From 17c1f9fe257adeea876f771652e1f7f3a210ea7d Mon Sep 17 00:00:00 2001
From: Gabriel Detraz
Date: Mon, 24 Jun 2019 20:50:27 +0200
Subject: [PATCH] Acceleration du parefeu v4 - nat via variable intermediaire
---
 main.py | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/main.py b/main.py
index 65ee1f3..8614c29 100755
--- a/main.py
+++ b/main.py
@@ -467,19 +467,21 @@ class iptables:
 """Nat filaire en v4"""
 subtable = "CONNEXION-NAT-" + nat_type['name'].upper()
 self.init_nat(subtable, decision="-")
- self.jump_all_trafic("nat", "POSTROUTING", subtable)
+ self.jump_all_trafic("nat", "POSTROUTING", subtable, mode='4')
 nat_prive_ip_plage = nat_type['ip_sources']
 for nat_ip_range in range(1, 26):
 range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range )
 self.init_nat(range_name, decision="-")
- self.add_in_subtable("nat", subtable, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.0/24 -j ' + range_name)
+ self.add_in_subtable("nat4", subtable, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.0/24 -j ' + range_name)
 for nat_ip_range in range(1, 26):
 range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range)
+ nat_rule_tcp = ""
+ nat_rule_udp = ""
 for nat_ip_subrange in range(16):
 subrange_name = range_name + '_' + str(hex(nat_ip_subrange)[2:])
 self.init_nat(subrange_name, decision="-")
- self.add_in_subtable("nat", range_name, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.' + str(nat_ip_subrange*16) + '/28 -j ' + subrange_name)
+ self.add_in_subtable("nat4", range_name, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.' + str(nat_ip_subrange*16) + '/28 -j ' + subrange_name)
 for nat_private_ip in range(256):
 ip_src = '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.' + str(nat_private_ip) + '/32'
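Review bot: The three `self.init_nat(..., decision="-")` calls that create `subtable`, `range_name` and `subrange_name` are unchanged and still name no output buffer, while every `-j range_name` / `-j subrange_name` rule that references those chains now goes to `"nat4"`; if `init_nat` and `add_in_subtable` write to different outputs, the chain declarations and the jumps to them would be split across two rule sets and the v4 restore could reject the jumps as referring to an unknown chain. `init_nat`, `jump_all_trafic` and `add_in_subtable` are all defined outside the hunk, so this is an inference — confirm `init_nat` emits into the same `nat4` output, or give it the target explicitly the way `mode='4'` now does for `jump_all_trafic`. The IPv4 selector is spelled two ways on adjacent lines (`mode='4'` versus the `"nat4"` key), which deserves a comment such as `# "nat4" / mode='4': IPv4-only nat output; chains created by init_nat must land in the same buffer` so the next reader knows the two must agree. The enclosing method starts above the hunk (only its docstring is visible here) and continues into the next hunk.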
@@ -489,15 +491,18 @@ class iptables:
 subrange_name = range_name + '_' + str(hex(nat_private_ip//16)[2:]) # On nat + for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
 ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip//26)
- self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
- self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
+ nat_rule_tcp += '\n-A %s -s %s -o %s -p tcp -j SNAT --to-source %s' % (subrange_name, ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high))
+ nat_rule_udp += '\n-A %s -s %s -o %s -p udp -j SNAT --to-source %s' % (subrange_name, ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high))
+ self.add("nat4", nat_rule_tcp)
+ self.add("nat4", nat_rule_udp)
 # On nat tout ce qui match dans les règles et qui n'est pas du tcp/udp derrière la première ip publique unused (25*10) + 1 # Ne pas oublier de loguer ce qui sort de cette ip
 for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
- self.add_in_subtable("nat", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (interface,) + '.'.join(pub_ip_range.split('.')[:3]) + '.250')
+ self.add_in_subtable("nat4", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (interface,) + '.'.join(pub_ip_range.split('.')[:3]) + '.250')
 def gen_mangle(self, empty=False):
 """Génération de la chaine mangle"""
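Review bot: The two `self.add("nat4", nat_rule_tcp)` / `self.add("nat4", nat_rule_udp)` calls flush buffers that are reset once per `nat_ip_range` (previous hunk) and appended to inside the innermost `for interface` loop, so the loop level they sit at decides the output and that indentation is not recoverable from this rendering; confirm they are placed after the `for nat_private_ip in range(256)` loop, because one level deeper each iteration would re-emit the whole accumulated set and produce up to 256 copies of every SNAT rule per range — the opposite of the acceleration the commit aims for. Each accumulated string also begins with `'\n'` and stays `""` when `interfaces_ip_to_nat` is empty, and the `-A %s` framing is now written by hand instead of by `add_in_subtable`, so `add` (outside the hunk) must tolerate a leading newline and an empty chunk and must expect exactly this framing. The `+=` on a str inside a 16×256×interfaces loop is quadratic; collecting the rules in a list and joining once is linear and drops the leading newline (keep it as a one-off prefix if `add` relies on it), with the `nat_rule_tcp = ""` / `nat_rule_udp = ""` initialisations in the previous hunk becoming `[]`. The enclosing method begins before the previous hunk and ends just before `def gen_mangle` in this one.
```python
                    # … unchanged: ip_nat computation …
                    nat_rule_tcp.append('-A %s -s %s -o %s -p tcp -j SNAT --to-source %s' % (subrange_name, ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
                    nat_rule_udp.append('-A %s -s %s -o %s -p udp -j SNAT --to-source %s' % (subrange_name, ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
            # … unchanged: end of the interface and nat_private_ip loops …
            self.add("nat4", '\n'.join(nat_rule_tcp))
            self.add("nat4", '\n'.join(nat_rule_udp))
```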