Commit
0731aa4e
authored
Aug 15, 2014
by
Bach Dániel
Merge branch 'firewall-fixes' into 'master'
Firewall Fixes
parents
601f4803
048d3e30
Showing
4 changed files
with
32 additions
and
9 deletions
+32
-9
circle/firewall/fw.py
+18
-6
circle/firewall/iptables.py
+1
-1
circle/firewall/models.py
+7
-1
circle/firewall/templates/firewall/iptables.conf
+6
-1
circle/firewall/fw.py
...
...
@@ -62,6 +62,15 @@ class BuildFirewall:
extra
=
'-j DNAT --to-destination
%
s:
%
s'
%
(
rule
.
host
.
ipv4
,
rule
.
dport
)))
# SNAT rules for machines with public IPv4
for
host
in
Host
.
objects
.
exclude
(
external_ipv4
=
None
)
.
select_related
(
'vlan'
)
.
prefetch_related
(
'vlan__snat_to'
):
for
vl_out
in
host
.
vlan
.
snat_to
.
all
():
self
.
add_rules
(
POSTROUTING
=
IptRule
(
priority
=
1500
,
src
=
(
host
.
ipv4
,
None
),
extra
=
'-o
%
s -j SNAT --to-source
%
s'
%
(
vl_out
.
name
,
host
.
external_ipv4
)))
# default outbound NAT rules for VLANs
for
vl_in
in
Vlan
.
objects
.
exclude
(
snat_ip
=
None
)
.
prefetch_related
(
'snat_to'
):
...
...
@@ -183,9 +192,12 @@ def generate_ptr_records():
for
host
in
Host
.
objects
.
order_by
(
'vlan'
)
.
all
():
template
=
host
.
vlan
.
reverse_domain
i
=
host
.
get_external_ipv4
()
.
words
reverse
=
(
host
.
reverse
if
host
.
reverse
not
in
[
None
,
''
]
else
host
.
get_fqdn
())
if
not
host
.
shared_ip
and
host
.
external_ipv4
:
# DMZ
i
=
host
.
external_ipv4
.
words
reverse
=
host
.
get_hostname
(
'ipv4'
,
public
=
True
)
else
:
i
=
host
.
ipv4
.
words
reverse
=
host
.
get_hostname
(
'ipv4'
,
public
=
False
)
# ipv4
if
host
.
ipv4
:
...
...
@@ -194,7 +206,7 @@ def generate_ptr_records():
# ipv6
if
host
.
ipv6
:
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
host
.
ipv6
.
reverse_dns
,
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
host
.
ipv6
.
reverse_dns
.
rstrip
(
'.'
)
,
reverse
,
settings
[
'dns_ttl'
]))
return
DNS
...
...
@@ -211,14 +223,14 @@ def generate_records():
'CNAME'
:
'C
%(fqdn)
s:
%(address)
s:
%(ttl)
s'
,
'MX'
:
'@
%(fqdn)
s::
%(address)
s:
%(dist)
s:
%(ttl)
s'
,
'PTR'
:
'^
%(fqdn)
s:
%(address)
s:
%(ttl)
s'
,
'TXT'
:
'
%(fqdn)
s:
%(octal)
s:
%(ttl)
s'
}
'TXT'
:
"'
%(fqdn)
s:
%(octal)
s:
%(ttl)
s"
}
retval
=
[]
for
r
in
Record
.
objects
.
all
():
params
=
{
'fqdn'
:
r
.
fqdn
,
'address'
:
r
.
address
,
'ttl'
:
r
.
ttl
}
if
r
.
type
==
'MX'
:
params
[
'
address'
],
params
[
'dist
'
]
=
r
.
address
.
split
(
':'
,
2
)
params
[
'
dist'
],
params
[
'address
'
]
=
r
.
address
.
split
(
':'
,
2
)
if
r
.
type
==
'AAAA'
:
try
:
params
[
'octal'
]
=
ipv6_to_octal
(
r
.
address
)
...
...
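Review bot: In the generate_ptr_records hunk the `else` branch dereferences `host.ipv4.words` unconditionally, yet the `# ipv4` / `if host.ipv4:` guard that follows it (and the `if self.ipv4 is not None:` test in circle/firewall/models.py) shows ipv4 can be None, so such a host now raises AttributeError instead of being skipped; the removed `host.get_external_ipv4()` presumably tolerated that case. Hoisting the guard ahead of the branch, `if not host.ipv4: continue`, or computing `i` only inside the existing `if host.ipv4:` block, avoids it. In the generate_records hunk, `params['dist'], params['address'] = r.address.split(':', 2)` yields three items when the address contains two or more colons and the two-target unpack then raises ValueError; `split(':', 1)` matches the two-field intent. Both functions start and end outside their hunks.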
circle/firewall/iptables.py
...
...
@@ -22,7 +22,7 @@ from collections import OrderedDict
logger
=
logging
.
getLogger
()
ipv4_re
=
re
.
compile
(
r'
^
(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}'
)
r'(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}'
)
class
InvalidRuleExcepion
(
Exception
):
...
...
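Review bot: `ipv4_re` is now anchored at the start but not at the end, so input such as `1.2.3.4.5` or `10.0.0.1 junk` still matches unless every caller uses `fullmatch` (the callers are outside this hunk). Closing the pattern, `r'^(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}$'`, makes the check exact whether `match` or `search` is used. `$` still tolerates one trailing newline; use `\Z` if the value can come from a line-oriented source.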
circle/firewall/models.py
...
...
@@ -575,10 +575,14 @@ class Host(models.Model):
# IPv4
if
self
.
ipv4
is
not
None
:
if
not
self
.
shared_ip
and
self
.
external_ipv4
:
# DMZ
ipv4
=
self
.
external_ipv4
else
:
ipv4
=
self
.
ipv4
# update existing records
affected_records
=
Record
.
objects
.
filter
(
host
=
self
,
name
=
self
.
hostname
,
type
=
'A'
)
.
update
(
address
=
self
.
ipv4
)
type
=
'A'
)
.
update
(
address
=
ipv4
)
# create new record
if
affected_records
==
0
:
Record
(
host
=
self
,
...
...
@@ -714,6 +718,8 @@ class Host(models.Model):
:type proto: str.
"""
assert
proto
in
(
'ipv6'
,
'ipv4'
,
)
if
self
.
reverse
:
return
self
.
reverse
try
:
if
proto
==
'ipv6'
:
res
=
self
.
record_set
.
filter
(
type
=
'AAAA'
,
...
...
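Review bot: The new early return in `get_hostname` hands back `self.reverse` before the `proto` / `public` distinction is applied, so a host with a reverse name configured gets that one name for the public and the private lookup and for both protocols; if that is intended, the docstring (its start is outside the hunk) should say so, e.g. `An explicitly configured ``reverse`` name overrides the lookup for every proto/public combination.` The `assert proto in (...)` on the line before is pre-existing, but it is now the only validation ahead of the early return and disappears under `python -O`; raising `ValueError` would keep the check. The function's body continues past the hunk.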
circle/firewall/templates/firewall/iptables.conf
...
...
@@ -35,7 +35,7 @@ COMMIT
{%
if
proto
==
"ipv4"
%}
-
A
FORWARD
-
p
icmp
--
icmp
-
type
echo
-
request
-
g
LOG_ACC
{%
else
%}
-
A
FORWARD
-
p
icmpv6
-
-
icmpv6
-
type
echo
-
request
-
g
LOG_ACC
-
A
FORWARD
-
p
icmpv6
-
g
LOG_ACC
{%
endif
%}
# initialize INPUT chain
...
...
@@ -45,6 +45,11 @@ COMMIT
-
A
INPUT
-
m
state
--
state
INVALID
-
g
LOG_DROP
-
A
INPUT
-
i
lo
-
j
ACCEPT
-
A
INPUT
-
m
state
--
state
ESTABLISHED
,
RELATED
-
j
ACCEPT
{%
if
proto
==
"ipv4"
%}
-
A
INPUT
-
p
icmp
--
icmp
-
type
echo
-
request
-
g
LOG_ACC
{%
else
%}
-
A
INPUT
-
p
icmpv6
-
g
LOG_ACC
{%
endif
%}
# initialize OUTPUT chain
-
A
OUTPUT
-
m
state
--
state
INVALID
-
g
LOG_DROP
...
...
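Review bot: The IPv6 branches in both hunks admit every ICMPv6 type on FORWARD and INPUT (`-A FORWARD -p icmpv6 -g LOG_ACC`, `-A INPUT -p icmpv6 -g LOG_ACC`), which is broader than the IPv4 side that allows only echo-request. Some ICMPv6 types are required for the protocol to function (neighbour discovery, packet-too-big for PMTU), so an echo-request-only rule would be too narrow, but an explicit allow-list with `--icmpv6-type` along the lines of RFC 4890 keeps types such as redirects and router advertisements from being forwarded through the firewall. At minimum a template comment saying why all of ICMPv6 is admitted would help the next reader, `# ICMPv6 allowed wholesale: NDP and PMTU discovery break without it`.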