firewall: Blacklist added

firewall/admin.py

@@ -102,6 +102,9 @@ class RecordAdmin(admin.ModelAdmin):
         if a:
             return a['name']
 
+class BlacklistAdmin(admin.ModelAdmin):
+    list_display = ('ipv4', 'reason', 'created_at', 'modified_at')
+
 admin.site.register(Host, HostAdmin)
 admin.site.register(Vlan, VlanAdmin)
 admin.site.register(Rule, RuleAdmin)
@@ -110,4 +113,5 @@ admin.site.register(VlanGroup)
 admin.site.register(Firewall, FirewallAdmin)
 admin.site.register(Domain, DomainAdmin)
 admin.site.register(Record, RecordAdmin)
+admin.site.register(Blacklist, BlacklistAdmin)
 

firewall/fw.py

@@ -6,6 +6,7 @@ from cloud.settings import firewall_settings as settings
 import subprocess
 import re
 import json
+from datetime import datetime, timedelta
 
 
 class firewall:
@@ -17,6 +18,7 @@ class firewall:
     pub = None
     hosts = None
     fw = None
+    ipset = None
 
     def dportsport(self, rule, repl=True):
         retval = ' '
@@ -133,13 +135,14 @@ class firewall:
 
         self.iptables('-N PUB_OUT')
 
+        self.iptables('-A FORWARD -m set --match-set blacklist src,dst -j DROP')
         self.iptables('-A FORWARD -m state --state INVALID -g LOG_DROP')
         self.iptables('-A FORWARD -m state --state ESTABLISHED,RELATED '
                 '-j ACCEPT')
         self.iptables('-A FORWARD -p icmp --icmp-type echo-request '
                 '-g LOG_ACC')
-        if not self.IPV6:
-            self.iptables('-A FORWARD -j r_pub_sIP -o pub')
+
+        self.iptables('-A INPUT -m set --match-set blacklist src -j DROP')
         self.iptables('-A INPUT -m state --state INVALID -g LOG_DROP')
         self.iptables('-A INPUT -i lo -j ACCEPT')
         self.iptables('-A INPUT -m state --state ESTABLISHED,RELATED '
@@ -260,6 +263,7 @@ class firewall:
     def __init__(self, IPV6=False):
         self.RULES=[]
         self.RULES_NAT=[]
+        self.IPSET = []
         self.IPV6 = IPV6
         self.vlans = models.Vlan.objects.all()
         self.hosts = models.Host.objects.all()
@@ -269,6 +273,7 @@ class firewall:
         self.ipt_filter()
         if not self.IPV6:
             self.ipt_nat()
+            self.IPSET=self.ipset()
 
     def reload(self):
         if self.IPV6:
@@ -287,7 +292,7 @@ class firewall:
         if self.IPV6:
             return { 'filter': self.RULES, }
         else:
-            return { 'filter': self.RULES, 'nat':self.RULES_NAT }
+            return { 'filter': self.RULES, 'nat': self.RULES_NAT, 'ipset': self.IPSET }
 
     def show(self):
         if self.IPV6:
@@ -296,6 +301,10 @@ class firewall:
             return ('\n'.join(self.RULES) + '\n' +
                 '\n'.join(self.RULES_NAT) + '\n')
 
+    def ipset(self):
+        week = datetime.now()-timedelta(days=7)
+        return models.Blacklist.objects.filter(modified_at__gte=week).values_list('ipv4', flat=True)
+
 
 def ipv6_to_octal(ipv6):
     while len(ipv6.split(':')) < 8:

firewall/models.py

@@ -318,6 +318,11 @@ class Record(models.Model):
             return None
         return retval
 
+class Blacklist(models.Model):
+    ipv4 = models.GenericIPAddressField(protocol='ipv4', unique=True)
+    reason = models.TextField(blank=True)
+    created_at = models.DateTimeField(auto_now_add=True)
+    modified_at = models.DateTimeField(auto_now=True)
 
 def send_task(sender, instance, created, **kwargs):
     from firewall.tasks import ReloadTask
@@ -332,3 +337,4 @@ post_save.connect(send_task, sender=Vlan)
 post_save.connect(send_task, sender=Firewall)
 post_save.connect(send_task, sender=Group)
 post_save.connect(send_task, sender=Host)
+post_save.connect(send_task, sender=Blacklist)