Commit 0731aa4e by Bach Dániel

Merge branch 'firewall-fixes' into 'master'

Firewall Fixes
parents 601f4803 048d3e30
...@@ -62,6 +62,15 @@ class BuildFirewall: ...@@ -62,6 +62,15 @@ class BuildFirewall:
extra='-j DNAT --to-destination %s:%s' % (rule.host.ipv4, extra='-j DNAT --to-destination %s:%s' % (rule.host.ipv4,
rule.dport))) rule.dport)))
# SNAT rules for machines with public IPv4
for host in Host.objects.exclude(external_ipv4=None).select_related(
'vlan').prefetch_related('vlan__snat_to'):
for vl_out in host.vlan.snat_to.all():
self.add_rules(POSTROUTING=IptRule(
priority=1500, src=(host.ipv4, None),
extra='-o %s -j SNAT --to-source %s' % (
vl_out.name, host.external_ipv4)))
# default outbound NAT rules for VLANs # default outbound NAT rules for VLANs
for vl_in in Vlan.objects.exclude( for vl_in in Vlan.objects.exclude(
snat_ip=None).prefetch_related('snat_to'): snat_ip=None).prefetch_related('snat_to'):
...@@ -183,9 +192,12 @@ def generate_ptr_records(): ...@@ -183,9 +192,12 @@ def generate_ptr_records():
for host in Host.objects.order_by('vlan').all(): for host in Host.objects.order_by('vlan').all():
template = host.vlan.reverse_domain template = host.vlan.reverse_domain
i = host.get_external_ipv4().words if not host.shared_ip and host.external_ipv4: # DMZ
reverse = (host.reverse if host.reverse not in [None, ''] i = host.external_ipv4.words
else host.get_fqdn()) reverse = host.get_hostname('ipv4', public=True)
else:
i = host.ipv4.words
reverse = host.get_hostname('ipv4', public=False)
# ipv4 # ipv4
if host.ipv4: if host.ipv4:
...@@ -194,7 +206,7 @@ def generate_ptr_records(): ...@@ -194,7 +206,7 @@ def generate_ptr_records():
# ipv6 # ipv6
if host.ipv6: if host.ipv6:
DNS.append("^%s:%s:%s" % (host.ipv6.reverse_dns, DNS.append("^%s:%s:%s" % (host.ipv6.reverse_dns.rstrip('.'),
reverse, settings['dns_ttl'])) reverse, settings['dns_ttl']))
return DNS return DNS
...@@ -211,14 +223,14 @@ def generate_records(): ...@@ -211,14 +223,14 @@ def generate_records():
'CNAME': 'C%(fqdn)s:%(address)s:%(ttl)s', 'CNAME': 'C%(fqdn)s:%(address)s:%(ttl)s',
'MX': '@%(fqdn)s::%(address)s:%(dist)s:%(ttl)s', 'MX': '@%(fqdn)s::%(address)s:%(dist)s:%(ttl)s',
'PTR': '^%(fqdn)s:%(address)s:%(ttl)s', 'PTR': '^%(fqdn)s:%(address)s:%(ttl)s',
'TXT': '%(fqdn)s:%(octal)s:%(ttl)s'} 'TXT': "'%(fqdn)s:%(octal)s:%(ttl)s"}
retval = [] retval = []
for r in Record.objects.all(): for r in Record.objects.all():
params = {'fqdn': r.fqdn, 'address': r.address, 'ttl': r.ttl} params = {'fqdn': r.fqdn, 'address': r.address, 'ttl': r.ttl}
if r.type == 'MX': if r.type == 'MX':
params['address'], params['dist'] = r.address.split(':', 2) params['dist'], params['address'] = r.address.split(':', 2)
if r.type == 'AAAA': if r.type == 'AAAA':
try: try:
params['octal'] = ipv6_to_octal(r.address) params['octal'] = ipv6_to_octal(r.address)
......
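Review bot: The MX fix at `params['dist'], params['address'] = r.address.split(':', 2)` still splits with maxsplit 2, so a stored MX address containing a second colon yields three parts and the two-name unpacking raises ValueError for that record, aborting the whole record generation; `r.address.split(':', 1)` is what a dist:host pair needs. Swapping the assignment order corrects which field gets the distance but leaves that failure mode in place. In the BuildFirewall hunk the SNAT loop emits a rule for every host with `external_ipv4` without the `not host.shared_ip` qualifier that the DMZ branches in generate_ptr_records and Host use; if shared-IP hosts are meant to keep the VLAN's default `snat_ip`, the same exclusion is needed there — I cannot confirm the intent from the hunk. Both generate_records and the BuildFirewall method continue outside the hunks.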
...@@ -22,7 +22,7 @@ from collections import OrderedDict ...@@ -22,7 +22,7 @@ from collections import OrderedDict
logger = logging.getLogger() logger = logging.getLogger()
ipv4_re = re.compile( ipv4_re = re.compile(
r'^(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}') r'(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}')
class InvalidRuleExcepion(Exception): class InvalidRuleExcepion(Exception):
......
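Review bot: Dropping the `^` anchor from `ipv4_re` changes its behaviour only at call sites that use `search`/`findall` (they are outside the hunk), and since the pattern has no trailing `$` or `\b` either before or after this change, a string such as `10.0.0.1234` still matches on its first ten characters. That is fine for extracting addresses embedded in text but not for validating one; if any caller uses it as an input check, bound the end (`...){3}\b`) or parse with `ipaddress.ip_address` instead. A short comment next to the compile, e.g. `# unanchored on purpose: extracts addresses embedded in text, not a validator`, would record the intent for the next reader.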
...@@ -575,10 +575,14 @@ class Host(models.Model): ...@@ -575,10 +575,14 @@ class Host(models.Model):
# IPv4 # IPv4
if self.ipv4 is not None: if self.ipv4 is not None:
if not self.shared_ip and self.external_ipv4: # DMZ
ipv4 = self.external_ipv4
else:
ipv4 = self.ipv4
# update existing records # update existing records
affected_records = Record.objects.filter( affected_records = Record.objects.filter(
host=self, name=self.hostname, host=self, name=self.hostname,
type='A').update(address=self.ipv4) type='A').update(address=ipv4)
# create new record # create new record
if affected_records == 0: if affected_records == 0:
Record(host=self, Record(host=self,
...@@ -714,6 +718,8 @@ class Host(models.Model): ...@@ -714,6 +718,8 @@ class Host(models.Model):
:type proto: str. :type proto: str.
""" """
assert proto in ('ipv6', 'ipv4', ) assert proto in ('ipv6', 'ipv4', )
if self.reverse:
return self.reverse
try: try:
if proto == 'ipv6': if proto == 'ipv6':
res = self.record_set.filter(type='AAAA', res = self.record_set.filter(type='AAAA',
......
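Review bot: In the A-record hunk the new `ipv4` local is only used in `update(address=ipv4)`, while the `Record(host=self, ...)` constructor on the "create new record" path starts at the last visible line and continues outside the hunk; if it still passes `address=self.ipv4`, a DMZ host gets its internal address when the record is first created and the external one on every later update. Use the same `ipv4` local there. The predicate `if not self.shared_ip and self.external_ipv4` also appears verbatim in generate_ptr_records, so a `Host` property returning the chosen address would keep the two from drifting. In the get_hostname hunk the `if self.reverse: return self.reverse` early return applies to both protocols and skips the record lookup entirely, which looks intended but deserves a sentence in the docstring above it (`reverse`, when set, overrides the looked-up name for both ipv4 and ipv6).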
...@@ -35,7 +35,7 @@ COMMIT ...@@ -35,7 +35,7 @@ COMMIT
{% if proto == "ipv4" %} {% if proto == "ipv4" %}
-A FORWARD -p icmp --icmp-type echo-request -g LOG_ACC -A FORWARD -p icmp --icmp-type echo-request -g LOG_ACC
{% else %} {% else %}
-A FORWARD -p icmpv6 --icmpv6-type echo-request -g LOG_ACC -A FORWARD -p icmpv6 -g LOG_ACC
{% endif %} {% endif %}
# initialize INPUT chain # initialize INPUT chain
...@@ -45,6 +45,11 @@ COMMIT ...@@ -45,6 +45,11 @@ COMMIT
-A INPUT -m state --state INVALID -g LOG_DROP -A INPUT -m state --state INVALID -g LOG_DROP
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
{% if proto == "ipv4" %}
-A INPUT -p icmp --icmp-type echo-request -g LOG_ACC
{% else %}
-A INPUT -p icmpv6 -g LOG_ACC
{% endif %}
# initialize OUTPUT chain # initialize OUTPUT chain
-A OUTPUT -m state --state INVALID -g LOG_DROP -A OUTPUT -m state --state INVALID -g LOG_DROP
......
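Review bot: Both template hunks replace an `--icmpv6-type echo-request` match with a bare `-p icmpv6 -g LOG_ACC`, so every ICMPv6 type is now accepted in FORWARD and INPUT; RFC 4890 recommends accepting only the types a router and host need (in transit: 1–4 and 128/129; locally in addition NDP 133–137) and dropping the rest. One rule per needed type, e.g. `-A INPUT -p icmpv6 --icmpv6-type 135 -g LOG_ACC` and `-A INPUT -p icmpv6 --icmpv6-type 136 -g LOG_ACC`, keeps neighbour discovery and PMTUD working without opening the whole protocol. If the widening is deliberate because conntrack does not classify NDP as RELATED, record that above the rule, e.g. `# all ICMPv6 accepted: NDP (133-137) and PMTUD (2) are not tracked as RELATED`. Sending every ICMPv6 packet (NDP is continuous) through LOG_ACC may also inflate log volume, depending on what that chain does — it is not in the hunk.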