aurore/aurore-firewall
11
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Configure captive portal v1

Browse source 
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
ynerant 2021-02-01 14:58:29 +01:00
parent 1b8e3c9fb2
commit a3fd508d09
Signed by untrusted user: ynerant
GPG key ID: 3A75C55819C8CF85
2 changed files with 52 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
firewall_config.example.py
View file

@ -23,11 +23,11 @@
### Specify each interface role
role = ['routeur', 'portail']
role = ['routeur'] # , 'portail']
interfaces_type = {
'routable' : ['eth1', 'eth2'],
'routable-portail': ['eth2'],
# 'routable-portail': ['eth2'],
'sortie' : ['eth3', 'eth4'],
'admin' : ['eth5', 'eth6']
}
@ -57,19 +57,44 @@ nat = [
}
]
portail = {
"autorized_hosts": {
# portail = {
# "autorized_hosts": {
# "tcp": {
# "45.66.111.61": ["80", "443"],
# "185.230.79.10": ["80", "443"]
# },
# "udp": {}
# },
# "ip_redirect": {
# "0.0.0.0/0": {
# "tcp": {
# "45.66.111.61": ["80", "443"]
# }
# }
# }
# }
# ATTENTION: on doit avoir retry ≥ grace
# ATTENTION: il faut que ip_redirect gère tous les ports
# autorisés dans le profile re2o, sinon on laisse sortir
# du trafic
accueils = [
{
'iface': 'ens23',
'grace_period': 1800,
'retry_period': 86400,
'ip_sources': [
'10.43.1.0/24',
'10.43.2.0/24',
],
'ip_redirect': {
"tcp": {
"45.66.111.61": ["80", "443"],
"185.230.79.10": ["80", "443"]
"10.43.0.247": ["80", "443"]
}
},
"udp": {}
},
"ip_redirect": {
"0.0.0.0/0": {
"tcp": {
"45.66.111.61": ["80", "443"]
}
}
}
'triggers': [
('4', 'tcp', '46.255.53.35', 443), # ComNPay
('4', 'tcp', '46.255.53.35', 80),
]
}
]

16
main.py
View file

@ -189,6 +189,7 @@ class iptables:
if self.verbose:
print("Nat : priv" + nat_to_do['name'])
self.nat_prive_ip(nat_to_do)
self.jump_all_trafic("nat", "POSTROUTING", "MASQUERADE")
def routeur(self, table):
"""Methode appellée spécifiquement pour le parefeu v4/v6"""
@ -221,6 +222,7 @@ class iptables:
if self.verbose:
print("Nat : priv" + nat_to_do['name'])
self.nat_prive_ip(nat_to_do)
self.jump_all_trafic("nat", "POSTROUTING", "MASQUERADE")
def portail(self, table):
if table == "filter":
@ -540,12 +542,13 @@ class iptables:
triggered = f"accueil_{iface}_triggered"
allowed = f"accueil_{iface}_allowed"
triggers = accueil["triggers"]
ip_sources = accueil.get("ip_sources", [])
ip_redirect = accueil.get("ip_redirect", {})
self.add_mac_ipset(allowed, accueil.get("grace_period", 120))
self.add_mac_ipset(triggered, accueil.get("retry_period", 240))
self.add_accueil(iface, allowed, triggered, triggers, ip_redirect)
self.add_accueil(iface, allowed, triggered, triggers, ip_sources, ip_redirect)
def add_accueil(self, iface, allowed_set, triggered_set, triggers, ip_redirect):
def add_accueil(self, iface, allowed_set, triggered_set, triggers, ip_sources, ip_redirect):
subtable = f"ACCUEIL-{iface}"
self.init_mangle(subtable, decision="-")
@ -575,7 +578,8 @@ class iptables:
# on redirige les machines non temporairement autorisées vers les
# portails captifs
self.add_in_subtable("nat", subtable_redir, f"-m set --match-set {allowed_set} src -j RETURN")
self.ip_redirect(subtable_redir, {"0.0.0.0/0": ip_redirect})
for ip_source in ip_sources:
self.ip_redirect(subtable_redir, {ip_source: ip_redirect})
self.jump_traficfrom("mangle", iface, "PREROUTING", subtable)
self.jump_traficfrom("nat", iface, "PREROUTING", subtable_redir)
@ -625,7 +629,11 @@ class iptables:
if 'extra_nat' in nat_type:
### Extra-nat (ex : Pour que le routeur ait accès à internet)
for ip_source, ip_to_nat in nat_type['extra_nat'].items():
self.add_in_subtable("nat4", subtable, '-s ' + ip_source + ' -j SNAT --to-source ' + ip_to_nat)
rule = ""
if 'extra_nat_group' in nat_type:
rule = "-m set --match-set " + nat_type['extra_nat_group'] + " src "
rule += '-s ' + ip_source + ' -j SNAT --to-source ' + ip_to_nat
self.add_in_subtable("nat4", subtable, rule)
def gen_mangle(self, empty=False):
"""Génération de la chaine mangle"""