aurore/aurore-firewall
12
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Zamok firewall complete

Browse source
This commit is contained in:
chirac 2018-11-17 19:32:03 +01:00 committed by root
parent 9adb949793
commit c2163edc1e
1 changed files with 3 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
main.py
View file

@ -42,6 +42,7 @@ class iptables:
self.filter6 = "\n*filter" self.filter6 = "\n*filter"
self.subnet_ports = api_client.list("firewall/subnet-ports/") self.subnet_ports = api_client.list("firewall/subnet-ports/")
self.interface_ports = api_client.list("firewall/interface-ports/") self.interface_ports = api_client.list("firewall/interface-ports/")
self.normal_users = api_client.list("users/normaluser/")
self.verbose = False self.verbose = False
self.action = None self.action = None
self.export = False self.export = False
@ -202,7 +203,6 @@ class iptables:
def users(self, table): def users(self, table):
"""Securisation d'un serveur avec comptes d'utilisateurs""" """Securisation d'un serveur avec comptes d'utilisateurs"""
if table == 'filter': if table == 'filter':
#self.blacklist_output()
self.base_filter() self.base_filter()
if self.verbose: if self.verbose:
print("Filter : Forbid admin vlan for users") print("Filter : Forbid admin vlan for users")
@ -453,25 +453,14 @@ class iptables:
if machine.blacklist_actif() and set(bl['type'] for bl in machine.blacklist_actif()).intersection(self.config.blacklist_sanctions) and machine['macAddress'] and machine['macAddress'][0].value != '<automatique>': if machine.blacklist_actif() and set(bl['type'] for bl in machine.blacklist_actif()).intersection(self.config.blacklist_sanctions) and machine['macAddress'] and machine['macAddress'][0].value != '<automatique>':
self.add_in_subtable("filter", subtable, """-m mac --mac-source %s -j REJECT""" % machine['macAddress'][0].value) self.add_in_subtable("filter", subtable, """-m mac --mac-source %s -j REJECT""" % machine['macAddress'][0].value)
def blacklist_output(self, subtable='BLACKLIST-OUTPUT'):
"""Génération de la chaine blackliste output, meme idée que si dessus sauf que
ici on filtre les users uid sur un serveur et non leurs ip"""
self.init_filter(subtable, decision="-")
for interface in self.interfaces_settings['routable']:
self.jump_traficto("filter", interface, "OUTPUT", subtable)
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000):
if user.blacklist_actif():
self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uidNumber'][0].value)
def forbid_adm(self, subtable='ADMIN-VLAN'): def forbid_adm(self, subtable='ADMIN-VLAN'):
"""Interdit aux users non admin de parler sur les vlans admin""" """Interdit aux users non admin de parler sur les vlans admin"""
self.init_filter(subtable, decision="-") self.init_filter(subtable, decision="-")
for interface in self.interfaces_settings['admin']: for interface in self.interfaces_settings['admin']:
self.jump_traficto("filter", interface, "OUTPUT", subtable) self.jump_traficto("filter", interface, "OUTPUT", subtable)
for user in self.conn.search(u'(&(uidNumber=*)(!(droits=nounou))(!(droits=apprenti))(|(objectClass=adherent)(objectClass=club)))', sizelimit=10000): for user in self.normal_users:
self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uidNumber'][0].value) self.add_in_subtable("filter", subtable, """-m owner --uid-owner %s -j REJECT""" % user['uid'])
def gen_nat(self, empty=False): def gen_nat(self, empty=False):
"""Génération de la chaine nat""" """Génération de la chaine nat"""