Factorisation et correction de bug dans filter ports

This commit is contained in:
chirac 2018-08-06 11:13:12 +02:00 committed by root
parent 09e0006d32
commit 6947ea6673

31
main.py

@ -41,7 +41,7 @@ class iptables:
self.verbose = False self.verbose = False
self.action = None self.action = None
self.export = False self.export = False
self.role = config.get('Firewall', 'role').split(',') self.role = getattr(firewall_config, 'role', None)
self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None) self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
self.nat_settings = getattr(firewall_config, 'nat', None) self.nat_settings = getattr(firewall_config, 'nat', None)
@ -281,28 +281,27 @@ class iptables:
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"]) ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"])
add_general_rule(ports, ip_type, chain, subtable, subnet, 'udp', 'src') add_general_rule(ports, ip_type, chain, subtable, subnet, 'udp', 'src')
def add_specific_rule(ports, ip_type, chain, interface, subnet, protocol, direction):
"""Règles spécifique, fonction de factorisation"""
if ip_type == '4':
self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], interface['ipv4'], protocol, ports))
if ip_type == '6':
for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], ipv6_addr['ipv6'], protocol, ports))
for interface in self.interface_ports: for interface in self.interface_ports:
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]]) ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
if ports: if ports:
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports)) add_specific_rule(ports, ip_type, chain, interface, subnet, 'tcp', 'dst')
for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]]) ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
if ports: if ports:
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports)) add_specific_rule(ports, ip_type, chain, interface, subnet, 'tcp', 'src')
for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]]) ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
if ports: if ports:
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports)) add_specific_rule(ports, ip_type, chain, interface, subnet, 'udp', 'dst')
for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]]) ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
if ports: if ports:
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports)) add_specific_rule(ports, ip_type, chain, interface, subnet, 'udp', 'src')
for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
#Rejet du reste #Rejet du reste
@ -527,7 +526,7 @@ class iptables:
# On nat # On nat
for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items(): for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip/26) ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip//26)
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high))) self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high))) self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
@ -557,8 +556,8 @@ class iptables:
else: else:
global_chain = self.nat4 + self.filter4 + self.mangle4 global_chain = self.nat4 + self.filter4 + self.mangle4
command_to_execute = ["sudo","-n","/sbin/iptables-restore"] command_to_execute = ["sudo","-n","/sbin/iptables-restore"]
#process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE) process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
#process.communicate(input=global_chain.encode('utf-8')) process.communicate(input=global_chain.encode('utf-8'))
if self.export: if self.export:
print(global_chain) print(global_chain)
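Review bot: The re-enabled `iptables-restore` call in the last hunk never checks whether it succeeded: `process.communicate(...)` discards the exit status and stderr is not captured, so a rejected rule set (a malformed rule, or `sudo -n` refusing because a password would be required) leaves the previous firewall state in place while the method continues to the `if self.export:` branch as if the new policy were active. For a firewall loader that silent failure is the worst outcome, because the caller has no signal that the intended rules are not loaded. Capturing stderr and raising on a non-zero `returncode` keeps the Popen-based form and works on any interpreter version; `subprocess.run(command_to_execute, input=global_chain.encode('utf-8'), check=True)` would be shorter if Python 3.5+ can be assumed. The enclosing method starts outside the hunk.
```python
command_to_execute = ["sudo","-n","/sbin/iptables-restore"]
process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
_out, err = process.communicate(input=global_chain.encode('utf-8'))
if process.returncode != 0:
    # Fail loudly: an unloaded rule set must not look like a successful run.
    raise RuntimeError("iptables-restore failed (exit %d): %s" % (process.returncode, err.decode('utf-8', 'replace')))
# … unchanged: export branch …
```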