Commit 9a27e5da authored by chirac

Système d'ouverture de ports avec les serialisers re2o

parent d25395f8
...@@ -36,6 +36,7 @@ class iptables: ...@@ -36,6 +36,7 @@ class iptables:
self.mangle6 = "\n*mangle" self.mangle6 = "\n*mangle"
self.filter6 = "\n*filter" self.filter6 = "\n*filter"
self.subnet_ports = api_client.list("firewall/subnet-ports/") self.subnet_ports = api_client.list("firewall/subnet-ports/")
self.interface_ports = api_client.list("firewall/interface-ports/")
self.verbose = False self.verbose = False
self.action = None self.action = None
self.export = False self.export = False
...@@ -250,60 +251,57 @@ class iptables: ...@@ -250,60 +251,57 @@ class iptables:
else: else:
chain = "filter6" chain = "filter6"
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
for interface in self.interfaces['sortie']: for interface in self.interfaces['sortie']:
self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type) self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type)
self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type) self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type)
def add_general_rule(ports, ip_type, chain, subtable, rule, protocol, direction):
"""Règles générales, fonction de factorisation"""
if ip_type == '4':
self.add_in_subtable(chain, subtable, """-m iprange --%s-range %s-%s -p %s -m multiport --dports %s -j RETURN""" % (direction, rule["domaine_ip_start"], rule["domaine_ip_stop"], protocol, ports))
if ip_type == '6':
self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], rule["complete_prefixv6"], protocol, ports))
#Ajout des règles générales
for subnet in self.subnet_ports: for subnet in self.subnet_ports:
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_in"]) ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_in"])
if ports: if ports:
if ip_type == '4': add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'dst')
self.add_in_subtable(chain, subtable, """-m iprange --dst-range %s-%s -p tcp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
if ip_type == '6':
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_out"]) ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_out"])
if ports: if ports:
self.add_in_subtable(chain, subtable, """-m iprange --src-range %s-%s -p tcp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports)) add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'src')
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_in"]) ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_in"])
if ports: if ports:
self.add_in_subtable(chain, subtable, """-m iprange --dst-range %s-%s -p udp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports)) add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'dst')
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"]) ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"])
if ports: if ports:
self.add_in_subtable(chain, subtable, """-m iprange --src-range %s-%s -p udp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports)) add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'src')
#Ajout des règles générales
for realm in self.config_firewall.ports_realm[ip_type]: for interface in self.interface_ports:
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['tcp']['output']) ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
if ports: if ports:
for ip_range in get_range(ip_type, realm): self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports)) for ipv6_addr in interface['ipv6']:
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['tcp']['input']) self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
if ports: if ports:
for ip_range in get_range(ip_type, realm): self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports)) for ipv6_addr in interface['ipv6']:
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['udp']['output']) self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
if ports: if ports:
for ip_range in get_range(ip_type, realm): self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ip_range, ports)) for ipv6_addr in interface['ipv6']:
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['udp']['input']) self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
if ports: if ports:
for ip_range in get_range(ip_type, realm): self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ip_range, ports)) for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
#Ajout des machines avec ouvertures particulières
for machine in self.conn.search(u'(&(portTCPout=*)(%s=*))' % ldap_object_name):
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portTCPout'])))
for machine in self.conn.search(u'(&(portTCPin=*)(%s=*))' % ldap_object_name):
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portTCPin'])))
for machine in self.conn.search(u'(&(portUDPout=*)(%s=*))' % ldap_object_name):
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portUDPout'])))
for machine in self.conn.search(u'(&(portUDPin=*)(%s=*))' % ldap_object_name):
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portUDPin'])))
#Rejet du reste #Rejet du reste
self.add_in_subtable(chain, subtable, """-j REJECT""") self.add_in_subtable(chain, subtable, """-j REJECT""")
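Review bot: The four list comprehensions in the new interface loop (the `tcp_ports_in`, `tcp_ports_out`, `udp_ports_in` and `udp_ports_out` joins) bind the inner variable as `port_list` but read `ports_list['show_port']`, which raises NameError on the first interface with a port list unless an outer `ports_list` happens to exist; each should read `port_list['show_port']`. In the subnet loop, every `add_general_rule(...)` call passes `rule`, yet the only `rule` in view is the variable of the preceding `','.join(... for rule in ...)` generator, which does not leak in Python 3, and the `domaine_ip_start`/`domaine_ip_stop`/`complete_prefixv6` fields look like attributes of the loop variable, so this is presumably meant to be `subnet` (e.g. `add_general_rule(ports, ip_type, chain, subtable, subnet, 'tcp', 'dst')`) — confirm against whatever the method binds before this hunk. The rewrite also drops `self.format_port` and interpolates `show_port` straight from the API payload into the iptables rule text, so unless the re2o serializer already constrains that field, a format check before the join (e.g. `re.fullmatch(r'\d+(:\d+)?', port)`) would keep one malformed value from corrupting the whole generated ruleset. The enclosing method begins before this hunk.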
...@@ -635,11 +633,4 @@ if __name__ == '__main__': ...@@ -635,11 +633,4 @@ if __name__ == '__main__':
table.do_action() table.do_action()
sw = Switch()
for switch in all_switchs:
sw.switch = switch
sw.gen_conf_and_write()
try:
sw.apply_conf()
except:
print("Erreur dans l'application de la conf pour " + switch["short_name"])