diff --git a/firewall.service b/firewall.service
new file mode 100644
index 0000000..c273d44
--- /dev/null
+++ b/firewall.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=RezoMetz Firewall Service
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=python3 /usr/local/firewall/init_firewall.py
+ExecReload=python3 /usr/local/firewall/init_firewall.py
+
+[Install]
+WantedBy=multi-user.target
+Alias=firewall.service
diff --git a/init_firewall.py b/init_firewall.py
new file mode 100644
index 0000000..53f84d4
--- /dev/null
+++ b/init_firewall.py
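Review bot: `After=network.target` in [Unit] orders the firewall *after* the network is up, so interfaces are already reachable before the ruleset in init_firewall.py is loaded. Units that install packet filters normally do the opposite, i.e. `DefaultDependencies=no`, `Wants=network-pre.target` and `Before=network-pre.target shutdown.target`, so the rules are in place before any interface is configured. `ExecStart=python3 …` also relies on systemd resolving a bare executable name, which older releases reject; an absolute interpreter path such as `ExecStart=/usr/bin/python3 /usr/local/firewall/init_firewall.py` (and the same for ExecReload) removes that dependency on the systemd version. `Alias=firewall.service` names the unit itself and presumably has no effect, so it can be dropped.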
@@ -0,0 +1,46 @@
+import os
+import logging
+from logging.handlers import RotatingFileHandler
+
+import nat
+import mac_ip
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+
+LOG_LEVEL = logging.INFO
+
+logger = logging.getLogger()
+logger.setLevel(LOG_LEVEL)
+formatter = logging.Formatter('%(asctime)s :: %(levelname)s :: %(message)s')
+file_handler = RotatingFileHandler('/var/log/firewall.log', 'a', 1000000, 1)
+file_handler.setLevel(LOG_LEVEL)
+file_handler.setFormatter(formatter)
+logger.addHandler(file_handler)
+stream_handler = logging.StreamHandler()
+stream_handler.setFormatter(formatter)
+stream_handler.setLevel(LOG_LEVEL)
+logger.addHandler(stream_handler)
+
+logger.info("Activation des paramètres noyau")
+logging.debug("Activation du routage des paquets")
+os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
+logger.debug("Active la protection TCP SYN Cookies (demandes de connexion repetes)")
+os.system('echo "1" > /proc/sys/net/ipv4/tcp_syncookies')
+logger.debug("Filtrage en mode strict des paquets pour éviter l'IP spoofing "
+ "(voir RFC3704 Strict Reverse Path)")
+os.system('echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter')
+os.system('echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter')
+logger.debug("Don't accept source routed packets.")
+os.system('echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route')
+
+logger.info("Chargement du firewall")
+os.system('nft -I {install_dir} -f {firewall}'.format(
+ install_dir=BASE_DIR,
+ firewall=os.path.join(BASE_DIR, 'firewall.nft')
+))
+
+logger.info("Chargement de la table mac_ip")
+mac_ip.update_macip()
+
+logger.info("Chargement de la table nat")
+nat.main()
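Review bot: `ip_forward` is switched on (the first `os.system('echo "1" > …ip_forward')`) before `nft -f` has loaded the ruleset, and every `os.system` exit status is discarded, so a missing or syntactically broken firewall.nft leaves the host routing between its interfaces with no filtering and the unit still reports success. The sysctl writes do not need a shell at all — opening the `/proc/sys` path and writing the value raises on failure — and the nft invocation should go through `subprocess.run([...], check=True)` (add `import subprocess` to the stdlib imports), which also stops `BASE_DIR` from being interpolated unquoted into a shell command line. With that in place the forwarding knob can be enabled only after the ruleset load succeeds, as below. Whether re-running the script from `ExecReload` duplicates rules depends on firewall.nft flushing its tables first, which is not visible in this diff. `logging.debug(...)` on the routing line reaches the same root logger as `logger.debug(...)`, but using `logger` throughout would be consistent.
```python
def _set_sysctl(path, value):
    """Write a /proc/sys knob directly; an OSError propagates instead of being swallowed by os.system."""
    with open(path, 'w') as fh:
        fh.write(value)

# … unchanged: logging setup …

logger.info("Activation des paramètres noyau")
_set_sysctl('/proc/sys/net/ipv4/tcp_syncookies', '1')
_set_sysctl('/proc/sys/net/ipv4/conf/all/rp_filter', '1')
_set_sysctl('/proc/sys/net/ipv4/conf/default/rp_filter', '1')
_set_sysctl('/proc/sys/net/ipv4/conf/all/accept_source_route', '0')

logger.info("Chargement du firewall")
# List form: BASE_DIR is never parsed by a shell; check=True makes a failed load abort the unit.
subprocess.run(['nft', '-I', BASE_DIR, '-f', os.path.join(BASE_DIR, 'firewall.nft')], check=True)

# Only start routing once the ruleset is confirmed loaded.
_set_sysctl('/proc/sys/net/ipv4/ip_forward', '1')

# … unchanged: mac_ip.update_macip() and nat.main() …
```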