No more bl hard

This commit is contained in:
chirac 2018-11-19 00:06:30 +01:00 committed by root
parent c2163edc1e
commit 66edd5f440

31
main.py
View file

@ -137,9 +137,6 @@ class iptables:
"""Methode appellée spécifiquement pour le parefeu v6""" """Methode appellée spécifiquement pour le parefeu v6"""
if table == "filter": if table == "filter":
self.base_filter() self.base_filter()
if self.verbose:
print("Filter : interdit les machines blacklistées en forward")
self.blacklist_hard_forward()
if self.verbose: if self.verbose:
print("Filter : filtage ports v6") print("Filter : filtage ports v6")
self.filtrage_ports(ip_type='6') self.filtrage_ports(ip_type='6')
@ -163,9 +160,6 @@ class iptables:
"""Methode appellée spécifiquement pour le parefeu v4""" """Methode appellée spécifiquement pour le parefeu v4"""
if table == "filter": if table == "filter":
self.base_filter() self.base_filter()
if self.verbose:
print("Filter : interdit les machines blacklistées en forward")
# self.blacklist_hard_forward()
if self.verbose: if self.verbose:
print("Filter : filtrage ports 4") print("Filter : filtrage ports 4")
self.filtrage_ports(ip_type='4') self.filtrage_ports(ip_type='4')
@ -222,9 +216,6 @@ class iptables:
if self.verbose: if self.verbose:
print("Filter : reseaux non routables") print("Filter : reseaux non routables")
self.reseaux_non_routables() self.reseaux_non_routables()
if self.verbose:
print("Filter : bl hard")
#self.blacklist_hard()
if self.verbose: if self.verbose:
print("Filter : connexion input") print("Filter : connexion input")
if self.verbose: if self.verbose:
@ -438,21 +429,6 @@ class iptables:
self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_DSTIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """) self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_DSTIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """)
self.add_in_subtable("filter", subtable, """-j REJECT""") self.add_in_subtable("filter", subtable, """-j REJECT""")
def blacklist_hard_forward(self, subtable='BLACKLIST-HARD'):
"""Blacklist les machines en forward, à appliquer sur les routeurs de sortie"""
for interface in self.interfaces_settings['routable']:
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
def blacklist_hard(self, subtable='BLACKLIST-HARD'):
"""Génération de la chaine blackliste hard, blackliste des mac des machines bl"""
self.init_filter(subtable, decision="-")
for interface in self.interfaces_settings['routable']:
self.jump_traficfrom("filter", interface, "INPUT", subtable)
for machine in self.conn.allMachines():
if machine.blacklist_actif() and set(bl['type'] for bl in machine.blacklist_actif()).intersection(self.config.blacklist_sanctions) and machine['macAddress'] and machine['macAddress'][0].value != '<automatique>':
self.add_in_subtable("filter", subtable, """-m mac --mac-source %s -j REJECT""" % machine['macAddress'][0].value)
def forbid_adm(self, subtable='ADMIN-VLAN'): def forbid_adm(self, subtable='ADMIN-VLAN'):
"""Interdit aux users non admin de parler sur les vlans admin""" """Interdit aux users non admin de parler sur les vlans admin"""
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
@ -599,13 +575,6 @@ class iptables:
if sens == "destination": if sens == "destination":
self.atomic_add("filter", subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % ('d', ip_cible, protocole, ','.join(self.format_port(port) for port in ports)), mode=mode) self.atomic_add("filter", subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % ('d', ip_cible, protocole, ','.join(self.format_port(port) for port in ports)), mode=mode)
def add_in_blacklist_hard(self, mac, subtable='BLACKLIST-HARD', mode='4'):
"""Ajoute la mac à la blacklist"""
self.atomic_add("filter", subtable, """-m mac --mac-source %s -j REJECT""" % mac, mode=mode)
def del_in_blacklist_hard(self, mac, subtable='BLACKLIST-HARD', mode='4'):
"""Retire la mac de la blacklist"""
self.atomic_del("filter", subtable, """-m mac --mac-source %s -j REJECT""" % mac, mode=mode)
def run(args): def run(args):
table = iptables() table = iptables()