|
|
|
@ -189,6 +189,7 @@ class iptables:
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Nat : priv" + nat_to_do['name'])
|
|
|
|
|
self.nat_prive_ip(nat_to_do)
|
|
|
|
|
self.jump_all_trafic("nat", "POSTROUTING", "MASQUERADE")
|
|
|
|
|
|
|
|
|
|
def routeur(self, table):
|
|
|
|
|
"""Methode appellée spécifiquement pour le parefeu v4/v6"""
|
|
|
|
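Review bot: The `self.jump_all_trafic("nat", "POSTROUTING", "MASQUERADE")` call, which by the 6→7 line count appears to be the line added here (and again in the identical hunk at -221,6 +222,7 inside `routeur`), installs a catch-all source NAT without naming an output interface, unlike the `jump_traficfrom("nat", iface, ...)` calls later in this diff. Indentation is not preserved on this page, but the call sits directly after `self.nat_prive_ip(nat_to_do)`, so if it is inside the per-entry loop the same MASQUERADE rule is appended once per NAT entry, and any flow the specific `nat_prive_ip` rules do not cover is rewritten to the router's own address on every egress interface, internal ones included, which removes the original source address from anything logged downstream. Restrict the jump to the uplink interface (or move it after the loop, guarded on the configured interface) and state the intent in a comment such as `# catch-all SNAT for flows not matched by nat_prive_ip; only meant for the WAN side`. The enclosing method starts above the hunk.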
@ -221,6 +222,7 @@ class iptables:
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Nat : priv" + nat_to_do['name'])
|
|
|
|
|
self.nat_prive_ip(nat_to_do)
|
|
|
|
|
self.jump_all_trafic("nat", "POSTROUTING", "MASQUERADE")
|
|
|
|
|
|
|
|
|
|
def portail(self, table):
|
|
|
|
|
if table == "filter":
|
|
|
|
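Review bot: `ip_sources = accueil.get("ip_sources", [])` defaults to an empty list, while the hunk at -575,7 +578,8 replaces the unconditional `self.ip_redirect(subtable_redir, {"0.0.0.0/0": ip_redirect})` with a loop over that list, so an existing `accueil` entry that does not declare `ip_sources` no longer gets any NAT redirect to the captive portal; whether the mangle side still blocks those hosts is not visible here, but the previous catch-all behaviour is lost silently. If the old behaviour is still the intended default, keep it as the default value, `ip_sources = accueil.get("ip_sources", ["0.0.0.0/0"])`, or make the key mandatory like `triggers` (`accueil["ip_sources"]`) so a missing key fails at generation time instead of opening the interface. The new `add_accueil` signature also inserts `ip_sources` positionally before `ip_redirect`, so any other caller outside this diff would now pass its redirect target as `ip_sources`; a docstring on `add_accueil` listing the parameters, in particular that `ip_sources` is a list of source networks that are redirected unless their MAC is in `allowed_set`, would make that contract visible. The caller's method starts above the hunk and `add_accueil` continues below it.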
@ -540,12 +542,13 @@ class iptables:
|
|
|
|
|
triggered = f"accueil_{iface}_triggered"
|
|
|
|
|
allowed = f"accueil_{iface}_allowed"
|
|
|
|
|
triggers = accueil["triggers"]
|
|
|
|
|
ip_sources = accueil.get("ip_sources", [])
|
|
|
|
|
ip_redirect = accueil.get("ip_redirect", {})
|
|
|
|
|
self.add_mac_ipset(allowed, accueil.get("grace_period", 120))
|
|
|
|
|
self.add_mac_ipset(triggered, accueil.get("retry_period", 240))
|
|
|
|
|
self.add_accueil(iface, allowed, triggered, triggers, ip_redirect)
|
|
|
|
|
self.add_accueil(iface, allowed, triggered, triggers, ip_sources, ip_redirect)
|
|
|
|
|
|
|
|
|
|
def add_accueil(self, iface, allowed_set, triggered_set, triggers, ip_redirect):
|
|
|
|
|
def add_accueil(self, iface, allowed_set, triggered_set, triggers, ip_sources, ip_redirect):
|
|
|
|
|
subtable = f"ACCUEIL-{iface}"
|
|
|
|
|
self.init_mangle(subtable, decision="-")
|
|
|
|
|
|
|
|
|
@ -575,7 +578,8 @@ class iptables:
|
|
|
|
|
# on redirige les machines non temporairement autorisées vers les
|
|
|
|
|
# portails captifs
|
|
|
|
|
self.add_in_subtable("nat", subtable_redir, f"-m set --match-set {allowed_set} src -j RETURN")
|
|
|
|
|
self.ip_redirect(subtable_redir, {"0.0.0.0/0": ip_redirect})
|
|
|
|
|
for ip_source in ip_sources:
|
|
|
|
|
self.ip_redirect(subtable_redir, {ip_source: ip_redirect})
|
|
|
|
|
|
|
|
|
|
self.jump_traficfrom("mangle", iface, "PREROUTING", subtable)
|
|
|
|
|
self.jump_traficfrom("nat", iface, "PREROUTING", subtable_redir)
|
|
|
|
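Review bot: Each `ip_source` goes from the config straight into `self.ip_redirect(subtable_redir, {ip_source: ip_redirect})`, and by analogy with the f-string rule on the `add_in_subtable` line above it presumably ends up verbatim in a nat rule, so a malformed value only surfaces when the ruleset is loaded, if at all. Validating the entries once before the loop, `ip_sources = [str(ipaddress.ip_network(s, strict=False)) for s in ip_sources]`, would reject typos at generation time and normalise host/prefix notation; this needs `import ipaddress` at the top of the file, which is outside the hunk. The empty-list default is raised on the hunk at -540,12 +542,13. The enclosing `add_accueil` starts above the hunk.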
@ -625,7 +629,11 @@ class iptables:
|
|
|
|
|
if 'extra_nat' in nat_type:
|
|
|
|
|
### Extra-nat (ex : Pour que le routeur ait accès à internet)
|
|
|
|
|
for ip_source, ip_to_nat in nat_type['extra_nat'].items():
|
|
|
|
|
self.add_in_subtable("nat4", subtable, '-s ' + ip_source + ' -j SNAT --to-source ' + ip_to_nat)
|
|
|
|
|
rule = ""
|
|
|
|
|
if 'extra_nat_group' in nat_type:
|
|
|
|
|
rule = "-m set --match-set " + nat_type['extra_nat_group'] + " src "
|
|
|
|
|
rule += '-s ' + ip_source + ' -j SNAT --to-source ' + ip_to_nat
|
|
|
|
|
self.add_in_subtable("nat4", subtable, rule)
|
|
|
|
|
|
|
|
|
|
def gen_mangle(self, empty=False):
|
|
|
|
|
"""Génération de la chaine mangle"""
|
|
|
|
|
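Review bot: `rule = ""` and the `if 'extra_nat_group' in nat_type:` test are re-evaluated for every `extra_nat` entry although the match-set prefix never changes inside the loop; indentation is lost on this page, so it is also not visible whether `rule = ""` really sits inside the loop — if it were above the `for`, `rule +=` would append each iteration's `-s ... -j SNAT ...` to the previous one and emit a single malformed rule. Hoisting the prefix removes both concerns and lets the rule use the f-string form the rest of this diff already uses: `prefix = f"-m set --match-set {nat_type['extra_nat_group']} src " if 'extra_nat_group' in nat_type else ""` before the loop, then `self.add_in_subtable("nat4", subtable, f"{prefix}-s {ip_source} -j SNAT --to-source {ip_to_nat}")` as the loop body. A short comment on the optional key would also help, e.g. `# extra_nat_group: optional ipset; when set, only sources that are both in ip_source and in the set are SNATed`. The enclosing method starts above the hunk.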