diff --git a/firewall/fw.py b/firewall/fw.py index d13a7ba..7648d62 100644 --- a/firewall/fw.py +++ b/firewall/fw.py @@ -139,7 +139,7 @@ class Firewall: self.iptables('-N PUB_OUT') self.iptables('-A FORWARD -m set --match-set blacklist src,dst -j DROP') - self.iptables('-A FORWARD -m state --state INVALID -g LOG_DROP') +# self.iptables('-A FORWARD -m state --state INVALID -g LOG_DROP') self.iptables('-A FORWARD -m state --state ESTABLISHED,RELATED ' '-j ACCEPT') self.iptables('-A FORWARD -p icmp --icmp-type echo-request ' @@ -181,6 +181,8 @@ class Firewall: self.iptablesnat(':INPUT ACCEPT [0:0]') self.iptablesnat(':OUTPUT ACCEPT [1:708]') self.iptablesnat(':POSTROUTING ACCEPT [1:708]') + self.iptablesnat('-A POSTROUTING -o pub -s 10.12.2.128/25 -j SNAT ' + '--to-source 152.66.243.130') # portforward for host in self.hosts.exclude(pub_ipv4=None): @@ -212,10 +214,16 @@ class Firewall: # hard-wired rules self.iptablesnat('-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT ' '--to-source 10.3.255.254') # man elerheto legyen - self.iptablesnat('-A POSTROUTING -o vlan0008 -j SNAT ' - '--to-source 10.0.0.247') # wolf network for printing +# self.iptablesnat('-A POSTROUTING -o vlan0008 -j SNAT ' +# '--to-source 10.0.0.247') # wolf network for printing self.iptablesnat('-A POSTROUTING -s 10.3.0.0/16 -p udp --dport 53 -o vlan0002 -j SNAT ' '--to-source %s' % self.pub.ipv4) # kulonben nem megy a dns man-ban + self.iptablesnat('-A PREROUTING -d 192.168.243.1/32 -j DNAT --to-destination 152.66.243.1') + self.iptablesnat('-A PREROUTING -d 152.66.243.4/32 -j DNAT --to-destination 152.66.243.102') + self.iptablesnat('-A PREROUTING -d 152.66.243.1/32 -p tcp --dport smtp -j DNAT --to-destination 152.66.243.102') + self.iptablesnat('-A PREROUTING -d 152.66.243.1/32 -p tcp --dport smtps -j DNAT --to-destination 152.66.243.102') + self.iptablesnat('-A PREROUTING -d 152.66.243.130/32 -p udp --dport 1194 -j DNAT --to-destination 10.12.255.253') + self.iptablesnat('COMMIT') @@ -346,6 +354,8 @@ def ipv6_to_arpa(ipv6): octets.insert(0, int(part[3], 16)) return '.'.join(['%1x' % x for x in octets]) + '.ip6.arpa' +def txt_to_octal(txt): + return '\\' + '\\'.join(['%03o' % ord(x) for x in txt]) # =fqdn:ip:ttl A, PTR # &fqdn:ip:x:ttl NS @@ -354,6 +364,7 @@ def ipv6_to_arpa(ipv6): # ^ PTR # C CNAME # : generic +# 'fqdn:s:ttl TXT def dns(): vlans = models.Vlan.objects.all() @@ -405,6 +416,8 @@ def dns(): 'ttl': d['ttl']}) elif d['type'] == 'PTR': DNS.append("^%s:%s:%s" % (d['name'], d['address'], d['ttl'])) + elif d['type'] == 'TXT': + DNS.append("'%s:%s:%s" % (d['name'], txt_to_octal(d['description']), d['ttl'])) return DNS process = subprocess.Popen(['/usr/bin/ssh', 'tinydns@%s' % diff --git a/firewall/models.py b/firewall/models.py index 349f83e..6f1cb71 100644 --- a/firewall/models.py +++ b/firewall/models.py @@ -393,6 +393,7 @@ class Record(models.Model): return {'name': name, 'type': self.type, 'ttl': self.ttl, + 'description': self.description, 'address': address} class Blacklist(models.Model): diff --git a/firewall/tasks.py b/firewall/tasks.py index 7735cbf..368c9c0 100644 --- a/firewall/tasks.py +++ b/firewall/tasks.py @@ -34,6 +34,7 @@ class Periodic(PeriodicTask): if cache.get('dhcp_lock'): cache.delete("dhcp_lock") reload_dhcp_task.delay(dhcp()) + reload_dhcp_task.apply_async((dhcp(), ), queue='dhcp2') print "dhcp ujratoltese kesz" if cache.get('firewall_lock'): @@ -41,6 +42,7 @@ class Periodic(PeriodicTask): ipv4 = Firewall().get() ipv6 = Firewall(True).get() reload_firewall_task.delay(ipv4, ipv6) + reload_firewall_task.apply_async((ipv4, ipv6), queue='firewall2') print "firewall ujratoltese kesz" if cache.get('blacklist_lock'):