diff --git a/main.py b/main.py
index f5835fd..fc004be 100755
--- a/main.py
+++ b/main.py
@@ -48,6 +48,7 @@ class iptables:
 self.role = getattr(firewall_config, 'role', None)
 self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
 self.nat_settings = getattr(firewall_config, 'nat', None)
+ self.portail_settings = getattr(firewall_config, 'portail', None)
 def commit(self, chain):
 self.add(chain, "COMMIT\n")
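Review bot: The new `portail_settings` attribute defaults to None like its siblings, but the portal methods rewritten later in this commit subscript it unconditionally (`self.portail_settings['autorized_hosts']`, `self.portail_settings['ip_redirect']`), so a configuration without a `portail` section now fails with `TypeError: 'NoneType' object is not subscriptable` instead of a message naming the missing section. Either validate here, `if self.portail_settings is None: raise ValueError("firewall config has no 'portail' section")`, or guard at each use site. The enclosing method (presumably the constructor) starts before the hunk, so I cannot tell whether the sibling attributes are checked elsewhere.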
@@ -333,29 +334,25 @@ class iptables:
 self.init_filter(subtable, decision="-")
 self.jump_all_trafic("filter", "FORWARD", subtable, mode='4')
- for ip in self.config.accueil_route.keys():
- if 'tcp' in self.config.accueil_route[ip]:
- self.add_in_subtable("filter4", subtable, """-p tcp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
- if 'udp' in self.config.accueil_route[ip]:
- self.add_in_subtable("filter4", subtable, """-p udp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
+ for protocol in self.portail_settings['autorized_hosts']:
+ for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
+ self.add_in_subtable("filter4", subtable, """-p %s -d %s -m multiport --dports %s -j ACCEPT""" % (protocol, ip, ','.join(ports)))
 self.add_in_subtable("filter4", subtable, """-j REJECT""")
 def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
- """Nat les connexions derrière l'ip de la machine du portail"""
+ """Redirige les connexion 80 et 443 vers l'ip cible"""
 self.init_nat(subtable, decision="-")
 for interface in self.interfaces_settings['routable']:
 self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
- for ip in self.config.accueil_route.keys():
- if 'tcp' in self.config.accueil_route[ip]:
- self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
- if 'udp' in self.config.accueil_route[ip]:
- self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
- self.add_in_subtable("nat4", subtable, """-p udp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' :self.config_firewall.portail['accueil']})
- self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']})
- self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']})
- self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['isolement']})
+ for protocol in self.portail_settings['autorized_hosts']:
+ for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
+ self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j RETURN""" % (protocol, ip, ','.join(ports)))
+ for ip_range, destination in self.portail_settings['ip_redirect'].items():
+ for protocol, ip in destination.items():
+ for ip_dest, ports in ip.items():
+ self.add_in_subtable("nat4", subtable, """-p %s -s %s -m multiport --dports %s -j DNAT --to %s""" % (protocol, ip_range, ','.join(ports), ip_dest))
 def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
 """Nat les connexions derrière l'ip de la machine du portail"""
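Review bot: The new docstring `"""Redirige les connexion 80 et 443 vers l'ip cible"""` names ports 80 and 443, but the rewritten body of `capture_connexion_portail` no longer hard-codes any port: every DNAT rule now comes from `portail_settings['ip_redirect']`, so the docstring should describe that contract instead, e.g. `"""Redirect traffic per portail.ip_redirect, shaped {source_range: {protocol: {dest_ip: [ports]}}}; hosts listed in autorized_hosts get a RETURN first so they bypass the redirect."""`. In the triple loop the middle variable `ip` holds a mapping of destinations rather than an address, which reads badly next to `ip_range` and `ip_dest`; `for protocol, targets in destination.items():` / `for ip_dest, ports in targets.items():` is clearer. `','.join(ports)` (here and in the MASQUERADE loop of the next hunk) raises TypeError if the config parser yields integers for the ports, whereas `','.join(map(str, ports))` accepts both. The FORWARD-filter method at the top of the hunk begins before it, and `nat_connexion_portail` at the bottom continues past it.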
@@ -363,11 +360,9 @@ class iptables:
 for interface in self.interfaces_settings['sortie']:
 self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
- for ip in self.config.accueil_route.keys():
- if 'tcp' in self.config.accueil_route[ip]:
- self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
- if 'udp' in self.config.accueil_route[ip]:
- self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
+ for protocol in self.portail_settings['autorized_hosts']:
+ for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
+ self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j MASQUERADE""" % (protocol, ip, ','.join(ports)))
 def accept_established(self, subtable='ESTABLISHED-CONN'):
 """Accepte les connexions déjà établies"""
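Review bot: This is the third verbatim copy of the nested `for protocol … for ip, ports …` walk over `portail_settings['autorized_hosts']` (the previous hunk holds the ACCEPT and RETURN variants); only the table and the jump target differ, so a small generator keeps the three rule sets in lockstep and gives one place to validate the structure and stringify the ports. `nat_connexion_portail` starts before this hunk.

```python
def _authorized_hosts(self):
    """Yield (protocol, ip, "p1,p2,...") for every entry of portail.autorized_hosts."""
    for protocol, hosts in self.portail_settings['autorized_hosts'].items():
        for ip, ports in hosts.items():
            yield protocol, ip, ','.join(map(str, ports))

# … unchanged: nat_connexion_portail docstring and POSTROUTING jumps …
        for protocol, ip, ports in self._authorized_hosts():
            self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j MASQUERADE""" % (protocol, ip, ports))
```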