Adaptation des fonctions pour portail captif accueil

This commit is contained in:
chirac 2018-08-25 18:31:32 +02:00 committed by root
parent b03a49d5d3
commit 9adb949793

35
main.py

@ -48,6 +48,7 @@ class iptables:
self.role = getattr(firewall_config, 'role', None) self.role = getattr(firewall_config, 'role', None)
self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None) self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
self.nat_settings = getattr(firewall_config, 'nat', None) self.nat_settings = getattr(firewall_config, 'nat', None)
self.portail_settings = getattr(firewall_config, 'portail', None)
def commit(self, chain): def commit(self, chain):
self.add(chain, "COMMIT\n") self.add(chain, "COMMIT\n")
@ -333,29 +334,25 @@ class iptables:
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
self.jump_all_trafic("filter", "FORWARD", subtable, mode='4') self.jump_all_trafic("filter", "FORWARD", subtable, mode='4')
for ip in self.config.accueil_route.keys(): for protocol in self.portail_settings['autorized_hosts']:
if 'tcp' in self.config.accueil_route[ip]: for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
self.add_in_subtable("filter4", subtable, """-p tcp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['tcp']))) self.add_in_subtable("filter4", subtable, """-p %s -d %s -m multiport --dports %s -j ACCEPT""" % (protocol, ip, ','.join(ports)))
if 'udp' in self.config.accueil_route[ip]:
self.add_in_subtable("filter4", subtable, """-p udp -d %s -m multiport --dports %s -j ACCEPT""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
self.add_in_subtable("filter4", subtable, """-j REJECT""") self.add_in_subtable("filter4", subtable, """-j REJECT""")
def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"): def capture_connexion_portail(self, subtable="PORTAIL-CAPTIF-REDIRECT"):
"""Nat les connexions derrière l'ip de la machine du portail""" """Redirige les connexion 80 et 443 vers l'ip cible"""
self.init_nat(subtable, decision="-") self.init_nat(subtable, decision="-")
for interface in self.interfaces_settings['routable']: for interface in self.interfaces_settings['routable']:
self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4') self.jump_traficfrom("nat", interface, "PREROUTING", subtable, mode='4')
for ip in self.config.accueil_route.keys(): for protocol in self.portail_settings['autorized_hosts']:
if 'tcp' in self.config.accueil_route[ip]: for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['tcp']))) self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j RETURN""" % (protocol, ip, ','.join(ports)))
if 'udp' in self.config.accueil_route[ip]: for ip_range, destination in self.portail_settings['ip_redirect'].items():
self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j RETURN""" % (ip, ','.join(self.config.accueil_route[ip]['udp']))) for protocol, ip in destination.items():
self.add_in_subtable("nat4", subtable, """-p udp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' :self.config_firewall.portail['accueil']}) for ip_dest, ports in ip.items():
self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 53 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']}) self.add_in_subtable("nat4", subtable, """-p %s -s %s -m multiport --dports %s -j DNAT --to %s""" % (protocol, ip_range, ','.join(ports), ip_dest))
self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['accueil']})
self.add_in_subtable("nat4", subtable, """-p tcp -s %(ip)s/16 --dport 80 -j DNAT --to %(ip)s""" % {'ip' : self.config_firewall.portail['isolement']})
def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"): def nat_connexion_portail(self, subtable="PORTAIL-CAPTIF-NAT"):
"""Nat les connexions derrière l'ip de la machine du portail""" """Nat les connexions derrière l'ip de la machine du portail"""
@ -363,11 +360,9 @@ class iptables:
for interface in self.interfaces_settings['sortie']: for interface in self.interfaces_settings['sortie']:
self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4') self.jump_traficto("nat", interface, "POSTROUTING", subtable, mode='4')
for ip in self.config.accueil_route.keys(): for protocol in self.portail_settings['autorized_hosts']:
if 'tcp' in self.config.accueil_route[ip]: for ip, ports in self.portail_settings['autorized_hosts'][protocol].items():
self.add_in_subtable("nat4", subtable, """-p tcp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['tcp']))) self.add_in_subtable("nat4", subtable, """-p %s -d %s -m multiport --dports %s -j MASQUERADE""" % (protocol, ip, ','.join(ports)))
if 'udp' in self.config.accueil_route[ip]:
self.add_in_subtable("nat4", subtable, """-p udp -d %s -m multiport --dports %s -j MASQUERADE""" % (ip, ','.join(self.config.accueil_route[ip]['udp'])))
def accept_established(self, subtable='ESTABLISHED-CONN'): def accept_established(self, subtable='ESTABLISHED-CONN'):
"""Accepte les connexions déjà établies""" """Accepte les connexions déjà établies"""