Parefeu re2o; adaptation filtrage port + reglages des interfaces dans config.ini
This commit is contained in:
parent
9a27e5da95
commit
439da0dcbb
1 changed files with 45 additions and 42 deletions
main.py
|
@ -24,7 +24,6 @@ api_client = Re2oAPIClient(api_hostname, api_username, api_password)
|
|||
|
||||
client_hostname = socket.gethostname().split('.', 1)[0]
|
||||
|
||||
all_switchs = api_client.list("switchs/ports-config/")
|
||||
|
||||
|
||||
class iptables:
|
||||
|
@ -40,6 +39,10 @@ class iptables:
|
|||
self.verbose = False
|
||||
self.action = None
|
||||
self.export = False
|
||||
self.role = config.get('Firewall', 'role').split(',')
|
||||
self.interfaces_sortie = config.get('Firewall', 'interfaces_sortie').split(',')
|
||||
self.interfaces_routable = config.get('Firewall', 'interfaces_routable').split(',')
|
||||
self.interfaces_admin = config.get('Firewall', 'interfaces_admin').split(',')
|
||||
|
||||
def commit(self, chain):
|
||||
self.add(chain, "COMMIT\n")
|
||||
|
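Review bot: The new `interfaces_*` attributes are built with a bare `split(',')`, so an option left empty yields `['']` and a value written as `eth0, eth1` yields `' eth1'`; the loops in the later hunks would then emit jump rules for an empty or space-prefixed interface name instead of skipping it. Stripping and filtering the tokens avoids that: `self.interfaces_sortie = [i.strip() for i in config.get('Firewall', 'interfaces_sortie').split(',') if i.strip()]`, and likewise for `role`, `interfaces_routable` and `interfaces_admin`. Unlike the old `self.interfaces` dict, a missing option now raises in `__init__` at `config.get`; if some roles legitimately omit e.g. `interfaces_sortie`, a `fallback=''` on the Python 3 `config.get` call (if that is the configparser in use) keeps them working. The `__init__` body starts before this hunk.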
@ -155,7 +158,7 @@ class iptables:
|
|||
self.base_filter()
|
||||
if self.verbose:
|
||||
print("Filter : interdit les machines blacklistées en forward")
|
||||
self.blacklist_hard_forward()
|
||||
# self.blacklist_hard_forward()
|
||||
if self.verbose:
|
||||
print("Filter : filtrage ports 4")
|
||||
self.filtrage_ports(ip_type='4')
|
||||
|
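Review bot: The verbose message `print("Filter : interdit les machines blacklistées en forward")` still announces the forward blacklist although the call right below it is now commented out, so a verbose run reports a filter that is no longer generated. The same mismatch is in the hunks at `@ -175` (both `nat_prive_ip` calls keep their "Nat : priv ..." prints) and `@ -217` (`blacklist_hard` keeps "Filter : bl hard"). Either comment out the print together with the call, or replace the commented-out line with a comment stating why the step is disabled and when it should return, e.g. `# blacklist_hard_forward disabled: <reason> — re-enable once <condition>`. If the intent is to make these steps depend on the host's role, a setting read in `__init__` would be clearer than commented-out code.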
@ -175,10 +178,10 @@ class iptables:
|
|||
elif table == "nat":
|
||||
if self.verbose:
|
||||
print("Nat : priv fil")
|
||||
self.nat_prive_ip('fil')
|
||||
# self.nat_prive_ip('fil')
|
||||
if self.verbose:
|
||||
print("Nat : priv wifi")
|
||||
self.nat_prive_ip('wifi')
|
||||
# self.nat_prive_ip('wifi')
|
||||
|
||||
def portail(self, table):
|
||||
if table == "filter":
|
||||
|
@ -217,7 +220,7 @@ class iptables:
|
|||
self.reseaux_non_routables()
|
||||
if self.verbose:
|
||||
print("Filter : bl hard")
|
||||
self.blacklist_hard()
|
||||
#self.blacklist_hard()
|
||||
if self.verbose:
|
||||
print("Filter : connexion input")
|
||||
if self.verbose:
|
||||
|
@ -252,50 +255,51 @@ class iptables:
|
|||
chain = "filter6"
|
||||
|
||||
self.init_filter(subtable, decision="-")
|
||||
for interface in self.interfaces['sortie']:
|
||||
for interface in self.interfaces_sortie:
|
||||
self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type)
|
||||
self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type)
|
||||
|
||||
def add_general_rule(ports, ip_type, chain, subtable, rule, protocol, direction):
|
||||
def add_general_rule(ports, ip_type, chain, subtable, subnet, protocol, direction):
|
||||
"""Règles générales, fonction de factorisation"""
|
||||
if ip_type == '4':
|
||||
self.add_in_subtable(chain, subtable, """-m iprange --%s-range %s-%s -p %s -m multiport --dports %s -j RETURN""" % (direction, rule["domaine_ip_start"], rule["domaine_ip_stop"], protocol, ports))
|
||||
self.add_in_subtable(chain, subtable, """-m iprange --%s-range %s-%s -p %s -m multiport --dports %s -j RETURN""" % (direction, subnet["domaine_ip_start"], subnet["domaine_ip_stop"], protocol, ports))
|
||||
if ip_type == '6':
|
||||
self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], rule["complete_prefixv6"], protocol, ports))
|
||||
self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], subnet["complete_prefixv6"], protocol, ports))
|
||||
|
||||
#Ajout des règles générales
|
||||
for subnet in self.subnet_ports:
|
||||
if subnet["ouverture_ports"]:
|
||||
if subnet["ouverture_ports"]["tcp_ports_in"]:
|
||||
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_in"])
|
||||
if ports:
|
||||
add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'dst')
|
||||
add_general_rule(ports, ip_type, chain, subtable, subnet, 'tcp', 'dst')
|
||||
if subnet["ouverture_ports"]["tcp_ports_out"]:
|
||||
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_out"])
|
||||
if ports:
|
||||
add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'src')
|
||||
add_general_rule(ports, ip_type, chain, subtable, subnet, 'tcp', 'src')
|
||||
if subnet["ouverture_ports"]["udp_ports_in"]:
|
||||
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_in"])
|
||||
if ports:
|
||||
add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'dst')
|
||||
add_general_rule(ports, ip_type, chain, subtable, subnt, 'udp', 'dst')
|
||||
if subnet["ouverture_ports"]["udp_ports_out"]:
|
||||
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"])
|
||||
if ports:
|
||||
add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'src')
|
||||
add_general_rule(ports, ip_type, chain, subtable, subnet, 'udp', 'src')
|
||||
|
||||
|
||||
for interface in self.interface_ports:
|
||||
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
|
||||
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
|
||||
if ports:
|
||||
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
||||
for ipv6_addr in interface['ipv6']:
|
||||
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
|
||||
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
|
||||
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
|
||||
if ports:
|
||||
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
||||
for ipv6_addr in interface['ipv6']:
|
||||
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
|
||||
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
|
||||
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
|
||||
if ports:
|
||||
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
||||
for ipv6_addr in interface['ipv6']:
|
||||
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
|
||||
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
|
||||
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
|
||||
if ports:
|
||||
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
||||
for ipv6_addr in interface['ipv6']:
|
||||
|
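Review bot: In the `udp_ports_in` branch the call reads `add_general_rule(ports, ip_type, chain, subtable, subnt, 'udp', 'dst')` — `subnt` is undefined, so any subnet with inbound UDP ports raises `NameError` while the rule set is being built; it should be `subnet` like the three sibling calls. The four `ouverture_ports` branches differ only in key, protocol and direction and could be one loop over `(('tcp_ports_in', 'tcp', 'dst'), ('tcp_ports_out', 'tcp', 'src'), ('udp_ports_in', 'udp', 'dst'), ('udp_ports_out', 'udp', 'src'))`, which would have made this typo impossible. `add_general_rule` is nested and captures `self` from the enclosing method, which starts before this hunk and ends after it.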
@ -308,7 +312,7 @@ class iptables:
|
|||
def accept_freerad_from_server(self, subtable='RADIUS-SERVER'):
|
||||
"""Accepte uniquement le trafique venant des serveurs radius federez"""
|
||||
self.init_filter(subtable, decision="-")
|
||||
for interface in self.interfaces['sortie']:
|
||||
for interface in self.interfaces_sortie:
|
||||
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
||||
for server in self.config_firewall.radius_server:
|
||||
self.add_in_subtable("filter4", subtable, """-s %s -p %s -m multiport --dports %s -j ACCEPT""" % (server['ipaddr'], server['protocol'], ','.join(server['port'])))
|
||||
|
@ -318,7 +322,7 @@ class iptables:
|
|||
def reseaux_non_routables(self, subtable='ADM-NETWORK'):
|
||||
"""Bloc le trafic vers les réseaux non routables"""
|
||||
self.init_filter(subtable, decision="-")
|
||||
for interface in self.interfaces['non-routables']:
|
||||
for interface in self.interfaces_admin:
|
||||
self.jump_traficto("filter", interface, "FORWARD", subtable)
|
||||
self.add_in_subtable("filter", subtable, """-j REJECT""")
|
||||
|
||||
|
@ -338,7 +342,7 @@ class iptables:
|
|||
def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
|
||||
"""Nat les connexions derrière l'ip de la machine du portail"""
|
||||
self.init_nat(subtable, decision="-")
|
||||
for interface in self.interfaces['routables']:
|
||||
for interface in self.interfaces_routable:
|
||||
self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
|
||||
|
||||
for ip in self.config.accueil_route.keys():
|
||||
|
@ -354,7 +358,7 @@ class iptables:
|
|||
def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
|
||||
"""Nat les connexions derrière l'ip de la machine du portail"""
|
||||
self.init_nat(subtable, decision="-")
|
||||
for interface in self.interfaces['sortie']:
|
||||
for interface in self.interfaces_sortie:
|
||||
self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
|
||||
|
||||
for ip in self.config.accueil_route.keys():
|
||||
|
@ -391,7 +395,7 @@ class iptables:
|
|||
|
||||
def limit_ssh_connexion_input(self, subtable='LIMIT-SSH-INPUT'):
|
||||
self.init_filter(subtable, decision="-")
|
||||
for interface in self.interfaces['routables']:
|
||||
for interface in self.interfaces_routable:
|
||||
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
||||
|
||||
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --set""")
|
||||
|
@ -399,7 +403,7 @@ class iptables:
|
|||
|
||||
def limit_ssh_connexion_forward(self, subtable='LIMIT-SSH-FORWARD'):
|
||||
self.init_filter(subtable, decision="-")
|
||||
for interface in self.interfaces['sortie']:
|
||||
for interface in self.interfaces_sortie:
|
||||
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
||||
|
||||
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --set""")
|
||||
|
@ -407,7 +411,7 @@ class iptables:
|
|||
|
||||
def limit_connexion_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'):
|
||||
self.init_filter(subtable, decision="-")
|
||||
for interface in self.interfaces['sortie']:
|
||||
for interface in self.interfaces_sortie:
|
||||
self.jump_traficto("filter", interface, "FORWARD", subtable)
|
||||
|
||||
self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_SRCIP_CONNEXION -j RETURN""")
|
||||
|
@ -422,10 +426,9 @@ class iptables:
|
|||
|
||||
def limit_connexion_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'):
|
||||
self.init_filter(subtable, decision="-")
|
||||
if "sortie" in self.interfaces:
|
||||
for interface in self.interfaces['sortie']:
|
||||
for interface in self.interfaces_sortie:
|
||||
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
||||
for interface in self.interfaces['routables']:
|
||||
for interface in self.interfaces_routable:
|
||||
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
||||
|
||||
self.add_in_subtable("filter", subtable, """-p udp -m hashlimit --hashlimit-upto 400/sec --hashlimit-burst 800 --hashlimit-mode srcip --hashlimit-name LIMIT_UDP_DSTIP_CONNEXION -j RETURN""")
|
||||
|
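Review bot: The guard `if "sortie" in self.interfaces:` is kept as a context line while the loop under it now iterates `self.interfaces_sortie`; if this commit removes the old `self.interfaces` dict (every other use visible in the diff is replaced), the membership test raises `AttributeError` before any FORWARD jump is added. Replace it with a test on the new attribute, `if self.interfaces_sortie:`, or drop the guard if iterating an empty list is acceptable. `limit_connexion_dstip` continues past this hunk.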
@ -440,13 +443,13 @@ class iptables:
|
|||
|
||||
def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'):
|
||||
"""Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
|
||||
for interface in self.interfaces['routables']:
|
||||
for interface in self.interfaces_routable:
|
||||
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
||||
|
||||
def blacklist_hard(self, subtable='BLACKLIST-HARD'):
|
||||
"""Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
|
||||
self.init_filter(subtable, decision="-")
|
||||
for interface in self.interfaces['routables']:
|
||||
for interface in self.interfaces_routable:
|
||||
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
||||
|
||||
for machine in self.conn.allMachines():
|
||||
|
@ -457,7 +460,7 @@ class iptables:
|
|||
"""Génération de la chaine blackliste output, meme idée que si dessus sauf que
|
||||
ici on filtre les users uid sur un serveur et non leurs ip"""
|
||||
self.init_filter(subtable, decision="-")
|
||||
for interface in self.interfaces['routables']:
|
||||
for interface in self.interfaces_routable:
|
||||
self.jump_traficto("filter", interface, "OUTPUT", subtable)
|
||||
|
||||
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
|
||||
|
@ -467,7 +470,7 @@ class iptables:
|
|||
def forbid_adm(self, subtable='ADMIN-VLAN'):
|
||||
"""Interdit aux users non admin de parler sur les vlans admin"""
|
||||
self.init_filter(subtable, decision="-")
|
||||
for interface in self.interfaces['non-routables']:
|
||||
for interface in self.interfaces_admin:
|
||||
self.jump_traficto("filter", interface, "OUTPUT", subtable)
|
||||
|
||||
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
|
||||
|
@ -555,8 +558,8 @@ class iptables:
|
|||
else:
|
||||
global_chain = self.nat4 + self.filter4 + self.mangle4
|
||||
command_to_execute = ["sudo","-n","/sbin/iptables-restore"]
|
||||
process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
|
||||
process.communicate(input=global_chain.encode('utf-8'))
|
||||
#process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
|
||||
#process.communicate(input=global_chain.encode('utf-8'))
|
||||
if self.export:
|
||||
print(global_chain)
|
||||
|
||||
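Review bot: With the `subprocess.Popen(... "/sbin/iptables-restore")` and `process.communicate(...)` lines commented out, a run without `self.export` now builds `global_chain` and does nothing with it, and neither prints nor logs that the rules were not loaded — on a firewall host that makes it easy to believe a policy is applied when it is not. If this is meant as a dry-run mode, gate it on an explicit flag rather than commented-out code, and when the restore is re-enabled check the exit status, e.g. `if process.returncode != 0: raise RuntimeError("iptables-restore failed")` right after `communicate`. The enclosing method starts before this hunk; the other branch of the `if`/`else` is not visible here.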
|
|