Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
aurore
ynerant 3 years ago
parent 6437f6191e
commit 6e53fd7bdb

@ -146,11 +146,11 @@ class iptables:
print("Filter : filtage ports v6")
self.filtrage_ports(ip_type='6')
if self.verbose:
print("Filter : limit connexions forward")
self.limit_ssh_connexion_forward()
print("Filter : limit connections forward")
self.limit_ssh_connection_forward()
if self.verbose:
print("Filter : Limit connexion src")
self.limit_connexion_srcip()
print("Filter : Limit connection src")
self.limit_connection_srcip()
elif table == "mangle":
if self.verbose:
print("Mangle : Mise en place des logs")
@ -169,11 +169,11 @@ class iptables:
print("Filter : filtrage ports 4")
self.filtrage_ports(ip_type='4')
if self.verbose:
print("Filter : limit ssh connexion forward")
self.limit_ssh_connexion_forward()
print("Filter : limit ssh connection forward")
self.limit_ssh_connection_forward()
if self.verbose:
print("Filter : limit connexion src ip")
self.limit_connexion_srcip()
print("Filter : limit connection src ip")
self.limit_connection_srcip()
elif table == "mangle":
if self.verbose:
print("Mangle : Mise en place des logs")
@ -198,11 +198,11 @@ class iptables:
print("Filter : filtage ports v6")
self.filtrage_ports(ip_type='6')
if self.verbose:
print("Filter : limit ssh connexion forward")
self.limit_ssh_connexion_forward()
print("Filter : limit ssh connection forward")
self.limit_ssh_connection_forward()
if self.verbose:
print("Filter : limit connexion src ip")
self.limit_connexion_srcip()
print("Filter : limit connection src ip")
self.limit_connection_srcip()
elif table == "mangle":
if self.verbose:
print("Mangle : Mise en place des logs")
@ -221,12 +221,12 @@ class iptables:
self.base_filter()
if self.verbose:
print("Filter : autorisation des ip en sortie")
self.captif_autorized_ip()
self.captive_authorized_ip()
if table == "nat":
if self.verbose:
print("Nat : nat et captures les connexions du portail masquerade")
self.nat_connexion_portail()
self.capture_connexion_portail()
self.nat_connection_portail()
self.capture_connection_portail()
def users(self, table):
"""Securisation d'un serveur avec comptes d'utilisateurs"""
@ -251,11 +251,11 @@ class iptables:
print("Filter : reseaux non routables")
self.reseaux_non_routables()
if self.verbose:
print("Filter : connexion input")
print("Filter : connection input")
if self.verbose:
print("Limitation des connexions")
self.limit_ssh_connexion_input()
self.limit_connexion_dstip()
self.limit_ssh_connection_input()
self.limit_connection_dstip()
def gen_filter(self, empty=False):
self.init_filter("INPUT")
@ -357,39 +357,39 @@ class iptables:
self.jump_traficto("filter", interface, "FORWARD", subtable)
self.add_in_subtable("filter", subtable, """-j REJECT""")
def captif_autorized_ip(self, subtable='FILTRE-IP-PORTAIL'):
"""Autorise les ip whitelistées sur le portail captif accueil"""
def captive_authorized_ip(self, subtable='FILTRE-IP-PORTAIL'):
"""Autorise les ip whitelistées sur le portail captive accueil"""
self.init_filter(subtable, decision="-")
self.jump_all_trafic("filter", "FORWARD", subtable, mode='4')
for protocol in self.portail_settings['autorized_hosts']:
for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
for protocol in self.portail_settings['authorized_hosts']:
for ip, ports in self.portail_settings['authorized_hosts'][protocol].items():
self.add_in_subtable("filter4", subtable, """-p %s -d %s -m multiport --dports %s -j ACCEPT""" % (protocol, ip, ','.join(ports)))
self.add_in_subtable("filter4", subtable, """-j REJECT""")
def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
"""Redirige les connexion 80 et 443 vers l'ip cible"""
def capture_connection_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
"""Redirige les connexions 80 et 443 vers l'ip cible"""
self.init_nat(subtable, decision="-")
for interface in self.interfaces_settings['routable']:
self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
for protocol in self.portail_settings['autorized_hosts']:
for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
for protocol in self.portail_settings['authorized_hosts']:
for ip, ports in self.portail_settings['authorized_hosts'][protocol].items():
self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j RETURN""" % (protocol, ip, ','.join(ports)))
for ip_range, destination in self.portail_settings['ip_redirect'].items():
for protocol, ip in destination.items():
for ip_dest, ports in ip.items():
self.add_in_subtable("nat4", subtable, """-p %s -s %s -m multiport --dports %s -j DNAT --to %s""" % (protocol, ip_range, ','.join(ports), ip_dest))
def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
def nat_connection_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
"""Nat les connexions derrière l'ip de la machine du portail"""
self.init_nat(subtable, decision="-")
for interface in self.interfaces_settings['sortie']:
self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
for protocol in self.portail_settings['autorized_hosts']:
for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
for protocol in self.portail_settings['authorized_hosts']:
for ip, ports in self.portail_settings['authorized_hosts'][protocol].items():
self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j MASQUERADE""" % (protocol, ip, ','.join(ports)))
def accept_established(self, subtable='ESTABLISHED-CONN'):
@ -418,7 +418,7 @@ class iptables:
self.jump_all_trafic("filter", "INPUT", subtable, mode='4')
self.add_in_subtable("filter4", subtable, """-p icmp -j ACCEPT""")
def limit_ssh_connexion_input(self, subtable='LIMIT-SSH-INPUT'):
def limit_ssh_connection_input(self, subtable='LIMIT-SSH-INPUT'):
self.init_filter(subtable, decision="-")
for interface in self.interfaces_settings['routable']:
self.jump_traficfrom("filter", interface, "INPUT", subtable)
@ -426,7 +426,7 @@ class iptables:
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --set""")
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --update --seconds 120 --hitcount 10 --rttl -j DROP""")
def limit_ssh_connexion_forward(self, subtable='LIMIT-SSH-FORWARD'):
def limit_ssh_connection_forward(self, subtable='LIMIT-SSH-FORWARD'):
self.init_filter(subtable, decision="-")
for interface in self.interfaces_settings['sortie']:
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
@ -434,7 +434,7 @@ class iptables:
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --set""")
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --update --seconds 30 --hitcount 10 --rttl -j DROP""")
def limit_connexion_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'):
def limit_connection_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'):
self.init_filter(subtable, decision="-")
for interface in self.interfaces_settings['sortie']:
self.jump_traficto("filter", interface, "FORWARD", subtable)
@ -449,7 +449,7 @@ class iptables:
self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_SRCIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """)
self.add_in_subtable("filter", subtable, """-j REJECT""")
def limit_connexion_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'):
def limit_connection_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'):
self.init_filter(subtable, decision="-")
for interface in self.interfaces_settings['sortie']:
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
