port forward as typical rule

cloud/urls.py

@@ -16,4 +16,5 @@ urlpatterns = patterns('',
      url(r'^vm/show/(?P<iid>\d+)/$', 'one.views.vm_show', name='vm_show'),
      url(r'^vm/delete/(?P<iid>\d+)/$', 'one.views.vm_delete', name='vm_delete'),
      url(r'^reload/$', 'firewall.views.reload_firewall', name='reload_firewall'),
+     url(r'^fwapi/$', 'firewall.views.firewall_api', name='firewall_api'),
 )

firewall/admin.py

@@ -7,11 +7,11 @@ class HostAdmin(admin.ModelAdmin):
     ordering = ('-hostname',)
 
 class VlanAdmin(admin.ModelAdmin):
-    list_display = ('vid', 'name', 'en_dst_vlan', 'ipv4', 'net_ipv4', 'ipv6', 'net_ipv6', 'description', 'domain')
+    list_display = ('vid', 'name', 'rules_l', 'ipv4', 'net_ipv4', 'ipv6', 'net_ipv6', 'description', 'domain', 'snat_ip', 'snat_to_l')
     ordering = ('-vid',)
 
 class RuleAdmin(admin.ModelAdmin):
-    list_display = ('description', 'vlan', 'extra', 'direction', 'action')
+    list_display = ('r_type', 'desc', 'description', 'vlan_l', 'owner', 'extra', 'direction', 'action', 'nat', 'nat_dport')
 
 admin.site.register(Host, HostAdmin)
 admin.site.register(Vlan, VlanAdmin)

firewall/fw.py

@@ -21,6 +21,7 @@ class firewall:
 	vlans = None
 	dmz = None
 	pub = None
+	hosts = None
 	fw = None
 
 	def iptables(self, s):
@@ -35,39 +36,46 @@ class firewall:
 		else:
 			ipaddr = host.ipv4
 
-		action = "LOG_DROP"
-		if(rule.action):
-			if((not rule.direction) and rule.vlan.name == "PUB"):
-				action = "PUB_OUT"
-			else:
-				action = "LOG_ACC"
-
-		if(rule.direction): #HOSTHOZ megy
-			self.iptables("-A %s_%s -d %s %s -g %s" % (rule.vlan, host.vlan, ipaddr, rule.extra, action));
-		else:
-			self.iptables("-A %s_%s -s %s %s -g %s" % (host.vlan, rule.vlan, ipaddr, rule.extra, action));
+		extra = rule.extra
+		if(rule.nat and rule.direction):
+			extra = re.sub(r'--dport [0-9]+', '--dport %i' %rule.nat_dport, rule.extra)
 
-	def fw2vlan(self, rule):
-		snet=None
-	
-		if(self.IPV6):
-			if((not rule.direction) and rule.vlan.name == "PUB"):
-				snet = "::0/0"
+		for vlan in rule.vlan.all():
+			if(rule.action):
+				if((not rule.direction) and vlan.name == "PUB"):
+					action = "PUB_OUT"
+				else:
+					action = "LOG_ACC"
 			else:
-				snet = rule.vlan.net6 + "/" + str(rule.vlan.prefix6)
-		else:
-			if((rule.direction) and rule.vlan.name == "PUB"):
-				snet = "0.0.0.0/0"
+				action = "LOG_DROP"
+
+			if(rule.direction): #HOSTHOZ megy
+				self.iptables("-A %s_%s -d %s %s -g %s" % (vlan, host.vlan, ipaddr, extra, action));
 			else:
-				snet = rule.vlan.net4 + "/" + str(rule.vlan.prefix4)
+				self.iptables("-A %s_%s -s %s %s -g %s" % (host.vlan, vlan, ipaddr, extra, action));
 
 
-		if(rule.direction): #HOSTHOZ megy
-#			self.iptables("-A INPUT -i %s -s: %s %s -m state --state NEW -g %s" % (rule.vlan.interface, snet, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP"));
-			self.iptables("-A INPUT -i %s %s -g %s" % (rule.vlan.interface, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP"));
-		else:
-			self.iptables("-A OUTPUT -o %s %s -g %s" % (rule.vlan.interface, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP"));
+	def fw2vlan(self, rule):	
+		for vlan in rule.vlan.all():
+			if(rule.direction): #HOSTHOZ megy
+				self.iptables("-A INPUT -i %s %s -g %s" % (vlan.interface, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP"));
+			else:
+				self.iptables("-A OUTPUT -o %s %s -g %s" % (vlan.interface, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP"));
+
+	def vlan2vlan(self, l_vlan, rule):
+		for vlan in rule.vlan.all():
+			if(rule.action):
+				if((not rule.direction) and vlan.name == "PUB"):
+					action = "PUB_OUT"
+				else:
+					action = "LOG_ACC"
+			else:
+				action = "LOG_DROP"
 
+			if(rule.direction): #HOSTHOZ megy
+				self.iptables("-A %s_%s %s -g %s" % (vlan, l_vlan, rule.extra, action));
+			else:
+				self.iptables("-A %s_%s %s -g %s" % (l_vlan, vlan, rule.extra, action));			
 
 
 	def prerun(self):
@@ -155,32 +163,29 @@ class firewall:
 		self.iptablesnat(":OUTPUT ACCEPT [1:708]")
 		self.iptablesnat(":POSTROUTING ACCEPT [1:708]")
 
-		for host in self.dmz.host_set.all():
+
+		#portforward
+		for host in self.hosts.filter(pub_ipv4=None):
+			for rule in host.rules.filter(nat=True, direction=True):
+				self.iptablesnat("-A PREROUTING -d %s %s -j DNAT --to-destination %s:%s" % (host.vlan.snat_ip, rule.extra, host.ipv4, rule.nat_dport))
+
+		#sajat publikus ipvel rendelkezo gepek szabalyai
+		for host in self.hosts:
 			if(host.pub_ipv4):
 				self.iptablesnat("-A PREROUTING -d %s -j DNAT --to-destination %s" % (host.pub_ipv4, host.ipv4))
 				self.iptablesnat("-A POSTROUTING -s %s -j SNAT --to-source %s" % (host.ipv4, host.pub_ipv4))
 
-		#natolas a vpn-nek
-		self.iptablesnat("-A POSTROUTING -s 10.1.0.0/16 -o pub -j SNAT --to-source %s" % self.pub.ipv4)
-		self.iptablesnat("-A POSTROUTING -s 10.1.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4)
-
-		#natolas az office-nak
-		self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o pub -j SNAT --to-source %s" % self.pub.ipv4)
-		self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4)
-		self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT --to-source 10.3.255.254")
-		self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT --to-source 10.0.0.247")
+		#alapertelmezett nat szabalyok a vlanokra
+		for s_vlan in self.vlans:
+			if(s_vlan.snat_ip):
+				for d_vlan in s_vlan.snat_to.all():
+					self.iptablesnat("-A POSTROUTING -s %s -o %s -j SNAT --to-source %s" % (s_vlan.net_ipv4(), d_vlan.interface, s_vlan.snat_ip))
 
-		#natolas a hotspotnak
-		self.iptablesnat("-A POSTROUTING -s 10.4.0.0/16 -o pub -j SNAT --to-source %s" % self.pub.ipv4)
-		self.iptablesnat("-A POSTROUTING -s 10.4.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4)
 
-		#natolas a labnak
-		self.iptablesnat("-A POSTROUTING -s 10.7.0.0/16 -o pub -j SNAT --to-source %s" % self.pub.ipv4)
-		self.iptablesnat("-A POSTROUTING -s 10.7.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4)
-		
-		#natolas a mannak
-		self.iptablesnat("-A POSTROUTING -s 10.3.0.0/16 -o pub -j SNAT --to-source %s" % self.pub.ipv4)
-		self.iptablesnat("-A POSTROUTING -s 10.3.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4)
+		#bedrotozott szabalyok
+		self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT --to-source 10.3.255.254") #man elerheto legyen
+		self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT --to-source 10.0.0.247") #wolf halozat a nyomtatashoz
+		self.iptablesnat("-A POSTROUTING -s 10.3.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4) #kulonben nemmegy a du
 
 		self.iptablesnat("COMMIT")
 
@@ -213,11 +218,8 @@ class firewall:
 
 		#vlanok kozotti kommunikacio engedelyezese
 		for s_vlan in self.vlans:
-			for d_vlan in s_vlan.en_dst.all():
-				if(d_vlan.name == "PUB"):
-					self.iptables("-A %s_%s -g PUB_OUT" % (s_vlan, d_vlan))
-				else:
-					self.iptables("-A %s_%s -g LOG_ACC" % (s_vlan, d_vlan))
+			for rule in s_vlan.rules.all():
+				self.vlan2vlan(s_vlan, rule)
 
 		#zonak kozotti lancokat zarja le
 		for s_vlan in self.vlans:
@@ -237,6 +239,7 @@ class firewall:
 		self.SZABALYOK=[]
 		self.IPV6 = IPV6
 		self.vlans = models.Vlan.objects.all()
+		self.hosts = models.Host.objects.all()
 		self.dmz = models.Vlan.objects.get(name="DMZ")
 		self.pub = models.Vlan.objects.get(name="PUB")
 		self.fw = models.Firewall.objects.all()
@@ -252,6 +255,11 @@ class firewall:
 			process = subprocess.Popen(['/usr/bin/ssh', 'fw2', '/usr/bin/sudo', '/sbin/iptables-restore', '-c'], shell=False, stdin=subprocess.PIPE)
 			process.communicate("\n".join(self.SZABALYOK)+"\n"+"\n".join(self.SZABALYOK_NAT)+"\n")
 
+	def show(self):
+		if self.IPV6:
+			return "\n".join(self.SZABALYOK)+"\n"
+		else:
+			return "\n".join(self.SZABALYOK)+"\n"+"\n".join(self.SZABALYOK_NAT)+"\n"
 
 
 
@@ -260,6 +268,11 @@ def dns():
 	regex = re.compile(r'^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$')
 	DNS = []
 	DNS.append("=cloud.ik.bme.hu:152.66.243.98:600::\n")
+#tarokkknak
+	DNS.append("^%s.dns1.%s.%s.%s.in-addr.arpa:%s:600::\n" % (75, 243, 66, 152, "se.hpc.iit.bme.hu"))
+	DNS.append("^%s.dns1.%s.%s.%s.in-addr.arpa:%s:600::\n" % (76, 243, 66, 152, "ce.hpc.iit.bme.hu"))
+	DNS.append("^%s.dns1.%s.%s.%s.in-addr.arpa:%s:600::\n" % (77, 243, 66, 152, "mon.hpc.iit.bme.hu"))
+
 	for i_vlan in vlans:
 		m = regex.search(i_vlan.net4)
 		if(i_vlan.name != "DMZ" and i_vlan.name != "PUB"):

firewall/models.py

@@ -6,15 +6,25 @@ from firewall.fields import *
 from south.modelsinspector import add_introspection_rules
 
 class Rule(models.Model):
-#     DIRECTION_CH=(('TOHOST', 1), ('FROMHOST', 0))
+     CHOICES = (('host', 'host'), ('firewall', 'firewall'), ('vlan', 'vlan'))
      direction = models.BooleanField()
      description = models.TextField(blank=True)
-     vlan = models.ForeignKey('Vlan')
+     vlan = models.ManyToManyField('Vlan', symmetrical=False, blank=True, null=True)
      extra = models.TextField(blank=True);
      action = models.BooleanField(default=False)
      owner = models.ForeignKey(User, blank=True, null=True)
+     r_type = models.CharField(max_length=10, choices=CHOICES)
+     nat = models.BooleanField(default=False)
+     nat_dport = models.IntegerField();
      def __unicode__(self):
-        return self.description
+        return self.desc()
+     def desc(self):
+	return '[' + self.r_type + '] ' + (self.vlan_l() + '->' + self.r_type if self.direction else self.r_type + '->' + self.vlan_l()) + ' ' + self.description
+     def vlan_l(self):
+	retval = []
+	for vl in self.vlan.all():
+		retval.append(vl.name)
+	return ', '.join(retval)
 
 class Vlan(models.Model):
     vid = models.IntegerField(unique=True)
@@ -26,19 +36,29 @@ class Vlan(models.Model):
     net6 = models.GenericIPAddressField(protocol='ipv6', unique=True)
     ipv4 = models.GenericIPAddressField(protocol='ipv4', unique=True)
     ipv6 = models.GenericIPAddressField(protocol='ipv6', unique=True)
-    en_dst = models.ManyToManyField('self', symmetrical=False, blank=True, null=True)
+    snat_ip = models.GenericIPAddressField(protocol='ipv4', blank=True, null=True)
+    snat_to = models.ManyToManyField('self', symmetrical=False, blank=True, null=True)
+    rules = models.ManyToManyField('Rule', related_name="%(app_label)s_%(class)s_related", symmetrical=False, blank=True, null=True)
     description = models.TextField(blank=True)
     comment = models.TextField(blank=True)
     domain = models.TextField(blank=True, validators=[val_domain])
     dhcp_pool = models.TextField(blank=True)
     def __unicode__(self):
         return self.name
-    def en_dst_vlan(self):
-        return self.en_dst.all()
     def net_ipv6(self):
 	return self.net6 + "/" + str(self.prefix6)
     def net_ipv4(self):
 	return self.net4 + "/" + str(self.prefix4)
+    def rules_l(self):
+	retval = []
+	for rl in self.rules.all():
+		retval.append(str(rl))
+	return ', '.join(retval)
+    def snat_to_l(self):
+	retval = []
+	for rl in self.snat_to.all():
+		retval.append(str(rl))
+	return ', '.join(retval)
 
 class Group(models.Model):
     name = models.CharField(max_length=20, unique=True)
@@ -73,7 +93,7 @@ class Host(models.Model):
     def rules_l(self):
 	retval = []
 	for rl in self.rules.all():
-		retval.append(rl.description)
+		retval.append(str(rl))
 	return ', '.join(retval)
 		
 

firewall/views.py

@@ -3,6 +3,12 @@ from django.http import HttpResponse
 from django.shortcuts import render_to_response
 from firewall.models import *
 from firewall.fw import *
+from django.views.decorators.csrf import csrf_exempt              
+from django.db import IntegrityError               
+
+import base64
+import json
+import sys
 
 def reload_firewall(request):
 	if request.user.is_authenticated():
@@ -11,6 +17,7 @@ def reload_firewall(request):
 			try:
 				print "ipv4"
 				ipv4 = firewall()
+#				html += ipv4.show()
 				ipv4.reload()
 				print "ipv6"
 				ipv6 = firewall(True)
@@ -20,10 +27,47 @@ def reload_firewall(request):
 				print "dhcp"
 				dhcp()
 				print "vege"
+				html += "<br>sikerult :)"
 			except:
+				raise
 				html += "<br>nem sikerult :("
 		else:
 			html = u"Be vagy jelentkezve, csak nem vagy admin, kedves %s!" % request.user.username
 	else:
 		html = u"Nem vagy bejelentkezve, kedves ismeretlen!"
 	return HttpResponse(html)
+
+@csrf_exempt
+def firewall_api(request):
+	if request.method == 'POST':
+		try:
+			data=json.loads(base64.b64decode(request.POST["data"]))
+			command = request.POST["command"]
+			if(command != "create" and command != "destroy"):
+				raise Exception("bajvan")
+			if(command == "create"):
+#				data = {"hostname": "hello", "vlan": "dmz", "mac": "00:90:78:83:56:7f", "ip": "10.2.1.99", "description": "teszt", "portforward": [{"sport": 5353, "dport": "4949", "proto": "tcp"}]}
+				data["owner"] = "tarokkk"
+				owner = auth.models.User.objects.get(username=data["owner"])
+				host = models.Host(hostname=data["hostname"], vlan=models.Vlan.objects.get(name=data["vlan"]), mac=data["mac"], ipv4=data["ip"], owner=owner, description=data["description"])
+				host.save()
+				for p in data["portforward"]:
+					proto = "tcp" if (p["proto"] == "tcp") else "udp"
+					rule = models.Rule(direction=True, owner=owner, description="%s %s %s->%s" % (data["hostname"], proto, p["sport"], p["dport"]), extra = "-p %s --dport %s" % (proto, int(p["sport"])), nat=True, action=True, r_type="host", nat_dport=int(p["dport"]))
+					rule.save()
+					rule.vlan.add(models.Vlan.objects.get(name="PUB"))
+					host.rules.add(rule)
+
+		except (ValidationError, IntegrityError, AttributeError) as e:
+			return HttpResponse(u"rosszul hasznalod! :(\n%s\n" % e);
+		except:
+			raise
+			return HttpResponse(u"rosszul hasznalod! :(\n");
+		
+		return HttpResponse(u"ok");
+
+	for r in models.Rule.objects.filter(r_type="host"):
+		print [r.host_set.all(), r.group_set.all()]
+		print "VEGE"
+	return HttpResponse(u"ez kerlek egy api lesz!\n");
+