Commit e14a1b89 by Dudás Ádám

Merge branch 'master' of ssh://giccero.cloud.ik.bme.hu/cloud

parents 30a50ad7 11c061d4
...@@ -123,11 +123,11 @@ class firewall: ...@@ -123,11 +123,11 @@ class firewall:
# windows port scan are silently dropped # windows port scan are silently dropped
self.iptables('-A LOG_DROP -p tcp --dport 445 -j DROP') self.iptables('-A LOG_DROP -p tcp --dport 445 -j DROP')
self.iptables('-A LOG_DROP -p udp --dport 137 -j DROP') self.iptables('-A LOG_DROP -p udp --dport 137 -j DROP')
self.iptables('-A LOG_DROP -j LOG --log-level 7' self.iptables('-A LOG_DROP -j LOG --log-level 7 '
'--log-prefix "[ipt][drop]"') '--log-prefix "[ipt][drop]"')
self.iptables('-A LOG_DROP -j DROP') self.iptables('-A LOG_DROP -j DROP')
self.iptables('-N LOG_ACC') self.iptables('-N LOG_ACC')
self.iptables('-A LOG_ACC -j LOG --log-level 7' self.iptables('-A LOG_ACC -j LOG --log-level 7 '
'--log-prefix "[ipt][isok]"') '--log-prefix "[ipt][isok]"')
self.iptables('-A LOG_ACC -j ACCEPT') self.iptables('-A LOG_ACC -j ACCEPT')
...@@ -165,9 +165,9 @@ class firewall: ...@@ -165,9 +165,9 @@ class firewall:
self.iptables('-A PUB_OUT -j r_pub_dIP') self.iptables('-A PUB_OUT -j r_pub_dIP')
self.iptables('-A FORWARD -m state --state INVALID -g LOG_DROP') self.iptables('-A FORWARD -m state --state INVALID -g LOG_DROP')
self.iptables('-A FORWARD -m state --state ESTABLISHED,RELATED' self.iptables('-A FORWARD -m state --state ESTABLISHED,RELATED '
'-j ACCEPT') '-j ACCEPT')
self.iptables('-A FORWARD -p icmp --icmp-type echo-request' self.iptables('-A FORWARD -p icmp --icmp-type echo-request '
'-g LOG_ACC') '-g LOG_ACC')
if not self.IPV6: if not self.IPV6:
self.iptables('-A FORWARD -j r_pub_sIP -o pub') self.iptables('-A FORWARD -j r_pub_sIP -o pub')
...@@ -175,19 +175,19 @@ class firewall: ...@@ -175,19 +175,19 @@ class firewall:
self.iptables('-A INPUT -i lo -j ACCEPT') self.iptables('-A INPUT -i lo -j ACCEPT')
if not self.IPV6: if not self.IPV6:
self.iptables('-A INPUT -j r_pub_sIP') self.iptables('-A INPUT -j r_pub_sIP')
self.iptables('-A INPUT -m state --state ESTABLISHED,RELATED' self.iptables('-A INPUT -m state --state ESTABLISHED,RELATED '
'-j ACCEPT') '-j ACCEPT')
self.iptables('-A OUTPUT -m state --state INVALID -g LOG_DROP') self.iptables('-A OUTPUT -m state --state INVALID -g LOG_DROP')
self.iptables('-A OUTPUT -o lo -j ACCEPT') self.iptables('-A OUTPUT -o lo -j ACCEPT')
self.iptables('-A OUTPUT -m state --state ESTABLISHED,RELATED' self.iptables('-A OUTPUT -m state --state ESTABLISHED,RELATED '
'-j ACCEPT') '-j ACCEPT')
def postrun(self): def postrun(self):
self.iptables('-A PUB_OUT -s 152.66.243.160/27 -p tcp --dport 25' self.iptables('-A PUB_OUT -s 152.66.243.160/27 -p tcp --dport 25 '
'-j LOG_ACC') '-j LOG_ACC')
self.iptables('-A PUB_OUT -s 152.66.243.160/27 -p tcp --dport 445' self.iptables('-A PUB_OUT -s 152.66.243.160/27 -p tcp --dport 445 '
'-j LOG_ACC') '-j LOG_ACC')
self.iptables('-A PUB_OUT -p tcp --dport 25 -j LOG_DROP') self.iptables('-A PUB_OUT -p tcp --dport 25 -j LOG_DROP')
self.iptables('-A PUB_OUT -p tcp --dport 445 -j LOG_DROP') self.iptables('-A PUB_OUT -p tcp --dport 445 -j LOG_DROP')
...@@ -214,7 +214,7 @@ class firewall: ...@@ -214,7 +214,7 @@ class firewall:
for rule in host.rules.filter(nat=True, direction='1'): for rule in host.rules.filter(nat=True, direction='1'):
dport_sport = self.dportsport(rule, False) dport_sport = self.dportsport(rule, False)
if host.vlan.snat_ip: if host.vlan.snat_ip:
self.iptablesnat('-A PREROUTING -d %s %s %s -j DNAT' self.iptablesnat('-A PREROUTING -d %s %s %s -j DNAT '
'--to-destination %s:%s' % (host.pub_ipv4, '--to-destination %s:%s' % (host.pub_ipv4,
dport_sport, rule.extra, host.ipv4, dport_sport, rule.extra, host.ipv4,
rule.nat_dport)) rule.nat_dport))
...@@ -222,26 +222,26 @@ class firewall: ...@@ -222,26 +222,26 @@ class firewall:
# rules for machines with dedicated public IP # rules for machines with dedicated public IP
for host in self.hosts.exclude(shared_ip=True): for host in self.hosts.exclude(shared_ip=True):
if host.pub_ipv4: if host.pub_ipv4:
self.iptablesnat('-A PREROUTING -d %s -j DNAT' self.iptablesnat('-A PREROUTING -d %s -j DNAT '
'--to-destination %s' % (host.pub_ipv4, host.ipv4)) '--to-destination %s' % (host.pub_ipv4, host.ipv4))
self.iptablesnat('-A POSTROUTING -s %s -j SNAT' self.iptablesnat('-A POSTROUTING -s %s -j SNAT '
'--to-source %s' % (host.ipv4, host.pub_ipv4)) '--to-source %s' % (host.ipv4, host.pub_ipv4))
# default NAT rules for VLANs # default NAT rules for VLANs
for s_vlan in self.vlans: for s_vlan in self.vlans:
if s_vlan.snat_ip: if s_vlan.snat_ip:
for d_vlan in s_vlan.snat_to.all(): for d_vlan in s_vlan.snat_to.all():
self.iptablesnat('-A POSTROUTING -s %s -o %s -j SNAT' self.iptablesnat('-A POSTROUTING -s %s -o %s -j SNAT '
'--to-source %s' % (s_vlan.net_ipv4(), '--to-source %s' % (s_vlan.net_ipv4(),
d_vlan.interface, s_vlan.snat_ip)) d_vlan.interface, s_vlan.snat_ip))
# hard-wired rules # hard-wired rules
self.iptablesnat('-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT' self.iptablesnat('-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT '
'--to-source 10.3.255.254') # man elerheto legyen '--to-source 10.3.255.254') # man elerheto legyen
self.iptablesnat('-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT' self.iptablesnat('-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT '
'--to-source 10.0.0.247') # wolf network for printing '--to-source 10.0.0.247') # wolf network for printing
self.iptablesnat('-A POSTROUTING -s 10.3.0.0/16 -o vlan0002 -j SNAT' self.iptablesnat('-A POSTROUTING -s 10.3.0.0/16 -o vlan0002 -j SNAT '
'--to-source %s' % self.pub.ipv4) # kulonben nemmegy a du '--to-source %s' % self.pub.ipv4) # kulonben nemmegy a du
self.iptablesnat('COMMIT') self.iptablesnat('COMMIT')
...@@ -318,9 +318,9 @@ class firewall: ...@@ -318,9 +318,9 @@ class firewall:
def get(self): def get(self):
if self.IPV6: if self.IPV6:
return { 'filter': self.SZABALYOK, } return { 'filter': self.RULES, }
else: else:
return { 'filter': self.SZABALYOK, 'nat':self.SZABALYOK_NAT } return { 'filter': self.RULES, 'nat':self.RULES_NAT }
def show(self): def show(self):
if self.IPV6: if self.IPV6:
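Review bot: `rule.extra` is interpolated verbatim into the PREROUTING DNAT rule in the `@@ -214,7 +214,7 @@` hunk (`'-A PREROUTING -d %s %s %s -j DNAT ' '--to-destination %s:%s' % (host.pub_ipv4, dport_sport, rule.extra, host.ipv4, rule.nat_dport)`), with no check in this code that the field only holds match options. If `rule.extra` is free-form text on the rule model (it reads that way, but the model is not in view), an unexpected value can silently alter the match or the target of the generated rule; the same applies to the other `%`-built rules in the `@@ -222,26 +222,26 @@` hunk wherever an operand is not already constrained by its model field type. I would reject anything outside a conservative character set before formatting, e.g. `if not re.fullmatch(r'[\w\s.:/,-]*', rule.extra): raise ValueError('invalid extra options: %r' % rule.extra)`, or better, restrict the field to a known set of options at model-validation time, and state on `iptablesnat` whether its argument is split into an argv list or handed to a shell, since that decides how strict the validation must be. The comments on the hard-wired rules in the `@@ -222,26 +222,26 @@` hunk (`# man elerheto legyen`, `# kulonben nemmegy a du`) are in Hungarian; an English rendering would help other readers understand why those addresses are pinned. The method enclosing the `@@ -214,7 +214,7 @@` hunk starts and ends outside it.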