aurore/aurore-firewall
11
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Configure captive portal v1

Browse source 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
ynerant 2021-02-01 14:58:29 +01:00
parent 1b8e3c9fb2
commit a3fd508d09
Signed by untrusted user: ynerant
GPG key ID: 3A75C55819C8CF85
2 changed files with 52 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
firewall_config.example.py
View file

@ -23,11 +23,11 @@
### Specify each interface role ### Specify each interface role
role = ['routeur', 'portail'] role = ['routeur'] # , 'portail']
interfaces_type = { interfaces_type = {
'routable' : ['eth1', 'eth2'], 'routable' : ['eth1', 'eth2'],
'routable-portail': ['eth2'], # 'routable-portail': ['eth2'],
'sortie' : ['eth3', 'eth4'], 'sortie' : ['eth3', 'eth4'],
'admin' : ['eth5', 'eth6'] 'admin' : ['eth5', 'eth6']
} }
@ -57,19 +57,44 @@ nat = [
} }
] ]
portail = { # portail = {
"autorized_hosts": { # "autorized_hosts": {
"tcp": { # "tcp": {
"45.66.111.61": ["80", "443"], # "45.66.111.61": ["80", "443"],
"185.230.79.10": ["80", "443"] # "185.230.79.10": ["80", "443"]
}, # },
"udp": {} # "udp": {}
}, # },
"ip_redirect": { # "ip_redirect": {
"0.0.0.0/0": { # "0.0.0.0/0": {
# "tcp": {
# "45.66.111.61": ["80", "443"]
# }
# }
# }
# }
# ATTENTION: on doit avoir retry ≥ grace
# ATTENTION: il faut que ip_redirect gère tous les ports
# autorisés dans le profile re2o, sinon on laisse sortir
# du trafic
accueils = [
{
'iface': 'ens23',
'grace_period': 1800,
'retry_period': 86400,
'ip_sources': [
'10.43.1.0/24',
'10.43.2.0/24',
],
'ip_redirect': {
"tcp": { "tcp": {
"45.66.111.61": ["80", "443"] "10.43.0.247": ["80", "443"]
} }
} },
'triggers': [
('4', 'tcp', '46.255.53.35', 443), # ComNPay
('4', 'tcp', '46.255.53.35', 80),
]
} }
} ]

16
main.py
View file

@ -189,6 +189,7 @@ class iptables:
if self.verbose: if self.verbose:
print("Nat : priv" + nat_to_do['name']) print("Nat : priv" + nat_to_do['name'])
self.nat_prive_ip(nat_to_do) self.nat_prive_ip(nat_to_do)
self.jump_all_trafic("nat", "POSTROUTING", "MASQUERADE")
def routeur(self, table): def routeur(self, table):
"""Methode appellée spécifiquement pour le parefeu v4/v6""" """Methode appellée spécifiquement pour le parefeu v4/v6"""
@ -221,6 +222,7 @@ class iptables:
if self.verbose: if self.verbose:
print("Nat : priv" + nat_to_do['name']) print("Nat : priv" + nat_to_do['name'])
self.nat_prive_ip(nat_to_do) self.nat_prive_ip(nat_to_do)
self.jump_all_trafic("nat", "POSTROUTING", "MASQUERADE")
def portail(self, table): def portail(self, table):
if table == "filter": if table == "filter":
@ -540,12 +542,13 @@ class iptables:
triggered = f"accueil_{iface}_triggered" triggered = f"accueil_{iface}_triggered"
allowed = f"accueil_{iface}_allowed" allowed = f"accueil_{iface}_allowed"
triggers = accueil["triggers"] triggers = accueil["triggers"]
ip_sources = accueil.get("ip_sources", [])
ip_redirect = accueil.get("ip_redirect", {}) ip_redirect = accueil.get("ip_redirect", {})
self.add_mac_ipset(allowed, accueil.get("grace_period", 120)) self.add_mac_ipset(allowed, accueil.get("grace_period", 120))
self.add_mac_ipset(triggered, accueil.get("retry_period", 240)) self.add_mac_ipset(triggered, accueil.get("retry_period", 240))
self.add_accueil(iface, allowed, triggered, triggers, ip_redirect) self.add_accueil(iface, allowed, triggered, triggers, ip_sources, ip_redirect)
def add_accueil(self, iface, allowed_set, triggered_set, triggers, ip_redirect): def add_accueil(self, iface, allowed_set, triggered_set, triggers, ip_sources, ip_redirect):
subtable = f"ACCUEIL-{iface}" subtable = f"ACCUEIL-{iface}"
self.init_mangle(subtable, decision="-") self.init_mangle(subtable, decision="-")
@ -575,7 +578,8 @@ class iptables:
# on redirige les machines non temporairement autorisées vers les # on redirige les machines non temporairement autorisées vers les
# portails captifs # portails captifs
self.add_in_subtable("nat", subtable_redir, f"-m set --match-set {allowed_set} src -j RETURN") self.add_in_subtable("nat", subtable_redir, f"-m set --match-set {allowed_set} src -j RETURN")
self.ip_redirect(subtable_redir, {"0.0.0.0/0": ip_redirect}) for ip_source in ip_sources:
self.ip_redirect(subtable_redir, {ip_source: ip_redirect})
self.jump_traficfrom("mangle", iface, "PREROUTING", subtable) self.jump_traficfrom("mangle", iface, "PREROUTING", subtable)
self.jump_traficfrom("nat", iface, "PREROUTING", subtable_redir) self.jump_traficfrom("nat", iface, "PREROUTING", subtable_redir)
@ -625,7 +629,11 @@ class iptables:
if 'extra_nat' in nat_type: if 'extra_nat' in nat_type:
### Extra-nat (ex : Pour que le routeur ait accès à internet) ### Extra-nat (ex : Pour que le routeur ait accès à internet)
for ip_source, ip_to_nat in nat_type['extra_nat'].items(): for ip_source, ip_to_nat in nat_type['extra_nat'].items():
self.add_in_subtable("nat4", subtable, '-s ' + ip_source + ' -j SNAT --to-source ' + ip_to_nat) rule = ""
if 'extra_nat_group' in nat_type:
rule = "-m set --match-set " + nat_type['extra_nat_group'] + " src "
rule += '-s ' + ip_source + ' -j SNAT --to-source ' + ip_to_nat
self.add_in_subtable("nat4", subtable, rule)
def gen_mangle(self, empty=False): def gen_mangle(self, empty=False):
"""Génération de la chaine mangle""" """Génération de la chaine mangle"""