|
|
|
@ -55,6 +55,7 @@ class iptables:
|
|
|
|
|
self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
|
|
|
|
|
self.nat_settings = getattr(firewall_config, 'nat', None)
|
|
|
|
|
self.portail_settings = getattr(firewall_config, 'portail', None)
|
|
|
|
|
self.accueils = getattr(firewall_config, 'accueils', [])
|
|
|
|
|
|
|
|
|
|
def commit(self, chain):
|
|
|
|
|
self.add(chain, "COMMIT\n")
|
|
|
|
@ -74,14 +75,16 @@ class iptables:
|
|
|
|
|
def add(self, chain, value):
|
|
|
|
|
setattr(self, chain, getattr(self, chain) + "\n" + value)
|
|
|
|
|
|
|
|
|
|
def add_in_subtable(self, chain, subtable, value):
|
|
|
|
|
def add_in_subtable(self, chain, subtable, value, mode='all'):
|
|
|
|
|
if '4' in chain:
|
|
|
|
|
self.add(chain, "-A " + subtable + " " + value)
|
|
|
|
|
elif '6' in chain:
|
|
|
|
|
self.add(chain, "-A " + subtable + " " + value)
|
|
|
|
|
else:
|
|
|
|
|
self.add(chain + '4', "-A " + subtable + " " + value)
|
|
|
|
|
self.add(chain + '6', "-A " + subtable + " " + value)
|
|
|
|
|
if mode in ('4', 'all'):
|
|
|
|
|
self.add(chain + '4', "-A " + subtable + " " + value)
|
|
|
|
|
if mode in ('6', 'all'):
|
|
|
|
|
self.add(chain + '6', "-A " + subtable + " " + value)
|
|
|
|
|
|
|
|
|
|
def init_filter(self, subchain, decision="ACCEPT", mode='all'):
|
|
|
|
|
if mode == 'all' or mode == '4':
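Review bot: The new `mode` parameter of add_in_subtable is only honoured in the `else` branch; when `chain` already names a family (the `'4' in chain` / `'6' in chain` branches) the rule is emitted regardless of `mode`, and an unrecognised value such as `'v4'` silently adds nothing in the `else` branch. A guard at the top of the method makes both cases visible: `if mode not in ('4', '6', 'all'): raise ValueError(f"unknown mode {mode!r}")`. A short docstring should also state that `mode` is ignored when the chain name is already family-specific, since init_filter below treats `mode` as authoritative. init_filter starts inside the hunk but its body continues past it.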
|
|
|
|
@ -207,6 +210,9 @@ class iptables:
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Mangle : Mise en place des logs")
|
|
|
|
|
self.log()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Mangle : Ajout des accueils")
|
|
|
|
|
self.add_accueils()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Mangle : Réglage correct du MSS")
|
|
|
|
|
self.mss()
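Review bot: The added `self.add_accueils()` call differs from its neighbours log() and mss() in kind: judging by add_mac_ipset in the later hunk, it runs `sudo ipset` commands immediately rather than only appending rule text, so the kernel state is changed during rule generation, before the mangle rules that reference those sets are written or applied. That ordering deserves a comment next to the call, e.g. `# side effect: creates or refreshes the accueil ipsets via sudo ipset now; the rules below only reference them`, and ideally the ipset work would be done at apply time. The enclosing method starts and ends outside the hunk.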
|
|
|
|
@ -500,6 +506,55 @@ class iptables:
|
|
|
|
|
|
|
|
|
|
self.add_in_subtable("mangle", subtable, '-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu')
|
|
|
|
|
|
|
|
|
|
def run_ipset(self, *args):
|
|
|
|
|
command = ["sudo", "-n", "/usr/sbin/ipset"] + list(args)
|
|
|
|
|
return subprocess.run(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
|
|
|
|
|
|
|
|
|
|
def ipset_create(self, name, set_type, timeout):
|
|
|
|
|
self.run_ipset("create", name, set_type, "timeout", str(timeout))
|
|
|
|
|
|
|
|
|
|
def ipset_swap(self, first, second):
|
|
|
|
|
self.run_ipset("swap", first, second)
|
|
|
|
|
|
|
|
|
|
def ipset_destroy(self, name):
|
|
|
|
|
self.run_ipset("destroy", name)
|
|
|
|
|
|
|
|
|
|
def ipset_exists(self, name):
|
|
|
|
|
ret = self.run_ipset("list", name)
|
|
|
|
|
return ret.returncode == 0
|
|
|
|
|
|
|
|
|
|
def add_mac_ipset(self, name, timeout):
|
|
|
|
|
if self.ipset_exists(name):
|
|
|
|
|
tmp_name = f"{name}__tmp"
|
|
|
|
|
self.ipset_create(tmp_name, "hash:mac", timeout)
|
|
|
|
|
self.ipset_swap(tmp_name, name)
|
|
|
|
|
self.ipset_destroy(tmp_name)
|
|
|
|
|
else:
|
|
|
|
|
self.ipset_create(name, "hash:mac", timeout)
|
|
|
|
|
|
|
|
|
|
def add_accueils(self):
|
|
|
|
|
for accueil in self.accueils:
|
|
|
|
|
iface = accueil["iface"]
|
|
|
|
|
triggered = f"accueil_{iface}_triggered"
|
|
|
|
|
allowed = f"accueil_{iface}_allowed"
|
|
|
|
|
triggers = accueil["triggers"]
|
|
|
|
|
self.add_mac_ipset(allowed, accueil.get("grace_period", 120))
|
|
|
|
|
self.add_mac_ipset(triggered, accueil.get("retry_period", 240))
|
|
|
|
|
self.add_accueil(iface, allowed, triggered, triggers)
|
|
|
|
|
|
|
|
|
|
def add_accueil(self, iface, allowed_set, triggered_set, triggers):
|
|
|
|
|
subtable = f"ACCUEIL-{iface}"
|
|
|
|
|
self.init_mangle(subtable, decision="-")
|
|
|
|
|
self.add_in_subtable("mangle", subtable, f"-m set --match-set {allowed_set} src -j RETURN")
|
|
|
|
|
self.add_in_subtable("mangle", subtable, f"-m set --match-set {triggered_set} src -j DROP")
|
|
|
|
|
for iptype, proto, addr, port in triggers:
|
|
|
|
|
match = f"-p {proto} -d {addr} --dport {port}"
|
|
|
|
|
for s in (allowed_set, triggered_set):
|
|
|
|
|
self.add_in_subtable("mangle", subtable, f"{match} -j SET --add-set {s} src", iptype)
|
|
|
|
|
self.add_in_subtable("mangle", subtable, f"{match} -j RETURN", iptype)
|
|
|
|
|
self.add_in_subtable("mangle", subtable, "-j DROP")
|
|
|
|
|
self.jump_traficfrom("mangle", iface, "PREROUTING", subtable)
|
|
|
|
|
|
|
|
|
|
def nat_prive_ip(self, nat_type):
|
|
|
|
|
"""Nat filaire en v4"""
|
|
|
|
|
subtable = "CONNEXION-NAT-" + nat_type['name'].upper()
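Review bot: ipset_create, ipset_swap and ipset_destroy discard the CompletedProcess returned by run_ipset, so a failing `sudo -n ipset` (no passwordless sudo, a type mismatch on swap, a name the kernel rejects) goes unnoticed and add_accueil then emits `--match-set` rules against sets that do not exist. A keyword-only check flag keeps ipset_exists working while surfacing every other failure: `def run_ipset(self, *args, check=True):`, `return subprocess.run(command, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, check=check)`, and in ipset_exists `ret = self.run_ipset("list", name, check=False)`. Separately, `accueil_{iface}_triggered` and `{name}__tmp` grow with the interface name and ipset limits set names to 31 characters, so a long interface name will, if I read that limit right, make the create call fail; a length check or at least a comment on add_mac_ipset is warranted. Note too that the swap/destroy path in add_mac_ipset replaces an existing set with an empty one, resetting the current grace and retry state on every run — if that is intended, state it in a docstring on add_mac_ipset.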
|
|
|
|
|