committed by
root
4 changed files with 57 additions and 49 deletions
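--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,6 @@
+# Re2o firewall with nftables
+
+dependencies :
+
+- re2oapi
+- python3-click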
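--- a/UNKNOWN_PATH
+++ /dev/null
@@ -1,47 +0,0 @@
-#! /usr/bin/python3
-import os
-import logging
-from logging.handlers import RotatingFileHandler
-
-import nat
-import mac_ip
-
-BASE_DIR = os.path.dirname(os.path.abspath(__file__))
-
-LOG_LEVEL = logging.INFO
-
-logger = logging.getLogger()
-logger.setLevel(LOG_LEVEL)
-formatter = logging.Formatter('%(asctime)s :: %(levelname)s :: %(message)s')
-file_handler = RotatingFileHandler('/var/log/firewall.log', 'a', 1000000, 1)
-file_handler.setLevel(LOG_LEVEL)
-file_handler.setFormatter(formatter)
-logger.addHandler(file_handler)
-stream_handler = logging.StreamHandler()
-stream_handler.setFormatter(formatter)
-stream_handler.setLevel(LOG_LEVEL)
-logger.addHandler(stream_handler)
-
-logger.info("Activation des paramètres noyau")
-logging.debug("Activation du routage des paquets")
-os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
-logger.debug("Active la protection TCP SYN Cookies (demandes de connexion repetes)")
-os.system('echo "1" > /proc/sys/net/ipv4/tcp_syncookies')
-logger.debug("Filtrage en mode strict des paquets pour éviter l'IP spoofing "
-    "(voir RFC3704 Strict Reverse Path)")
-os.system('echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter')
-os.system('echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter')
-logger.debug("Don't accept source routed packets.")
-os.system('echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route')
-
-logger.info("Chargement du firewall")
-os.system('nft -I {install_dir} -f {firewall}'.format(
-    install_dir=BASE_DIR,
-    firewall=os.path.join(BASE_DIR, 'firewall.nft')
-))
-
-logger.info("Chargement de la table mac_ip")
-mac_ip.update_macip()
-
-logger.info("Chargement de la table nat")
-nat.main()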
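--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,49 @@
+#! /usr/bin/python3
+import os
+import logging
+from logging.handlers import RotatingFileHandler
+
+import click
+
+import nat as _nat
+import mac_ip as _mac_ip
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+
+LOG_LEVEL = logging.INFO
+
+logger = logging.getLogger()
+logger.setLevel(LOG_LEVEL)
+formatter = logging.Formatter('%(levelname)s :: %(message)s')
+file_handler = RotatingFileHandler('/var/log/firewall.log', 'a', 1000000, 1)
+file_handler.setLevel(LOG_LEVEL)
+file_handler.setFormatter(formatter)
+logger.addHandler(file_handler)
+stream_handler = logging.StreamHandler()
+stream_handler.setFormatter(formatter)
+stream_handler.setLevel(LOG_LEVEL)
+logger.addHandler(stream_handler)
+
+@click.group(invoke_without_command=True)
+@click.pass_context
+def cli(ctx):
+    logger.info("Starting Re2o firewall manager.")
+    if ctx.invoked_subcommand is None:
+        logger.info("Loading firewall.")
+        os.system('nft -I {install_dir} -f {firewall}'.format(
+            install_dir=BASE_DIR,
+            firewall=os.path.join(BASE_DIR, 'firewall.nft')
+        ))
+        _mac_ip.update_macip()
+        _nat.main()
+
+@cli.command()
+def macip():
+    _mac_ip.update_macip()
+
+@cli.command()
+def nat():
+    _nat.main()
+
+if __name__ == '__main__':
+    cli()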
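Review bot: The exit status of the `nft` load in `cli` is discarded — `os.system(...)` returns it and nothing reads it, so a ruleset that fails to parse leaves the host with no firewall while the log still says "Loading firewall." and the mac_ip/nat updates run as if the load had succeeded. Building the command as a shell string from `BASE_DIR` also means the install path is re-parsed by a shell and breaks on spaces or metacharacters; an argument list with `check=True` addresses both, as sketched below (needs `import subprocess` next to the other stdlib imports). Separately, the new formatter drops `%(asctime)s`, so records in `/var/log/firewall.log` no longer carry a timestamp, which makes it hard to correlate a rule reload with an incident — keeping `'%(asctime)s :: %(levelname)s :: %(message)s'` on the file handler is cheap. The old script's sysctl hardening (`rp_filter`, `tcp_syncookies`, `accept_source_route`) is not reproduced in this entry point; if it moved to a sysctl.d drop-in or the ruleset that is fine, otherwise the default invocation silently stops applying it. The three commands also lack docstrings; a one-liner such as `"""Load the nftables ruleset, then refresh the mac_ip and nat tables."""` on `cli` would do.
```python
def cli(ctx):
    """Load the nftables ruleset, then refresh the mac_ip and nat tables."""
    logger.info("Starting Re2o firewall manager.")
    if ctx.invoked_subcommand is None:
        logger.info("Loading firewall.")
        # Argument list, not a shell string: BASE_DIR comes from __file__ and
        # must not be re-parsed by a shell. check=True makes a failed load
        # fatal instead of silently continuing with no ruleset in place.
        subprocess.run(
            ['nft', '-I', BASE_DIR, '-f', os.path.join(BASE_DIR, 'firewall.nft')],
            check=True,
        )
        _mac_ip.update_macip()
        _nat.main()
# … unchanged: macip and nat subcommands, __main__ guard …
```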