Skip to content
Toggle navigation
P
Projects
G
Groups
S
Snippets
Help
Gelencsér Szabolcs
/
cloud
This project
Loading...
Sign in
Toggle navigation
Go to a project
Project
Repository
Issues
0
Merge Requests
0
Pipelines
Wiki
Members
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Commit
e6dd3a56
authored
Dec 19, 2012
by
root
Committed by
Őry Máté
Dec 25, 2012
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
port forward as typical rule
parent
3ae7502b
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
139 additions
and
61 deletions
+139
-61
cloud/urls.py
+1
-0
firewall/admin.py
+2
-2
firewall/fw.py
+65
-52
firewall/models.py
+27
-7
firewall/views.py
+44
-0
No files found.
cloud/urls.py
View file @
e6dd3a56
...
...
@@ -16,4 +16,5 @@ urlpatterns = patterns('',
url
(
r'^vm/show/(?P<iid>\d+)/$'
,
'one.views.vm_show'
,
name
=
'vm_show'
),
url
(
r'^vm/delete/(?P<iid>\d+)/$'
,
'one.views.vm_delete'
,
name
=
'vm_delete'
),
url
(
r'^reload/$'
,
'firewall.views.reload_firewall'
,
name
=
'reload_firewall'
),
url
(
r'^fwapi/$'
,
'firewall.views.firewall_api'
,
name
=
'firewall_api'
),
)
firewall/admin.py
View file @
e6dd3a56
...
...
@@ -7,11 +7,11 @@ class HostAdmin(admin.ModelAdmin):
ordering
=
(
'-hostname'
,)
class
VlanAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'vid'
,
'name'
,
'
en_dst_vlan'
,
'ipv4'
,
'net_ipv4'
,
'ipv6'
,
'net_ipv6'
,
'description'
,
'domain
'
)
list_display
=
(
'vid'
,
'name'
,
'
rules_l'
,
'ipv4'
,
'net_ipv4'
,
'ipv6'
,
'net_ipv6'
,
'description'
,
'domain'
,
'snat_ip'
,
'snat_to_l
'
)
ordering
=
(
'-vid'
,)
class
RuleAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'
description'
,
'vlan'
,
'extra'
,
'direction'
,
'action
'
)
list_display
=
(
'
r_type'
,
'desc'
,
'description'
,
'vlan_l'
,
'owner'
,
'extra'
,
'direction'
,
'action'
,
'nat'
,
'nat_dport
'
)
admin
.
site
.
register
(
Host
,
HostAdmin
)
admin
.
site
.
register
(
Vlan
,
VlanAdmin
)
...
...
firewall/fw.py
View file @
e6dd3a56
...
...
@@ -21,6 +21,7 @@ class firewall:
vlans
=
None
dmz
=
None
pub
=
None
hosts
=
None
fw
=
None
def
iptables
(
self
,
s
):
...
...
@@ -35,39 +36,46 @@ class firewall:
else
:
ipaddr
=
host
.
ipv4
action
=
"LOG_DROP"
if
(
rule
.
action
):
if
((
not
rule
.
direction
)
and
rule
.
vlan
.
name
==
"PUB"
):
action
=
"PUB_OUT"
else
:
action
=
"LOG_ACC"
if
(
rule
.
direction
):
#HOSTHOZ megy
self
.
iptables
(
"-A
%
s_
%
s -d
%
s
%
s -g
%
s"
%
(
rule
.
vlan
,
host
.
vlan
,
ipaddr
,
rule
.
extra
,
action
));
else
:
self
.
iptables
(
"-A
%
s_
%
s -s
%
s
%
s -g
%
s"
%
(
host
.
vlan
,
rule
.
vlan
,
ipaddr
,
rule
.
extra
,
action
));
extra
=
rule
.
extra
if
(
rule
.
nat
and
rule
.
direction
):
extra
=
re
.
sub
(
r'--dport [0-9]+'
,
'--dport
%
i'
%
rule
.
nat_dport
,
rule
.
extra
)
def
fw2vlan
(
self
,
rule
):
snet
=
None
if
(
self
.
IPV6
):
if
((
not
rule
.
direction
)
and
rule
.
vlan
.
name
==
"PUB"
)
:
snet
=
"::0/0
"
for
vlan
in
rule
.
vlan
.
all
(
):
if
(
rule
.
action
):
if
((
not
rule
.
direction
)
and
vlan
.
name
==
"PUB"
):
action
=
"PUB_OUT"
else
:
action
=
"LOG_ACC
"
else
:
snet
=
rule
.
vlan
.
net6
+
"/"
+
str
(
rule
.
vlan
.
prefix6
)
else
:
if
(
(
rule
.
direction
)
and
rule
.
vlan
.
name
==
"PUB"
):
s
net
=
"0.0.0.0/0"
action
=
"LOG_DROP"
if
(
rule
.
direction
):
#HOSTHOZ megy
s
elf
.
iptables
(
"-A
%
s_
%
s -d
%
s
%
s -g
%
s"
%
(
vlan
,
host
.
vlan
,
ipaddr
,
extra
,
action
));
else
:
s
net
=
rule
.
vlan
.
net4
+
"/"
+
str
(
rule
.
vlan
.
prefix4
)
s
elf
.
iptables
(
"-A
%
s_
%
s -s
%
s
%
s -g
%
s"
%
(
host
.
vlan
,
vlan
,
ipaddr
,
extra
,
action
));
if
(
rule
.
direction
):
#HOSTHOZ megy
# self.iptables("-A INPUT -i %s -s: %s %s -m state --state NEW -g %s" % (rule.vlan.interface, snet, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP"));
self
.
iptables
(
"-A INPUT -i
%
s
%
s -g
%
s"
%
(
rule
.
vlan
.
interface
,
rule
.
extra
,
"LOG_ACC"
if
rule
.
action
else
"LOG_DROP"
));
else
:
self
.
iptables
(
"-A OUTPUT -o
%
s
%
s -g
%
s"
%
(
rule
.
vlan
.
interface
,
rule
.
extra
,
"LOG_ACC"
if
rule
.
action
else
"LOG_DROP"
));
def
fw2vlan
(
self
,
rule
):
for
vlan
in
rule
.
vlan
.
all
():
if
(
rule
.
direction
):
#HOSTHOZ megy
self
.
iptables
(
"-A INPUT -i
%
s
%
s -g
%
s"
%
(
vlan
.
interface
,
rule
.
extra
,
"LOG_ACC"
if
rule
.
action
else
"LOG_DROP"
));
else
:
self
.
iptables
(
"-A OUTPUT -o
%
s
%
s -g
%
s"
%
(
vlan
.
interface
,
rule
.
extra
,
"LOG_ACC"
if
rule
.
action
else
"LOG_DROP"
));
def
vlan2vlan
(
self
,
l_vlan
,
rule
):
for
vlan
in
rule
.
vlan
.
all
():
if
(
rule
.
action
):
if
((
not
rule
.
direction
)
and
vlan
.
name
==
"PUB"
):
action
=
"PUB_OUT"
else
:
action
=
"LOG_ACC"
else
:
action
=
"LOG_DROP"
if
(
rule
.
direction
):
#HOSTHOZ megy
self
.
iptables
(
"-A
%
s_
%
s
%
s -g
%
s"
%
(
vlan
,
l_vlan
,
rule
.
extra
,
action
));
else
:
self
.
iptables
(
"-A
%
s_
%
s
%
s -g
%
s"
%
(
l_vlan
,
vlan
,
rule
.
extra
,
action
));
def
prerun
(
self
):
...
...
@@ -155,32 +163,29 @@ class firewall:
self
.
iptablesnat
(
":OUTPUT ACCEPT [1:708]"
)
self
.
iptablesnat
(
":POSTROUTING ACCEPT [1:708]"
)
for
host
in
self
.
dmz
.
host_set
.
all
():
#portforward
for
host
in
self
.
hosts
.
filter
(
pub_ipv4
=
None
):
for
rule
in
host
.
rules
.
filter
(
nat
=
True
,
direction
=
True
):
self
.
iptablesnat
(
"-A PREROUTING -d
%
s
%
s -j DNAT --to-destination
%
s:
%
s"
%
(
host
.
vlan
.
snat_ip
,
rule
.
extra
,
host
.
ipv4
,
rule
.
nat_dport
))
#sajat publikus ipvel rendelkezo gepek szabalyai
for
host
in
self
.
hosts
:
if
(
host
.
pub_ipv4
):
self
.
iptablesnat
(
"-A PREROUTING -d
%
s -j DNAT --to-destination
%
s"
%
(
host
.
pub_ipv4
,
host
.
ipv4
))
self
.
iptablesnat
(
"-A POSTROUTING -s
%
s -j SNAT --to-source
%
s"
%
(
host
.
ipv4
,
host
.
pub_ipv4
))
#natolas a vpn-nek
self
.
iptablesnat
(
"-A POSTROUTING -s 10.1.0.0/16 -o pub -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
self
.
iptablesnat
(
"-A POSTROUTING -s 10.1.0.0/16 -o vlan0006 -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
#natolas az office-nak
self
.
iptablesnat
(
"-A POSTROUTING -s 10.5.0.0/16 -o pub -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
self
.
iptablesnat
(
"-A POSTROUTING -s 10.5.0.0/16 -o vlan0006 -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
self
.
iptablesnat
(
"-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT --to-source 10.3.255.254"
)
self
.
iptablesnat
(
"-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT --to-source 10.0.0.247"
)
#alapertelmezett nat szabalyok a vlanokra
for
s_vlan
in
self
.
vlans
:
if
(
s_vlan
.
snat_ip
):
for
d_vlan
in
s_vlan
.
snat_to
.
all
():
self
.
iptablesnat
(
"-A POSTROUTING -s
%
s -o
%
s -j SNAT --to-source
%
s"
%
(
s_vlan
.
net_ipv4
(),
d_vlan
.
interface
,
s_vlan
.
snat_ip
))
#natolas a hotspotnak
self
.
iptablesnat
(
"-A POSTROUTING -s 10.4.0.0/16 -o pub -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
self
.
iptablesnat
(
"-A POSTROUTING -s 10.4.0.0/16 -o vlan0006 -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
#natolas a labnak
self
.
iptablesnat
(
"-A POSTROUTING -s 10.7.0.0/16 -o pub -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
self
.
iptablesnat
(
"-A POSTROUTING -s 10.7.0.0/16 -o vlan0006 -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
#natolas a mannak
self
.
iptablesnat
(
"-A POSTROUTING -s 10.3.0.0/16 -o pub -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
self
.
iptablesnat
(
"-A POSTROUTING -s 10.3.0.0/16 -o vlan0006 -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
#bedrotozott szabalyok
self
.
iptablesnat
(
"-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT --to-source 10.3.255.254"
)
#man elerheto legyen
self
.
iptablesnat
(
"-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT --to-source 10.0.0.247"
)
#wolf halozat a nyomtatashoz
self
.
iptablesnat
(
"-A POSTROUTING -s 10.3.0.0/16 -o vlan0006 -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
#kulonben nemmegy a du
self
.
iptablesnat
(
"COMMIT"
)
...
...
@@ -213,11 +218,8 @@ class firewall:
#vlanok kozotti kommunikacio engedelyezese
for
s_vlan
in
self
.
vlans
:
for
d_vlan
in
s_vlan
.
en_dst
.
all
():
if
(
d_vlan
.
name
==
"PUB"
):
self
.
iptables
(
"-A
%
s_
%
s -g PUB_OUT"
%
(
s_vlan
,
d_vlan
))
else
:
self
.
iptables
(
"-A
%
s_
%
s -g LOG_ACC"
%
(
s_vlan
,
d_vlan
))
for
rule
in
s_vlan
.
rules
.
all
():
self
.
vlan2vlan
(
s_vlan
,
rule
)
#zonak kozotti lancokat zarja le
for
s_vlan
in
self
.
vlans
:
...
...
@@ -237,6 +239,7 @@ class firewall:
self
.
SZABALYOK
=
[]
self
.
IPV6
=
IPV6
self
.
vlans
=
models
.
Vlan
.
objects
.
all
()
self
.
hosts
=
models
.
Host
.
objects
.
all
()
self
.
dmz
=
models
.
Vlan
.
objects
.
get
(
name
=
"DMZ"
)
self
.
pub
=
models
.
Vlan
.
objects
.
get
(
name
=
"PUB"
)
self
.
fw
=
models
.
Firewall
.
objects
.
all
()
...
...
@@ -252,6 +255,11 @@ class firewall:
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
'/usr/bin/sudo'
,
'/sbin/iptables-restore'
,
'-c'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
.
communicate
(
"
\n
"
.
join
(
self
.
SZABALYOK
)
+
"
\n
"
+
"
\n
"
.
join
(
self
.
SZABALYOK_NAT
)
+
"
\n
"
)
def
show
(
self
):
if
self
.
IPV6
:
return
"
\n
"
.
join
(
self
.
SZABALYOK
)
+
"
\n
"
else
:
return
"
\n
"
.
join
(
self
.
SZABALYOK
)
+
"
\n
"
+
"
\n
"
.
join
(
self
.
SZABALYOK_NAT
)
+
"
\n
"
...
...
@@ -260,6 +268,11 @@ def dns():
regex
=
re
.
compile
(
r'^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$'
)
DNS
=
[]
DNS
.
append
(
"=cloud.ik.bme.hu:152.66.243.98:600::
\n
"
)
#tarokkknak
DNS
.
append
(
"^
%
s.dns1.
%
s.
%
s.
%
s.in-addr.arpa:
%
s:600::
\n
"
%
(
75
,
243
,
66
,
152
,
"se.hpc.iit.bme.hu"
))
DNS
.
append
(
"^
%
s.dns1.
%
s.
%
s.
%
s.in-addr.arpa:
%
s:600::
\n
"
%
(
76
,
243
,
66
,
152
,
"ce.hpc.iit.bme.hu"
))
DNS
.
append
(
"^
%
s.dns1.
%
s.
%
s.
%
s.in-addr.arpa:
%
s:600::
\n
"
%
(
77
,
243
,
66
,
152
,
"mon.hpc.iit.bme.hu"
))
for
i_vlan
in
vlans
:
m
=
regex
.
search
(
i_vlan
.
net4
)
if
(
i_vlan
.
name
!=
"DMZ"
and
i_vlan
.
name
!=
"PUB"
):
...
...
firewall/models.py
View file @
e6dd3a56
...
...
@@ -6,15 +6,25 @@ from firewall.fields import *
from
south.modelsinspector
import
add_introspection_rules
class
Rule
(
models
.
Model
):
# DIRECTION_CH=(('TOHOST', 1), ('FROMHOST', 0
))
CHOICES
=
((
'host'
,
'host'
),
(
'firewall'
,
'firewall'
),
(
'vlan'
,
'vlan'
))
direction
=
models
.
BooleanField
()
description
=
models
.
TextField
(
blank
=
True
)
vlan
=
models
.
ForeignKey
(
'Vlan'
)
vlan
=
models
.
ManyToManyField
(
'Vlan'
,
symmetrical
=
False
,
blank
=
True
,
null
=
True
)
extra
=
models
.
TextField
(
blank
=
True
);
action
=
models
.
BooleanField
(
default
=
False
)
owner
=
models
.
ForeignKey
(
User
,
blank
=
True
,
null
=
True
)
r_type
=
models
.
CharField
(
max_length
=
10
,
choices
=
CHOICES
)
nat
=
models
.
BooleanField
(
default
=
False
)
nat_dport
=
models
.
IntegerField
();
def
__unicode__
(
self
):
return
self
.
description
return
self
.
desc
()
def
desc
(
self
):
return
'['
+
self
.
r_type
+
'] '
+
(
self
.
vlan_l
()
+
'->'
+
self
.
r_type
if
self
.
direction
else
self
.
r_type
+
'->'
+
self
.
vlan_l
())
+
' '
+
self
.
description
def
vlan_l
(
self
):
retval
=
[]
for
vl
in
self
.
vlan
.
all
():
retval
.
append
(
vl
.
name
)
return
', '
.
join
(
retval
)
class
Vlan
(
models
.
Model
):
vid
=
models
.
IntegerField
(
unique
=
True
)
...
...
@@ -26,19 +36,29 @@ class Vlan(models.Model):
net6
=
models
.
GenericIPAddressField
(
protocol
=
'ipv6'
,
unique
=
True
)
ipv4
=
models
.
GenericIPAddressField
(
protocol
=
'ipv4'
,
unique
=
True
)
ipv6
=
models
.
GenericIPAddressField
(
protocol
=
'ipv6'
,
unique
=
True
)
en_dst
=
models
.
ManyToManyField
(
'self'
,
symmetrical
=
False
,
blank
=
True
,
null
=
True
)
snat_ip
=
models
.
GenericIPAddressField
(
protocol
=
'ipv4'
,
blank
=
True
,
null
=
True
)
snat_to
=
models
.
ManyToManyField
(
'self'
,
symmetrical
=
False
,
blank
=
True
,
null
=
True
)
rules
=
models
.
ManyToManyField
(
'Rule'
,
related_name
=
"
%(app_label)
s_
%(class)
s_related"
,
symmetrical
=
False
,
blank
=
True
,
null
=
True
)
description
=
models
.
TextField
(
blank
=
True
)
comment
=
models
.
TextField
(
blank
=
True
)
domain
=
models
.
TextField
(
blank
=
True
,
validators
=
[
val_domain
])
dhcp_pool
=
models
.
TextField
(
blank
=
True
)
def
__unicode__
(
self
):
return
self
.
name
def
en_dst_vlan
(
self
):
return
self
.
en_dst
.
all
()
def
net_ipv6
(
self
):
return
self
.
net6
+
"/"
+
str
(
self
.
prefix6
)
def
net_ipv4
(
self
):
return
self
.
net4
+
"/"
+
str
(
self
.
prefix4
)
def
rules_l
(
self
):
retval
=
[]
for
rl
in
self
.
rules
.
all
():
retval
.
append
(
str
(
rl
))
return
', '
.
join
(
retval
)
def
snat_to_l
(
self
):
retval
=
[]
for
rl
in
self
.
snat_to
.
all
():
retval
.
append
(
str
(
rl
))
return
', '
.
join
(
retval
)
class
Group
(
models
.
Model
):
name
=
models
.
CharField
(
max_length
=
20
,
unique
=
True
)
...
...
@@ -73,7 +93,7 @@ class Host(models.Model):
def
rules_l
(
self
):
retval
=
[]
for
rl
in
self
.
rules
.
all
():
retval
.
append
(
rl
.
description
)
retval
.
append
(
str
(
rl
)
)
return
', '
.
join
(
retval
)
...
...
firewall/views.py
View file @
e6dd3a56
...
...
@@ -3,6 +3,12 @@ from django.http import HttpResponse
from
django.shortcuts
import
render_to_response
from
firewall.models
import
*
from
firewall.fw
import
*
from
django.views.decorators.csrf
import
csrf_exempt
from
django.db
import
IntegrityError
import
base64
import
json
import
sys
def
reload_firewall
(
request
):
if
request
.
user
.
is_authenticated
():
...
...
@@ -11,6 +17,7 @@ def reload_firewall(request):
try
:
print
"ipv4"
ipv4
=
firewall
()
# html += ipv4.show()
ipv4
.
reload
()
print
"ipv6"
ipv6
=
firewall
(
True
)
...
...
@@ -20,10 +27,47 @@ def reload_firewall(request):
print
"dhcp"
dhcp
()
print
"vege"
html
+=
"<br>sikerult :)"
except
:
raise
html
+=
"<br>nem sikerult :("
else
:
html
=
u"Be vagy jelentkezve, csak nem vagy admin, kedves
%
s!"
%
request
.
user
.
username
else
:
html
=
u"Nem vagy bejelentkezve, kedves ismeretlen!"
return
HttpResponse
(
html
)
@csrf_exempt
def
firewall_api
(
request
):
if
request
.
method
==
'POST'
:
try
:
data
=
json
.
loads
(
base64
.
b64decode
(
request
.
POST
[
"data"
]))
command
=
request
.
POST
[
"command"
]
if
(
command
!=
"create"
and
command
!=
"destroy"
):
raise
Exception
(
"bajvan"
)
if
(
command
==
"create"
):
# data = {"hostname": "hello", "vlan": "dmz", "mac": "00:90:78:83:56:7f", "ip": "10.2.1.99", "description": "teszt", "portforward": [{"sport": 5353, "dport": "4949", "proto": "tcp"}]}
data
[
"owner"
]
=
"tarokkk"
owner
=
auth
.
models
.
User
.
objects
.
get
(
username
=
data
[
"owner"
])
host
=
models
.
Host
(
hostname
=
data
[
"hostname"
],
vlan
=
models
.
Vlan
.
objects
.
get
(
name
=
data
[
"vlan"
]),
mac
=
data
[
"mac"
],
ipv4
=
data
[
"ip"
],
owner
=
owner
,
description
=
data
[
"description"
])
host
.
save
()
for
p
in
data
[
"portforward"
]:
proto
=
"tcp"
if
(
p
[
"proto"
]
==
"tcp"
)
else
"udp"
rule
=
models
.
Rule
(
direction
=
True
,
owner
=
owner
,
description
=
"
%
s
%
s
%
s->
%
s"
%
(
data
[
"hostname"
],
proto
,
p
[
"sport"
],
p
[
"dport"
]),
extra
=
"-p
%
s --dport
%
s"
%
(
proto
,
int
(
p
[
"sport"
])),
nat
=
True
,
action
=
True
,
r_type
=
"host"
,
nat_dport
=
int
(
p
[
"dport"
]))
rule
.
save
()
rule
.
vlan
.
add
(
models
.
Vlan
.
objects
.
get
(
name
=
"PUB"
))
host
.
rules
.
add
(
rule
)
except
(
ValidationError
,
IntegrityError
,
AttributeError
)
as
e
:
return
HttpResponse
(
u"rosszul hasznalod! :(
\n
%
s
\n
"
%
e
);
except
:
raise
return
HttpResponse
(
u"rosszul hasznalod! :(
\n
"
);
return
HttpResponse
(
u"ok"
);
for
r
in
models
.
Rule
.
objects
.
filter
(
r_type
=
"host"
):
print
[
r
.
host_set
.
all
(),
r
.
group_set
.
all
()]
print
"VEGE"
return
HttpResponse
(
u"ez kerlek egy api lesz!
\n
"
);
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment