aurore/aurore-firewall
12
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Système d'ouverture de ports avec les serialisers re2o

Browse source
This commit is contained in:
chirac 2018-08-05 15:13:53 +02:00
parent d25395f8bd
commit 9a27e5da95
1 changed files with 37 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

83
main.py
View file

@ -36,6 +36,7 @@ class iptables:
self.mangle6 = "\n*mangle"
self.filter6 = "\n*filter"
self.subnet_ports = api_client.list("firewall/subnet-ports/")
self.interface_ports = api_client.list("firewall/interface-ports/")
self.verbose = False
self.action = None
self.export = False
@ -250,59 +251,56 @@ class iptables:
else:
chain = "filter6"
self.init_filter(subtable, decision="-")
for interface in self.interfaces['sortie']:
self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type)
self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type)
def add_general_rule(ports, ip_type, chain, subtable, rule, protocol, direction):
"""Règles générales, fonction de factorisation"""
if ip_type == '4':
self.add_in_subtable(chain, subtable, """-m iprange --%s-range %s-%s -p %s -m multiport --dports %s -j RETURN""" % (direction, rule["domaine_ip_start"], rule["domaine_ip_stop"], protocol, ports))
if ip_type == '6':
self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], rule["complete_prefixv6"], protocol, ports))
#Ajout des règles générales
for subnet in self.subnet_ports:
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_in"])
if ports:
if ip_type == '4':
self.add_in_subtable(chain, subtable, """-m iprange --dst-range %s-%s -p tcp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
if ip_type == '6':
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'dst')
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_out"])
if ports:
self.add_in_subtable(chain, subtable, """-m iprange --src-range %s-%s -p tcp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
if ports:
add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'src')
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_in"])
if ports:
self.add_in_subtable(chain, subtable, """-m iprange --dst-range %s-%s -p udp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
if ports:
add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'dst')
ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"])
if ports:
self.add_in_subtable(chain, subtable, """-m iprange --src-range %s-%s -p udp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports))
#Ajout des règles générales
for realm in self.config_firewall.ports_realm[ip_type]:
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['tcp']['output'])
if ports:
for ip_range in get_range(ip_type, realm):
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['tcp']['input'])
if ports:
for ip_range in get_range(ip_type, realm):
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['udp']['output'])
if ports:
for ip_range in get_range(ip_type, realm):
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['udp']['input'])
if ports:
for ip_range in get_range(ip_type, realm):
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ip_range, ports))
add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'src')
for interface in self.interface_ports:
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
if ports:
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
if ports:
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
if ports:
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
if ports:
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
for ipv6_addr in interface['ipv6']:
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
#Ajout des machines avec ouvertures particulières
for machine in self.conn.search(u'(&(portTCPout=*)(%s=*))' % ldap_object_name):
self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portTCPout'])))
for machine in self.conn.search(u'(&(portTCPin=*)(%s=*))' % ldap_object_name):
self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portTCPin'])))
for machine in self.conn.search(u'(&(portUDPout=*)(%s=*))' % ldap_object_name):
self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portUDPout'])))
for machine in self.conn.search(u'(&(portUDPin=*)(%s=*))' % ldap_object_name):
self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portUDPin'])))
#Rejet du reste
self.add_in_subtable(chain, subtable, """-j REJECT""")
@ -635,11 +633,4 @@ if __name__ == '__main__':
table.do_action()
sw = Switch()
for switch in all_switchs:
sw.switch = switch
sw.gen_conf_and_write()
try:
sw.apply_conf()
except:
print("Erreur dans l'application de la conf pour " + switch["short_name"])