From 09e0006d3228c4f8124130e4efdf8e46a79ef698 Mon Sep 17 00:00:00 2001
From: chirac
Date: Sun, 5 Aug 2018 20:35:10 +0200
Subject: [PATCH] =?UTF-8?q?Adaptation=20du=20nat,=20et=20des=20r=C3=A9glag?=
 =?UTF-8?q?es=20interfaces=20au=20fichier=20de=20settings=20python=20firew?=
 =?UTF-8?q?all?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 main.py | 63 ++++++++++++++++++++++++++++-----------------------------
 1 file changed, 31 insertions(+), 32 deletions(-)
diff --git a/main.py b/main.py
index cf95c1d..f208c18 100755
--- a/main.py
+++ b/main.py
@@ -13,6 +13,8 @@ import subprocess
 import socket
 import argparse
+import firewall_config
+
 config = ConfigParser()
 config.read('config.ini')
@@ -40,9 +42,8 @@ class iptables:
 self.action = None
 self.export = False
 self.role = config.get('Firewall', 'role').split(',')
- self.interfaces_sortie = config.get('Firewall', 'interfaces_sortie').split(',')
- self.interfaces_routable = config.get('Firewall', 'interfaces_routable').split(',')
- self.interfaces_admin = config.get('Firewall', 'interfaces_admin').split(',')
+ self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
+ self.nat_settings = getattr(firewall_config, 'nat', None)
 def commit(self, chain):
 self.add(chain, "COMMIT\n")
@@ -176,12 +177,10 @@ class iptables:
 print("Mangle : Réglage correct du MSS")
 self.mss()
 elif table == "nat":
- if self.verbose:
- print("Nat : priv fil")
- # self.nat_prive_ip('fil')
- if self.verbose:
- print("Nat : priv wifi")
- # self.nat_prive_ip('wifi')
+ for nat_to_do in self.nat_settings:
+ if self.verbose:
+ print("Nat : priv" + nat_to_do['name'])
+ self.nat_prive_ip(nat_to_do)
 def portail(self, table):
 if table == "filter": 
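Review bot: The two added `getattr(firewall_config, ..., None)` lines turn a missing setting into a `TypeError` far from its cause — `None['sortie']` in the interface loops and iterating `None` in the nat branch of this patch — rather than a clear configuration error when the generator starts. Since every rule set depends on these values, fail fast on the attribute itself: `self.interfaces_settings = firewall_config.interfaces_type` and `self.nat_settings = firewall_config.nat`, optionally followed by a check that the `'sortie'`, `'routable'` and `'admin'` keys read by the rest of this patch are all present. The `__init__` body starts outside the hunk.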
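Review bot: The added message `print("Nat : priv" + nat_to_do['name'])` lost the separating space the removed lines had, so it prints e.g. `Nat : privfil`; use `print("Nat : priv " + nat_to_do['name'])`. The loop indexes `'name'` on each entry without any validation, so a short comment above it stating the expected shape of `firewall_config.nat` (a list of dicts with the `'name'`, `'ip_sources'` and `'interfaces_ip_to_nat'` keys that `nat_prive_ip` reads later in this patch) would help the next editor of the settings file. The removed lines had both `nat_prive_ip` calls commented out, so SNAT rule generation becomes active with this change; that is worth a sentence in the commit message. The enclosing method starts outside the hunk.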
@@ -255,7 +254,7 @@ class iptables:
 chain = "filter6"
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces_sortie:
+ for interface in self.interfaces_settings['sortie']:
 self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type)
 self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type)
@@ -312,7 +311,7 @@ class iptables:
 def accept_freerad_from_server(self, subtable='RADIUS-SERVER'):
 """Accepte uniquement le trafique venant des serveurs radius federez"""
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces_sortie:
+ for interface in self.interfaces_settings['sortie']:
 self.jump_traficfrom("filter", interface, "INPUT", subtable)
 for server in self.config_firewall.radius_server:
 self.add_in_subtable("filter4", subtable, """-s %s -p %s -m multiport --dports %s -j ACCEPT""" % (server['ipaddr'], server['protocol'], ','.join(server['port'])))
@@ -322,7 +321,7 @@ class iptables:
 def reseaux_non_routables(self, subtable='ADM-NETWORK'):
 """Bloc le trafic vers les réseaux non routables"""
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces_admin:
+ for interface in self.interfaces_settings['admin']:
 self.jump_traficto("filter", interface, "FORWARD", subtable)
 self.add_in_subtable("filter", subtable, """-j REJECT""")
@@ -342,7 +341,7 @@ class iptables:
 def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
 """Nat les connexions derrière l'ip de la machine du portail"""
 self.init_nat(subtable, decision="-")
- for interface in self.interfaces_routable:
+ for interface in self.interfaces_settings['routable']:
 self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
 for ip in self.config.accueil_route.keys(): 
@@ -358,7 +357,7 @@ class iptables:
 def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
 """Nat les connexions derrière l'ip de la machine du portail"""
 self.init_nat(subtable, decision="-")
- for interface in self.interfaces_sortie:
+ for interface in self.interfaces_settings['sortie']:
 self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
 for ip in self.config.accueil_route.keys():
@@ -395,7 +394,7 @@ class iptables:
 def limit_ssh_connexion_input(self, subtable='LIMIT-SSH-INPUT'):
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces_routable:
+ for interface in self.interfaces_settings['routable']:
 self.jump_traficfrom("filter", interface, "INPUT", subtable)
 self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --set""")
@@ -403,7 +402,7 @@ class iptables:
 def limit_ssh_connexion_forward(self, subtable='LIMIT-SSH-FORWARD'):
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces_sortie:
+ for interface in self.interfaces_settings['sortie']:
 self.jump_traficfrom("filter", interface, "FORWARD", subtable)
 self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --set""")
@@ -411,7 +410,7 @@ class iptables:
 def limit_connexion_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'):
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces_sortie:
+ for interface in self.interfaces_settings['sortie']:
 self.jump_traficto("filter", interface, "FORWARD", subtable)
 self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_SRCIP_CONNEXION -j RETURN""") 
@@ -426,9 +425,9 @@ class iptables:
 def limit_connexion_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'):
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces_sortie:
+ for interface in self.interfaces_settings['sortie']:
 self.jump_traficfrom("filter", interface, "FORWARD", subtable)
- for interface in self.interfaces_routable:
+ for interface in self.interfaces_settings['routable']:
 self.jump_traficfrom("filter", interface, "INPUT", subtable)
 self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_DSTIP_CONNEXION -j RETURN""")
@@ -443,13 +442,13 @@ class iptables:
 def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'):
 """Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
- for interface in self.interfaces_routable:
+ for interface in self.interfaces_settings['routable']:
 self.jump_traficfrom("filter", interface, "FORWARD", subtable)
 def blacklist_hard(self, subtable='BLACKLIST-HARD'):
 """Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces_routable:
+ for interface in self.interfaces_settings['routable']:
 self.jump_traficfrom("filter", interface, "INPUT", subtable)
 for machine in self.conn.allMachines():
@@ -460,7 +459,7 @@ class iptables:
 """Génération de la chaine blackliste output, meme idée que si dessus sauf que ici on filtre les users uid sur un serveur et non leurs ip"""
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces_routable:
+ for interface in self.interfaces_settings['routable']:
 self.jump_traficto("filter", interface, "OUTPUT", subtable)
 for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000): 
@@ -470,7 +469,7 @@ class iptables:
 def forbid_adm(self, subtable='ADMIN-VLAN'):
 """Interdit aux users non admin de parler sur les vlans admin"""
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces_admin:
+ for interface in self.interfaces_settings['admin']:
 self.jump_traficto("filter", interface, "OUTPUT", subtable)
 for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
@@ -503,11 +502,11 @@ class iptables:
 def nat_prive_ip(self, nat_type):
 """Nat filaire en v4"""
- subtable = "CONNEXION-NAT-" + nat_type.upper()
+ subtable = "CONNEXION-NAT-" + nat_type['name'].upper()
 self.init_nat(subtable, decision="-")
 self.jump_all_trafic("nat", "POSTROUTING", subtable)
- nat_prive_ip_plage = self.config_firewall.nat_prive_ip_plage[nat_type]
+ nat_prive_ip_plage = nat_type['ip_sources']
 for nat_ip_range in range(1, 26):
 range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range )
 self.init_nat(range_name, decision="-") 
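Review bot: The docstring `"""Nat filaire en v4"""` and the parameter name `nat_type` no longer describe the argument, which after this change is one entry of `firewall_config.nat` (a dict read here for `'name'` and `'ip_sources'`, and further down for `'interfaces_ip_to_nat'`) rather than a `'fil'`/`'wifi'` string; a docstring such as "Generate the v4 SNAT chains for one `firewall_config.nat` entry (dict with 'name', 'ip_sources', 'interfaces_ip_to_nat')." would keep the next caller from passing a string again. `nat_type['name'].upper()` is also concatenated into an iptables chain name, and iptables limits chain names to 28 characters, so a `'name'` longer than 14 characters would make `CONNEXION-NAT-<name>` fail at load time; a length check here or a note beside the setting would surface that early. The function body continues outside the hunk.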
@@ -524,18 +523,18 @@ class iptables:
 port_low = 10000 + 2000*(nat_private_ip%26)
 port_high = port_low + 1999
- subrange_name = range_name + '_' + str(hex(nat_private_ip/16)[2:])
+ subrange_name = range_name + '_' + str(hex(nat_private_ip//16)[2:])
 # On nat
- for interface in self.config_firewall.nat_pub_ip_plage[nat_type]:
- ip_nat = '.'.join(self.config_firewall.nat_pub_ip_plage[nat_type][interface].split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip/26)
- self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, self.dev[interface], ip_nat + ':' + str(port_low) + '-' + str(port_high)))
- self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, self.dev[interface], ip_nat + ':' + str(port_low) + '-' + str(port_high)))
+ for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
+ ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip/26)
+ self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
+ self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
 # On nat tout ce qui match dans les règles et qui n'est pas du tcp/udp derrière la première ip publique unused (25*10) + 1
 # Ne pas oublier de loguer ce qui sort de cette ip
- for interface in self.config_firewall.nat_pub_ip_plage[nat_type]:
- self.add_in_subtable("nat", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (self.dev[interface],) + '.'.join(self.config_firewall.nat_pub_ip_plage[nat_type][interface].split('.')[:3]) + '.250')
+ for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
+ self.add_in_subtable("nat", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (interface,) + 
'.'.join(pub_ip_range.split('.')[:3]) + '.250')
 def gen_mangle(self, empty=False):
 """Génération de la chaine mangle"""
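Review bot: The added line `ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip/26)` still uses true division, while the `subrange_name` line just above it was switched to `//` for the Python 3 case; `nat_private_ip` is an int (it is fed to `hex()` and `%26`), so under Python 3 the last octet renders as a float such as `0.5` and the resulting `--to-source` address is invalid, which would make iptables-restore reject the rule set. The fix is `str(10*(nat_ip_range - 1) + nat_private_ip//26)`, consistent with the other line. The `-o %s` device is now the raw key of `interfaces_ip_to_nat` instead of a `self.dev[...]` lookup, so the settings keys must be actual interface names; a one-line comment at the first `items()` loop would make that contract explicit. The enclosing loop and function start outside the hunk.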