Adaptation du nat, et des réglages interfaces au fichier de settings python firewall
This commit is contained in:
parent
837873eede
commit
09e0006d32
1 changed files with 31 additions and 32 deletions
63
main.py
63
main.py
|
@ -13,6 +13,8 @@ import subprocess
|
||||||
import socket
|
import socket
|
||||||
import argparse
|
import argparse
|
||||||
|
|
||||||
|
import firewall_config
|
||||||
|
|
||||||
config = ConfigParser()
|
config = ConfigParser()
|
||||||
config.read('config.ini')
|
config.read('config.ini')
|
||||||
|
|
||||||
|
@ -40,9 +42,8 @@ class iptables:
|
||||||
self.action = None
|
self.action = None
|
||||||
self.export = False
|
self.export = False
|
||||||
self.role = config.get('Firewall', 'role').split(',')
|
self.role = config.get('Firewall', 'role').split(',')
|
||||||
self.interfaces_sortie = config.get('Firewall', 'interfaces_sortie').split(',')
|
self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
|
||||||
self.interfaces_routable = config.get('Firewall', 'interfaces_routable').split(',')
|
self.nat_settings = getattr(firewall_config, 'nat', None)
|
||||||
self.interfaces_admin = config.get('Firewall', 'interfaces_admin').split(',')
|
|
||||||
|
|
||||||
def commit(self, chain):
|
def commit(self, chain):
|
||||||
self.add(chain, "COMMIT\n")
|
self.add(chain, "COMMIT\n")
|
||||||
|
@ -176,12 +177,10 @@ class iptables:
|
||||||
print("Mangle : Réglage correct du MSS")
|
print("Mangle : Réglage correct du MSS")
|
||||||
self.mss()
|
self.mss()
|
||||||
elif table == "nat":
|
elif table == "nat":
|
||||||
if self.verbose:
|
for nat_to_do in self.nat_settings:
|
||||||
print("Nat : priv fil")
|
if self.verbose:
|
||||||
# self.nat_prive_ip('fil')
|
print("Nat : priv" + nat_to_do['name'])
|
||||||
if self.verbose:
|
self.nat_prive_ip(nat_to_do)
|
||||||
print("Nat : priv wifi")
|
|
||||||
# self.nat_prive_ip('wifi')
|
|
||||||
|
|
||||||
def portail(self, table):
|
def portail(self, table):
|
||||||
if table == "filter":
|
if table == "filter":
|
||||||
|
@ -255,7 +254,7 @@ class iptables:
|
||||||
chain = "filter6"
|
chain = "filter6"
|
||||||
|
|
||||||
self.init_filter(subtable, decision="-")
|
self.init_filter(subtable, decision="-")
|
||||||
for interface in self.interfaces_sortie:
|
for interface in self.interfaces_settings['sortie']:
|
||||||
self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type)
|
self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type)
|
||||||
self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type)
|
self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type)
|
||||||
|
|
||||||
|
@ -312,7 +311,7 @@ class iptables:
|
||||||
def accept_freerad_from_server(self, subtable='RADIUS-SERVER'):
|
def accept_freerad_from_server(self, subtable='RADIUS-SERVER'):
|
||||||
"""Accepte uniquement le trafique venant des serveurs radius federez"""
|
"""Accepte uniquement le trafique venant des serveurs radius federez"""
|
||||||
self.init_filter(subtable, decision="-")
|
self.init_filter(subtable, decision="-")
|
||||||
for interface in self.interfaces_sortie:
|
for interface in self.interfaces_settings['sortie']:
|
||||||
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
||||||
for server in self.config_firewall.radius_server:
|
for server in self.config_firewall.radius_server:
|
||||||
self.add_in_subtable("filter4", subtable, """-s %s -p %s -m multiport --dports %s -j ACCEPT""" % (server['ipaddr'], server['protocol'], ','.join(server['port'])))
|
self.add_in_subtable("filter4", subtable, """-s %s -p %s -m multiport --dports %s -j ACCEPT""" % (server['ipaddr'], server['protocol'], ','.join(server['port'])))
|
||||||
|
@ -322,7 +321,7 @@ class iptables:
|
||||||
def reseaux_non_routables(self, subtable='ADM-NETWORK'):
|
def reseaux_non_routables(self, subtable='ADM-NETWORK'):
|
||||||
"""Bloc le trafic vers les réseaux non routables"""
|
"""Bloc le trafic vers les réseaux non routables"""
|
||||||
self.init_filter(subtable, decision="-")
|
self.init_filter(subtable, decision="-")
|
||||||
for interface in self.interfaces_admin:
|
for interface in self.interfaces_settings['admin']:
|
||||||
self.jump_traficto("filter", interface, "FORWARD", subtable)
|
self.jump_traficto("filter", interface, "FORWARD", subtable)
|
||||||
self.add_in_subtable("filter", subtable, """-j REJECT""")
|
self.add_in_subtable("filter", subtable, """-j REJECT""")
|
||||||
|
|
||||||
|
@ -342,7 +341,7 @@ class iptables:
|
||||||
def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
|
def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
|
||||||
"""Nat les connexions derrière l'ip de la machine du portail"""
|
"""Nat les connexions derrière l'ip de la machine du portail"""
|
||||||
self.init_nat(subtable, decision="-")
|
self.init_nat(subtable, decision="-")
|
||||||
for interface in self.interfaces_routable:
|
for interface in self.interfaces_settings['routable']:
|
||||||
self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
|
self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
|
||||||
|
|
||||||
for ip in self.config.accueil_route.keys():
|
for ip in self.config.accueil_route.keys():
|
||||||
|
@ -358,7 +357,7 @@ class iptables:
|
||||||
def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
|
def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
|
||||||
"""Nat les connexions derrière l'ip de la machine du portail"""
|
"""Nat les connexions derrière l'ip de la machine du portail"""
|
||||||
self.init_nat(subtable, decision="-")
|
self.init_nat(subtable, decision="-")
|
||||||
for interface in self.interfaces_sortie:
|
for interface in self.interfaces_settings['sortie']:
|
||||||
self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
|
self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
|
||||||
|
|
||||||
for ip in self.config.accueil_route.keys():
|
for ip in self.config.accueil_route.keys():
|
||||||
|
@ -395,7 +394,7 @@ class iptables:
|
||||||
|
|
||||||
def limit_ssh_connexion_input(self, subtable='LIMIT-SSH-INPUT'):
|
def limit_ssh_connexion_input(self, subtable='LIMIT-SSH-INPUT'):
|
||||||
self.init_filter(subtable, decision="-")
|
self.init_filter(subtable, decision="-")
|
||||||
for interface in self.interfaces_routable:
|
for interface in self.interfaces_settings['routable']:
|
||||||
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
||||||
|
|
||||||
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --set""")
|
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --set""")
|
||||||
|
@ -403,7 +402,7 @@ class iptables:
|
||||||
|
|
||||||
def limit_ssh_connexion_forward(self, subtable='LIMIT-SSH-FORWARD'):
|
def limit_ssh_connexion_forward(self, subtable='LIMIT-SSH-FORWARD'):
|
||||||
self.init_filter(subtable, decision="-")
|
self.init_filter(subtable, decision="-")
|
||||||
for interface in self.interfaces_sortie:
|
for interface in self.interfaces_settings['sortie']:
|
||||||
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
||||||
|
|
||||||
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --set""")
|
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --set""")
|
||||||
|
@ -411,7 +410,7 @@ class iptables:
|
||||||
|
|
||||||
def limit_connexion_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'):
|
def limit_connexion_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'):
|
||||||
self.init_filter(subtable, decision="-")
|
self.init_filter(subtable, decision="-")
|
||||||
for interface in self.interfaces_sortie:
|
for interface in self.interfaces_settings['sortie']:
|
||||||
self.jump_traficto("filter", interface, "FORWARD", subtable)
|
self.jump_traficto("filter", interface, "FORWARD", subtable)
|
||||||
|
|
||||||
self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_SRCIP_CONNEXION -j RETURN""")
|
self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_SRCIP_CONNEXION -j RETURN""")
|
||||||
|
@ -426,9 +425,9 @@ class iptables:
|
||||||
|
|
||||||
def limit_connexion_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'):
|
def limit_connexion_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'):
|
||||||
self.init_filter(subtable, decision="-")
|
self.init_filter(subtable, decision="-")
|
||||||
for interface in self.interfaces_sortie:
|
for interface in self.interfaces_settings['sortie']:
|
||||||
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
||||||
for interface in self.interfaces_routable:
|
for interface in self.interfaces_settings['routable']:
|
||||||
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
||||||
|
|
||||||
self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_DSTIP_CONNEXION -j RETURN""")
|
self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_DSTIP_CONNEXION -j RETURN""")
|
||||||
|
@ -443,13 +442,13 @@ class iptables:
|
||||||
|
|
||||||
def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'):
|
def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'):
|
||||||
"""Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
|
"""Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
|
||||||
for interface in self.interfaces_routable:
|
for interface in self.interfaces_settings['routable']:
|
||||||
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
||||||
|
|
||||||
def blacklist_hard(self, subtable='BLACKLIST-HARD'):
|
def blacklist_hard(self, subtable='BLACKLIST-HARD'):
|
||||||
"""Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
|
"""Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
|
||||||
self.init_filter(subtable, decision="-")
|
self.init_filter(subtable, decision="-")
|
||||||
for interface in self.interfaces_routable:
|
for interface in self.interfaces_settings['routable']:
|
||||||
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
||||||
|
|
||||||
for machine in self.conn.allMachines():
|
for machine in self.conn.allMachines():
|
||||||
|
@ -460,7 +459,7 @@ class iptables:
|
||||||
"""Génération de la chaine blackliste output, meme idée que si dessus sauf que
|
"""Génération de la chaine blackliste output, meme idée que si dessus sauf que
|
||||||
ici on filtre les users uid sur un serveur et non leurs ip"""
|
ici on filtre les users uid sur un serveur et non leurs ip"""
|
||||||
self.init_filter(subtable, decision="-")
|
self.init_filter(subtable, decision="-")
|
||||||
for interface in self.interfaces_routable:
|
for interface in self.interfaces_settings['routable']:
|
||||||
self.jump_traficto("filter", interface, "OUTPUT", subtable)
|
self.jump_traficto("filter", interface, "OUTPUT", subtable)
|
||||||
|
|
||||||
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
|
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
|
||||||
|
@ -470,7 +469,7 @@ class iptables:
|
||||||
def forbid_adm(self, subtable='ADMIN-VLAN'):
|
def forbid_adm(self, subtable='ADMIN-VLAN'):
|
||||||
"""Interdit aux users non admin de parler sur les vlans admin"""
|
"""Interdit aux users non admin de parler sur les vlans admin"""
|
||||||
self.init_filter(subtable, decision="-")
|
self.init_filter(subtable, decision="-")
|
||||||
for interface in self.interfaces_admin:
|
for interface in self.interfaces_settings['admin']:
|
||||||
self.jump_traficto("filter", interface, "OUTPUT", subtable)
|
self.jump_traficto("filter", interface, "OUTPUT", subtable)
|
||||||
|
|
||||||
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
|
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
|
||||||
|
@ -503,11 +502,11 @@ class iptables:
|
||||||
|
|
||||||
def nat_prive_ip(self, nat_type):
|
def nat_prive_ip(self, nat_type):
|
||||||
"""Nat filaire en v4"""
|
"""Nat filaire en v4"""
|
||||||
subtable = "CONNEXION-NAT-" + nat_type.upper()
|
subtable = "CONNEXION-NAT-" + nat_type['name'].upper()
|
||||||
self.init_nat(subtable, decision="-")
|
self.init_nat(subtable, decision="-")
|
||||||
self.jump_all_trafic("nat", "POSTROUTING", subtable)
|
self.jump_all_trafic("nat", "POSTROUTING", subtable)
|
||||||
|
|
||||||
nat_prive_ip_plage = self.config_firewall.nat_prive_ip_plage[nat_type]
|
nat_prive_ip_plage = nat_type['ip_sources']
|
||||||
for nat_ip_range in range(1, 26):
|
for nat_ip_range in range(1, 26):
|
||||||
range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range )
|
range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range )
|
||||||
self.init_nat(range_name, decision="-")
|
self.init_nat(range_name, decision="-")
|
||||||
|
@ -524,18 +523,18 @@ class iptables:
|
||||||
port_low = 10000 + 2000*(nat_private_ip%26)
|
port_low = 10000 + 2000*(nat_private_ip%26)
|
||||||
port_high = port_low + 1999
|
port_high = port_low + 1999
|
||||||
|
|
||||||
subrange_name = range_name + '_' + str(hex(nat_private_ip/16)[2:])
|
subrange_name = range_name + '_' + str(hex(nat_private_ip//16)[2:])
|
||||||
|
|
||||||
# On nat
|
# On nat
|
||||||
for interface in self.config_firewall.nat_pub_ip_plage[nat_type]:
|
for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
|
||||||
ip_nat = '.'.join(self.config_firewall.nat_pub_ip_plage[nat_type][interface].split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip/26)
|
ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip/26)
|
||||||
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, self.dev[interface], ip_nat + ':' + str(port_low) + '-' + str(port_high)))
|
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
|
||||||
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, self.dev[interface], ip_nat + ':' + str(port_low) + '-' + str(port_high)))
|
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
|
||||||
|
|
||||||
# On nat tout ce qui match dans les règles et qui n'est pas du tcp/udp derrière la première ip publique unused (25*10) + 1
|
# On nat tout ce qui match dans les règles et qui n'est pas du tcp/udp derrière la première ip publique unused (25*10) + 1
|
||||||
# Ne pas oublier de loguer ce qui sort de cette ip
|
# Ne pas oublier de loguer ce qui sort de cette ip
|
||||||
for interface in self.config_firewall.nat_pub_ip_plage[nat_type]:
|
for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
|
||||||
self.add_in_subtable("nat", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (self.dev[interface],) + '.'.join(self.config_firewall.nat_pub_ip_plage[nat_type][interface].split('.')[:3]) + '.250')
|
self.add_in_subtable("nat", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (interface,) + '.'.join(pub_ip_range.split('.')[:3]) + '.250')
|
||||||
|
|
||||||
def gen_mangle(self, empty=False):
|
def gen_mangle(self, empty=False):
|
||||||
"""Génération de la chaine mangle"""
|
"""Génération de la chaine mangle"""
|
||||||
|
|
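Review bot: In nat_prive_ip the integer-division fix is only half applied: `subrange_name` now uses `hex(nat_private_ip//16)`, but the rewritten `ip_nat` line still computes `nat_private_ip/26`, which under Python 3 is a float and turns the last octet into something like `12.5`, yielding an invalid `--to-source` address; change it to `str(10*(nat_ip_range - 1) + nat_private_ip//26)`. In the constructor hunk, `getattr(firewall_config, 'interfaces_type', None)` and `getattr(firewall_config, 'nat', None)` default to `None`, yet `for nat_to_do in self.nat_settings:` and every `self.interfaces_settings['sortie']` / `['routable']` / `['admin']` loop index into them unconditionally, so a settings module missing either name fails with a TypeError far from the cause — default to an empty dict/list or raise with a message naming the missing setting. `config = ConfigParser(); config.read('config.ini')` is kept although the interface and NAT keys it supplied have moved to firewall_config, and `print("Nat : priv" + nat_to_do['name'])` drops the space before the name. Both `__init__` and nat_prive_ip start before their hunks and the class continues past them.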