Add option to enable forwarding between two interfaces without any additional firewall rule

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

firewall_config.example.py

@@ -106,3 +106,10 @@ accueils = [
         ]
     }
 ]
+
+### Specifiy tuples of interfaces that should be directly forwarded without any
+### firewall rule.
+
+# external_forward = [
+#     ('eth1', 'eth2'),
+# ]

main.py

@@ -58,6 +58,7 @@ class iptables:
         self.accueils = getattr(firewall_config, 'accueils', [])
         self.log_ignore_v4 = getattr(firewall_config, 'log_ignore_v4', [])
         self.log_ignore_v6 = getattr(firewall_config, 'log_ignore_v6', [])
+        self.external_forward_settings = getattr(firewall_config, 'external_forward', [])
 
     def commit(self, chain):
         self.add(chain, "COMMIT\n")
@@ -270,6 +271,7 @@ class iptables:
             print("Limitation des connexions")
         self.limit_ssh_connection_input()
         self.limit_connection_dstip()
+        self.external_forward()
 
     def gen_filter(self, empty=False):
         self.init_filter("INPUT")
@@ -482,6 +484,12 @@ class iptables:
         self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_DSTIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """)
         self.add_in_subtable("filter", subtable, """-j REJECT""")
 
+    def external_forward(self):
+        for ip_type in [4, 6]:
+            for if1, if2 in self.external_forward_settings:
+                self.add(f"filter{ip_type}", f"-I FORWARD -i {if1} -o {if2} -j ACCEPT")
+                self.add(f"filter{ip_type}", f"-I FORWARD -i {if2} -o {if1} -j ACCEPT")
+
     def forbid_adm(self, subtable='ADMIN-VLAN'):
         """Interdit aux users non admin de parler sur les vlans admin"""
         self.init_filter(subtable, decision="-")