aurore/aurore-firewall
11
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Support de l'accès accueil

Browse source
This commit is contained in:
root 2021-01-24 16:11:15 +01:00
parent 8066c8bd73
commit 30ecbf70f7
1 changed files with 58 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
main.py
View file

@ -55,6 +55,7 @@ class iptables:
self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
self.nat_settings = getattr(firewall_config, 'nat', None)
self.portail_settings = getattr(firewall_config, 'portail', None)
self.accueils = getattr(firewall_config, 'accueils', [])
def commit(self, chain):
self.add(chain, "COMMIT\n")
@ -74,14 +75,16 @@ class iptables:
def add(self, chain, value):
setattr(self, chain, getattr(self, chain) + "\n" + value)
def add_in_subtable(self, chain, subtable, value):
def add_in_subtable(self, chain, subtable, value, mode='all'):
if '4' in chain:
self.add(chain, "-A " + subtable + " " + value)
elif '6' in chain:
self.add(chain, "-A " + subtable + " " + value)
else:
self.add(chain + '4', "-A " + subtable + " " + value)
self.add(chain + '6', "-A " + subtable + " " + value)
if mode in ('4', 'all'):
self.add(chain + '4', "-A " + subtable + " " + value)
if mode in ('6', 'all'):
self.add(chain + '6', "-A " + subtable + " " + value)
def init_filter(self, subchain, decision="ACCEPT", mode='all'):
if mode == 'all' or mode == '4':
@ -207,6 +210,9 @@ class iptables:
if self.verbose:
print("Mangle : Mise en place des logs")
self.log()
if self.verbose:
print("Mangle : Ajout des accueils")
self.add_accueils()
if self.verbose:
print("Mangle : Réglage correct du MSS")
self.mss()
@ -500,6 +506,55 @@ class iptables:
self.add_in_subtable("mangle", subtable, '-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu')
def run_ipset(self, *args):
command = ["sudo", "-n", "/usr/sbin/ipset"] + list(args)
return subprocess.run(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
def ipset_create(self, name, set_type, timeout):
self.run_ipset("create", name, set_type, "timeout", str(timeout))
def ipset_swap(self, first, second):
self.run_ipset("swap", first, second)
def ipset_destroy(self, name):
self.run_ipset("destroy", name)
def ipset_exists(self, name):
ret = self.run_ipset("list", name)
return ret.returncode == 0
def add_mac_ipset(self, name, timeout):
if self.ipset_exists(name):
tmp_name = f"{name}__tmp"
self.ipset_create(tmp_name, "hash:mac", timeout)
self.ipset_swap(tmp_name, name)
self.ipset_destroy(tmp_name)
else:
self.ipset_create(name, "hash:mac", timeout)
def add_accueils(self):
for accueil in self.accueils:
iface = accueil["iface"]
triggered = f"accueil_{iface}_triggered"
allowed = f"accueil_{iface}_allowed"
triggers = accueil["triggers"]
self.add_mac_ipset(allowed, accueil.get("grace_period", 120))
self.add_mac_ipset(triggered, accueil.get("retry_period", 240))
self.add_accueil(iface, allowed, triggered, triggers)
def add_accueil(self, iface, allowed_set, triggered_set, triggers):
subtable = f"ACCUEIL-{iface}"
self.init_mangle(subtable, decision="-")
self.add_in_subtable("mangle", subtable, f"-m set --match-set {allowed_set} src -j RETURN")
self.add_in_subtable("mangle", subtable, f"-m set --match-set {triggered_set} src -j DROP")
for iptype, proto, addr, port in triggers:
match = f"-p {proto} -d {addr} --dport {port}"
for s in (allowed_set, triggered_set):
self.add_in_subtable("mangle", subtable, f"{match} -j SET --add-set {s} src", iptype)
self.add_in_subtable("mangle", subtable, f"{match} -j RETURN", iptype)
self.add_in_subtable("mangle", subtable, "-j DROP")
self.jump_traficfrom("mangle", iface, "PREROUTING", subtable)
def nat_prive_ip(self, nat_type):
"""Nat filaire en v4"""
subtable = "CONNEXION-NAT-" + nat_type['name'].upper()