diff --git a/README.md b/README.md
new file mode 100644
index 0000000..aea672f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+# Re2o firewall with nftables
+
+dependencies :
+
+ - re2oapi
+ - python3-click
diff --git a/firewall.service b/firewall.service
index b769ff9..b8b82ef 100644
--- a/firewall.service
+++ b/firewall.service
@@ -5,8 +5,8 @@ After=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/local/firewall/init_firewall.py
-ExecReload=/usr/local/firewall/init_firewall.py
+ExecStart=/usr/local/firewall/main.py
+ExecReload=/usr/local/firewall/main.py
 
 [Install]
 WantedBy=multi-user.target
diff --git a/init_firewall.py b/init_firewall.py
deleted file mode 100755
index 324ab75..0000000
--- a/init_firewall.py
+++ /dev/null
@@ -1,47 +0,0 @@
-#! /usr/bin/python3
-import os
-import logging
-from logging.handlers import RotatingFileHandler
-
-import nat
-import mac_ip
-
-BASE_DIR = os.path.dirname(os.path.abspath(__file__))
-
-LOG_LEVEL = logging.INFO
-
-logger = logging.getLogger()
-logger.setLevel(LOG_LEVEL)
-formatter = logging.Formatter('%(asctime)s :: %(levelname)s :: %(message)s')
-file_handler = RotatingFileHandler('/var/log/firewall.log', 'a', 1000000, 1)
-file_handler.setLevel(LOG_LEVEL)
-file_handler.setFormatter(formatter)
-logger.addHandler(file_handler)
-stream_handler = logging.StreamHandler()
-stream_handler.setFormatter(formatter)
-stream_handler.setLevel(LOG_LEVEL)
-logger.addHandler(stream_handler)
-
-logger.info("Activation des paramètres noyau")
-logging.debug("Activation du routage des paquets")
-os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
-logger.debug("Active la protection TCP SYN Cookies (demandes de connexion repetes)")
-os.system('echo "1" > /proc/sys/net/ipv4/tcp_syncookies')
-logger.debug("Filtrage en mode strict des paquets pour éviter l'IP spoofing "
-             "(voir RFC3704 Strict Reverse Path)")
-os.system('echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter')
-os.system('echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter')
-logger.debug("Don't accept source routed packets.")
-os.system('echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route')
-
-logger.info("Chargement du firewall")
-os.system('nft -I {install_dir} -f {firewall}'.format(
-    install_dir=BASE_DIR,
-    firewall=os.path.join(BASE_DIR, 'firewall.nft')
-))
-
-logger.info("Chargement de la table mac_ip")
-mac_ip.update_macip()
-
-logger.info("Chargement de la table nat")
-nat.main()
diff --git a/main.py b/main.py
new file mode 100755
index 0000000..987f114
--- /dev/null
+++ b/main.py
@@ -0,0 +1,49 @@
+#! /usr/bin/python3
+import os
+import logging
+from logging.handlers import RotatingFileHandler
+
+import click
+
+import nat as _nat
+import mac_ip as _mac_ip
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+
+LOG_LEVEL = logging.INFO
+
+logger = logging.getLogger()
+logger.setLevel(LOG_LEVEL)
+formatter = logging.Formatter('%(levelname)s :: %(message)s')
+file_handler = RotatingFileHandler('/var/log/firewall.log', 'a', 1000000, 1)
+file_handler.setLevel(LOG_LEVEL)
+file_handler.setFormatter(formatter)
+logger.addHandler(file_handler)
+stream_handler = logging.StreamHandler()
+stream_handler.setFormatter(formatter)
+stream_handler.setLevel(LOG_LEVEL)
+logger.addHandler(stream_handler)
+
+@click.group(invoke_without_command=True)
+@click.pass_context
+def cli(ctx):
+    logger.info("Starting Re2o firewall manager.")
+    if ctx.invoked_subcommand is None:
+        logger.info("Loading firewall.")
+        os.system('nft -I {install_dir} -f {firewall}'.format(
+            install_dir=BASE_DIR,
+            firewall=os.path.join(BASE_DIR, 'firewall.nft')
+        ))
+        _mac_ip.update_macip()
+        _nat.main()
+
+@cli.command()
+def macip():
+    _mac_ip.update_macip()
+
+@cli.command()
+def nat():
+    _nat.main()
+
+if __name__ == '__main__':
+    cli()
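Review bot: The kernel settings that the deleted init_firewall.py applied (ip_forward, tcp_syncookies, rp_filter on all/default, accept_source_route) have no counterpart in the default path of `cli`, so unless those knobs are now set by a sysctl.d drop-in or another unit the rewrite leaves forwarding disabled and the reverse-path and source-route protections at distribution defaults. The exit status of `os.system('nft -I ... -f ...')` is also discarded, so a ruleset that fails to parse still lets `_mac_ip.update_macip()` and `_nat.main()` run and the oneshot unit reports success while the host may be unfiltered; guard it with `if os.system(...) != 0:` / `logger.error("nft failed to load the ruleset")` / `ctx.exit(1)` so systemd marks the unit failed. The new formatter drops `%(asctime)s`, which means entries written to /var/log/firewall.log by the RotatingFileHandler no longer carry a timestamp; keep it for the file handler even if the stream handler's output is timestamped by the journal.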