|
|
@ -58,6 +58,7 @@ class iptables:
|
|
|
|
self.accueils = getattr(firewall_config, 'accueils', [])
|
|
|
|
self.accueils = getattr(firewall_config, 'accueils', [])
|
|
|
|
self.log_ignore_v4 = getattr(firewall_config, 'log_ignore_v4', [])
|
|
|
|
self.log_ignore_v4 = getattr(firewall_config, 'log_ignore_v4', [])
|
|
|
|
self.log_ignore_v6 = getattr(firewall_config, 'log_ignore_v6', [])
|
|
|
|
self.log_ignore_v6 = getattr(firewall_config, 'log_ignore_v6', [])
|
|
|
|
|
|
|
|
self.external_forward_settings = getattr(firewall_config, 'external_forward', [])
|
|
|
|
|
|
|
|
|
|
|
|
def commit(self, chain):
|
|
|
|
def commit(self, chain):
|
|
|
|
self.add(chain, "COMMIT\n")
|
|
|
|
self.add(chain, "COMMIT\n")
|
|
|
@ -270,6 +271,7 @@ class iptables:
|
|
|
|
print("Limitation des connexions")
|
|
|
|
print("Limitation des connexions")
|
|
|
|
self.limit_ssh_connection_input()
|
|
|
|
self.limit_ssh_connection_input()
|
|
|
|
self.limit_connection_dstip()
|
|
|
|
self.limit_connection_dstip()
|
|
|
|
|
|
|
|
self.external_forward()
|
|
|
|
|
|
|
|
|
|
|
|
def gen_filter(self, empty=False):
|
|
|
|
def gen_filter(self, empty=False):
|
|
|
|
self.init_filter("INPUT")
|
|
|
|
self.init_filter("INPUT")
|
|
|
@ -482,6 +484,12 @@ class iptables:
|
|
|
|
self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_DSTIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """)
|
|
|
|
self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_DSTIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """)
|
|
|
|
self.add_in_subtable("filter", subtable, """-j REJECT""")
|
|
|
|
self.add_in_subtable("filter", subtable, """-j REJECT""")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def external_forward(self):
|
|
|
|
|
|
|
|
for ip_type in [4, 6]:
|
|
|
|
|
|
|
|
for if1, if2 in self.external_forward_settings:
|
|
|
|
|
|
|
|
self.add(f"filter{ip_type}", f"-I FORWARD -i {if1} -o {if2} -j ACCEPT")
|
|
|
|
|
|
|
|
self.add(f"filter{ip_type}", f"-I FORWARD -i {if2} -o {if1} -j ACCEPT")
|
|
|
|
|
|
|
|
|
|
|
|
def forbid_adm(self, subtable='ADMIN-VLAN'):
|
|
|
|
def forbid_adm(self, subtable='ADMIN-VLAN'):
|
|
|
|
"""Interdit aux users non admin de parler sur les vlans admin"""
|
|
|
|
"""Interdit aux users non admin de parler sur les vlans admin"""
|
|
|
|
self.init_filter(subtable, decision="-")
|
|
|
|
self.init_filter(subtable, decision="-")
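Review bot: `external_forward` emits both FORWARD accepts with `-I`, which places them ahead of every rule already in the FORWARD chain, and both directions accept unconditionally, so whatever restrictions the rest of gen_filter puts on forwarded traffic cannot apply to these interface pairs; whether head-of-chain placement is deliberate is not visible from the hunk. If the pairs are meant as one-way forwarding, the return leg should be limited to existing flows, `self.add(f"filter{ip_type}", f"-I FORWARD -i {if2} -o {if1} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")`; if full bidirectional forwarding is intended, `-A` would keep the existing chain order in effect. The method also lacks the docstring its neighbours carry; `"""Accept forwarded traffic in both directions between each interface pair listed in firewall_config.external_forward, for IPv4 and IPv6."""` would state the contract. A config entry that is not a pair raises ValueError at the `for if1, if2` unpacking, which is acceptable for config loading but worth a comment.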
|
|
|
|