diff --git a/firewall.nft b/firewall.nft
index 4f0d2d7..2363671 100755
--- a/firewall.nft
+++ b/firewall.nft
@@ -30,6 +30,7 @@ include "zones/admin.nft"
 include "zones/dmz.nft"
 include "zones/prerezotage.nft"
 include "nat.nft"
+include "roulette.nft"
 # Table principale
 table inet firewall {
@@ -44,6 +45,9 @@ table inet firewall {
 # Applique la politique globale
 jump global
+ # La roulette pour les n1as
+ jump roulette
+
 # Passage par le checkmac pour les concernés
 # jump checkmac
diff --git a/mac_ip.py b/mac_ip.py
index 3946aa7..d821eba 100644
--- a/mac_ip.py
+++ b/mac_ip.py
@@ -36,7 +36,7 @@
 api_hostname = CONFIG.get('Re2o', 'hostname')
 api_password = CONFIG.get('Re2o', 'password')
 api_username = CONFIG.get('Re2o', 'username')
-api_client = Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)
+api_client = Re2oAPIClient(api_hostname, api_username, api_password)
 def gen_ip_mac_set():
diff --git a/roulette.nft b/roulette.nft
new file mode 100644
index 0000000..47fe87d
--- /dev/null
+++ b/roulette.nft
@@ -0,0 +1,27 @@
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+# Copyright © 2018-2019 Hugo Levy-Falk
+# Gestion de la roulette
+table inet firewall {
+ set ip_roulette {
+ type ipv4_addr
+ }
+ chain roulette {
+ ip saddr @ip_roulette ip daddr != 92.242.132.24 drop
+ ip daddr @ip_roulette ip saddr != 92.242.132.24 drop
+ }
+}
+
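Review bot: The comment `# La roulette pour les n1as` on the new `jump roulette` does not say what the chain does or where it is defined, and a reader of this chain needs that to understand why traffic of some hosts disappears after this line. Suggest `# Roulette: traffic of addresses in the ip_roulette set is dropped except to/from the portal (see roulette.nft)`. The chain that receives the jump starts outside the hunk, so whether it runs before or after any established/related accept rule in `jump global` cannot be checked here; if it runs after, connections a banned host already has open survive until they close.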
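Review bot: Dropping `use_tls=False` makes the transport depend on Re2oAPIClient's default, which this hunk does not show, and nothing on the line records that the change is intentional even though the `CONFIG` credentials travel over whatever that default is. If the default is TLS, the `hostname` value in the Re2o config section must now serve HTTPS with a certificate the client verifies, and that expectation belongs next to the call, e.g. `# no use_tls=False: rely on the client default (TLS) so the API password is not sent in clear`. The enclosing module continues outside the hunk.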
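Review bot: The portal address `92.242.132.24` is written twice in the `roulette` chain; give it one `define` so the two rules cannot drift apart, e.g. `define ROULETTE_PORTAL = 92.242.132.24` above the table and `ip saddr @ip_roulette ip daddr != $ROULETTE_PORTAL drop` (same substitution in the daddr rule). As written a member of `ip_roulette` also loses DNS, so it can only reach the portal if it already knows the address — presumably intended, but worth a comment on the chain. The set is `ipv4_addr` inside an `inet` table, so a banned host's IPv6 traffic is untouched; fine on an IPv4-only network, otherwise a matching `ipv6_addr` set is needed. Neither rule logs, so dropped packets leave no trace; a `log prefix "roulette: "` before `drop` would make complaints easier to diagnose.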
diff --git a/roulette.py b/roulette.py
new file mode 100755
index 0000000..04bd687
--- /dev/null
+++ b/roulette.py
@@ -0,0 +1,14 @@
+#! /usr/bin/python3
+
+import requests
+from firewall import NetfilterSet
+
+ips = requests.get('http://roulette.rez/banned_ip').text.split('\n')
+content = [(i,) for i in ips if i] or None
+s = NetfilterSet(
+ target_content=content,
+ type_=('IPv4',),
+ name='ip_roulette',
+ table_name='firewall'
+)
+s.manage()
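Review bot: The list that becomes firewall drop rules is fetched with `requests.get('http://roulette.rez/banned_ip').text.split('\n')` with no timeout, no status check and no validation of the lines, so a non-200 error page or a stray non-address line is handed to the `ipv4_addr` set as-is and an unresponsive server blocks the script indefinitely. Pass `timeout=`, call `raise_for_status()`, and keep only lines that parse as `ipaddress.IPv4Address` (`import ipaddress` at the top; the rewrite below does this). The list travels over plain `http://`, so whoever can tamper with that path decides which addresses get cut off; serve it over HTTPS if `roulette.rez` can. How `NetfilterSet` treats `target_content=None` when the list is empty is not visible here — presumably it flushes the set; worth confirming.
```python
resp = requests.get('http://roulette.rez/banned_ip', timeout=10)  # 10 s is a placeholder; pick per deployment
resp.raise_for_status()
ips = []
for line in resp.text.split('\n'):
    line = line.strip()
    if not line:
        continue
    try:
        ipaddress.IPv4Address(line)  # the set type is ipv4_addr; keep only values it can hold
    except ValueError:
        continue  # TODO: log the rejected line rather than dropping it silently
    ips.append(line)
content = [(i,) for i in ips] or None
# … unchanged: NetfilterSet(...) construction and s.manage() …
```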