From 043173c742c84011d6b1f4d26fae18b6e22fc7a2 Mon Sep 17 00:00:00 2001 From: Hugo LEVY-FALK Date: Sat, 30 Mar 2019 14:36:03 +0100 Subject: [PATCH] =?UTF-8?q?Cha=C3=AEne=20filtrage?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- firewall.nft | 4 +- firewall.py | 19 +++++---- mac_ip.py | 1 - zones/adherent.nft | 4 +- zones/dmz.nft | 98 ++++++++++++++++++++++++++++++++++++++-------- 5 files changed, 97 insertions(+), 29 deletions(-) diff --git a/firewall.nft b/firewall.nft index 9219d2a..968ab50 100755 --- a/firewall.nft +++ b/firewall.nft @@ -39,7 +39,7 @@ table inet firewall { # # On utilise des jumps pour revenir ici une fois la chaîne évaluée. meta iif vmap { - $if_adherent : jump from_adh, + $if_adherent : jump from_adherent, $if_admin : jump from_admin, $if_federez : jump from_federez, $if_supelec : jump from_supelec, @@ -53,7 +53,7 @@ table inet firewall { # On utilise des goto pour ne pas revenir ici une fois la chaîne # évaluée. meta oif vmap { - $if_adherent : goto to_adh, + $if_adherent : goto to_adherent, $if_admin : goto to_admin, $if_federez : goto to_federez, $if_supelec : goto to_supelec, diff --git a/firewall.py b/firewall.py index 5e31c02..7e007a9 100755 --- a/firewall.py +++ b/firewall.py 
@@ -346,17 +346,22 @@ class NetfilterSet: 'Did not get the right set, too wrong to fix. Got ' + str(netfilter_set) + ("\nExpected : " - "\n\tname: {name}" - "\n\taddress_family: {family}" - "\n\ttable: {table}" - "\n\tflags: {flags}" - "\n\ttypes: {types}" + "\n\tname: \t{name} \t[{name_check}]" + "\n\taddress_family: \t{family} \t[{family_check}]" + "\n\ttable: \t{table} \t[{table_check}]" + "\n\tflags: \t{flags} \t[{flags_check}]" + "\n\ttypes: \t{types} \t[{types_check}]" ).format( name=self.name, family=self.address_family, table=self.table, flags=self.flags, - types=tuple(self.TYPES[t] for t in self.type) + types=tuple(self.TYPES[t] for t in self.type), + name_check= 'v' if self.name == netfilter_set['name'] else 'x', + family_check= 'v' if self.address_family == netfilter_set['address_family'] else 'x', + table_check= 'v' if self.table == netfilter_set['table'] else 'x', + flags_check= 'v' if self.flags == netfilter_set.get('flags', set()) else 'x', + types_check= 'v' if self.has_type(netfilter_set['type']) else 'x', ) ) if parse_elements: @@ -388,7 +393,7 @@ class NetfilterSet: 'name': values['name'], 'type': values['type'].split(' . '), 'raw_content': values['elements'], - 'flags': values['flags'], + 'flags': set(values['flags'].split(', ')), } def get_netfilter_content(self): diff --git a/mac_ip.py b/mac_ip.py index af67603..ffa50f2 100644 --- a/mac_ip.py +++ b/mac_ip.py @@ -35,7 +35,6 @@ api_username = CONFIG.get('Re2o', 'username') api_client = Re2oAPIClient(api_hostname, api_username, api_password) -api_client.list('dhcp/hostmacip') def gen_ip_mac_set(): """Generates the ip_mac set in nftables. diff --git a/zones/adherent.nft b/zones/adherent.nft index f236b61..ac836bd 100644 --- a/zones/adherent.nft +++ b/zones/adherent.nft @@ -2,11 +2,11 @@ table inet firewall { - chain to_adh { + chain to_adherent { accept } - chain from_adh { + chain from_adherent { } } diff --git a/zones/dmz.nft b/zones/dmz.nft index 87a65df..17f4ab9 100644 --- a/zones/dmz.nft 
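Review bot: The `flags_check` comparison `self.flags == netfilter_set.get('flags', set())` is only meaningful if `self.flags` is already a set; the parser in this commit now yields a set, but if the constructor (outside the hunk) stores flags as a list or tuple the marker will always read 'x' even when the flags match. Normalising both sides, `flags_check='v' if set(self.flags) == set(netfilter_set.get('flags', ())) else 'x',`, makes the diagnostic robust to that. The new keyword arguments also carry a stray space after `=` (`name_check= 'v'`); PEP 8 writes `name_check='v'`. The 'v'/'x' markers would read more clearly to an operator as `OK`/`MISMATCH`, and printing the value nft actually returned next to the expected one would make the mismatch actionable without re-running `nft list set`.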
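Review bot: `set(values['flags'].split(', '))` produces `{''}` rather than an empty set when the captured flags text is empty, which never equals the `set()` default used by the diagnostic in the previous hunk, and it relies on nft separating flags with a comma followed by a space — if the listing prints `interval,timeout` the result is a single combined element that matches nothing. A tolerant form is `'flags': {f.strip() for f in values['flags'].split(',') if f.strip()},`. The function that fills `values` (presumably a regex match on `nft list set` output) starts outside the hunk, so whether an empty capture is possible cannot be confirmed here.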
+++ b/zones/dmz.nft 
@@ -3,36 +3,100 @@ table inet firewall { - # Définition de la DMZ - - set z_dmz { + set dns { type ipv4_addr flags interval - elements = {193.48.225.224/27} + elements = { 193.48.225.248 } } - set dmz_allowed_tcp_in { - type ipv4_addr . inet_service + set www { + type ipv4_addr + flags interval + elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247 } } - set dmz_allowed_tcp_out { - type ipv4_addr . inet_service + + set irc { + type ipv4_addr + flags interval + elements = {193.48.225.244} } - set dmz_allowed_udp_in { - type ipv4_addr . inet_service + + set znc { + type ipv4_addr + flags interval + elements = { 193.48.225.242 } } - set dmz_allowed_udp_out { - type ipv4_addr . inet_service + + set smtp { + type ipv4_addr + flags interval + elements = { 193.48.225.249, 193.48.225.245 } + } + + set letsencrypt { + type ipv4_addr + flags interval + elements = {193.48.225.246, 193.48.225.248, 193.48.225.249} + } + + set federez { + type ipv4_addr + flags interval + elements = {193.48.225.201} + } + + set gitlab { + type ipv4_addr + flags interval + elements = { 193.48.225.243 } + } + + set video { + type ipv4_addr + flags interval + elements = { 193.48.225.240 } + } + + set ldap { + type ipv4_addr + flags interval + elements = { 193.48.225.240 } + } + + set ldap_clients { + type ipv4_addr + flags interval + elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125} + } + + set mysql { + type ipv4_addr + flags interval + elements = {10.7.0.243} } chain to_dmz { - #ip daddr . tcp dport @dmz_allowed_tcp_in accept - #ip daddr . 
udp dport @dmz_allowed_udp_in accept - accept + ip daddr @smtp tcp dport { 22, 25, 80 } accept + ip daddr @dns tcp dport { 22, 53 } accept + ip daddr @dns udp dport { 53 } accept + ip daddr @www tcp dport { 21, 22, 80, 443 } accept + ip daddr @federez tcp dport { 22, 53, 80, 443, 389 } accept + ip daddr @federez udp dport { 53, 636 } accept + ip daddr @znc tcp dport { 6667 } accept + ip daddr @letsencrypt tcp dport { 80, 443 } accept + ip daddr @irc tcp dport { 22, 6667, 6697, 6767, 7000, 9090 } accept + ip daddr @video tcp dport { 37700, 6754 } accept + ip daddr @video udp dport { 37800 } accept + ip daddr @video tcp dport { 5678 } accept + + ip daddr @ldap ip saddr @ldap_clients tcp dport { 389, 636} accept + + drop } chain from_dmz { - #ip saddr . tcp dport != @dmz_allowed_tcp_out drop - #ip saddr . udp dport != @dmz_allowed_udp_out drop + ip daddr @mysql ip saddr != @www tcp dport 3306 drop + ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop } }
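Review bot: The two `ip saddr !=` rules in `chain from_dmz` drop DMZ-to-mysql traffic from every source, including the @www and @smtp hosts they appear meant to exempt: a packet from a @www host passes the first rule but is dropped by the second (`ip saddr != @smtp`), and vice versa, because the two sets share no address. Since from_dmz is entered with `jump` from the iif vmap in firewall.nft, the exemption should be a `return` so the packet still reaches the oif dispatch rather than an `accept` that would bypass the to_* chain: `ip daddr @mysql tcp dport 3306 ip saddr @www return`, `ip daddr @mysql tcp dport 3306 ip saddr @smtp return`, `ip daddr @mysql tcp dport 3306 drop`. Separately, `ip daddr @federez udp dport { 53, 636 }` opens 636/udp, which LDAPS does not use, and 389 on @federez is reachable from any source while the same port on @ldap is restricted to @ldap_clients — confirm both are intended. Whether established/related traffic is accepted before the final `drop` in to_dmz is decided in firewall.nft, outside this hunk.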