Permet de faire un nat simple (routeur-aurore) sans plage de ports

This commit is contained in:
chirac 2019-10-29 16:24:08 +01:00 committed by root
parent 0120cfbb5f
commit fb2f52e94d

66
main.py
View file

@ -475,44 +475,46 @@ class iptables:
self.init_nat(subtable, decision="-") self.init_nat(subtable, decision="-")
self.jump_all_trafic("nat", "POSTROUTING", subtable, mode='4') self.jump_all_trafic("nat", "POSTROUTING", subtable, mode='4')
nat_prive_ip_plage = nat_type['ip_sources'] if 'interfaces_ip_to_nat' in nat_type and 'ip_sources' in nat_type:
for nat_ip_range in range(1, 11): nat_prive_ip_plage = nat_type['ip_sources']
range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range ) for nat_ip_range in range(1, 11):
self.init_nat(range_name, decision="-") range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range )
self.add_in_subtable("nat4", subtable, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.0/24 -j ' + range_name) self.init_nat(range_name, decision="-")
for nat_ip_range in range(1, 11): self.add_in_subtable("nat4", subtable, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.0/24 -j ' + range_name)
range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range) for nat_ip_range in range(1, 11):
nat_rule_tcp = "" range_name = 'nat' + nat_prive_ip_plage.split('.')[1] + '_' + str("%02d" % nat_ip_range)
nat_rule_udp = "" nat_rule_tcp = ""
for nat_ip_subrange in range(16): nat_rule_udp = ""
subrange_name = range_name + '_' + str(hex(nat_ip_subrange)[2:]) for nat_ip_subrange in range(16):
self.init_nat(subrange_name, decision="-") subrange_name = range_name + '_' + str(hex(nat_ip_subrange)[2:])
self.add_in_subtable("nat4", range_name, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.' + str(nat_ip_subrange*16) + '/28 -j ' + subrange_name) self.init_nat(subrange_name, decision="-")
for nat_private_ip in range(256): self.add_in_subtable("nat4", range_name, '-s ' + '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.' + str(nat_ip_subrange*16) + '/28 -j ' + subrange_name)
ip_src = '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.' + str(nat_private_ip) + '/32' for nat_private_ip in range(256):
ip_src = '.'.join(nat_prive_ip_plage.split('.')[:2]) + '.' + str(nat_ip_range) + '.' + str(nat_private_ip) + '/32'
port_low = 1000 + 1000*(nat_private_ip%64) port_low = 1000 + 1000*(nat_private_ip%64)
port_high = port_low + 999 port_high = port_low + 999
subrange_name = range_name + '_' + str(hex(nat_private_ip//16)[2:]) subrange_name = range_name + '_' + str(hex(nat_private_ip//16)[2:])
# On nat # On nat
for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items(): for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str((int(nat_prive_ip_plage.split('.')[1][0]) - 1)*40 + 4*(nat_ip_range - 1) + nat_private_ip//64) ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str((int(nat_prive_ip_plage.split('.')[1][0]) - 1)*40 + 4*(nat_ip_range - 1) + nat_private_ip//64)
nat_rule_tcp += '\n-A %s -s %s -o %s -p tcp -j SNAT --to-source %s' % (subrange_name, ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)) nat_rule_tcp += '\n-A %s -s %s -o %s -p tcp -j SNAT --to-source %s' % (subrange_name, ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high))
nat_rule_udp += '\n-A %s -s %s -o %s -p udp -j SNAT --to-source %s' % (subrange_name, ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)) nat_rule_udp += '\n-A %s -s %s -o %s -p udp -j SNAT --to-source %s' % (subrange_name, ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high))
self.add("nat4", nat_rule_tcp) self.add("nat4", nat_rule_tcp)
self.add("nat4", nat_rule_udp) self.add("nat4", nat_rule_udp)
# On nat tout ce qui match dans les règles et qui n'est pas du tcp/udp derrière la première ip publique unused (25*10) + 1 # On nat tout ce qui match dans les règles et qui n'est pas du tcp/udp derrière la première ip publique unused (25*10) + 1
# Ne pas oublier de loguer ce qui sort de cette ip # Ne pas oublier de loguer ce qui sort de cette ip
for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items(): for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
self.add_in_subtable("nat4", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (interface,) + '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(250 + int(nat_prive_ip_plage.split('.')[1][0]))) self.add_in_subtable("nat4", subtable, '-s ' + nat_prive_ip_plage + ' -o %s -j SNAT --to-source ' % (interface,) + '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(250 + int(nat_prive_ip_plage.split('.')[1][0])))
### Extra-nat (ex : Pour que le routeur ait accès à internet) if 'extra_nat' in nat_type:
for ip_source, ip_to_nat in nat_type['extra_nat'].items(): ### Extra-nat (ex : Pour que le routeur ait accès à internet)
self.add_in_subtable("nat4", subtable, '-s ' + ip_source + ' -j SNAT --to-source ' + ip_to_nat) for ip_source, ip_to_nat in nat_type['extra_nat'].items():
self.add_in_subtable("nat4", subtable, '-s ' + ip_source + ' -j SNAT --to-source ' + ip_to_nat)
def gen_mangle(self, empty=False): def gen_mangle(self, empty=False):
"""Génération de la chaine mangle""" """Génération de la chaine mangle"""