Adaptation des fonctions pour portail captif accueil

2018-08-25 18:31:32 +02:00 · 2018-08-25 18:31:32 +02:00 · 9adb949793
commit 9adb949793
parent b03a49d5d3
1 changed files with 15 additions and 20 deletions
--- a/main.py
+++ b/main.py
@ -48,6 +48,7 @@ class iptables:
        self.role = getattr(firewall_config, 'role', None)
        self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
        self.nat_settings = getattr(firewall_config, 'nat', None)
+        self.portail_settings = getattr(firewall_config, 'portail', None)

    def commit(self, chain):
        self.add(chain, "COMMIT\n")
@ -333,29 +334,25 @@ class iptables:
        self.init_filter(subtable, decision="-")
        self.jump_all_trafic("filter", "FORWARD", subtable, mode='4')

-        for ip in self.config.accueil_route.keys():
-            if 'tcp' in self.config.accueil_route[ip]:
-                self.add_in_subtable("filter4", subtable, """-p tcp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
-            if 'udp' in self.config.accueil_route[ip]:
-                self.add_in_subtable("filter4", subtable, """-p udp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
+        for protocol in self.portail_settings['autorized_hosts']:
+            for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
+                self.add_in_subtable("filter4", subtable, """-p %s -d %s -m multiport --dports %s -j ACCEPT""" % (protocol, ip, ','.join(ports)))
        self.add_in_subtable("filter4", subtable, """-j REJECT""")


    def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
-        """Nat les connexions derrière l'ip de la machine du portail"""
+        """Redirige les connexion 80 et 443 vers l'ip cible"""
        self.init_nat(subtable, decision="-")
        for interface in self.interfaces_settings['routable']:
            self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')

-        for ip in self.config.accueil_route.keys():
-            if 'tcp' in self.config.accueil_route[ip]:
-                self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
-            if 'udp' in self.config.accueil_route[ip]:
-                self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
-        self.add_in_subtable("nat4", subtable, """-p udp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' :self.config_firewall.portail['accueil']})
-        self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']})
-        self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']})
-        self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['isolement']})
+        for protocol in self.portail_settings['autorized_hosts']:
+            for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
+                self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j RETURN""" % (protocol, ip, ','.join(ports)))
+        for ip_range, destination in self.portail_settings['ip_redirect'].items():
+            for protocol, ip in destination.items():
+                for ip_dest, ports in ip.items():
+                    self.add_in_subtable("nat4", subtable, """-p %s -s %s -m multiport --dports %s -j DNAT --to %s""" % (protocol, ip_range, ','.join(ports), ip_dest))

    def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
        """Nat les connexions derrière l'ip de la machine du portail"""
@ -363,11 +360,9 @@ class iptables:
        for interface in self.interfaces_settings['sortie']:
            self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')

-        for ip in self.config.accueil_route.keys():
-            if 'tcp' in self.config.accueil_route[ip]:
-                self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
-            if 'udp' in self.config.accueil_route[ip]:
-                self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
+        for protocol in self.portail_settings['autorized_hosts']:
+            for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
+                self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j MASQUERADE""" % (protocol, ip, ','.join(ports)))

    def accept_established(self, subtable='ESTABLISHED-CONN'):
        """Accepte les connexions déjà établies"""