No more bl hard
parent
c2163edc1e
commit
66edd5f440
1 changed files with 0 additions and 31 deletions
31
main.py
31
main.py
|
@ -137,9 +137,6 @@ class iptables:
|
||||||
"""Methode appellée spécifiquement pour le parefeu v6"""
|
"""Methode appellée spécifiquement pour le parefeu v6"""
|
||||||
if table == "filter":
|
if table == "filter":
|
||||||
self.base_filter()
|
self.base_filter()
|
||||||
if self.verbose:
|
|
||||||
print("Filter : interdit les machines blacklistées en forward")
|
|
||||||
self.blacklist_hard_forward()
|
|
||||||
if self.verbose:
|
if self.verbose:
|
||||||
print("Filter : filtage ports v6")
|
print("Filter : filtage ports v6")
|
||||||
self.filtrage_ports(ip_type='6')
|
self.filtrage_ports(ip_type='6')
|
||||||
|
@ -163,9 +160,6 @@ class iptables:
|
||||||
"""Methode appellée spécifiquement pour le parefeu v4"""
|
"""Methode appellée spécifiquement pour le parefeu v4"""
|
||||||
if table == "filter":
|
if table == "filter":
|
||||||
self.base_filter()
|
self.base_filter()
|
||||||
if self.verbose:
|
|
||||||
print("Filter : interdit les machines blacklistées en forward")
|
|
||||||
# self.blacklist_hard_forward()
|
|
||||||
if self.verbose:
|
if self.verbose:
|
||||||
print("Filter : filtrage ports 4")
|
print("Filter : filtrage ports 4")
|
||||||
self.filtrage_ports(ip_type='4')
|
self.filtrage_ports(ip_type='4')
|
||||||
|
@ -222,9 +216,6 @@ class iptables:
|
||||||
if self.verbose:
|
if self.verbose:
|
||||||
print("Filter : reseaux non routables")
|
print("Filter : reseaux non routables")
|
||||||
self.reseaux_non_routables()
|
self.reseaux_non_routables()
|
||||||
if self.verbose:
|
|
||||||
print("Filter : bl hard")
|
|
||||||
#self.blacklist_hard()
|
|
||||||
if self.verbose:
|
if self.verbose:
|
||||||
print("Filter : connexion input")
|
print("Filter : connexion input")
|
||||||
if self.verbose:
|
if self.verbose:
|
||||||
|
@ -438,21 +429,6 @@ class iptables:
|
||||||
self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_DSTIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """)
|
self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_DSTIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """)
|
||||||
self.add_in_subtable("filter", subtable, """-j REJECT""")
|
self.add_in_subtable("filter", subtable, """-j REJECT""")
|
||||||
|
|
||||||
def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'):
|
|
||||||
"""Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
|
|
||||||
for interface in self.interfaces_settings['routable']:
|
|
||||||
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
|
||||||
|
|
||||||
def blacklist_hard(self, subtable='BLACKLIST-HARD'):
|
|
||||||
"""Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
|
|
||||||
self.init_filter(subtable, decision="-")
|
|
||||||
for interface in self.interfaces_settings['routable']:
|
|
||||||
self.jump_traficfrom("filter", interface, "INPUT", subtable)
|
|
||||||
|
|
||||||
for machine in self.conn.allMachines():
|
|
||||||
if machine.blacklist_actif() and set(bl['type'] for bl in machine.blacklist_actif()).intersection(self.config.blacklist_sanctions) and machine['macAddress'] and machine['macAddress'][0].value != '<automatique>':
|
|
||||||
self.add_in_subtable("filter", subtable, """-m mac --mac-source %s -j REJECT""" % machine['macAddress'][0].value)
|
|
||||||
|
|
||||||
def forbid_adm(self, subtable='ADMIN-VLAN'):
|
def forbid_adm(self, subtable='ADMIN-VLAN'):
|
||||||
"""Interdit aux users non admin de parler sur les vlans admin"""
|
"""Interdit aux users non admin de parler sur les vlans admin"""
|
||||||
self.init_filter(subtable, decision="-")
|
self.init_filter(subtable, decision="-")
|
||||||
|
@ -599,13 +575,6 @@ class iptables:
|
||||||
if sens == "destination":
|
if sens == "destination":
|
||||||
self.atomic_add("filter", subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % ('d', ip_cible, protocole, ','.join(self.format_port(port) for port in ports)), mode=mode)
|
self.atomic_add("filter", subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % ('d', ip_cible, protocole, ','.join(self.format_port(port) for port in ports)), mode=mode)
|
||||||
|
|
||||||
def add_in_blacklist_hard(self, mac, subtable='BLACKLIST-HARD', mode='4'):
|
|
||||||
"""Ajoute la mac à la blacklist"""
|
|
||||||
self.atomic_add("filter", subtable, """-m mac --mac-source %s -j REJECT""" % mac, mode=mode)
|
|
||||||
|
|
||||||
def del_in_blacklist_hard(self, mac, subtable='BLACKLIST-HARD', mode='4'):
|
|
||||||
"""Retire la mac de la blacklist"""
|
|
||||||
self.atomic_del("filter", subtable, """-m mac --mac-source %s -j REJECT""" % mac, mode=mode)
|
|
||||||
|
|
||||||
def run(args):
|
def run(args):
|
||||||
table = iptables()
|
table = iptables()
|
||||||
|
|