|
|
|
|
@ -40,12 +40,17 @@ class iptables:
|
|
|
|
|
self.nat6 = "\n*nat"
|
|
|
|
|
self.mangle6 = "\n*mangle"
|
|
|
|
|
self.filter6 = "\n*filter"
|
|
|
|
|
self.global_chain4 = None
|
|
|
|
|
self.global_chain6 = None
|
|
|
|
|
self.subnet_ports = api_client.list("firewall/subnet-ports/")
|
|
|
|
|
self.interface_ports = api_client.list("firewall/interface-ports/")
|
|
|
|
|
self.normal_users = api_client.list("users/normaluser/")
|
|
|
|
|
self.verbose = False
|
|
|
|
|
self.action = None
|
|
|
|
|
self.dry = False
|
|
|
|
|
self.export = False
|
|
|
|
|
self.export4 = False
|
|
|
|
|
self.export6 = False
|
|
|
|
|
self.role = getattr(firewall_config, 'role', None)
|
|
|
|
|
self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
|
|
|
|
|
self.nat_settings = getattr(firewall_config, 'nat', None)
|
|
|
|
|
@ -517,18 +522,29 @@ class iptables:
|
|
|
|
|
getattr(self, role)('mangle')
|
|
|
|
|
self.commit_mangle()
|
|
|
|
|
|
|
|
|
|
def gen_firewall(self, empty=False):
|
|
|
|
|
"""Assemblage des chaines et export si il y a lieu"""
|
|
|
|
|
self.gen_mangle(empty=empty)
|
|
|
|
|
self.gen_nat(empty=empty)
|
|
|
|
|
self.gen_filter(empty=empty)
|
|
|
|
|
self.global_chain4 = self.nat4 + self.filter4 + self.mangle4
|
|
|
|
|
self.global_chain6 = self.nat6 + self.filter6 + self.mangle6
|
|
|
|
|
if self.export or self.export4:
|
|
|
|
|
print(self.global_chain4)
|
|
|
|
|
if self.export or self.export6:
|
|
|
|
|
print(self.global_chain6)
|
|
|
|
|
|
|
|
|
|
def restore_iptables(self, mode='4'):
|
|
|
|
|
"""Restoration de l'iptable générée"""
|
|
|
|
|
if mode == '6':
|
|
|
|
|
global_chain = self.nat6 + self.filter6 + self.mangle6
|
|
|
|
|
global_chain = self.global_chain6
|
|
|
|
|
command_to_execute = ["sudo","-n","/sbin/ip6tables-restore"]
|
|
|
|
|
else:
|
|
|
|
|
global_chain = self.nat4 + self.filter4 + self.mangle4
|
|
|
|
|
global_chain = self.global_chain4
|
|
|
|
|
command_to_execute = ["sudo","-n","/sbin/iptables-restore"]
|
|
|
|
|
process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
|
|
|
|
|
process.communicate(input=global_chain.encode('utf-8'))
|
|
|
|
|
if self.export:
|
|
|
|
|
print(global_chain)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def complete_flush_iptables(self, mode='4'):
|
|
|
|
|
"""Insère un parefeuv6 vide, appellé par l'arrét du parefeu"""
|
|
|
|
|
@ -537,17 +553,18 @@ class iptables:
|
|
|
|
|
def do_action(self):
|
|
|
|
|
"""Effectue l'action demandée"""
|
|
|
|
|
if self.action == "start" or self.action == "restart":
|
|
|
|
|
self.reload()
|
|
|
|
|
self.gen_firewall()
|
|
|
|
|
if not self.dry:
|
|
|
|
|
self.reload()
|
|
|
|
|
elif self.action == "stop":
|
|
|
|
|
self.flush()
|
|
|
|
|
self.gen_firewall(empty=True)
|
|
|
|
|
if not self.dry:
|
|
|
|
|
self.flush()
|
|
|
|
|
else:
|
|
|
|
|
raise NotImplementedError("Action non reconnu, actions valides : start, stop ou restart")
|
|
|
|
|
|
|
|
|
|
def reload(self):
|
|
|
|
|
"""Recharge le parefeu"""
|
|
|
|
|
self.gen_mangle()
|
|
|
|
|
self.gen_nat()
|
|
|
|
|
self.gen_filter()
|
|
|
|
|
if any('6' in role for role in self.role):
|
|
|
|
|
self.restore_iptables(mode='6')
|
|
|
|
|
return
|
|
|
|
|
@ -559,13 +576,12 @@ class iptables:
|
|
|
|
|
|
|
|
|
|
def flush(self):
|
|
|
|
|
"""Vide la chaine iptables, ou ip6tables suivant le role du serveur"""
|
|
|
|
|
self.gen_mangle(empty=True)
|
|
|
|
|
self.gen_nat(empty=True)
|
|
|
|
|
self.gen_filter(empty=True)
|
|
|
|
|
if any('6' in role for role in self.role):
|
|
|
|
|
return
|
|
|
|
|
self.complete_flush_iptables(mode='6')
|
|
|
|
|
if any('4' in role for role in self.role):
|
|
|
|
|
self.complete_flush_iptables(mode='4')
|
|
|
|
|
return
|
|
|
|
|
self.restore_iptables(mode='6')
|
|
|
|
|
self.restore_iptables(mode='4')
|
|
|
|
|
|
|
|
|
|
@ -587,15 +603,21 @@ def run(args):
|
|
|
|
|
table.verbose = True
|
|
|
|
|
table.action = args.action
|
|
|
|
|
table.export = args.export
|
|
|
|
|
table.dry = args.dry
|
|
|
|
|
table.export4 = args.export4
|
|
|
|
|
table.export6 = args.export6
|
|
|
|
|
table.do_action()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
parser = argparse.ArgumentParser()
|
|
|
|
|
parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true")
|
|
|
|
|
parser.add_argument("-e", "--export", help="export le contenu du parefeu", action="store_true")
|
|
|
|
|
parser.add_argument("-e", "--export", help="export le contenu des parefeus", action="store_true")
|
|
|
|
|
parser.add_argument("-e4", "--export4", help="export le contenu du parefeu v4", action="store_true")
|
|
|
|
|
parser.add_argument("-e6", "--export6", help="export le contenu du parefeu v6", action="store_true")
|
|
|
|
|
parser.add_argument("action", help="Mode reconnus : start, stop ou restart", default="restart", nargs="?")
|
|
|
|
|
parser.add_argument("--force", help="Force l'action", action="store_true")
|
|
|
|
|
parser.add_argument("--dry", help="Ne pas effectuer de modification sur le pare-feu", default=False, action="store_true")
|
|
|
|
|
args = parser.parse_args()
|
|
|
|
|
|
|
|
|
|
if args.force:
|
|
|
|
|
@ -606,5 +628,6 @@ if __name__ == '__main__':
|
|
|
|
|
service['service_name'] == 'firewall' and \
|
|
|
|
|
service['need_regen']:
|
|
|
|
|
run(args)
|
|
|
|
|
api_client.patch(service['api_url'], data={'need_regen': False})
|
|
|
|
|
if not args.dry:
|
|
|
|
|
api_client.patch(service['api_url'], data={'need_regen': False})
|
|
|
|
|
|
|
|
|
|
|
root