From 30ecbf70f7637f1545d5110b9d384c92e73b48c3 Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 24 Jan 2021 16:11:15 +0100
Subject: [PATCH] =?UTF-8?q?Support=20de=20l'acc=C3=A8s=20accueil?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 main.py | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 58 insertions(+), 3 deletions(-)

diff --git a/main.py b/main.py
index d589fef..4ee10c4 100755
--- a/main.py
+++ b/main.py
@@ -55,6 +55,7 @@ class iptables:
         self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
         self.nat_settings = getattr(firewall_config, 'nat', None)
         self.portail_settings = getattr(firewall_config, 'portail', None)
+        self.accueils = getattr(firewall_config, 'accueils', [])
 
     def commit(self, chain):
         self.add(chain, "COMMIT\n")
@@ -74,14 +75,16 @@ class iptables:
     def add(self, chain, value):
         setattr(self, chain, getattr(self, chain) + "\n" + value)
 
-    def add_in_subtable(self, chain, subtable, value):
+    def add_in_subtable(self, chain, subtable, value, mode='all'):
         if '4' in chain:
             self.add(chain, "-A " + subtable + " " + value)
         elif '6' in chain:
             self.add(chain, "-A " + subtable + " " + value)
         else:
-            self.add(chain + '4', "-A " + subtable + " " + value)
-            self.add(chain + '6', "-A " + subtable + " " + value)
+            if mode in ('4', 'all'):
+                self.add(chain + '4', "-A " + subtable + " " + value)
+            if mode in ('6', 'all'):
+                self.add(chain + '6', "-A " + subtable + " " + value)
 
     def init_filter(self, subchain, decision="ACCEPT", mode='all'):
         if mode == 'all' or mode == '4':
@@ -207,6 +210,9 @@ class iptables:
         if self.verbose:
             print("Mangle : Mise en place des logs")
         self.log()
+        if self.verbose:
+            print("Mangle : Ajout des accueils")
+        self.add_accueils()
         if self.verbose:
             print("Mangle : Réglage correct du MSS")
         self.mss()
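Review bot: The new `mode` argument of add_in_subtable is only consulted in the `else` branch, so a value other than '4', '6' or 'all' (for example a mistyped `iptype` handed down by a caller) silently emits no rule at all, and when `chain` already names a family the argument is ignored without complaint. A guard at the top of the method makes a misconfiguration loud instead of producing a chain with a missing rule: `if mode not in ('4', '6', 'all'): raise ValueError(f"unknown mode {mode!r}")`. The `'4' in chain` / `'6' in chain` tests are substring checks on the chain name, which deserves a one-line comment so nobody later adds a chain whose name happens to contain a digit.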
@@ -500,6 +506,55 @@ class iptables:
         self.add_in_subtable("mangle", subtable, '-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu')
 
+    def run_ipset(self, *args):
+        command = ["sudo", "-n", "/usr/sbin/ipset"] + list(args)
+        return subprocess.run(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+
+    def ipset_create(self, name, set_type, timeout):
+        self.run_ipset("create", name, set_type, "timeout", str(timeout))
+
+    def ipset_swap(self, first, second):
+        self.run_ipset("swap", first, second)
+
+    def ipset_destroy(self, name):
+        self.run_ipset("destroy", name)
+
+    def ipset_exists(self, name):
+        ret = self.run_ipset("list", name)
+        return ret.returncode == 0
+
+    def add_mac_ipset(self, name, timeout):
+        if self.ipset_exists(name):
+            tmp_name = f"{name}__tmp"
+            self.ipset_create(tmp_name, "hash:mac", timeout)
+            self.ipset_swap(tmp_name, name)
+            self.ipset_destroy(tmp_name)
+        else:
+            self.ipset_create(name, "hash:mac", timeout)
+
+    def add_accueils(self):
+        for accueil in self.accueils:
+            iface = accueil["iface"]
+            triggered = f"accueil_{iface}_triggered"
+            allowed = f"accueil_{iface}_allowed"
+            triggers = accueil["triggers"]
+            self.add_mac_ipset(allowed, accueil.get("grace_period", 120))
+            self.add_mac_ipset(triggered, accueil.get("retry_period", 240))
+            self.add_accueil(iface, allowed, triggered, triggers)
+
+    def add_accueil(self, iface, allowed_set, triggered_set, triggers):
+        subtable = f"ACCUEIL-{iface}"
+        self.init_mangle(subtable, decision="-")
+        self.add_in_subtable("mangle", subtable, f"-m set --match-set {allowed_set} src -j RETURN")
+        self.add_in_subtable("mangle", subtable, f"-m set --match-set {triggered_set} src -j DROP")
+        for iptype, proto, addr, port in triggers:
+            match = f"-p {proto} -d {addr} --dport {port}"
+            for s in (allowed_set, triggered_set):
+                self.add_in_subtable("mangle", subtable, f"{match} -j SET --add-set {s} src", iptype)
+            self.add_in_subtable("mangle", subtable, f"{match} -j RETURN", iptype)
+        self.add_in_subtable("mangle", subtable, "-j DROP")
+        self.jump_traficfrom("mangle", iface, "PREROUTING", subtable)
+
 
     def nat_prive_ip(self, nat_type):
         """Nat filaire en v4"""
         subtable = "CONNEXION-NAT-" + nat_type['name'].upper()
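Review bot: run_ipset discards the exit status of every ipset(8) call (no `check=True`, and ipset_create/ipset_swap/ipset_destroy never look at the result), so a refused `sudo -n`, a `create` rejected because the name is over ipset's 31-character limit (`accueil_{iface}_triggered__tmp` exceeds it once iface is longer than 8 characters) or a `swap` between sets of different types passes silently, and add_accueil then emits `--match-set` rules against a set that does not exist or is the wrong one. run_ipset should fail by default, with ipset_exists as the one caller that opts out, and `stdin=subprocess.DEVNULL` is the better choice for a child that never reads its input; the rewrite below assumes `subprocess` is already imported, since the hunk adds no import. ipset_exists's `list name` also dumps every member just to probe for existence, whereas ipset's `-n` option lists names only. Note as well that add_mac_ipset replaces an existing set with an empty one on every run, which cuts off every host still in its grace period at each firewall reload; a comment stating that this is intended (ipset cannot change a set's timeout in place) would help the next reader.
```python
    def run_ipset(self, *args, check=True):
        """Run one ipset(8) subcommand through sudo.

        Raises subprocess.CalledProcessError on a non-zero exit unless
        check=False, so a failed create/swap cannot leave the mangle rules
        pointing at a missing or wrong-typed set.
        """
        command = ["sudo", "-n", "/usr/sbin/ipset"] + list(args)
        return subprocess.run(command, stdin=subprocess.DEVNULL,
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              check=check)

    # … unchanged: ipset_create / ipset_swap / ipset_destroy …

    def ipset_exists(self, name):
        # -n lists only set names; a non-zero exit means the set is absent
        ret = self.run_ipset("-n", "list", name, check=False)
        return ret.returncode == 0
```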