|
|
|
@ -146,11 +146,11 @@ class iptables:
|
|
|
|
|
print("Filter : filtage ports v6")
|
|
|
|
|
self.filtrage_ports(ip_type='6')
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : limit connexions forward")
|
|
|
|
|
self.limit_ssh_connexion_forward()
|
|
|
|
|
print("Filter : limit connections forward")
|
|
|
|
|
self.limit_ssh_connection_forward()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : Limit connexion src")
|
|
|
|
|
self.limit_connexion_srcip()
|
|
|
|
|
print("Filter : Limit connection src")
|
|
|
|
|
self.limit_connection_srcip()
|
|
|
|
|
elif table == "mangle":
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Mangle : Mise en place des logs")
|
|
|
|
@ -169,11 +169,11 @@ class iptables:
|
|
|
|
|
print("Filter : filtrage ports 4")
|
|
|
|
|
self.filtrage_ports(ip_type='4')
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : limit ssh connexion forward")
|
|
|
|
|
self.limit_ssh_connexion_forward()
|
|
|
|
|
print("Filter : limit ssh connection forward")
|
|
|
|
|
self.limit_ssh_connection_forward()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : limit connexion src ip")
|
|
|
|
|
self.limit_connexion_srcip()
|
|
|
|
|
print("Filter : limit connection src ip")
|
|
|
|
|
self.limit_connection_srcip()
|
|
|
|
|
elif table == "mangle":
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Mangle : Mise en place des logs")
|
|
|
|
@ -198,11 +198,11 @@ class iptables:
|
|
|
|
|
print("Filter : filtage ports v6")
|
|
|
|
|
self.filtrage_ports(ip_type='6')
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : limit ssh connexion forward")
|
|
|
|
|
self.limit_ssh_connexion_forward()
|
|
|
|
|
print("Filter : limit ssh connection forward")
|
|
|
|
|
self.limit_ssh_connection_forward()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : limit connexion src ip")
|
|
|
|
|
self.limit_connexion_srcip()
|
|
|
|
|
print("Filter : limit connection src ip")
|
|
|
|
|
self.limit_connection_srcip()
|
|
|
|
|
elif table == "mangle":
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Mangle : Mise en place des logs")
|
|
|
|
@ -221,12 +221,12 @@ class iptables:
|
|
|
|
|
self.base_filter()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : autorisation des ip en sortie")
|
|
|
|
|
self.captif_autorized_ip()
|
|
|
|
|
self.captive_authorized_ip()
|
|
|
|
|
if table == "nat":
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Nat : nat et captures les connexions du portail masquerade")
|
|
|
|
|
self.nat_connexion_portail()
|
|
|
|
|
self.capture_connexion_portail()
|
|
|
|
|
self.nat_connection_portail()
|
|
|
|
|
self.capture_connection_portail()
|
|
|
|
|
|
|
|
|
|
def users(self, table):
|
|
|
|
|
"""Securisation d'un serveur avec comptes d'utilisateurs"""
|
|
|
|
@ -251,11 +251,11 @@ class iptables:
|
|
|
|
|
print("Filter : reseaux non routables")
|
|
|
|
|
self.reseaux_non_routables()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : connexion input")
|
|
|
|
|
print("Filter : connection input")
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Limitation des connexions")
|
|
|
|
|
self.limit_ssh_connexion_input()
|
|
|
|
|
self.limit_connexion_dstip()
|
|
|
|
|
self.limit_ssh_connection_input()
|
|
|
|
|
self.limit_connection_dstip()
|
|
|
|
|
|
|
|
|
|
def gen_filter(self, empty=False):
|
|
|
|
|
self.init_filter("INPUT")
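Review bot: The verbose message `print("Filter : connection input")` on the renamed line is not followed by any call before the next `if self.verbose:` block, so an operator running with verbose output is told a filtering step ran when nothing in this hunk performs it. Either the corresponding call was dropped at some point or the message is stale; if the latter, remove the print together with its `if self.verbose:` guard, otherwise restore the call it announces. The enclosing method `users` begins before this hunk.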
|
|
|
|
@ -357,39 +357,39 @@ class iptables:
|
|
|
|
|
self.jump_traficto("filter", interface, "FORWARD", subtable)
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-j REJECT""")
|
|
|
|
|
|
|
|
|
|
def captif_autorized_ip(self, subtable='FILTRE-IP-PORTAIL'):
|
|
|
|
|
"""Autorise les ip whitelistées sur le portail captif accueil"""
|
|
|
|
|
def captive_authorized_ip(self, subtable='FILTRE-IP-PORTAIL'):
|
|
|
|
|
"""Autorise les ip whitelistées sur le portail captive accueil"""
|
|
|
|
|
self.init_filter(subtable, decision="-")
|
|
|
|
|
self.jump_all_trafic("filter", "FORWARD", subtable, mode='4')
|
|
|
|
|
|
|
|
|
|
for protocol in self.portail_settings['autorized_hosts']:
|
|
|
|
|
for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
|
|
|
|
|
for protocol in self.portail_settings['authorized_hosts']:
|
|
|
|
|
for ip, ports in self.portail_settings['authorized_hosts'][protocol].items():
|
|
|
|
|
self.add_in_subtable("filter4", subtable, """-p %s -d %s -m multiport --dports %s -j ACCEPT""" % (protocol, ip, ','.join(ports)))
|
|
|
|
|
self.add_in_subtable("filter4", subtable, """-j REJECT""")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
|
|
|
|
|
"""Redirige les connexion 80 et 443 vers l'ip cible"""
|
|
|
|
|
def capture_connection_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
|
|
|
|
|
"""Redirige les connexions 80 et 443 vers l'ip cible"""
|
|
|
|
|
self.init_nat(subtable, decision="-")
|
|
|
|
|
for interface in self.interfaces_settings['routable']:
|
|
|
|
|
self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
|
|
|
|
|
|
|
|
|
|
for protocol in self.portail_settings['autorized_hosts']:
|
|
|
|
|
for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
|
|
|
|
|
for protocol in self.portail_settings['authorized_hosts']:
|
|
|
|
|
for ip, ports in self.portail_settings['authorized_hosts'][protocol].items():
|
|
|
|
|
self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j RETURN""" % (protocol, ip, ','.join(ports)))
|
|
|
|
|
for ip_range, destination in self.portail_settings['ip_redirect'].items():
|
|
|
|
|
for protocol, ip in destination.items():
|
|
|
|
|
for ip_dest, ports in ip.items():
|
|
|
|
|
self.add_in_subtable("nat4", subtable, """-p %s -s %s -m multiport --dports %s -j DNAT --to %s""" % (protocol, ip_range, ','.join(ports), ip_dest))
|
|
|
|
|
|
|
|
|
|
def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
|
|
|
|
|
def nat_connection_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
|
|
|
|
|
"""Nat les connexions derrière l'ip de la machine du portail"""
|
|
|
|
|
self.init_nat(subtable, decision="-")
|
|
|
|
|
for interface in self.interfaces_settings['sortie']:
|
|
|
|
|
self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
|
|
|
|
|
|
|
|
|
|
for protocol in self.portail_settings['autorized_hosts']:
|
|
|
|
|
for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
|
|
|
|
|
for protocol in self.portail_settings['authorized_hosts']:
|
|
|
|
|
for ip, ports in self.portail_settings['authorized_hosts'][protocol].items():
|
|
|
|
|
self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j MASQUERADE""" % (protocol, ip, ','.join(ports)))
|
|
|
|
|
|
|
|
|
|
def accept_established(self, subtable='ESTABLISHED-CONN'):
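Review bot: Renaming the settings key to `'authorized_hosts'` breaks every existing portail settings file that still carries `'autorized_hosts'`: `self.portail_settings['authorized_hosts']` then raises KeyError in `captive_authorized_ip` after `init_filter` and `jump_all_trafic` have already run and before the terminal `-j REJECT` is added, and the same lookup is repeated in `capture_connection_portail` and `nat_connection_portail`. Whether that leaves a partially built chain live depends on how `add_in_subtable` applies rules, which is outside this hunk, but the bare KeyError would not tell the operator what to change. Read the key once with an explicit migration error, e.g. `hosts = self.portail_settings.get('authorized_hosts')` followed by `if hosts is None: raise KeyError("portail_settings: 'autorized_hosts' was renamed to 'authorized_hosts'")`, and iterate `hosts` in the three loops. Separately, the docstring `"""Autorise les ip whitelistées sur le portail captive accueil"""` now mixes languages; the French term is `portail captif`, so that word did not need the rename.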
|
|
|
|
@ -418,7 +418,7 @@ class iptables:
|
|
|
|
|
self.jump_all_trafic("filter", "INPUT", subtable, mode='4')
|
|
|
|
|
self.add_in_subtable("filter4", subtable, """-p icmp -j ACCEPT""")
|
|
|
|
|
|
|
|
|
|
def limit_ssh_connexion_input(self, subtable='LIMIT-SSH-INPUT'):
|
|
|
|
|
def limit_ssh_connection_input(self, subtable='LIMIT-SSH-INPUT'):
|
|
|
|
|
self.init_filter(subtable, decision="-")
|
|
|
|
|
for interface in self.interfaces_settings['routable']:
|
|
|
|
|
self.jump_traficfrom("filter", interface, "INPUT", subtable)
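Review bot: `limit_ssh_connection_input` is renamed without gaining a docstring, while the other renamed methods in this commit keep theirs (`captive_authorized_ip`, `capture_connection_portail`, `nat_connection_portail`). Its body continues in the next hunk, where the rules record sources in `-m recent --name SSH-INPUT` and drop after `--hitcount 10` within `--seconds 120`, so a one-liner such as `"""Rate-limit new SSH connections on INPUT: drop a source after 10 new connections within 120 s (recent list SSH-INPUT)."""` would document the policy where an operator looks for it. The same applies to `limit_ssh_connection_forward`, `limit_connection_srcip` and `limit_connection_dstip` in the following hunks.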
|
|
|
|
@ -426,7 +426,7 @@ class iptables:
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --set""")
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-INPUT --update --seconds 120 --hitcount 10 --rttl -j DROP""")
|
|
|
|
|
|
|
|
|
|
def limit_ssh_connexion_forward(self, subtable='LIMIT-SSH-FORWARD'):
|
|
|
|
|
def limit_ssh_connection_forward(self, subtable='LIMIT-SSH-FORWARD'):
|
|
|
|
|
self.init_filter(subtable, decision="-")
|
|
|
|
|
for interface in self.interfaces_settings['sortie']:
|
|
|
|
|
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
|
|
|
|
@ -434,7 +434,7 @@ class iptables:
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --set""")
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-p tcp --dport ssh -m state --state NEW -m recent --name SSH-FORWARD --update --seconds 30 --hitcount 10 --rttl -j DROP""")
|
|
|
|
|
|
|
|
|
|
def limit_connexion_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'):
|
|
|
|
|
def limit_connection_srcip(self, subtable='LIMIT-CONNEXION-SRCIP'):
|
|
|
|
|
self.init_filter(subtable, decision="-")
|
|
|
|
|
for interface in self.interfaces_settings['sortie']:
|
|
|
|
|
self.jump_traficto("filter", interface, "FORWARD", subtable)
|
|
|
|
@ -449,7 +449,7 @@ class iptables:
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-m hashlimit --hashlimit-upto 5/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name LIMIT_OTHER_SRCIP_CONNEXION_LOG -j LOG --log-prefix "CONNEXION_LIMIT " """)
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-j REJECT""")
|
|
|
|
|
|
|
|
|
|
def limit_connexion_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'):
|
|
|
|
|
def limit_connection_dstip(self, subtable='LIMIT-CONNEXION-DSTIP', cible='INPUT'):
|
|
|
|
|
self.init_filter(subtable, decision="-")
|
|
|
|
|
for interface in self.interfaces_settings['sortie']:
|
|
|
|
|
self.jump_traficfrom("filter", interface, "FORWARD", subtable)
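Review bot: `limit_connection_dstip` takes `cible='INPUT'` but the visible body hooks the chain into `"FORWARD"` on the last line of the hunk, so the parameter appears to have no effect and the limiter that `users()` calls for a server with local accounts is attached to forwarded traffic rather than to INPUT. If `cible` is not used further down (the method body continues past this hunk), the line should be `self.jump_traficfrom("filter", interface, cible, subtable)`; the interface list `self.interfaces_settings['sortie']` would then also need checking against the `'routable'` list that `limit_ssh_connection_input` uses for its INPUT hook. This is pre-existing, but the rename is the moment to fix it or to document why the parameter is ignored.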
|
|
|
|
|