From 9a27e5da956460fd97548ba57835af4377702194 Mon Sep 17 00:00:00 2001 From: chirac Date: Sun, 5 Aug 2018 15:13:53 +0200 Subject: [PATCH] =?UTF-8?q?Syst=C3=A8me=20d'ouverture=20de=20ports=20avec?= =?UTF-8?q?=20les=20serialisers=20re2o?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- main.py | 83 +++++++++++++++++++++++++-------------------------------- 1 file changed, 37 insertions(+), 46 deletions(-) diff --git a/main.py b/main.py index ae3e745..f5802af 100755 --- a/main.py +++ b/main.py @@ -36,6 +36,7 @@ class iptables: self.mangle6 = "\n*mangle" self.filter6 = "\n*filter" self.subnet_ports = api_client.list("firewall/subnet-ports/") + self.interface_ports = api_client.list("firewall/interface-ports/") self.verbose = False self.action = None self.export = False 
@@ -250,59 +251,56 @@ class iptables: else: chain = "filter6" - self.init_filter(subtable, decision="-") for interface in self.interfaces['sortie']: self.jump_traficto("filter", interface, "FORWARD", subtable, mode=ip_type) self.jump_traficfrom("filter", interface, "FORWARD", subtable, mode=ip_type) + def add_general_rule(ports, ip_type, chain, subtable, rule, protocol, direction): + """Règles générales, fonction de factorisation""" + if ip_type == '4': + self.add_in_subtable(chain, subtable, """-m iprange --%s-range %s-%s -p %s -m multiport --dports %s -j RETURN""" % (direction, rule["domaine_ip_start"], rule["domaine_ip_stop"], protocol, ports)) + if ip_type == '6': + self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], rule["complete_prefixv6"], protocol, ports)) + + #Ajout des règles générales for subnet in self.subnet_ports: ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_in"]) if ports: - if ip_type == '4': - self.add_in_subtable(chain, subtable, """-m iprange --dst-range %s-%s -p tcp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports)) - if ip_type == '6': - self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports)) + add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'dst') ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["tcp_ports_out"]) - if ports: - self.add_in_subtable(chain, subtable, """-m iprange --src-range %s-%s -p tcp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports)) + if ports: + add_general_rule(ports, ip_type, chain, subtable, rule, 'tcp', 'src') ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_in"]) - if ports: - self.add_in_subtable(chain, subtable, """-m iprange --dst-range %s-%s -p udp -m multiport --dports %s -j RETURN""" % 
(rule["domaine_ip_start"], rule["domaine_ip_stop"], ports)) + if ports: + add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'dst') ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"]) - if ports: - self.add_in_subtable(chain, subtable, """-m iprange --src-range %s-%s -p udp -m multiport --dports %s -j RETURN""" % (rule["domaine_ip_start"], rule["domaine_ip_stop"], ports)) - - #Ajout des règles générales - for realm in self.config_firewall.ports_realm[ip_type]: - ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['tcp']['output']) if ports: - for ip_range in get_range(ip_type, realm): - self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports)) - ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['tcp']['input']) - if ports: - for ip_range in get_range(ip_type, realm): - self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ip_range, ports)) - ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['udp']['output']) - if ports: - for ip_range in get_range(ip_type, realm): - self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ip_range, ports)) - ports = ','.join(self.format_port(port) for port in self.config_firewall.ports_default['udp']['input']) - if ports: - for ip_range in get_range(ip_type, realm): - self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ip_range, ports)) + add_general_rule(ports, ip_type, chain, subtable, rule, 'udp', 'src') + for interface in self.interface_ports: + ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]]) + if ports: + self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % 
(interface['ipv4'], ports)) + for ipv6_addr in interface['ipv6']: + self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports)) + ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]]) + if ports: + self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports)) + for ipv6_addr in interface['ipv6']: + self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports)) + ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]]) + if ports: + self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports)) + for ipv6_addr in interface['ipv6']: + self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports)) + ports = ','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]]) + if ports: + self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports)) + for ipv6_addr in interface['ipv6']: + self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports)) - #Ajout des machines avec ouvertures particulières - for machine in self.conn.search(u'(&(portTCPout=*)(%s=*))' % ldap_object_name): - self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portTCPout']))) - for machine in self.conn.search(u'(&(portTCPin=*)(%s=*))' % ldap_object_name): - self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % 
(machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portTCPin']))) - for machine in self.conn.search(u'(&(portUDPout=*)(%s=*))' % ldap_object_name): - self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portUDPout']))) - for machine in self.conn.search(u'(&(portUDPin=*)(%s=*))' % ldap_object_name): - self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (machine[ldap_object_name][0].value, ','.join(self.format_port(port) for port in machine['portUDPin']))) #Rejet du reste self.add_in_subtable(chain, subtable, """-j REJECT""") @@ -635,11 +633,4 @@ if __name__ == '__main__': table.do_action() -sw = Switch() -for switch in all_switchs: - sw.switch = switch - sw.gen_conf_and_write() - try: - sw.apply_conf() - except: - print("Erreur dans l'application de la conf pour " + switch["short_name"]) +
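Review bot: Each `add_general_rule(ports, ip_type, chain, subtable, rule, ...)` call in the `for subnet in self.subnet_ports` loop passes `rule`, but within this hunk `rule` is only bound inside the preceding generator expressions, which do not leak it, so the first call raises `NameError` (or, if an outer `rule` happens to exist, formats the wrong address range); the fields `domaine_ip_start`/`domaine_ip_stop`/`complete_prefixv6` appear to belong to the subnet record, so the four calls should read `add_general_rule(ports, ip_type, chain, subtable, subnet, 'tcp', 'dst')` and likewise for the other three. The four `','.join([ports_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports[...]])` lines in the `for interface in self.interface_ports` loop have the same shape of defect: the comprehension binds `port_list` but indexes `ports_list`, so each should read `port_list['show_port']`. Since `interface['ipv4']`, `ipv6_addr['ipv6']` and the subnet range fields are interpolated straight into iptables rule text with `%`, a non-address value coming back from the API (an interface without IPv4 giving `-d None`, or a string containing whitespace) would alter the emitted rule rather than be rejected; checking each value with `ipaddress.ip_address()` / `ipaddress.ip_network()` before formatting and skipping the entry otherwise would keep a bad record from producing an unintended rule. The enclosing method starts before this hunk, so whether `rule` or `ports_list` is bound earlier could not be verified here.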