From c2163edc1ec775ce9e4b5694325e5d690821e585 Mon Sep 17 00:00:00 2001
From: Gabriel Detraz
Date: Sat, 17 Nov 2018 19:32:03 +0100
Subject: [PATCH] Zamok firewall complete

---
 main.py | 17 +++-------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/main.py b/main.py
index fc004be..617607f 100755
--- a/main.py
+++ b/main.py
@@ -42,6 +42,7 @@ class iptables:
         self.filter6 = "\n*filter"
         self.subnet_ports = api_client.list("firewall/subnet-ports/")
         self.interface_ports = api_client.list("firewall/interface-ports/")
+        self.normal_users = api_client.list("users/normaluser/")
         self.verbose = False
         self.action = None
         self.export = False
@@ -202,7 +203,6 @@ class iptables:
     def users(self, table):
         """Securisation d'un serveur avec comptes d'utilisateurs"""
         if table == 'filter':
-            #self.blacklist_output()
             self.base_filter()
             if self.verbose:
                 print("Filter : Forbid admin vlan for users")
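Review bot: The new `self.normal_users` attribute carries no comment saying what it holds, and the only clue is far away in forbid_adm (hunk at -453) where each entry's `uid` is interpolated into a `--uid-owner` rule. A one-line comment such as `# non-admin accounts (dicts carrying a 'uid' key), consumed by forbid_adm` next to the assignment would make that dependency visible to whoever next changes the API client or the endpoint. The fetch also runs unconditionally in the constructor, which starts outside the hunk, even for runs that never call forbid_adm; that matches how subnet_ports and interface_ports are already handled, so it is a consistency rather than a correctness point.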
@@ -453,25 +453,14 @@ class iptables:
             if machine.blacklist_actif() and set(bl['type'] for bl in machine.blacklist_actif()).intersection(self.config.blacklist_sanctions) and machine['macAddress'] and machine['macAddress'][0].value != '':
                 self.add_in_subtable("filter", subtable, """-m mac --mac-source %s -j REJECT""" % machine['macAddress'][0].value)
 
-    def blacklist_output(self, subtable='BLACKLIST-OUTPUT'):
-        """Génération de la chaine blackliste output, meme idée que si dessus sauf que
-        ici on filtre les users uid sur un serveur et non leurs ip"""
-        self.init_filter(subtable, decision="-")
-        for interface in self.interfaces_settings['routable']:
-            self.jump_traficto("filter", interface, "OUTPUT", subtable)
-
-        for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
-            if user.blacklist_actif():
-                self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uidNumber'][0].value)
-
     def forbid_adm(self, subtable='ADMIN-VLAN'):
         """Interdit aux users non admin de parler sur les vlans admin"""
         self.init_filter(subtable, decision="-")
         for interface in self.interfaces_settings['admin']:
             self.jump_traficto("filter", interface, "OUTPUT", subtable)
 
-        for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
-            self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uidNumber'][0].value)
+        for user in self.normal_users:
+            self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uid'])
 
     def gen_nat(self, empty=False):
         """Génération de la chaine nat"""
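Review bot: `user['uid']` in the new forbid_adm loop is interpolated straight into an iptables rule with nothing guarding against an entry whose `uid` is missing or empty, which would emit `--uid-owner None` or `--uid-owner ` and make the whole ruleset fail to load, whereas the old LDAP query at least filtered on `(uidNumber=*)`. A guard such as `if not user.get('uid'): continue` before the add_in_subtable call keeps one bad record from taking the ADMIN-VLAN chain down; `-m owner --uid-owner` accepts a login name as well as a numeric id, so the switch from uidNumber to uid is otherwise fine provided the API returns the login name in that field. The commit also deletes blacklist_output instead of porting it to the API, so host-level REJECT of blacklisted users' OUTPUT on routable interfaces is no longer available; its call was already commented out (hunk at -202), so this may be deliberate, but if the users/normaluser/ endpoint exposes blacklist state it would be worth keeping the sanction, or otherwise noting in the users() docstring that it is not enforced. The method holding the `--mac-source` context lines at the top of the hunk starts outside it.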