_nat
+
':'
+
str
(
port_low
)
+
'-'
+
str
(
port_high
)))
# On nat tout ce qui match dans les règles et qui n'est pas du tcp/udp derrière la première ip publique unused (25*10) + 1
# Ne pas oublier de loguer ce qui sort de cette ip
for
interface
in
self
.
config_firewall
.
nat_pub_ip_plage
[
nat_type
]
:
self
.
add_in_subtable
(
"nat"
,
subtable
,
'-s '
+
nat_prive_ip_plage
+
' -o %s -j SNAT --to-source '
%
(
self
.
dev
[
interface
],)
+
'.'
.
join
(
self
.
config_firewall
.
nat_pub_ip_plage
[
nat_type
][
interface
]
.
split
(
'.'
)[:
3
])
+
'.250'
)
for
interface
,
pub_ip_range
in
nat_type
[
'interfaces_ip_to_nat'
].
items
()
:
self
.
add_in_subtable
(
"nat"
,
subtable
,
'-s '
+
nat_prive_ip_plage
+
' -o %s -j SNAT --to-source '
%
(
interface
,)
+
'.'
.
join
(
pub_ip_range
.
split
(
'.'
)[:
3
])
+
'.250'
)
def
gen_mangle
(
self
,
empty
=
False
):
"""Génération de la chaine mangle"""
...
...
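Review bot: On the new side of the `nat_prive_ip` hunk (`@@ -524,18 +523,18 @@`) the `subrange_name` line was corrected to `hex(nat_private_ip // 16)`, but the two `ip_nat` lines that follow still compute `str(10 * (nat_ip_range - 1) + nat_private_ip / 26)`; if this runs under Python 3 (the `//` fix in the same hunk suggests it does), `/` yields a float, so the last octet of the SNAT `--to-source` address is rendered as a non-integer such as `3.5`, which iptables will reject and, depending on how the ruleset is applied, may take the rest of the nat table down with it. Use floor division there as well: `ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10 * (nat_ip_range - 1) + nat_private_ip // 26)`. The same loop now passes `interface` straight into `-o %s` where the old code used `self.dev[interface]`, so the keys of `interfaces_ip_to_nat` must be kernel device names rather than the logical names `self.dev` mapped; if that is intended, a comment in the settings module saying so would prevent a silently wrong `-o` match. Relatedly, `__init__` defaults `nat_settings` and `interfaces_settings` to `None` via `getattr`, so a missing attribute in `firewall_config` only surfaces later as a `TypeError` in `for nat_to_do in self.nat_settings` or `self.interfaces_settings['sortie']`; raising at construction with the missing attribute name would make the misconfiguration visible before any rule is generated. `nat_prive_ip` starts in the preceding hunk and its body continues outside the visible lines.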