Zamok firewall complete
parent
9adb949793
commit
c2163edc1e
1 changed files with 3 additions and 14 deletions
17
main.py
17
main.py
|
@ -42,6 +42,7 @@ class iptables:
|
|||
self.filter6 = "\n*filter"
|
||||
self.subnet_ports = api_client.list("firewall/subnet-ports/")
|
||||
self.interface_ports = api_client.list("firewall/interface-ports/")
|
||||
self.normal_users = api_client.list("users/normaluser/")
|
||||
self.verbose = False
|
||||
self.action = None
|
||||
self.export = False
|
||||
|
@ -202,7 +203,6 @@ class iptables:
|
|||
def users(self, table):
|
||||
"""Securisation d'un serveur avec comptes d'utilisateurs"""
|
||||
if table == 'filter':
|
||||
#self.blacklist_output()
|
||||
self.base_filter()
|
||||
if self.verbose:
|
||||
print("Filter : Forbid admin vlan for users")
|
||||
|
@ -453,25 +453,14 @@ class iptables:
|
|||
if machine.blacklist_actif() and set(bl['type'] for bl in machine.blacklist_actif()).intersection(self.config.blacklist_sanctions) and machine['macAddress'] and machine['macAddress'][0].value != '<automatique>':
|
||||
self.add_in_subtable("filter", subtable, """-m mac --mac-source %s -j REJECT""" % machine['macAddress'][0].value)
|
||||
|
||||
def blacklist_output(self, subtable='BLACKLIST-OUTPUT'):
|
||||
"""Génération de la chaine blackliste output, meme idée que si dessus sauf que
|
||||
ici on filtre les users uid sur un serveur et non leurs ip"""
|
||||
self.init_filter(subtable, decision="-")
|
||||
for interface in self.interfaces_settings['routable']:
|
||||
self.jump_traficto("filter", interface, "OUTPUT", subtable)
|
||||
|
||||
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
|
||||
if user.blacklist_actif():
|
||||
self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uidNumber'][0].value)
|
||||
|
||||
def forbid_adm(self, subtable='ADMIN-VLAN'):
|
||||
"""Interdit aux users non admin de parler sur les vlans admin"""
|
||||
self.init_filter(subtable, decision="-")
|
||||
for interface in self.interfaces_settings['admin']:
|
||||
self.jump_traficto("filter", interface, "OUTPUT", subtable)
|
||||
|
||||
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
|
||||
self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uidNumber'][0].value)
|
||||
for user in self.normal_users:
|
||||
self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uid'])
|
||||
|
||||
def gen_nat(self, empty=False):
|
||||
"""Génération de la chaine nat"""
|
||||
|
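Review bot: The new loop at the end of forbid_adm interpolates `user['uid']` straight into `-m owner --uid-owner %s -j REJECT`, whereas the removed LDAP loop used the numeric `uidNumber`; if `uid` as returned by `users/normaluser/` is a login name, `--uid-owner` has to resolve it through the host's user database when the rules are loaded, and a value containing whitespace or other unexpected characters would change the rule text rather than fail cleanly. I would validate each value before building the rule, e.g. `if not re.fullmatch(r'[A-Za-z0-9._-]+', str(user['uid'])): raise ValueError(user['uid'])`, and use the numeric id if the endpoint exposes one (the file's import block is outside the hunk, so `re` may need adding). The exclusion of `nounou`/`apprenti` accounts, which the old LDAP filter spelled out, now rests entirely on what the `users/normaluser/` endpoint returns, and forbid_adm's docstring should state that the user set comes from that endpoint and is expected to already exclude privileged roles. The removal of `blacklist_output` and of its commented-out call in `users` is consistent with this, and gen_nat, which starts at the bottom of the hunk, continues outside it.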
|