Add option to enable forwarding between two interfaces without any additional firewall rule

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
ynerant 2021-07-04 10:20:34 +02:00
parent 44b9573c10
commit 411669e310
Signed by untrusted user: ynerant
GPG key ID: 3A75C55819C8CF85
2 changed files with 15 additions and 0 deletions


@ -106,3 +106,10 @@ accueils = [
]
}
]
### Specifiy tuples of interfaces that should be directly forwarded without any
### firewall rule.
# external_forward = [
# ('eth1', 'eth2'),
# ]
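Review bot: `Specifiy` in the new comment should read `Specify`, and the comment understates what the option does: from the iptables change in this commit each listed pair gets an ACCEPT inserted at the head of FORWARD in both directions, for IPv4 and IPv6, so traffic between the two interfaces is never seen by the logging or connection-limit rules. Suggest `### Specify tuples of interfaces whose traffic is forwarded in both directions (v4 and v6)` followed by `### ahead of every other FORWARD rule, i.e. with no logging or rate limiting.`. Whether `accueils` or other settings in this file are documented the same way is outside the hunk.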


@ -58,6 +58,7 @@ class iptables:
self.accueils = getattr(firewall_config, 'accueils', [])
self.log_ignore_v4 = getattr(firewall_config, 'log_ignore_v4', [])
self.log_ignore_v6 = getattr(firewall_config, 'log_ignore_v6', [])
self.external_forward_settings = getattr(firewall_config, 'external_forward', [])
def commit(self, chain):
self.add(chain, "COMMIT\n")
@ -270,6 +271,7 @@ class iptables:
print("Limitation des connexions")
self.limit_ssh_connection_input()
self.limit_connection_dstip()
self.external_forward()
def gen_filter(self, empty=False):
self.init_filter("INPUT")
@ -482,6 +484,12 @@ class iptables:
self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_DSTIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """)
self.add_in_subtable("filter", subtable, """-j REJECT""")
def external_forward(self):
for ip_type in [4, 6]:
for if1, if2 in self.external_forward_settings:
self.add(f"filter{ip_type}", f"-I FORWARD -i {if1} -o {if2} -j ACCEPT")
self.add(f"filter{ip_type}", f"-I FORWARD -i {if2} -o {if1} -j ACCEPT")
def forbid_adm(self, subtable='ADMIN-VLAN'):
"""Interdit aux users non admin de parler sur les vlans admin"""
self.init_filter(subtable, decision="-")
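Review bot: `external_forward` (hunk at line 484) carries no docstring while the neighbouring `forbid_adm` documents its intent, and the behaviour is security-relevant: `-I FORWARD` prepends the rule, so each pair in `external_forward_settings` is accepted before any logging, state or rate-limit rule of the FORWARD chain, in both directions and for both `filter4` and `filter6`. Suggest `"""Accept all FORWARD traffic between each interface pair of external_forward, in both directions, for IPv4 and IPv6, ahead of every other FORWARD rule."""` as the first line of the method. The loop also unpacks every entry as exactly two interface names, so a malformed config entry raises ValueError during rule generation rather than being reported as a config error; if that is acceptable it is worth a short comment on the `for if1, if2` line. The `__init__` hunk at line 58 names the attribute `external_forward_settings` rather than the config key `external_forward`, presumably to avoid colliding with the new method; a one-line comment there would save the next reader the inference. `forbid_adm` continues outside the hunk.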