|
|
|
|
@ -42,6 +42,7 @@ class iptables:
|
|
|
|
|
self.filter6 = "\n*filter"
|
|
|
|
|
self.subnet_ports = api_client.list("firewall/subnet-ports/")
|
|
|
|
|
self.interface_ports = api_client.list("firewall/interface-ports/")
|
|
|
|
|
self.normal_users = api_client.list("users/normaluser/")
|
|
|
|
|
self.verbose = False
|
|
|
|
|
self.action = None
|
|
|
|
|
self.export = False
|
|
|
|
|
@ -202,7 +203,6 @@ class iptables:
|
|
|
|
|
def users(self, table):
|
|
|
|
|
"""Securisation d'un serveur avec comptes d'utilisateurs"""
|
|
|
|
|
if table == 'filter':
|
|
|
|
|
#self.blacklist_output()
|
|
|
|
|
self.base_filter()
|
|
|
|
|
if self.verbose:
|
|
|
|
|
print("Filter : Forbid admin vlan for users")
|
|
|
|
|
@ -453,25 +453,14 @@ class iptables:
|
|
|
|
|
if machine.blacklist_actif() and set(bl['type'] for bl in machine.blacklist_actif()).intersection(self.config.blacklist_sanctions) and machine['macAddress'] and machine['macAddress'][0].value != '<automatique>':
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-m mac --mac-source %s -j REJECT""" % machine['macAddress'][0].value)
|
|
|
|
|
|
|
|
|
|
def blacklist_output(self, subtable='BLACKLIST-OUTPUT'):
|
|
|
|
|
"""Génération de la chaine blackliste output, meme idée que si dessus sauf que
|
|
|
|
|
ici on filtre les users uid sur un serveur et non leurs ip"""
|
|
|
|
|
self.init_filter(subtable, decision="-")
|
|
|
|
|
for interface in self.interfaces_settings['routable']:
|
|
|
|
|
self.jump_traficto("filter", interface, "OUTPUT", subtable)
|
|
|
|
|
|
|
|
|
|
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
|
|
|
|
|
if user.blacklist_actif():
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uidNumber'][0].value)
|
|
|
|
|
|
|
|
|
|
def forbid_adm(self, subtable='ADMIN-VLAN'):
|
|
|
|
|
"""Interdit aux users non admin de parler sur les vlans admin"""
|
|
|
|
|
self.init_filter(subtable, decision="-")
|
|
|
|
|
for interface in self.interfaces_settings['admin']:
|
|
|
|
|
self.jump_traficto("filter", interface, "OUTPUT", subtable)
|
|
|
|
|
|
|
|
|
|
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uidNumber'][0].value)
|
|
|
|
|
for user in self.normal_users:
|
|
|
|
|
self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uid'])
|
|
|
|
|
|
|
|
|
|
def gen_nat(self, empty=False):
|
|
|
|
|
"""Génération de la chaine nat"""
|
|
|
|
|
|
root