Commit 25a36d8e by Bach Dániel

firewall: Blacklist added

parent 771d5049
...@@ -102,6 +102,9 @@ class RecordAdmin(admin.ModelAdmin): ...@@ -102,6 +102,9 @@ class RecordAdmin(admin.ModelAdmin):
if a: if a:
return a['name'] return a['name']
class BlacklistAdmin(admin.ModelAdmin):
list_display = ('ipv4', 'reason', 'created_at', 'modified_at')
admin.site.register(Host, HostAdmin) admin.site.register(Host, HostAdmin)
admin.site.register(Vlan, VlanAdmin) admin.site.register(Vlan, VlanAdmin)
admin.site.register(Rule, RuleAdmin) admin.site.register(Rule, RuleAdmin)
...@@ -110,4 +113,5 @@ admin.site.register(VlanGroup) ...@@ -110,4 +113,5 @@ admin.site.register(VlanGroup)
admin.site.register(Firewall, FirewallAdmin) admin.site.register(Firewall, FirewallAdmin)
admin.site.register(Domain, DomainAdmin) admin.site.register(Domain, DomainAdmin)
admin.site.register(Record, RecordAdmin) admin.site.register(Record, RecordAdmin)
admin.site.register(Blacklist, BlacklistAdmin)
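Review bot: `BlacklistAdmin` in the first hunk defines only `list_display`, so the change list cannot be searched or sorted usefully once the table grows. For a list that an operator consults while handling an incident, `search_fields = ('ipv4', 'reason')` and `ordering = ('-modified_at',)` let the most recent entries surface first and an address be located without paging. `created_at` and `modified_at` are `auto_now_add`/`auto_now` fields, so they are already non-editable in the form and need no `readonly_fields` entry.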
...@@ -6,6 +6,7 @@ from cloud.settings import firewall_settings as settings ...@@ -6,6 +6,7 @@ from cloud.settings import firewall_settings as settings
import subprocess import subprocess
import re import re
import json import json
from datetime import datetime, timedelta
class firewall: class firewall:
...@@ -17,6 +18,7 @@ class firewall: ...@@ -17,6 +18,7 @@ class firewall:
pub = None pub = None
hosts = None hosts = None
fw = None fw = None
ipset = None
def dportsport(self, rule, repl=True): def dportsport(self, rule, repl=True):
retval = ' ' retval = ' '
...@@ -133,13 +135,14 @@ class firewall: ...@@ -133,13 +135,14 @@ class firewall:
self.iptables('-N PUB_OUT') self.iptables('-N PUB_OUT')
self.iptables('-A FORWARD -m set --match-set blacklist src,dst -j DROP')
self.iptables('-A FORWARD -m state --state INVALID -g LOG_DROP') self.iptables('-A FORWARD -m state --state INVALID -g LOG_DROP')
self.iptables('-A FORWARD -m state --state ESTABLISHED,RELATED ' self.iptables('-A FORWARD -m state --state ESTABLISHED,RELATED '
'-j ACCEPT') '-j ACCEPT')
self.iptables('-A FORWARD -p icmp --icmp-type echo-request ' self.iptables('-A FORWARD -p icmp --icmp-type echo-request '
'-g LOG_ACC') '-g LOG_ACC')
if not self.IPV6:
self.iptables('-A FORWARD -j r_pub_sIP -o pub') self.iptables('-A INPUT -m set --match-set blacklist src -j DROP')
self.iptables('-A INPUT -m state --state INVALID -g LOG_DROP') self.iptables('-A INPUT -m state --state INVALID -g LOG_DROP')
self.iptables('-A INPUT -i lo -j ACCEPT') self.iptables('-A INPUT -i lo -j ACCEPT')
self.iptables('-A INPUT -m state --state ESTABLISHED,RELATED ' self.iptables('-A INPUT -m state --state ESTABLISHED,RELATED '
...@@ -260,6 +263,7 @@ class firewall: ...@@ -260,6 +263,7 @@ class firewall:
def __init__(self, IPV6=False): def __init__(self, IPV6=False):
self.RULES=[] self.RULES=[]
self.RULES_NAT=[] self.RULES_NAT=[]
self.IPSET = []
self.IPV6 = IPV6 self.IPV6 = IPV6
self.vlans = models.Vlan.objects.all() self.vlans = models.Vlan.objects.all()
self.hosts = models.Host.objects.all() self.hosts = models.Host.objects.all()
...@@ -269,6 +273,7 @@ class firewall: ...@@ -269,6 +273,7 @@ class firewall:
self.ipt_filter() self.ipt_filter()
if not self.IPV6: if not self.IPV6:
self.ipt_nat() self.ipt_nat()
self.IPSET=self.ipset()
def reload(self): def reload(self):
if self.IPV6: if self.IPV6:
...@@ -287,7 +292,7 @@ class firewall: ...@@ -287,7 +292,7 @@ class firewall:
if self.IPV6: if self.IPV6:
return { 'filter': self.RULES, } return { 'filter': self.RULES, }
else: else:
return { 'filter': self.RULES, 'nat':self.RULES_NAT } return { 'filter': self.RULES, 'nat': self.RULES_NAT, 'ipset': self.IPSET }
def show(self): def show(self):
if self.IPV6: if self.IPV6:
...@@ -296,6 +301,10 @@ class firewall: ...@@ -296,6 +301,10 @@ class firewall:
return ('\n'.join(self.RULES) + '\n' + return ('\n'.join(self.RULES) + '\n' +
'\n'.join(self.RULES_NAT) + '\n') '\n'.join(self.RULES_NAT) + '\n')
def ipset(self):
week = datetime.now()-timedelta(days=7)
return models.Blacklist.objects.filter(modified_at__gte=week).values_list('ipv4', flat=True)
def ipv6_to_octal(ipv6): def ipv6_to_octal(ipv6):
while len(ipv6.split(':')) < 8: while len(ipv6.split(':')) < 8:
......
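Review bot: `ipset()` in the last hunk returns a lazy `values_list` QuerySet rather than a list, so `self.IPSET` and the `'ipset'` entry added to the dict in the `-287,7` hunk are evaluated only when the consumer first iterates them, and the dict will not serialise with `json` as it stands; `return list(models.Blacklist.objects.filter(modified_at__gte=week).values_list('ipv4', flat=True))` pins the snapshot to build time. `datetime.now()` there is a naive timestamp, so if the project runs with `USE_TZ` enabled the comparison against `modified_at` should use `django.utils.timezone.now()`, and the hard-coded seven days deserves a named constant plus a comment that an expired entry only leaves the set when the firewall is next regenerated, so the effective block duration depends on how often a reload is triggered. The class attribute `ipset = None` added in the `-17,6` hunk is shadowed by the method of the same name defined later in the class body, so it is dead and misleading; drop it or rename it. The FORWARD rule `-m set --match-set blacklist src,dst -j DROP` in the `-133,13` hunk appears to be emitted unconditionally while the `'ipset'` data is returned only on the non-IPv6 path, so the ip6tables rule set would reference a set that its own payload never defines; confirm how the IPv6 path handles it, and that the `blacklist` set exists before the rules are restored, since a missing set makes the restore fail.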
...@@ -318,6 +318,11 @@ class Record(models.Model): ...@@ -318,6 +318,11 @@ class Record(models.Model):
return None return None
return retval return retval
class Blacklist(models.Model):
ipv4 = models.GenericIPAddressField(protocol='ipv4', unique=True)
reason = models.TextField(blank=True)
created_at = models.DateTimeField(auto_now_add=True)
modified_at = models.DateTimeField(auto_now=True)
def send_task(sender, instance, created, **kwargs): def send_task(sender, instance, created, **kwargs):
from firewall.tasks import ReloadTask from firewall.tasks import ReloadTask
...@@ -332,3 +337,4 @@ post_save.connect(send_task, sender=Vlan) ...@@ -332,3 +337,4 @@ post_save.connect(send_task, sender=Vlan)
post_save.connect(send_task, sender=Firewall) post_save.connect(send_task, sender=Firewall)
post_save.connect(send_task, sender=Group) post_save.connect(send_task, sender=Group)
post_save.connect(send_task, sender=Host) post_save.connect(send_task, sender=Host)
post_save.connect(send_task, sender=Blacklist)
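Review bot: `modified_at` on `Blacklist` uses `auto_now=True`, and the `firewall.ipset()` method in this commit selects entries whose `modified_at` falls within the last seven days, so any save of a row — including editing `reason` in the admin — silently extends the block by another week; document this on the field, e.g. `# any save (incl. admin edits) refreshes modified_at and with it the 7-day window read by firewall.ipset()`, or key the window on a dedicated expiry field. Only `post_save` is connected for `Blacklist` on the last line, so deleting an entry does not trigger a reload and the address stays in the kernel set until something else regenerates the firewall; unless deletion is handled elsewhere, connect `post_delete` too, noting that `send_task` takes `created` positionally and `post_delete` does not send it, so a small wrapper without that argument is needed.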