|
|
|
|
@ -36,6 +36,7 @@ class iptables:
|
|
|
|
|
self.mangle6 = "\n*mangle"
|
|
|
|
|
self.filter6 = "\n*filter"
|
|
|
|
|
self.subnet_ports = api_client.list("firewall/subnet-ports/")
|
|
|
|
|
self.interface_ports = api_client.list("firewall/interface-ports/")
|
|
|
|
|
self.verbose = False
|
|
|
|
|
self.action = None
|
|
|
|
|
self.export = False
|
|
|
|
|
@ -250,60 +251,57 @@ class iptables:
|
|
|
|
|
else:
|
|
|
|
|
chain = "filter6"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
self.init_filter(subtable, decision="-")
|
|
|
|
|
for interface in self.interfaces['sortie']:
|
|
|
|
|
self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type)
|
|
|
|
|
self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type)
|
|
|
|
|
|
|
|
|
|
def add_general_rule(ports, ip_type, chain, subtable, rule, protocol, direction):
|
|
|
|
|
"""Règles générales, fonction de factorisation"""
|
|
|
|
|
if ip_type == '4':
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-m iprange --%s-range %s-%s -p %s -m multiport --dports %s -j RETURN""" % (direction, rule["domaine_ip_start"], rule["domaine_ip_stop"], protocol, ports))
|
|
|
|
|
if ip_type == '6':
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], rule["complete_prefixv6"], protocol, ports))
|
|
|
|
|
|
|
|
|
|
#Ajout des règles générales
|
|
|
|
|
for subnet in self.subnet_ports:
|
|
|
|
|
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_in"])
|
|
|
|
|
if ports:
|
|
|
|
|
if ip_type == '4':
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-m iprange --dst-range %s-%s -p tcp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
|
|
|
|
|
if ip_type == '6':
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
|
|
|
|
|
add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'dst')
|
|
|
|
|
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_out"])
|
|
|
|
|
if ports:
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-m iprange --src-range %s-%s -p tcp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
|
|
|
|
|
if ports:
|
|
|
|
|
add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'src')
|
|
|
|
|
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_in"])
|
|
|
|
|
if ports:
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-m iprange --dst-range %s-%s -p udp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
|
|
|
|
|
if ports:
|
|
|
|
|
add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'dst')
|
|
|
|
|
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"])
|
|
|
|
|
if ports:
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-m iprange --src-range %s-%s -p udp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
|
|
|
|
|
if ports:
|
|
|
|
|
add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'src')
|
|
|
|
|
|
|
|
|
|
#Ajout des règles générales
|
|
|
|
|
for realm in self.config_firewall.ports_realm[ip_type]:
|
|
|
|
|
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['tcp']['output'])
|
|
|
|
|
|
|
|
|
|
for interface in self.interface_ports:
|
|
|
|
|
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
|
|
|
|
|
if ports:
|
|
|
|
|
for ip_range in get_range(ip_type, realm):
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
|
|
|
|
|
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['tcp']['input'])
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
|
|
|
|
for ipv6_addr in interface['ipv6']:
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
|
|
|
|
|
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
|
|
|
|
|
if ports:
|
|
|
|
|
for ip_range in get_range(ip_type, realm):
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
|
|
|
|
|
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['udp']['output'])
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
|
|
|
|
for ipv6_addr in interface['ipv6']:
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
|
|
|
|
|
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
|
|
|
|
|
if ports:
|
|
|
|
|
for ip_range in get_range(ip_type, realm):
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
|
|
|
|
|
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['udp']['input'])
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
|
|
|
|
for ipv6_addr in interface['ipv6']:
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
|
|
|
|
|
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
|
|
|
|
|
if ports:
|
|
|
|
|
for ip_range in get_range(ip_type, realm):
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
|
|
|
|
|
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
|
|
|
|
|
for ipv6_addr in interface['ipv6']:
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#Ajout des machines avec ouvertures particulières
|
|
|
|
|
for machine in self.conn.search(u'(&(portTCPout=*)(%s=*))' % ldap_object_name):
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portTCPout'])))
|
|
|
|
|
for machine in self.conn.search(u'(&(portTCPin=*)(%s=*))' % ldap_object_name):
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portTCPin'])))
|
|
|
|
|
for machine in self.conn.search(u'(&(portUDPout=*)(%s=*))' % ldap_object_name):
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portUDPout'])))
|
|
|
|
|
for machine in self.conn.search(u'(&(portUDPin=*)(%s=*))' % ldap_object_name):
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portUDPin'])))
|
|
|
|
|
|
|
|
|
|
#Rejet du reste
|
|
|
|
|
self.add_in_subtable(chain, subtable, """-j REJECT""")
|
|
|
|
|
|
|
|
|
|
@ -635,11 +633,4 @@ if __name__ == '__main__':
|
|
|
|
|
table.do_action()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sw = Switch()
|
|
|
|
|
for switch in all_switchs:
|
|
|
|
|
sw.switch = switch
|
|
|
|
|
sw.gen_conf_and_write()
|
|
|
|
|
try:
|
|
|
|
|
sw.apply_conf()
|
|
|
|
|
except:
|
|
|
|
|
print("Erreur dans l'application de la conf pour " + switch["short_name"])
|
|
|
|
|
|
|
|
|
|
|
chirac
6 years ago