|
|
|
|
@ -137,9 +137,6 @@ class iptables:
|
|
|
|
|
"""Methode appellée spécifiquement pour le parefeu v6"""
|
|
|
|
|
if table == "filter":
|
|
|
|
|
self.base_filter()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : interdit les machines blacklistées en forward")
|
|
|
|
|
self.blacklist_hard_forward()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : filtage ports v6")
|
|
|
|
|
self.filtrage_ports(ip_type='6')
|
|
|
|
|
@ -163,9 +160,6 @@ class iptables:
|
|
|
|
|
"""Methode appellée spécifiquement pour le parefeu v4"""
|
|
|
|
|
if table == "filter":
|
|
|
|
|
self.base_filter()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : interdit les machines blacklistées en forward")
|
|
|
|
|
# self.blacklist_hard_forward()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : filtrage ports 4")
|
|
|
|
|
self.filtrage_ports(ip_type='4')
|
|
|
|
|
@ -222,9 +216,6 @@ class iptables:
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : reseaux non routables")
|
|
|
|
|
self.reseaux_non_routables()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : bl hard")
|
|
|
|
|
#self.blacklist_hard()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : connexion input")
|
|
|
|
|
if self.verbose:
|
|
|
|
|
@ -438,21 +429,6 @@ class iptables:
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_DSTIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """)
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-j REJECT""")
|
|
|
|
|
|
|
|
|
|
def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'):
|
|
|
|
|
"""Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
|
|
|
|
|
for interface in self.interfaces_settings['routable']:
|
|
|
|
|
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
|
|
|
|
|
|
|
|
|
def blacklist_hard(self, subtable='BLACKLIST-HARD'):
|
|
|
|
|
"""Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
|
|
|
|
|
self.init_filter(subtable, decision="-")
|
|
|
|
|
for interface in self.interfaces_settings['routable']:
|
|
|
|
|
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
|
|
|
|
|
|
|
|
|
for machine in self.conn.allMachines():
|
|
|
|
|
if machine.blacklist_actif() and set(bl['type'] for bl in machine.blacklist_actif()).intersection(self.config.blacklist_sanctions) and machine['macAddress'] and machine['macAddress'][0].value != '<automatique>':
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-m mac --mac-source %s -j REJECT""" % machine['macAddress'][0].value)
|
|
|
|
|
|
|
|
|
|
def forbid_adm(self, subtable='ADMIN-VLAN'):
|
|
|
|
|
"""Interdit aux users non admin de parler sur les vlans admin"""
|
|
|
|
|
self.init_filter(subtable, decision="-")
|
|
|
|
|
@ -599,13 +575,6 @@ class iptables:
|
|
|
|
|
if sens == "destination":
|
|
|
|
|
self.atomic_add("filter", subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % ('d', ip_cible, protocole, ','.join(self.format_port(port) for port in ports)), mode=mode)
|
|
|
|
|
|
|
|
|
|
def add_in_blacklist_hard(self, mac, subtable='BLACKLIST-HARD', mode='4'):
|
|
|
|
|
"""Ajoute la mac à la blacklist"""
|
|
|
|
|
self.atomic_add("filter", subtable, """-m mac --mac-source %s -j REJECT""" % mac, mode=mode)
|
|
|
|
|
|
|
|
|
|
def del_in_blacklist_hard(self, mac, subtable='BLACKLIST-HARD', mode='4'):
|
|
|
|
|
"""Retire la mac de la blacklist"""
|
|
|
|
|
self.atomic_del("filter", subtable, """-m mac --mac-source %s -j REJECT""" % mac, mode=mode)
|
|
|
|
|
|
|
|
|
|
def run(args):
|
|
|
|
|
table = iptables()
|
|
|
|
|
|
root