Factorisation et correction de bug dans filter ports
This commit is contained in:
parent
09e0006d32
commit
6947ea6673
1 changed files with 15 additions and 16 deletions
main.py
|
@ -41,7 +41,7 @@ class iptables:
|
|||
self.verbose = False
|
||||
self.action = None
|
||||
self.export = False
|
||||
self.role = config.get('Firewall', 'role').split(',')
|
||||
self.role = getattr(firewall_config, 'role', None)
|
||||
self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
|
||||
self.nat_settings = getattr(firewall_config, 'nat', None)
|
||||
|
||||
|
@ -281,28 +281,27 @@ class iptables:
|
|||
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"])
|
||||
add_general_rule(ports, ip_type, chain, subtable, subnet, 'udp', 'src')
|
||||
|
||||
def add_specific_rule(ports, ip_type, chain, interface, subnet, protocol, direction):
|
||||
"""Règles spécifique, fonction de factorisation"""
|
||||
if ip_type == '4':
|
||||
self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], interface['ipv4'], protocol, ports))
|
||||
if ip_type == '6':
|
||||
for ipv6_addr in interface['ipv6']:
|
||||
self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], ipv6_addr['ipv6'], protocol, ports))
|
||||
|
||||
for interface in self.interface_ports:
|
||||
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
|
||||
if ports:
|
||||
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
||||
for ipv6_addr in interface['ipv6']:
|
||||
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
|
||||
add_specific_rule(ports, ip_type, chain, interface, subnet, 'tcp', 'dst')
|
||||
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
|
||||
if ports:
|
||||
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
||||
for ipv6_addr in interface['ipv6']:
|
||||
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
|
||||
add_specific_rule(ports, ip_type, chain, interface, subnet, 'tcp', 'src')
|
||||
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
|
||||
if ports:
|
||||
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
||||
for ipv6_addr in interface['ipv6']:
|
||||
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
|
||||
add_specific_rule(ports, ip_type, chain, interface, subnet, 'udp', 'dst')
|
||||
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
|
||||
if ports:
|
||||
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
||||
for ipv6_addr in interface['ipv6']:
|
||||
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
|
||||
add_specific_rule(ports, ip_type, chain, interface, subnet, 'udp', 'src')
|
||||
|
||||
|
||||
#Rejet du reste
|
||||
|
@ -527,7 +526,7 @@ class iptables:
|
|||
|
||||
# On nat
|
||||
for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
|
||||
ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip/26)
|
||||
ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip//26)
|
||||
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
|
||||
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
|
||||
|
||||
|
@ -557,8 +556,8 @@ class iptables:
|
|||
else:
|
||||
global_chain = self.nat4 + self.filter4 + self.mangle4
|
||||
command_to_execute = ["sudo","-n","/sbin/iptables-restore"]
|
||||
#process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
|
||||
#process.communicate(input=global_chain.encode('utf-8'))
|
||||
process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
|
||||
process.communicate(input=global_chain.encode('utf-8'))
|
||||
if self.export:
|
||||
print(global_chain)
|
||||
|
||||
|
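Review bot: The re-enabled iptables-restore call in the last hunk still discards the child's exit status, so a ruleset that iptables-restore rejects leaves the host on the previous or partially loaded rules while the script reports nothing; `process.communicate(...)` should be followed by a return-code check such as `if process.returncode != 0: raise RuntimeError('iptables-restore failed with status %d' % process.returncode)`, and stderr should be captured with `stderr=subprocess.PIPE` so the offending rule is visible. If the target is Python 3.5+ (the `//` fix in the NAT hunk suggests a Python 3 migration), `subprocess.run(command_to_execute, input=global_chain.encode('utf-8'), stderr=subprocess.PIPE, check=True)` replaces both lines and raises `CalledProcessError` carrying the captured stderr. The method this runs in begins before the hunk. In the filter hunk, the new `add_specific_rule` takes a `subnet` argument it never reads while its callers pass the `subnet` left over from the earlier loop, and `subtable` is captured from the enclosing scope rather than passed like `chain`; dropping the unused parameter (or passing `subtable` explicitly) would keep the helper's signature honest. Its `if ip_type == '4'` / `if ip_type == '6'` pair also silently emits no rule for any other value, so an `else: raise ValueError(ip_type)` would surface a bad caller instead of a missing RETURN rule.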