Adaptation des fonctions pour portail captif accueil
This commit is contained in:
parent
b03a49d5d3
commit
9adb949793
1 changed files with 15 additions and 20 deletions
35
main.py
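--- a/main.py
+++ b/main.py
@@ -48,6 +48,7 @@ class iptables:
 self.role = getattr(firewall_config, 'role', None)
 self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
 self.nat_settings = getattr(firewall_config, 'nat', None)
+self.portail_settings = getattr(firewall_config, 'portail', None)
 
 def commit(self, chain):
 self.add(chain, "COMMIT\n")
@@ -333,29 +334,25 @@ class iptables:
 self.init_filter(subtable, decision="-")
 self.jump_all_trafic("filter", "FORWARD", subtable, mode='4')
 
-for ip in self.config.accueil_route.keys():
-if 'tcp' in self.config.accueil_route[ip]:
-self.add_in_subtable("filter4", subtable, """-p tcp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
-if 'udp' in self.config.accueil_route[ip]:
-self.add_in_subtable("filter4", subtable, """-p udp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
+for protocol in self.portail_settings['autorized_hosts']:
+for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
+self.add_in_subtable("filter4", subtable, """-p %s -d %s -m multiport --dports %s -j ACCEPT""" % (protocol, ip, ','.join(ports)))
 self.add_in_subtable("filter4", subtable, """-j REJECT""")
 
 
 def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
-"""Nat les connexions derrière l'ip de la machine du portail"""
+"""Redirige les connexion 80 et 443 vers l'ip cible"""
 self.init_nat(subtable, decision="-")
 for interface in self.interfaces_settings['routable']:
 self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
 
-for ip in self.config.accueil_route.keys():
-if 'tcp' in self.config.accueil_route[ip]:
-self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
-if 'udp' in self.config.accueil_route[ip]:
-self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
-self.add_in_subtable("nat4", subtable, """-p udp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' :self.config_firewall.portail['accueil']})
-self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']})
-self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']})
-self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['isolement']})
+for protocol in self.portail_settings['autorized_hosts']:
+for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
+self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j RETURN""" % (protocol, ip, ','.join(ports)))
+for ip_range, destination in self.portail_settings['ip_redirect'].items():
+for protocol, ip in destination.items():
+for ip_dest, ports in ip.items():
+self.add_in_subtable("nat4", subtable, """-p %s -s %s -m multiport --dports %s -j DNAT --to %s""" % (protocol, ip_range, ','.join(ports), ip_dest))
 
 
 def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
 """Nat les connexions derrière l'ip de la machine du portail"""
@@ -363,11 +360,9 @@ class iptables:
 for interface in self.interfaces_settings['sortie']:
 self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
 
-for ip in self.config.accueil_route.keys():
-if 'tcp' in self.config.accueil_route[ip]:
-self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['tcp'])))
-if 'udp' in self.config.accueil_route[ip]:
-self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
+for protocol in self.portail_settings['autorized_hosts']:
+for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
+self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j MASQUERADE""" % (protocol, ip, ','.join(ports)))
 
 def accept_established(self, subtable='ESTABLISHED-CONN'):
 """Accepte les connexions déjà établies"""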
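Review bot: In capture_connexion_portail the new docstring `"""Redirige les connexion 80 et 443 vers l'ip cible"""` no longer describes the code, which DNATs whichever protocol/port combinations `self.portail_settings['ip_redirect']` lists for each source range rather than a fixed 80/443, so a docstring such as `"""Redirige les flux décrits dans portail.ip_redirect (source -> protocole -> destination -> ports) vers l'ip cible"""` would match the loop. In that same loop `for protocol, ip in destination.items():` binds a mapping of destination address to ports to the name `ip` and then iterates `ip.items()`; naming it `targets` would keep `ip` meaning an address as it does in the autorized_hosts loop just above. The `for protocol … for ip, ports …` walk over `autorized_hosts` is now copied verbatim into the filter ACCEPT, nat RETURN and nat MASQUERADE hunks, so a small generator yielding (protocol, ip, ports) would keep the three rule sets from drifting apart. Note that the fixed DNS (port 53) DNAT rules removed here now exist only if the configuration's ip_redirect lists them, which is presumably intended but worth confirming. The bodies of capture_connexion_portail and nat_connexion_portail continue outside the hunks.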