Acceleration du parefeu v4 - nat via variable intermediaire

This commit is contained in:
chirac 2019-06-24 20:50:27 +02:00 committed by root
parent 66edd5f440
commit 17c1f9fe25

17
main.py

@ -467,19 +467,21 @@ class iptables:
"""Nat filaire en v4""" """Nat filaire en v4"""
subtable = "CONNEXION-NAT-" + nat_type['name'].upper() subtable = "CONNEXION-NAT-" + nat_type['name'].upper()
self.init_nat(subtable, decision="-") self.init_nat(subtable, decision="-")
self.jump_all_trafic("nat", "POSTROUTING", subtable) self.jump_all_trafic("nat", "POSTROUTING", subtable, mode='4')
nat_prive_ip_plage = nat_type['ip_sources'] nat_prive_ip_plage = nat_type['ip_sources']
for nat_ip_range in range(1, 26): for nat_ip_range in range(1, 26):
range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range ) range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range )
self.init_nat(range_name, decision="-") self.init_nat(range_name, decision="-")
self.add_in_subtable("nat", subtable, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.0/24 -j ' + range_name) self.add_in_subtable("nat4", subtable, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.0/24 -j ' + range_name)
for nat_ip_range in range(1, 26): for nat_ip_range in range(1, 26):
range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range) range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range)
nat_rule_tcp = ""
nat_rule_udp = ""
for nat_ip_subrange in range(16): for nat_ip_subrange in range(16):
subrange_name = range_name + '_' + str(hex(nat_ip_subrange)[2:]) subrange_name = range_name + '_' + str(hex(nat_ip_subrange)[2:])
self.init_nat(subrange_name, decision="-") self.init_nat(subrange_name, decision="-")
self.add_in_subtable("nat", range_name, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.' + str(nat_ip_subrange*16) + '/28 -j ' + subrange_name) self.add_in_subtable("nat4", range_name, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.' + str(nat_ip_subrange*16) + '/28 -j ' + subrange_name)
for nat_private_ip in range(256): for nat_private_ip in range(256):
ip_src = '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.' + str(nat_private_ip) + '/32' ip_src = '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.' + str(nat_private_ip) + '/32'
@ -489,15 +491,18 @@ class iptables:
subrange_name = range_name + '_' + str(hex(nat_private_ip//16)[2:]) subrange_name = range_name + '_' + str(hex(nat_private_ip//16)[2:])
# On nat # On nat
for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items(): for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip//26) ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip//26)
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high))) nat_rule_tcp += '\n-A %s -s %s -o %s -p tcp -j SNAT --to-source %s' % (subrange_name, ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high))
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high))) nat_rule_udp += '\n-A %s -s %s -o %s -p udp -j SNAT --to-source %s' % (subrange_name, ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high))
self.add("nat4", nat_rule_tcp)
self.add("nat4", nat_rule_udp)
# On nat tout ce qui match dans les règles et qui n'est pas du tcp/udp derrière la première ip publique unused (25*10) + 1 # On nat tout ce qui match dans les règles et qui n'est pas du tcp/udp derrière la première ip publique unused (25*10) + 1
# Ne pas oublier de loguer ce qui sort de cette ip # Ne pas oublier de loguer ce qui sort de cette ip
for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items(): for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
self.add_in_subtable("nat", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (interface,) + '.'.join(pub_ip_range.split('.')[:3]) + '.250') self.add_in_subtable("nat4", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (interface,) + '.'.join(pub_ip_range.split('.')[:3]) + '.250')
def gen_mangle(self, empty=False): def gen_mangle(self, empty=False):
"""Génération de la chaine mangle""" """Génération de la chaine mangle"""
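Review bot: The new `nat_rule_tcp` / `nat_rule_udp` buffers grow by string `+=` across the 16 × 256 × interfaces inner loops before being flushed by `self.add("nat4", …)`, and because this rendering drops indentation I cannot confirm that the two flush calls sit at the `nat_ip_range` loop level rather than inside the `nat_private_ip` or interface loop, where every iteration would re-emit the whole accumulated buffer as duplicate SNAT rules. Collecting into a list makes the flush point explicit and avoids the repeated concatenation: `nat_rules_tcp = []`, then `nat_rules_tcp.append('-A %s -s %s -o %s -p tcp -j SNAT --to-source %s' % (subrange_name, ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))`, and finally `self.add("nat4", '\n' + '\n'.join(nat_rules_tcp))`, with the same shape for udp. The `interface` and address values taken from `nat_type` are spliced into the rule text without any check; if that configuration is not guaranteed well-formed, a value containing whitespace or a newline would silently alter or split a rule inside the buffer, so a shape check (no whitespace, expected dotted-quad prefix) before formatting would be worth adding. The enclosing NAT method begins before this hunk, and `gen_mangle` continues after it.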