Parefeu re2o; adaptation filtrage port + reglages des interfaces dans config.ini

This commit is contained in:
chirac 2018-08-05 18:05:47 +02:00
parent 9a27e5da95
commit 439da0dcbb

87
main.py

@ -24,7 +24,6 @@ api_client = Re2oAPIClient(api_hostname, api_username, api_password)
client_hostname = socket.gethostname().split('.', 1)[0] client_hostname = socket.gethostname().split('.', 1)[0]
all_switchs = api_client.list("switchs/ports-config/")
class iptables: class iptables:
@ -40,6 +39,10 @@ class iptables:
self.verbose = False self.verbose = False
self.action = None self.action = None
self.export = False self.export = False
self.role = config.get('Firewall', 'role').split(',')
self.interfaces_sortie = config.get('Firewall', 'interfaces_sortie').split(',')
self.interfaces_routable = config.get('Firewall', 'interfaces_routable').split(',')
self.interfaces_admin = config.get('Firewall', 'interfaces_admin').split(',')
def commit(self, chain): def commit(self, chain):
self.add(chain, "COMMIT\n") self.add(chain, "COMMIT\n")
@ -155,7 +158,7 @@ class iptables:
self.base_filter() self.base_filter()
if self.verbose: if self.verbose:
print("Filter : interdit les machines blacklistées en forward") print("Filter : interdit les machines blacklistées en forward")
self.blacklist_hard_forward() # self.blacklist_hard_forward()
if self.verbose: if self.verbose:
print("Filter : filtrage ports 4") print("Filter : filtrage ports 4")
self.filtrage_ports(ip_type='4') self.filtrage_ports(ip_type='4')
@ -175,10 +178,10 @@ class iptables:
elif table == "nat": elif table == "nat":
if self.verbose: if self.verbose:
print("Nat : priv fil") print("Nat : priv fil")
self.nat_prive_ip('fil') # self.nat_prive_ip('fil')
if self.verbose: if self.verbose:
print("Nat : priv wifi") print("Nat : priv wifi")
self.nat_prive_ip('wifi') # self.nat_prive_ip('wifi')
def portail(self, table): def portail(self, table):
if table == "filter": if table == "filter":
@ -217,7 +220,7 @@ class iptables:
self.reseaux_non_routables() self.reseaux_non_routables()
if self.verbose: if self.verbose:
print("Filter : bl hard") print("Filter : bl hard")
self.blacklist_hard() #self.blacklist_hard()
if self.verbose: if self.verbose:
print("Filter : connexion input") print("Filter : connexion input")
if self.verbose: if self.verbose:
@ -252,50 +255,51 @@ class iptables:
chain = "filter6" chain = "filter6"
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
for interface in self.interfaces['sortie']: for interface in self.interfaces_sortie:
self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type) self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type)
self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type) self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type)
def add_general_rule(ports, ip_type, chain, subtable, rule, protocol, direction): def add_general_rule(ports, ip_type, chain, subtable, subnet, protocol, direction):
"""Règles générales, fonction de factorisation""" """Règles générales, fonction de factorisation"""
if ip_type == '4': if ip_type == '4':
self.add_in_subtable(chain, subtable, """-m iprange --%s-range %s-%s -p %s -m multiport --dports %s -j RETURN""" % (direction, rule["domaine_ip_start"], rule["domaine_ip_stop"], protocol, ports)) self.add_in_subtable(chain, subtable, """-m iprange --%s-range %s-%s -p %s -m multiport --dports %s -j RETURN""" % (direction, subnet["domaine_ip_start"], subnet["domaine_ip_stop"], protocol, ports))
if ip_type == '6': if ip_type == '6':
self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], rule["complete_prefixv6"], protocol, ports)) self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], subnet["complete_prefixv6"], protocol, ports))
#Ajout des règles générales #Ajout des règles générales
for subnet in self.subnet_ports: for subnet in self.subnet_ports:
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_in"]) if subnet["ouverture_ports"]:
if ports: if subnet["ouverture_ports"]["tcp_ports_in"]:
add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'dst') ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_in"])
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_out"]) add_general_rule(ports, ip_type, chain, subtable, subnet, 'tcp', 'dst')
if ports: if subnet["ouverture_ports"]["tcp_ports_out"]:
add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'src') ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_out"])
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_in"]) add_general_rule(ports, ip_type, chain, subtable, subnet, 'tcp', 'src')
if ports: if subnet["ouverture_ports"]["udp_ports_in"]:
add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'dst') ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_in"])
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"]) add_general_rule(ports, ip_type, chain, subtable, subnt, 'udp', 'dst')
if ports: if subnet["ouverture_ports"]["udp_ports_out"]:
add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'src') ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"])
add_general_rule(ports, ip_type, chain, subtable, subnet, 'udp', 'src')
for interface in self.interface_ports: for interface in self.interface_ports:
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]]) ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
if ports: if ports:
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports)) self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
for ipv6_addr in interface['ipv6']: for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports)) self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]]) ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
if ports: if ports:
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports)) self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
for ipv6_addr in interface['ipv6']: for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports)) self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]]) ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
if ports: if ports:
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports)) self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
for ipv6_addr in interface['ipv6']: for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports)) self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]]) ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
if ports: if ports:
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports)) self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
for ipv6_addr in interface['ipv6']: for ipv6_addr in interface['ipv6']:
@ -308,7 +312,7 @@ class iptables:
def accept_freerad_from_server(self, subtable='RADIUS-SERVER'): def accept_freerad_from_server(self, subtable='RADIUS-SERVER'):
"""Accepte uniquement le trafique venant des serveurs radius federez""" """Accepte uniquement le trafique venant des serveurs radius federez"""
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
for interface in self.interfaces['sortie']: for interface in self.interfaces_sortie:
self.jump_traficfrom("filter", interface, "INPUT", subtable) self.jump_traficfrom("filter", interface, "INPUT", subtable)
for server in self.config_firewall.radius_server: for server in self.config_firewall.radius_server:
self.add_in_subtable("filter4", subtable, """-s %s -p %s -m multiport --dports %s -j ACCEPT""" % (server['ipaddr'], server['protocol'], ','.join(server['port']))) self.add_in_subtable("filter4", subtable, """-s %s -p %s -m multiport --dports %s -j ACCEPT""" % (server['ipaddr'], server['protocol'], ','.join(server['port'])))
@ -318,7 +322,7 @@ class iptables:
def reseaux_non_routables(self, subtable='ADM-NETWORK'): def reseaux_non_routables(self, subtable='ADM-NETWORK'):
"""Bloc le trafic vers les réseaux non routables""" """Bloc le trafic vers les réseaux non routables"""
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
for interface in self.interfaces['non-routables']: for interface in self.interfaces_admin:
self.jump_traficto("filter", interface, "FORWARD", subtable) self.jump_traficto("filter", interface, "FORWARD", subtable)
self.add_in_subtable("filter", subtable, """-j REJECT""") self.add_in_subtable("filter", subtable, """-j REJECT""")
@ -338,7 +342,7 @@ class iptables:
def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"): def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
"""Nat les connexions derrière l'ip de la machine du portail""" """Nat les connexions derrière l'ip de la machine du portail"""
self.init_nat(subtable, decision="-") self.init_nat(subtable, decision="-")
for interface in self.interfaces['routables']: for interface in self.interfaces_routable:
self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4') self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
for ip in self.config.accueil_route.keys(): for ip in self.config.accueil_route.keys():
@ -354,7 +358,7 @@ class iptables:
def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"): def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
"""Nat les connexions derrière l'ip de la machine du portail""" """Nat les connexions derrière l'ip de la machine du portail"""
self.init_nat(subtable, decision="-") self.init_nat(subtable, decision="-")
for interface in self.interfaces['sortie']: for interface in self.interfaces_sortie:
self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4') self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
for ip in self.config.accueil_route.keys(): for ip in self.config.accueil_route.keys():
@ -391,7 +395,7 @@ class iptables:
def limit_ssh_connexion_input(self, subtable='LIMIT-SSH-INPUT'): def limit_ssh_connexion_input(self, subtable='LIMIT-SSH-INPUT'):
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
for interface in self.interfaces['routables']: for interface in self.interfaces_routable:
self.jump_traficfrom("filter", interface, "INPUT", subtable) self.jump_traficfrom("filter", interface, "INPUT", subtable)
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --set""") self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --set""")
@ -399,7 +403,7 @@ class iptables:
def limit_ssh_connexion_forward(self, subtable='LIMIT-SSH-FORWARD'): def limit_ssh_connexion_forward(self, subtable='LIMIT-SSH-FORWARD'):
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
for interface in self.interfaces['sortie']: for interface in self.interfaces_sortie:
self.jump_traficfrom("filter", interface, "FORWARD", subtable) self.jump_traficfrom("filter", interface, "FORWARD", subtable)
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --set""") self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --set""")
@ -407,7 +411,7 @@ class iptables:
def limit_connexion_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'): def limit_connexion_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'):
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
for interface in self.interfaces['sortie']: for interface in self.interfaces_sortie:
self.jump_traficto("filter", interface, "FORWARD", subtable) self.jump_traficto("filter", interface, "FORWARD", subtable)
self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_SRCIP_CONNEXION -j RETURN""") self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_SRCIP_CONNEXION -j RETURN""")
@ -422,10 +426,9 @@ class iptables:
def limit_connexion_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'): def limit_connexion_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'):
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
if "sortie" in self.interfaces: for interface in self.interfaces_sortie:
for interface in self.interfaces['sortie']: self.jump_traficfrom("filter", interface, "FORWARD", subtable)
self.jump_traficfrom("filter", interface, "FORWARD", subtable) for interface in self.interfaces_routable:
for interface in self.interfaces['routables']:
self.jump_traficfrom("filter", interface, "INPUT", subtable) self.jump_traficfrom("filter", interface, "INPUT", subtable)
self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_DSTIP_CONNEXION -j RETURN""") self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_DSTIP_CONNEXION -j RETURN""")
@ -440,13 +443,13 @@ class iptables:
def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'): def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'):
"""Blacklist les machines en forward, à appliquer sur les routeurs de sortie""" """Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
for interface in self.interfaces['routables']: for interface in self.interfaces_routable:
self.jump_traficfrom("filter", interface, "FORWARD", subtable) self.jump_traficfrom("filter", interface, "FORWARD", subtable)
def blacklist_hard(self, subtable='BLACKLIST-HARD'): def blacklist_hard(self, subtable='BLACKLIST-HARD'):
"""Génération de la chaine blackliste hard, blackliste des mac des machines bl""" """Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
for interface in self.interfaces['routables']: for interface in self.interfaces_routable:
self.jump_traficfrom("filter", interface, "INPUT", subtable) self.jump_traficfrom("filter", interface, "INPUT", subtable)
for machine in self.conn.allMachines(): for machine in self.conn.allMachines():
@ -457,7 +460,7 @@ class iptables:
"""Génération de la chaine blackliste output, meme idée que si dessus sauf que """Génération de la chaine blackliste output, meme idée que si dessus sauf que
ici on filtre les users uid sur un serveur et non leurs ip""" ici on filtre les users uid sur un serveur et non leurs ip"""
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
for interface in self.interfaces['routables']: for interface in self.interfaces_routable:
self.jump_traficto("filter", interface, "OUTPUT", subtable) self.jump_traficto("filter", interface, "OUTPUT", subtable)
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000): for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
@ -467,7 +470,7 @@ class iptables:
def forbid_adm(self, subtable='ADMIN-VLAN'): def forbid_adm(self, subtable='ADMIN-VLAN'):
"""Interdit aux users non admin de parler sur les vlans admin""" """Interdit aux users non admin de parler sur les vlans admin"""
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
for interface in self.interfaces['non-routables']: for interface in self.interfaces_admin:
self.jump_traficto("filter", interface, "OUTPUT", subtable) self.jump_traficto("filter", interface, "OUTPUT", subtable)
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000): for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
@ -555,8 +558,8 @@ class iptables:
else: else:
global_chain = self.nat4 + self.filter4 + self.mangle4 global_chain = self.nat4 + self.filter4 + self.mangle4
command_to_execute = ["sudo","-n","/sbin/iptables-restore"] command_to_execute = ["sudo","-n","/sbin/iptables-restore"]
process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE) #process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
process.communicate(input=global_chain.encode('utf-8')) #process.communicate(input=global_chain.encode('utf-8'))
if self.export: if self.export:
print(global_chain) print(global_chain)
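Review bot: `subnt` in the new udp_ports_in branch of filtrage_ports (`add_general_rule(ports, ip_type, chain, subtable, subnt, 'udp', 'dst')`) is an undefined name, so the first subnet with inbound UDP ports open raises NameError and aborts rule generation for the whole table; it should read `add_general_rule(ports, ip_type, chain, subtable, subnet, 'udp', 'dst')`. In the hunk at line 558 the two iptables-restore lines are commented out, so after this commit the generated ruleset is only printed when self.export is set and is never loaded into the kernel, and the blacklist_hard, blacklist_hard_forward and nat_prive_ip calls are commented out in the same way. If these are temporary debugging changes, a comment such as `# TODO: re-enable once the config.ini interface settings are validated` next to each would make the intent explicit and keep them from being deployed as-is. The new `config.get('Firewall', ...).split(',')` lines yield `['']` for an empty setting, so an empty interfaces_* entry will emit jump rules for an interface named '' instead of being skipped; filtering with `[i.strip() for i in ... .split(',') if i.strip()]` would avoid that. filtrage_ports begins before its hunk.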