rezometz/firewall
9
0
Fork 0
Code Issues Pull requests 1 Releases Wiki Activity

Make the cli more friendly.

Browse source
This commit is contained in:
Hugo Levy-Falk 2019-04-30 00:16:32 +02:00 committed by root
parent 58b6f7983e
commit f0c2d3bf50
4 changed files with 57 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
README.md Normal file
View file

@ -0,0 +1,6 @@
# Re2o firewall with nftables
dependencies :
- re2oapi
- python3-click

4
firewall.service
View file

@ -5,8 +5,8 @@ After=network.target
[Service] [Service]
Type=oneshot Type=oneshot
RemainAfterExit=yes RemainAfterExit=yes
ExecStart=/usr/local/firewall/init_firewall.py ExecStart=/usr/local/firewall/main.py
ExecReload=/usr/local/firewall/init_firewall.py ExecReload=/usr/local/firewall/main.py
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

47
init_firewall.py
View file

@ -1,47 +0,0 @@
#! /usr/bin/python3
import os
import logging
from logging.handlers import RotatingFileHandler
import nat
import mac_ip
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
LOG_LEVEL = logging.INFO
logger = logging.getLogger()
logger.setLevel(LOG_LEVEL)
formatter = logging.Formatter('%(asctime)s :: %(levelname)s :: %(message)s')
file_handler = RotatingFileHandler('/var/log/firewall.log', 'a', 1000000, 1)
file_handler.setLevel(LOG_LEVEL)
file_handler.setFormatter(formatter)
logger.addHandler(file_handler)
stream_handler = logging.StreamHandler()
stream_handler.setFormatter(formatter)
stream_handler.setLevel(LOG_LEVEL)
logger.addHandler(stream_handler)
logger.info("Activation des paramètres noyau")
logging.debug("Activation du routage des paquets")
os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
logger.debug("Active la protection TCP SYN Cookies (demandes de connexion repetes)")
os.system('echo "1" > /proc/sys/net/ipv4/tcp_syncookies')
logger.debug("Filtrage en mode strict des paquets pour éviter l'IP spoofing "
"(voir RFC3704 Strict Reverse Path)")
os.system('echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter')
os.system('echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter')
logger.debug("Don't accept source routed packets.")
os.system('echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route')
logger.info("Chargement du firewall")
os.system('nft -I {install_dir} -f {firewall}'.format(
install_dir=BASE_DIR,
firewall=os.path.join(BASE_DIR, 'firewall.nft')
))
logger.info("Chargement de la table mac_ip")
mac_ip.update_macip()
logger.info("Chargement de la table nat")
nat.main()

49
main.py Executable file
View file

@ -0,0 +1,49 @@
#! /usr/bin/python3
import os
import logging
from logging.handlers import RotatingFileHandler
import click
import nat as _nat
import mac_ip as _mac_ip
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
LOG_LEVEL = logging.INFO
logger = logging.getLogger()
logger.setLevel(LOG_LEVEL)
formatter = logging.Formatter('%(levelname)s :: %(message)s')
file_handler = RotatingFileHandler('/var/log/firewall.log', 'a', 1000000, 1)
file_handler.setLevel(LOG_LEVEL)
file_handler.setFormatter(formatter)
logger.addHandler(file_handler)
stream_handler = logging.StreamHandler()
stream_handler.setFormatter(formatter)
stream_handler.setLevel(LOG_LEVEL)
logger.addHandler(stream_handler)
@click.group(invoke_without_command=True)
@click.pass_context
def cli(ctx):
logger.info("Starting Re2o firewall manager.")
if ctx.invoked_subcommand is None:
logger.info("Loading firewall.")
os.system('nft -I {install_dir} -f {firewall}'.format(
install_dir=BASE_DIR,
firewall=os.path.join(BASE_DIR, 'firewall.nft')
))
_mac_ip.update_macip()
_nat.main()
@cli.command()
def macip():
_mac_ip.update_macip()
@cli.command()
def nat():
_nat.main()
if __name__ == '__main__':
cli()