diff --git a/main.py b/main.py
index f5802af..cf95c1d 100755
--- a/main.py
+++ b/main.py
@@ -24,7 +24,6 @@ api_client = Re2oAPIClient(api_hostname, api_username, api_password)
 client_hostname = socket.gethostname().split('.', 1)[0]
-all_switchs = api_client.list("switchs/ports-config/")
 class iptables:
@@ -40,6 +39,10 @@ class iptables:
 self.verbose = False
 self.action = None
 self.export = False
+ self.role = config.get('Firewall', 'role').split(',')
+ self.interfaces_sortie = config.get('Firewall', 'interfaces_sortie').split(',')
+ self.interfaces_routable = config.get('Firewall', 'interfaces_routable').split(',')
+ self.interfaces_admin = config.get('Firewall', 'interfaces_admin').split(',')
 def commit(self, chain):
 self.add(chain, "COMMIT\n")
@@ -155,7 +158,7 @@ class iptables:
 self.base_filter()
 if self.verbose:
 print("Filter : interdit les machines blacklistées en forward")
- self.blacklist_hard_forward()
+ # self.blacklist_hard_forward()
 if self.verbose:
 print("Filter : filtrage ports 4")
 self.filtrage_ports(ip_type='4')
@@ -175,10 +178,10 @@ class iptables:
 elif table == "nat":
 if self.verbose:
 print("Nat : priv fil")
- self.nat_prive_ip('fil')
+ # self.nat_prive_ip('fil')
 if self.verbose:
 print("Nat : priv wifi")
- self.nat_prive_ip('wifi')
+ # self.nat_prive_ip('wifi')
 def portail(self, table):
 if table == "filter":
@@ -217,7 +220,7 @@ class iptables:
 self.reseaux_non_routables()
 if self.verbose:
 print("Filter : bl hard")
- self.blacklist_hard()
+ #self.blacklist_hard()
 if self.verbose:
 print("Filter : connexion input")
 if self.verbose:
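Review bot: The four `config.get('Firewall', ...).split(',')` lines in the @@ -40 hunk keep surrounding whitespace and turn an empty option into `['']`, so a value such as `eth0, eth1` or an empty `interfaces_sortie` produces a space-prefixed or empty interface name that the `jump_traficto`/`jump_traficfrom` loops later write straight into rule text. Parsing every list through one helper, e.g. `[i.strip() for i in config.get('Firewall', key).split(',') if i.strip()]`, removes both cases and also restores the protection that the `if "sortie" in self.interfaces` guard gave before the @@ -422 hunk dropped it. `config` is defined outside the hunk, so whether a missing option raises (`configparser.NoOptionError`) or is caught elsewhere cannot be seen here. `__init__` starts and ends outside the hunk.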
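Review bot: Commenting out `self.blacklist_hard_forward()` here, and `self.nat_prive_ip('fil')`, `self.nat_prive_ip('wifi')` and `self.blacklist_hard()` in the @@ -175 and @@ -217 hunks, removes the blacklist and private-NAT chains from the generated ruleset while the surrounding `print("Filter : interdit les machines blacklistées en forward")` and `print("Filter : bl hard")` still report that they were built. If the calls are meant to depend on the host's role, gate them on the new `self.role` list, e.g. `if '<role-placeholder>' in self.role: self.blacklist_hard_forward()` (the role names used in the config are not visible on this page), otherwise remove the calls together with their verbose messages rather than leaving commented-out enforcement that the verbose output hides. The enclosing method starts and ends outside these hunks.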
@@ -252,50 +255,51 @@ class iptables:
 chain = "filter6"
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces['sortie']:
+ for interface in self.interfaces_sortie:
 self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type)
 self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type)
- def add_general_rule(ports, ip_type, chain, subtable, rule, protocol, direction):
+ def add_general_rule(ports, ip_type, chain, subtable, subnet, protocol, direction):
 """Règles générales, fonction de factorisation"""
 if ip_type == '4':
- self.add_in_subtable(chain, subtable, """-m iprange --%s-range %s-%s -p %s -m multiport --dports %s -j RETURN""" % (direction, rule["domaine_ip_start"], rule["domaine_ip_stop"], protocol, ports))
+ self.add_in_subtable(chain, subtable, """-m iprange --%s-range %s-%s -p %s -m multiport --dports %s -j RETURN""" % (direction, subnet["domaine_ip_start"], subnet["domaine_ip_stop"], protocol, ports))
 if ip_type == '6':
- self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], rule["complete_prefixv6"], protocol, ports))
+ self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], subnet["complete_prefixv6"], protocol, ports))
 #Ajout des règles générales
 for subnet in self.subnet_ports:
- ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_in"])
- if ports:
- add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'dst')
- ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_out"])
- if ports:
- add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'src')
- ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_in"])
- if ports:
- add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'dst')
- ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"])
- if ports:
- add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'src')
+ if subnet["ouverture_ports"]:
+ if subnet["ouverture_ports"]["tcp_ports_in"]:
+ ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_in"])
+ add_general_rule(ports, ip_type, chain, subtable, subnet, 'tcp', 'dst')
+ if subnet["ouverture_ports"]["tcp_ports_out"]:
+ ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_out"])
+ add_general_rule(ports, ip_type, chain, subtable, subnet, 'tcp', 'src')
+ if subnet["ouverture_ports"]["udp_ports_in"]:
+ ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_in"])
+ add_general_rule(ports, ip_type, chain, subtable, subnt, 'udp', 'dst')
+ if subnet["ouverture_ports"]["udp_ports_out"]:
+ ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"])
+ add_general_rule(ports, ip_type, chain, subtable, subnet, 'udp', 'src')
 for interface in self.interface_ports:
- ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
+ ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
 if ports:
 self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
 for ipv6_addr in interface['ipv6']:
 self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
- ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
+ ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
 if ports:
 self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
 for ipv6_addr in interface['ipv6']:
 self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
- ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
+ ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
 if ports:
 self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
 for ipv6_addr in interface['ipv6']:
 self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
- ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
+ ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
 if ports:
 self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
 for ipv6_addr in interface['ipv6']:
@@ -308,7 +312,7 @@ class iptables:
 def accept_freerad_from_server(self, subtable='RADIUS-SERVER'):
 """Accepte uniquement le trafique venant des serveurs radius federez"""
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces['sortie']:
+ for interface in self.interfaces_sortie:
 self.jump_traficfrom("filter", interface, "INPUT", subtable)
 for server in self.config_firewall.radius_server:
 self.add_in_subtable("filter4", subtable, """-s %s -p %s -m multiport --dports %s -j ACCEPT""" % (server['ipaddr'], server['protocol'], ','.join(server['port'])))
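Review bot: `add_general_rule(ports, ip_type, chain, subtable, subnt, 'udp', 'dst')` in the new `udp_ports_in` branch misspells `subnet`, so the first subnet that declares inbound UDP ports raises `NameError` and the whole rule generation aborts; change it to `add_general_rule(ports, ip_type, chain, subtable, subnet, 'udp', 'dst')`. The rewrite also replaces the old `if ports:` test on the joined string with a truthiness test on the list, so a non-empty list whose `show_port` values are empty would still reach `add_general_rule` with an empty `--dports` argument — whether that can happen depends on the API data, which is not visible here, so keeping `if ports:` in front of each call is the cheaper guard. Whether `ouverture_ports` can be absent (`KeyError`) rather than falsy also cannot be seen from this page. The enclosing method starts before this hunk.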
@@ -318,7 +322,7 @@ class iptables:
 def reseaux_non_routables(self, subtable='ADM-NETWORK'):
 """Bloc le trafic vers les réseaux non routables"""
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces['non-routables']:
+ for interface in self.interfaces_admin:
 self.jump_traficto("filter", interface, "FORWARD", subtable)
 self.add_in_subtable("filter", subtable, """-j REJECT""")
@@ -338,7 +342,7 @@ class iptables:
 def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
 """Nat les connexions derrière l'ip de la machine du portail"""
 self.init_nat(subtable, decision="-")
- for interface in self.interfaces['routables']:
+ for interface in self.interfaces_routable:
 self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
 for ip in self.config.accueil_route.keys():
@@ -354,7 +358,7 @@ class iptables:
 def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
 """Nat les connexions derrière l'ip de la machine du portail"""
 self.init_nat(subtable, decision="-")
- for interface in self.interfaces['sortie']:
+ for interface in self.interfaces_sortie:
 self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
 for ip in self.config.accueil_route.keys():
@@ -391,7 +395,7 @@ class iptables:
 def limit_ssh_connexion_input(self, subtable='LIMIT-SSH-INPUT'):
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces['routables']:
+ for interface in self.interfaces_routable:
 self.jump_traficfrom("filter", interface, "INPUT", subtable)
 self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --set""")
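Review bot: `reseaux_non_routables` now takes its interface list from `self.interfaces_admin` where it read `self.interfaces['non-routables']`, and `forbid_adm` in the @@ -467 hunk makes the same substitution; the old keys 'non-routables' and 'routables' were separate sets, and nothing on this page shows that every formerly non-routable interface is listed under the new `interfaces_admin` option. Because this chain ends in `-j REJECT`, any interface that silently drops out of the list is no longer blocked in FORWARD, so the mapping deserves a comment next to the new attribute, e.g. `# interfaces_admin replaces the former 'non-routables' set: every network that must not be forwarded to has to be listed here`. A short config-migration note in the commit message would help operators checking existing deployments.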
@@ -399,7 +403,7 @@ class iptables:
 def limit_ssh_connexion_forward(self, subtable='LIMIT-SSH-FORWARD'):
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces['sortie']:
+ for interface in self.interfaces_sortie:
 self.jump_traficfrom("filter", interface, "FORWARD", subtable)
 self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --set""")
@@ -407,7 +411,7 @@ class iptables:
 def limit_connexion_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'):
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces['sortie']:
+ for interface in self.interfaces_sortie:
 self.jump_traficto("filter", interface, "FORWARD", subtable)
 self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_SRCIP_CONNEXION -j RETURN""")
@@ -422,10 +426,9 @@ class iptables:
 def limit_connexion_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'):
 self.init_filter(subtable, decision="-")
- if "sortie" in self.interfaces:
- for interface in self.interfaces['sortie']:
- self.jump_traficfrom("filter", interface, "FORWARD", subtable)
- for interface in self.interfaces['routables']:
+ for interface in self.interfaces_sortie:
+ self.jump_traficfrom("filter", interface, "FORWARD", subtable)
+ for interface in self.interfaces_routable:
 self.jump_traficfrom("filter", interface, "INPUT", subtable)
 self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_DSTIP_CONNEXION -j RETURN""")
@@ -440,13 +443,13 @@ class iptables:
 def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'):
 """Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
- for interface in self.interfaces['routables']:
+ for interface in self.interfaces_routable:
 self.jump_traficfrom("filter", interface, "FORWARD", subtable)
 def blacklist_hard(self, subtable='BLACKLIST-HARD'):
 """Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces['routables']:
+ for interface in self.interfaces_routable:
 self.jump_traficfrom("filter", interface, "INPUT", subtable)
 for machine in self.conn.allMachines():
@@ -457,7 +460,7 @@ class iptables:
 """Génération de la chaine blackliste output, meme idée que si dessus sauf que ici on filtre les users uid sur un serveur et non leurs ip"""
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces['routables']:
+ for interface in self.interfaces_routable:
 self.jump_traficto("filter", interface, "OUTPUT", subtable)
 for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
@@ -467,7 +470,7 @@ class iptables:
 def forbid_adm(self, subtable='ADMIN-VLAN'):
 """Interdit aux users non admin de parler sur les vlans admin"""
 self.init_filter(subtable, decision="-")
- for interface in self.interfaces['non-routables']:
+ for interface in self.interfaces_admin:
 self.jump_traficto("filter", interface, "OUTPUT", subtable)
 for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
@@ -555,8 +558,8 @@ class iptables:
 else:
 global_chain = self.nat4 + self.filter4 + self.mangle4
 command_to_execute = ["sudo","-n","/sbin/iptables-restore"]
- process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
- process.communicate(input=global_chain.encode('utf-8'))
+ #process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+ #process.communicate(input=global_chain.encode('utf-8'))
 if self.export:
 print(global_chain)
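Review bot: Commenting out the `subprocess.Popen(command_to_execute, ...)` call and its `communicate()` leaves the enclosing method (which starts outside the hunk) building `global_chain` and never loading it, with `command_to_execute` still assigned but unused and no error to the caller; a run with `self.export` false now does nothing at all, and anyone who later restores the call will again have the exit status of `iptables-restore` discarded. If a no-apply mode is wanted, make it explicit rather than a commented-out line: `if self.export: print(global_chain)` followed by `else: subprocess.run(command_to_execute, input=global_chain.encode('utf-8'), check=True)`, so that a rejected ruleset raises instead of silently leaving the previous rules in place. A one-line comment stating why the apply step is disabled on this branch would also help the next reader.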