Commit 0731aa4e by Bach Dániel

Merge branch 'firewall-fixes' into 'master'

Firewall Fixes
parents 601f4803 048d3e30
......@@ -62,6 +62,15 @@ class BuildFirewall:
extra='-j DNAT --to-destination %s:%s' % (rule.host.ipv4,
rule.dport)))
# SNAT rules for machines with public IPv4
for host in Host.objects.exclude(external_ipv4=None).select_related(
'vlan').prefetch_related('vlan__snat_to'):
for vl_out in host.vlan.snat_to.all():
self.add_rules(POSTROUTING=IptRule(
priority=1500, src=(host.ipv4, None),
extra='-o %s -j SNAT --to-source %s' % (
vl_out.name, host.external_ipv4)))
# default outbound NAT rules for VLANs
for vl_in in Vlan.objects.exclude(
snat_ip=None).prefetch_related('snat_to'):
......@@ -183,9 +192,12 @@ def generate_ptr_records():
for host in Host.objects.order_by('vlan').all():
template = host.vlan.reverse_domain
i = host.get_external_ipv4().words
reverse = (host.reverse if host.reverse not in [None, '']
else host.get_fqdn())
if not host.shared_ip and host.external_ipv4: # DMZ
i = host.external_ipv4.words
reverse = host.get_hostname('ipv4', public=True)
else:
i = host.ipv4.words
reverse = host.get_hostname('ipv4', public=False)
# ipv4
if host.ipv4:
......@@ -194,7 +206,7 @@ def generate_ptr_records():
# ipv6
if host.ipv6:
DNS.append("^%s:%s:%s" % (host.ipv6.reverse_dns,
DNS.append("^%s:%s:%s" % (host.ipv6.reverse_dns.rstrip('.'),
reverse, settings['dns_ttl']))
return DNS
......@@ -211,14 +223,14 @@ def generate_records():
'CNAME': 'C%(fqdn)s:%(address)s:%(ttl)s',
'MX': '@%(fqdn)s::%(address)s:%(dist)s:%(ttl)s',
'PTR': '^%(fqdn)s:%(address)s:%(ttl)s',
'TXT': '%(fqdn)s:%(octal)s:%(ttl)s'}
'TXT': "'%(fqdn)s:%(octal)s:%(ttl)s"}
retval = []
for r in Record.objects.all():
params = {'fqdn': r.fqdn, 'address': r.address, 'ttl': r.ttl}
if r.type == 'MX':
params['address'], params['dist'] = r.address.split(':', 2)
params['dist'], params['address'] = r.address.split(':', 2)
if r.type == 'AAAA':
try:
params['octal'] = ipv6_to_octal(r.address)
......
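Review bot: In the generate_records hunk, `params['dist'], params['address'] = r.address.split(':', 2)` keeps maxsplit=2, so an MX address holding two or more colons splits into three parts and the tuple unpacking raises ValueError for the whole run, and an address with no colon fails the same way; the commit only swaps the two targets. `params['dist'], params['address'] = r.address.split(':', 1)` pins the split to the first colon, and the no-colon case should be rejected where the Record is stored or skipped with a log line here. In the generate_ptr_records hunk, the new else branch evaluates `host.ipv4.words` unconditionally, yet the `if host.ipv4:` check a few lines below and the `self.ipv4 is not None` guard in the models.py hunk suggest ipv4 can be unset, in which case the branch raises AttributeError before that guard is reached; extracting the words under the check (or skipping such hosts) avoids it. Both enclosing functions continue outside their hunks.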
......@@ -22,7 +22,7 @@ from collections import OrderedDict
logger = logging.getLogger()
ipv4_re = re.compile(
r'^(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}')
r'(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}')
class InvalidRuleExcepion(Exception):
......
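Review bot: Dropping `^` from ipv4_re leaves the pattern unanchored at both ends, so unless every caller uses `.match()` it now also finds an address embedded in longer input, and with no `\Z`/`$` trailing characters such as a fifth octet are accepted in either case; the call sites are outside this hunk. If the pattern validates rule fields rather than extracting addresses from text, anchor the end as well, e.g. `r'^(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}\Z'`; if the removal is deliberate to support `.search()`, a one-line comment above the compile saying `# unanchored: used to locate addresses inside rule text, not to validate them` would stop the next edit from flipping it again.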
......@@ -575,10 +575,14 @@ class Host(models.Model):
# IPv4
if self.ipv4 is not None:
if not self.shared_ip and self.external_ipv4: # DMZ
ipv4 = self.external_ipv4
else:
ipv4 = self.ipv4
# update existing records
affected_records = Record.objects.filter(
host=self, name=self.hostname,
type='A').update(address=self.ipv4)
type='A').update(address=ipv4)
# create new record
if affected_records == 0:
Record(host=self,
......@@ -714,6 +718,8 @@ class Host(models.Model):
:type proto: str.
"""
assert proto in ('ipv6', 'ipv4', )
if self.reverse:
return self.reverse
try:
if proto == 'ipv6':
res = self.record_set.filter(type='AAAA',
......
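Review bot: The early return added to get_hostname hands back `self.reverse` before `proto` is examined and, judging by the `get_hostname('ipv4', public=True)` / `public=False` calls in the fw.py hunk, regardless of the public flag as well, yet the docstring ending just above still documents only the record lookup; the function's signature and body continue outside the hunk. Add a docstring sentence such as `If the host's ``reverse`` field is set, it is returned as-is for every proto and for both public and private lookups, bypassing the record lookup.` so callers know the override short-circuits everything else. Because the value flows straight into the colon-delimited tinydns line built in generate_ptr_records, a `reverse` containing ':' or a newline would change the record's structure, so if the field is editable by non-admin users it is worth validating it as a hostname where it is stored. The Host.save hunk repeats the `not self.shared_ip and self.external_ipv4` DMZ test that generate_ptr_records also hard-codes; lifting it into one Host property would keep the two from diverging.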
......@@ -35,7 +35,7 @@ COMMIT
{% if proto == "ipv4" %}
-A FORWARD -p icmp --icmp-type echo-request -g LOG_ACC
{% else %}
-A FORWARD -p icmpv6 --icmpv6-type echo-request -g LOG_ACC
-A FORWARD -p icmpv6 -g LOG_ACC
{% endif %}
# initialize INPUT chain
......@@ -45,6 +45,11 @@ COMMIT
-A INPUT -m state --state INVALID -g LOG_DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
{% if proto == "ipv4" %}
-A INPUT -p icmp --icmp-type echo-request -g LOG_ACC
{% else %}
-A INPUT -p icmpv6 -g LOG_ACC
{% endif %}
# initialize OUTPUT chain
-A OUTPUT -m state --state INVALID -g LOG_DROP
......
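Review bot: The FORWARD rule `-A FORWARD -p icmpv6 -g LOG_ACC` now accepts every ICMPv6 type in transit between networks, including router-advertisement, redirect and neighbour-discovery messages, where the rule it replaces accepted echo-request only. If the motivation was that echo-request alone broke path-MTU discovery and error signalling, the small transit set RFC 4890 lists (destination-unreachable, packet-too-big, time-exceeded, parameter-problem, plus echo request/reply) restores that without opening the rest, as sketched below. The new INPUT block accepting all ICMPv6 is easier to justify because the firewall host itself needs neighbour discovery and router messages, but it deserves a line such as `# ICMPv6 accepted wholesale on INPUT: ND/RA/PMTUD are required for the host's own IPv6 operation` so the next reader does not tighten it by reflex.
```jinja
{% else %}
-A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -g LOG_ACC
-A FORWARD -p icmpv6 --icmpv6-type packet-too-big -g LOG_ACC
-A FORWARD -p icmpv6 --icmpv6-type time-exceeded -g LOG_ACC
-A FORWARD -p icmpv6 --icmpv6-type parameter-problem -g LOG_ACC
-A FORWARD -p icmpv6 --icmpv6-type echo-request -g LOG_ACC
-A FORWARD -p icmpv6 --icmpv6-type echo-reply -g LOG_ACC
{% endif %}
```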