Commit e6dd3a56 by root Committed by Őry Máté

port forward as typical rule

parent 3ae7502b
...@@ -16,4 +16,5 @@ urlpatterns = patterns('', ...@@ -16,4 +16,5 @@ urlpatterns = patterns('',
url(r'^vm/show/(?P<iid>\d+)/$', 'one.views.vm_show', name='vm_show'), url(r'^vm/show/(?P<iid>\d+)/$', 'one.views.vm_show', name='vm_show'),
url(r'^vm/delete/(?P<iid>\d+)/$', 'one.views.vm_delete', name='vm_delete'), url(r'^vm/delete/(?P<iid>\d+)/$', 'one.views.vm_delete', name='vm_delete'),
url(r'^reload/$', 'firewall.views.reload_firewall', name='reload_firewall'), url(r'^reload/$', 'firewall.views.reload_firewall', name='reload_firewall'),
url(r'^fwapi/$', 'firewall.views.firewall_api', name='firewall_api'),
) )
...@@ -7,11 +7,11 @@ class HostAdmin(admin.ModelAdmin): ...@@ -7,11 +7,11 @@ class HostAdmin(admin.ModelAdmin):
ordering = ('-hostname',) ordering = ('-hostname',)
class VlanAdmin(admin.ModelAdmin): class VlanAdmin(admin.ModelAdmin):
list_display = ('vid', 'name', 'en_dst_vlan', 'ipv4', 'net_ipv4', 'ipv6', 'net_ipv6', 'description', 'domain') list_display = ('vid', 'name', 'rules_l', 'ipv4', 'net_ipv4', 'ipv6', 'net_ipv6', 'description', 'domain', 'snat_ip', 'snat_to_l')
ordering = ('-vid',) ordering = ('-vid',)
class RuleAdmin(admin.ModelAdmin): class RuleAdmin(admin.ModelAdmin):
list_display = ('description', 'vlan', 'extra', 'direction', 'action') list_display = ('r_type', 'desc', 'description', 'vlan_l', 'owner', 'extra', 'direction', 'action', 'nat', 'nat_dport')
admin.site.register(Host, HostAdmin) admin.site.register(Host, HostAdmin)
admin.site.register(Vlan, VlanAdmin) admin.site.register(Vlan, VlanAdmin)
......
...@@ -21,6 +21,7 @@ class firewall: ...@@ -21,6 +21,7 @@ class firewall:
vlans = None vlans = None
dmz = None dmz = None
pub = None pub = None
hosts = None
fw = None fw = None
def iptables(self, s): def iptables(self, s):
...@@ -35,39 +36,46 @@ class firewall: ...@@ -35,39 +36,46 @@ class firewall:
else: else:
ipaddr = host.ipv4 ipaddr = host.ipv4
action = "LOG_DROP" extra = rule.extra
if(rule.nat and rule.direction):
extra = re.sub(r'--dport [0-9]+', '--dport %i' %rule.nat_dport, rule.extra)
for vlan in rule.vlan.all():
if(rule.action): if(rule.action):
if((not rule.direction) and rule.vlan.name == "PUB"): if((not rule.direction) and vlan.name == "PUB"):
action = "PUB_OUT" action = "PUB_OUT"
else: else:
action = "LOG_ACC" action = "LOG_ACC"
else:
action = "LOG_DROP"
if(rule.direction): #HOSTHOZ megy if(rule.direction): #HOSTHOZ megy
self.iptables("-A %s_%s -d %s %s -g %s" % (rule.vlan, host.vlan, ipaddr, rule.extra, action)); self.iptables("-A %s_%s -d %s %s -g %s" % (vlan, host.vlan, ipaddr, extra, action));
else: else:
self.iptables("-A %s_%s -s %s %s -g %s" % (host.vlan, rule.vlan, ipaddr, rule.extra, action)); self.iptables("-A %s_%s -s %s %s -g %s" % (host.vlan, vlan, ipaddr, extra, action));
def fw2vlan(self, rule):
snet=None
if(self.IPV6): def fw2vlan(self, rule):
if((not rule.direction) and rule.vlan.name == "PUB"): for vlan in rule.vlan.all():
snet = "::0/0" if(rule.direction): #HOSTHOZ megy
self.iptables("-A INPUT -i %s %s -g %s" % (vlan.interface, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP"));
else: else:
snet = rule.vlan.net6 + "/" + str(rule.vlan.prefix6) self.iptables("-A OUTPUT -o %s %s -g %s" % (vlan.interface, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP"));
def vlan2vlan(self, l_vlan, rule):
for vlan in rule.vlan.all():
if(rule.action):
if((not rule.direction) and vlan.name == "PUB"):
action = "PUB_OUT"
else: else:
if((rule.direction) and rule.vlan.name == "PUB"): action = "LOG_ACC"
snet = "0.0.0.0/0"
else: else:
snet = rule.vlan.net4 + "/" + str(rule.vlan.prefix4) action = "LOG_DROP"
if(rule.direction): #HOSTHOZ megy if(rule.direction): #HOSTHOZ megy
# self.iptables("-A INPUT -i %s -s: %s %s -m state --state NEW -g %s" % (rule.vlan.interface, snet, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP")); self.iptables("-A %s_%s %s -g %s" % (vlan, l_vlan, rule.extra, action));
self.iptables("-A INPUT -i %s %s -g %s" % (rule.vlan.interface, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP"));
else: else:
self.iptables("-A OUTPUT -o %s %s -g %s" % (rule.vlan.interface, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP")); self.iptables("-A %s_%s %s -g %s" % (l_vlan, vlan, rule.extra, action));
def prerun(self): def prerun(self):
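Review bot: The port rewrite at the top of the hunk, `extra = re.sub(r'--dport [0-9]+', '--dport %i' %rule.nat_dport, rule.extra)`, silently leaves `extra` unchanged when the rule's free-text `extra` does not contain exactly `--dport N` (different spacing, `--dports`, or no port match at all), so the filter rule for a forwarded host then matches the pre-DNAT port or every port instead of the translated one. Because `rule.extra` is an unvalidated TextField spliced verbatim into the iptables-restore stream, such a value loosens or breaks the generated ruleset instead of failing here. Consider `extra, n = re.subn(r'--dport [0-9]+', '--dport %i' % rule.nat_dport, rule.extra)` followed by `if n != 1: raise ValueError("nat rule %s needs exactly one --dport in extra" % rule)`. The enclosing method starts before this hunk.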
...@@ -155,32 +163,29 @@ class firewall: ...@@ -155,32 +163,29 @@ class firewall:
self.iptablesnat(":OUTPUT ACCEPT [1:708]") self.iptablesnat(":OUTPUT ACCEPT [1:708]")
self.iptablesnat(":POSTROUTING ACCEPT [1:708]") self.iptablesnat(":POSTROUTING ACCEPT [1:708]")
for host in self.dmz.host_set.all():
#portforward
for host in self.hosts.filter(pub_ipv4=None):
for rule in host.rules.filter(nat=True, direction=True):
self.iptablesnat("-A PREROUTING -d %s %s -j DNAT --to-destination %s:%s" % (host.vlan.snat_ip, rule.extra, host.ipv4, rule.nat_dport))
#sajat publikus ipvel rendelkezo gepek szabalyai
for host in self.hosts:
if(host.pub_ipv4): if(host.pub_ipv4):
self.iptablesnat("-A PREROUTING -d %s -j DNAT --to-destination %s" % (host.pub_ipv4, host.ipv4)) self.iptablesnat("-A PREROUTING -d %s -j DNAT --to-destination %s" % (host.pub_ipv4, host.ipv4))
self.iptablesnat("-A POSTROUTING -s %s -j SNAT --to-source %s" % (host.ipv4, host.pub_ipv4)) self.iptablesnat("-A POSTROUTING -s %s -j SNAT --to-source %s" % (host.ipv4, host.pub_ipv4))
#natolas a vpn-nek #alapertelmezett nat szabalyok a vlanokra
self.iptablesnat("-A POSTROUTING -s 10.1.0.0/16 -o pub -j SNAT --to-source %s" % self.pub.ipv4) for s_vlan in self.vlans:
self.iptablesnat("-A POSTROUTING -s 10.1.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4) if(s_vlan.snat_ip):
for d_vlan in s_vlan.snat_to.all():
#natolas az office-nak self.iptablesnat("-A POSTROUTING -s %s -o %s -j SNAT --to-source %s" % (s_vlan.net_ipv4(), d_vlan.interface, s_vlan.snat_ip))
self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o pub -j SNAT --to-source %s" % self.pub.ipv4)
self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4)
self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT --to-source 10.3.255.254")
self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT --to-source 10.0.0.247")
#natolas a hotspotnak
self.iptablesnat("-A POSTROUTING -s 10.4.0.0/16 -o pub -j SNAT --to-source %s" % self.pub.ipv4)
self.iptablesnat("-A POSTROUTING -s 10.4.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4)
#natolas a labnak
self.iptablesnat("-A POSTROUTING -s 10.7.0.0/16 -o pub -j SNAT --to-source %s" % self.pub.ipv4)
self.iptablesnat("-A POSTROUTING -s 10.7.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4)
#natolas a mannak #bedrotozott szabalyok
self.iptablesnat("-A POSTROUTING -s 10.3.0.0/16 -o pub -j SNAT --to-source %s" % self.pub.ipv4) self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT --to-source 10.3.255.254") #man elerheto legyen
self.iptablesnat("-A POSTROUTING -s 10.3.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4) self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT --to-source 10.0.0.247") #wolf halozat a nyomtatashoz
self.iptablesnat("-A POSTROUTING -s 10.3.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4) #kulonben nemmegy a du
self.iptablesnat("COMMIT") self.iptablesnat("COMMIT")
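Review bot: The new port-forward loop (`for host in self.hosts.filter(pub_ipv4=None)` … `-A PREROUTING -d %s %s -j DNAT`) interpolates `host.vlan.snat_ip` without checking it, and the Vlan model in this commit allows `snat_ip` to be null, so one host on a vlan without an SNAT address yields `-d None` and iptables-restore rejects the whole NAT table. Guard it before the inner loop, e.g. `if not host.vlan.snat_ip: continue`, or log and skip such hosts so one bad row cannot take the firewall reload down. The same line also reuses the operator-editable `rule.extra` text inside a NAT rule; the apparent assumption that it only ever holds `-p … --dport …` is worth stating in a comment there. This method's body starts before the hunk.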
...@@ -213,11 +218,8 @@ class firewall: ...@@ -213,11 +218,8 @@ class firewall:
#vlanok kozotti kommunikacio engedelyezese #vlanok kozotti kommunikacio engedelyezese
for s_vlan in self.vlans: for s_vlan in self.vlans:
for d_vlan in s_vlan.en_dst.all(): for rule in s_vlan.rules.all():
if(d_vlan.name == "PUB"): self.vlan2vlan(s_vlan, rule)
self.iptables("-A %s_%s -g PUB_OUT" % (s_vlan, d_vlan))
else:
self.iptables("-A %s_%s -g LOG_ACC" % (s_vlan, d_vlan))
#zonak kozotti lancokat zarja le #zonak kozotti lancokat zarja le
for s_vlan in self.vlans: for s_vlan in self.vlans:
...@@ -237,6 +239,7 @@ class firewall: ...@@ -237,6 +239,7 @@ class firewall:
self.SZABALYOK=[] self.SZABALYOK=[]
self.IPV6 = IPV6 self.IPV6 = IPV6
self.vlans = models.Vlan.objects.all() self.vlans = models.Vlan.objects.all()
self.hosts = models.Host.objects.all()
self.dmz = models.Vlan.objects.get(name="DMZ") self.dmz = models.Vlan.objects.get(name="DMZ")
self.pub = models.Vlan.objects.get(name="PUB") self.pub = models.Vlan.objects.get(name="PUB")
self.fw = models.Firewall.objects.all() self.fw = models.Firewall.objects.all()
...@@ -252,6 +255,11 @@ class firewall: ...@@ -252,6 +255,11 @@ class firewall:
process = subprocess.Popen(['/usr/bin/ssh', 'fw2', '/usr/bin/sudo', '/sbin/iptables-restore', '-c'], shell=False, stdin=subprocess.PIPE) process = subprocess.Popen(['/usr/bin/ssh', 'fw2', '/usr/bin/sudo', '/sbin/iptables-restore', '-c'], shell=False, stdin=subprocess.PIPE)
process.communicate("\n".join(self.SZABALYOK)+"\n"+"\n".join(self.SZABALYOK_NAT)+"\n") process.communicate("\n".join(self.SZABALYOK)+"\n"+"\n".join(self.SZABALYOK_NAT)+"\n")
def show(self):
if self.IPV6:
return "\n".join(self.SZABALYOK)+"\n"
else:
return "\n".join(self.SZABALYOK)+"\n"+"\n".join(self.SZABALYOK_NAT)+"\n"
...@@ -260,6 +268,11 @@ def dns(): ...@@ -260,6 +268,11 @@ def dns():
regex = re.compile(r'^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$') regex = re.compile(r'^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$')
DNS = [] DNS = []
DNS.append("=cloud.ik.bme.hu:152.66.243.98:600::\n") DNS.append("=cloud.ik.bme.hu:152.66.243.98:600::\n")
#tarokkknak
DNS.append("^%s.dns1.%s.%s.%s.in-addr.arpa:%s:600::\n" % (75, 243, 66, 152, "se.hpc.iit.bme.hu"))
DNS.append("^%s.dns1.%s.%s.%s.in-addr.arpa:%s:600::\n" % (76, 243, 66, 152, "ce.hpc.iit.bme.hu"))
DNS.append("^%s.dns1.%s.%s.%s.in-addr.arpa:%s:600::\n" % (77, 243, 66, 152, "mon.hpc.iit.bme.hu"))
for i_vlan in vlans: for i_vlan in vlans:
m = regex.search(i_vlan.net4) m = regex.search(i_vlan.net4)
if(i_vlan.name != "DMZ" and i_vlan.name != "PUB"): if(i_vlan.name != "DMZ" and i_vlan.name != "PUB"):
......
...@@ -6,15 +6,25 @@ from firewall.fields import * ...@@ -6,15 +6,25 @@ from firewall.fields import *
from south.modelsinspector import add_introspection_rules from south.modelsinspector import add_introspection_rules
class Rule(models.Model): class Rule(models.Model):
# DIRECTION_CH=(('TOHOST', 1), ('FROMHOST', 0)) CHOICES = (('host', 'host'), ('firewall', 'firewall'), ('vlan', 'vlan'))
direction = models.BooleanField() direction = models.BooleanField()
description = models.TextField(blank=True) description = models.TextField(blank=True)
vlan = models.ForeignKey('Vlan') vlan = models.ManyToManyField('Vlan', symmetrical=False, blank=True, null=True)
extra = models.TextField(blank=True); extra = models.TextField(blank=True);
action = models.BooleanField(default=False) action = models.BooleanField(default=False)
owner = models.ForeignKey(User, blank=True, null=True) owner = models.ForeignKey(User, blank=True, null=True)
r_type = models.CharField(max_length=10, choices=CHOICES)
nat = models.BooleanField(default=False)
nat_dport = models.IntegerField();
def __unicode__(self): def __unicode__(self):
return self.description return self.desc()
def desc(self):
return '[' + self.r_type + '] ' + (self.vlan_l() + '->' + self.r_type if self.direction else self.r_type + '->' + self.vlan_l()) + ' ' + self.description
def vlan_l(self):
retval = []
for vl in self.vlan.all():
retval.append(vl.name)
return ', '.join(retval)
class Vlan(models.Model): class Vlan(models.Model):
vid = models.IntegerField(unique=True) vid = models.IntegerField(unique=True)
...@@ -26,19 +36,29 @@ class Vlan(models.Model): ...@@ -26,19 +36,29 @@ class Vlan(models.Model):
net6 = models.GenericIPAddressField(protocol='ipv6', unique=True) net6 = models.GenericIPAddressField(protocol='ipv6', unique=True)
ipv4 = models.GenericIPAddressField(protocol='ipv4', unique=True) ipv4 = models.GenericIPAddressField(protocol='ipv4', unique=True)
ipv6 = models.GenericIPAddressField(protocol='ipv6', unique=True) ipv6 = models.GenericIPAddressField(protocol='ipv6', unique=True)
en_dst = models.ManyToManyField('self', symmetrical=False, blank=True, null=True) snat_ip = models.GenericIPAddressField(protocol='ipv4', blank=True, null=True)
snat_to = models.ManyToManyField('self', symmetrical=False, blank=True, null=True)
rules = models.ManyToManyField('Rule', related_name="%(app_label)s_%(class)s_related", symmetrical=False, blank=True, null=True)
description = models.TextField(blank=True) description = models.TextField(blank=True)
comment = models.TextField(blank=True) comment = models.TextField(blank=True)
domain = models.TextField(blank=True, validators=[val_domain]) domain = models.TextField(blank=True, validators=[val_domain])
dhcp_pool = models.TextField(blank=True) dhcp_pool = models.TextField(blank=True)
def __unicode__(self): def __unicode__(self):
return self.name return self.name
def en_dst_vlan(self):
return self.en_dst.all()
def net_ipv6(self): def net_ipv6(self):
return self.net6 + "/" + str(self.prefix6) return self.net6 + "/" + str(self.prefix6)
def net_ipv4(self): def net_ipv4(self):
return self.net4 + "/" + str(self.prefix4) return self.net4 + "/" + str(self.prefix4)
def rules_l(self):
retval = []
for rl in self.rules.all():
retval.append(str(rl))
return ', '.join(retval)
def snat_to_l(self):
retval = []
for rl in self.snat_to.all():
retval.append(str(rl))
return ', '.join(retval)
class Group(models.Model): class Group(models.Model):
name = models.CharField(max_length=20, unique=True) name = models.CharField(max_length=20, unique=True)
...@@ -73,7 +93,7 @@ class Host(models.Model): ...@@ -73,7 +93,7 @@ class Host(models.Model):
def rules_l(self): def rules_l(self):
retval = [] retval = []
for rl in self.rules.all(): for rl in self.rules.all():
retval.append(rl.description) retval.append(str(rl))
return ', '.join(retval) return ', '.join(retval)
......
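Review bot: `nat_dport = models.IntegerField();` on `Rule` is neither optional nor range-checked, yet `nat` defaults to False, so every non-NAT rule (and, likely, every existing row when the schema migrates) must carry a meaningless port, and a value outside 1–65535 is only caught when iptables-restore fails on the generated `--dport`. Consider `nat_dport = models.IntegerField(blank=True, null=True)` with a 1–65535 range validator, and a `clean()` check that `nat_dport` is set whenever `nat=True`. The `null=True` on the `vlan` ManyToManyField has no effect for M2M fields and can be dropped.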
...@@ -3,6 +3,12 @@ from django.http import HttpResponse ...@@ -3,6 +3,12 @@ from django.http import HttpResponse
from django.shortcuts import render_to_response from django.shortcuts import render_to_response
from firewall.models import * from firewall.models import *
from firewall.fw import * from firewall.fw import *
from django.views.decorators.csrf import csrf_exempt
from django.db import IntegrityError
import base64
import json
import sys
def reload_firewall(request): def reload_firewall(request):
if request.user.is_authenticated(): if request.user.is_authenticated():
...@@ -11,6 +17,7 @@ def reload_firewall(request): ...@@ -11,6 +17,7 @@ def reload_firewall(request):
try: try:
print "ipv4" print "ipv4"
ipv4 = firewall() ipv4 = firewall()
# html += ipv4.show()
ipv4.reload() ipv4.reload()
print "ipv6" print "ipv6"
ipv6 = firewall(True) ipv6 = firewall(True)
...@@ -20,10 +27,47 @@ def reload_firewall(request): ...@@ -20,10 +27,47 @@ def reload_firewall(request):
print "dhcp" print "dhcp"
dhcp() dhcp()
print "vege" print "vege"
html += "<br>sikerult :)"
except: except:
raise
html += "<br>nem sikerult :(" html += "<br>nem sikerult :("
else: else:
html = u"Be vagy jelentkezve, csak nem vagy admin, kedves %s!" % request.user.username html = u"Be vagy jelentkezve, csak nem vagy admin, kedves %s!" % request.user.username
else: else:
html = u"Nem vagy bejelentkezve, kedves ismeretlen!" html = u"Nem vagy bejelentkezve, kedves ismeretlen!"
return HttpResponse(html) return HttpResponse(html)
@csrf_exempt
def firewall_api(request):
if request.method == 'POST':
try:
data=json.loads(base64.b64decode(request.POST["data"]))
command = request.POST["command"]
if(command != "create" and command != "destroy"):
raise Exception("bajvan")
if(command == "create"):
# data = {"hostname": "hello", "vlan": "dmz", "mac": "00:90:78:83:56:7f", "ip": "10.2.1.99", "description": "teszt", "portforward": [{"sport": 5353, "dport": "4949", "proto": "tcp"}]}
data["owner"] = "tarokkk"
owner = auth.models.User.objects.get(username=data["owner"])
host = models.Host(hostname=data["hostname"], vlan=models.Vlan.objects.get(name=data["vlan"]), mac=data["mac"], ipv4=data["ip"], owner=owner, description=data["description"])
host.save()
for p in data["portforward"]:
proto = "tcp" if (p["proto"] == "tcp") else "udp"
rule = models.Rule(direction=True, owner=owner, description="%s %s %s->%s" % (data["hostname"], proto, p["sport"], p["dport"]), extra = "-p %s --dport %s" % (proto, int(p["sport"])), nat=True, action=True, r_type="host", nat_dport=int(p["dport"]))
rule.save()
rule.vlan.add(models.Vlan.objects.get(name="PUB"))
host.rules.add(rule)
except (ValidationError, IntegrityError, AttributeError) as e:
return HttpResponse(u"rosszul hasznalod! :(\n%s\n" % e);
except:
raise
return HttpResponse(u"rosszul hasznalod! :(\n");
return HttpResponse(u"ok");
for r in models.Rule.objects.filter(r_type="host"):
print [r.host_set.all(), r.group_set.all()]
print "VEGE"
return HttpResponse(u"ez kerlek egy api lesz!\n");
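Review bot: `firewall_api` is `@csrf_exempt` and performs no authentication or authorization, so any client that can reach `/fwapi/` can create a Host on an arbitrary vlan and attach `nat=True` rules that open ports from PUB, with the owner hard-coded to `"tarokkk"`; contrast `reload_firewall`, which at least checks `request.user.is_authenticated()`. At minimum require an authenticated privileged user or a shared secret before touching the models, e.g. `if not request.user.is_authenticated(): return HttpResponse(u"Nem vagy bejelentkezve!", status=403)`. The bare `except: raise` (here and in `reload_firewall`) also makes the following `return HttpResponse(u"rosszul hasznalod! :(\n")` unreachable and turns malformed input into a server error, and the `destroy` command currently does nothing yet still answers `ok`. Presumably the debugging prints after the POST branch are not meant to ship.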