diff --git a/main.py b/main.py
index 617607f..65ee1f3 100755
--- a/main.py
+++ b/main.py
@@ -137,9 +137,6 @@ class iptables:
         """Methode appellée spécifiquement pour le parefeu v6"""
         if table == "filter":
             self.base_filter()
-            if self.verbose:
-                print("Filter : interdit les machines blacklistées en forward")
-            self.blacklist_hard_forward()
             if self.verbose:
                 print("Filter : filtage ports v6")
             self.filtrage_ports(ip_type='6')
@@ -163,9 +160,6 @@ class iptables:
         """Methode appellée spécifiquement pour le parefeu v4"""
         if table == "filter":
             self.base_filter()
-            if self.verbose:
-                print("Filter : interdit les machines blacklistées en forward")
-            # self.blacklist_hard_forward()
             if self.verbose:
                 print("Filter : filtrage ports 4")
             self.filtrage_ports(ip_type='4')
@@ -222,9 +216,6 @@ class iptables:
         if self.verbose:
             print("Filter : reseaux non routables")
         self.reseaux_non_routables()
-        if self.verbose:
-            print("Filter : bl hard")
-            #self.blacklist_hard()
         if self.verbose:
             print("Filter : connexion input")
         if self.verbose:
@@ -438,21 +429,6 @@ class iptables:
             self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_DSTIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """)
             self.add_in_subtable("filter", subtable, """-j REJECT""")
 
-    def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'):
-        """Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
-        for interface in self.interfaces_settings['routable']:
-            self.jump_traficfrom("filter", interface, "FORWARD", subtable)
-
-    def blacklist_hard(self, subtable='BLACKLIST-HARD'):
-        """Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
-        self.init_filter(subtable, decision="-")
-        for interface in self.interfaces_settings['routable']:
-            self.jump_traficfrom("filter", interface, "INPUT", subtable)
-
-        for machine in self.conn.allMachines():
-            if machine.blacklist_actif() and set(bl['type'] for bl in machine.blacklist_actif()).intersection(self.config.blacklist_sanctions) and machine['macAddress'] and machine['macAddress'][0].value != '':
-                self.add_in_subtable("filter", subtable, """-m mac --mac-source %s -j REJECT""" % machine['macAddress'][0].value)
-
     def forbid_adm(self, subtable='ADMIN-VLAN'):
         """Interdit aux users non admin de parler sur les vlans admin"""
         self.init_filter(subtable, decision="-")
@@ -599,13 +575,6 @@ class iptables:
         if sens == "destination":
             self.atomic_add("filter", subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % ('d', ip_cible, protocole, ','.join(self.format_port(port) for port in ports)), mode=mode)
 
-    def add_in_blacklist_hard(self, mac, subtable='BLACKLIST-HARD', mode='4'):
-        """Ajoute la mac à la blacklist"""
-        self.atomic_add("filter", subtable, """-m mac --mac-source %s -j REJECT""" % mac, mode=mode)
-
-    def del_in_blacklist_hard(self, mac, subtable='BLACKLIST-HARD', mode='4'):
-        """Retire la mac de la blacklist"""
-        self.atomic_del("filter", subtable, """-m mac --mac-source %s -j REJECT""" % mac, mode=mode)
 
 def run(args):
     table = iptables()