Chaîne filtrage

Hugo LEVY-FALK 2019-03-30 14:36:03 +01:00 committed by root
parent 888ceb8d20
commit 043173c742
5 changed files with 97 additions and 29 deletions


@ -39,7 +39,7 @@ table inet firewall {
# #
# On utilise des jumps pour revenir ici une fois la chaîne évaluée. # On utilise des jumps pour revenir ici une fois la chaîne évaluée.
meta iif vmap { meta iif vmap {
$if_adherent : jump from_adh, $if_adherent : jump from_adherent,
$if_admin : jump from_admin, $if_admin : jump from_admin,
$if_federez : jump from_federez, $if_federez : jump from_federez,
$if_supelec : jump from_supelec, $if_supelec : jump from_supelec,
@ -53,7 +53,7 @@ table inet firewall {
# On utilise des goto pour ne pas revenir ici une fois la chaîne # On utilise des goto pour ne pas revenir ici une fois la chaîne
# évaluée. # évaluée.
meta oif vmap { meta oif vmap {
$if_adherent : goto to_adh, $if_adherent : goto to_adherent,
$if_admin : goto to_admin, $if_admin : goto to_admin,
$if_federez : goto to_federez, $if_federez : goto to_federez,
$if_supelec : goto to_supelec, $if_supelec : goto to_supelec,


@ -346,17 +346,22 @@ class NetfilterSet:
'Did not get the right set, too wrong to fix. Got ' 'Did not get the right set, too wrong to fix. Got '
+ str(netfilter_set) + str(netfilter_set)
+ ("\nExpected : " + ("\nExpected : "
"\n\tname: {name}" "\n\tname: \t{name} \t[{name_check}]"
"\n\taddress_family: {family}" "\n\taddress_family: \t{family} \t[{family_check}]"
"\n\ttable: {table}" "\n\ttable: \t{table} \t[{table_check}]"
"\n\tflags: {flags}" "\n\tflags: \t{flags} \t[{flags_check}]"
"\n\ttypes: {types}" "\n\ttypes: \t{types} \t[{types_check}]"
).format( ).format(
name=self.name, name=self.name,
family=self.address_family, family=self.address_family,
table=self.table, table=self.table,
flags=self.flags, flags=self.flags,
types=tuple(self.TYPES[t] for t in self.type) types=tuple(self.TYPES[t] for t in self.type),
name_check= 'v' if self.name == netfilter_set['name'] else 'x',
family_check= 'v' if self.address_family == netfilter_set['address_family'] else 'x',
table_check= 'v' if self.table == netfilter_set['table'] else 'x',
flags_check= 'v' if self.flags == netfilter_set.get('flags', set()) else 'x',
types_check= 'v' if self.has_type(netfilter_set['type']) else 'x',
) )
) )
if parse_elements: if parse_elements:
@ -388,7 +393,7 @@ class NetfilterSet:
'name': values['name'], 'name': values['name'],
'type': values['type'].split(' . '), 'type': values['type'].split(' . '),
'raw_content': values['elements'], 'raw_content': values['elements'],
'flags': values['flags'], 'flags': set(values['flags'].split(', ')),
} }
def get_netfilter_content(self): def get_netfilter_content(self):
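Review bot: `'flags': set(values['flags'].split(', '))` in the second hunk yields `{''}` when the captured flags text is empty, so a set declared without flags would never compare equal to the `set()` default that `flags_check` in the first hunk uses; if the regex can match an empty flags group, drop the empty token with `'flags': set(f for f in values['flags'].split(', ') if f)`. In the first hunk, `name_check`, `family_check`, `table_check` and `types_check` index `netfilter_set[...]` directly while `flags_check` uses `.get()`, so a key missing from the parsed set would raise `KeyError` while this diagnostic is being built and mask the original mismatch; `netfilter_set.get('name')` and the like would keep the message printable. The `name_check= 'v'` spacing also departs from PEP 8 (`name_check='v'`). The enclosing method starts and ends outside both hunks.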


@ -35,7 +35,6 @@ api_username = CONFIG.get('Re2o', 'username')
api_client = Re2oAPIClient(api_hostname, api_username, api_password) api_client = Re2oAPIClient(api_hostname, api_username, api_password)
api_client.list('dhcp/hostmacip')
def gen_ip_mac_set(): def gen_ip_mac_set():
"""Generates the ip_mac set in nftables. """Generates the ip_mac set in nftables.


@ -2,11 +2,11 @@
table inet firewall { table inet firewall {
chain to_adh { chain to_adherent {
accept accept
} }
chain from_adh { chain from_adherent {
} }
} }


@ -3,36 +3,100 @@
table inet firewall { table inet firewall {
# Définition de la DMZ set dns {
set z_dmz {
type ipv4_addr type ipv4_addr
flags interval flags interval
elements = {193.48.225.224/27} elements = { 193.48.225.248 }
} }
set dmz_allowed_tcp_in { set www {
type ipv4_addr . inet_service type ipv4_addr
flags interval
elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247 }
} }
set dmz_allowed_tcp_out {
type ipv4_addr . inet_service set irc {
type ipv4_addr
flags interval
elements = {193.48.225.244}
} }
set dmz_allowed_udp_in {
type ipv4_addr . inet_service set znc {
type ipv4_addr
flags interval
elements = { 193.48.225.242 }
} }
set dmz_allowed_udp_out {
type ipv4_addr . inet_service set smtp {
type ipv4_addr
flags interval
elements = { 193.48.225.249, 193.48.225.245 }
}
set letsencrypt {
type ipv4_addr
flags interval
elements = {193.48.225.246, 193.48.225.248, 193.48.225.249}
}
set federez {
type ipv4_addr
flags interval
elements = {193.48.225.201}
}
set gitlab {
type ipv4_addr
flags interval
elements = { 193.48.225.243 }
}
set video {
type ipv4_addr
flags interval
elements = { 193.48.225.240 }
}
set ldap {
type ipv4_addr
flags interval
elements = { 193.48.225.240 }
}
set ldap_clients {
type ipv4_addr
flags interval
elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125}
}
set mysql {
type ipv4_addr
flags interval
elements = {10.7.0.243}
} }
chain to_dmz { chain to_dmz {
#ip daddr . tcp dport @dmz_allowed_tcp_in accept ip daddr @smtp tcp dport { 22, 25, 80 } accept
#ip daddr . udp dport @dmz_allowed_udp_in accept ip daddr @dns tcp dport { 22, 53 } accept
accept ip daddr @dns udp dport { 53 } accept
ip daddr @www tcp dport { 21, 22, 80, 443 } accept
ip daddr @federez tcp dport { 22, 53, 80, 443, 389 } accept
ip daddr @federez udp dport { 53, 636 } accept
ip daddr @znc tcp dport { 6667 } accept
ip daddr @letsencrypt tcp dport { 80, 443 } accept
ip daddr @irc tcp dport { 22, 6667, 6697, 6767, 7000, 9090 } accept
ip daddr @video tcp dport { 37700, 6754 } accept
ip daddr @video udp dport { 37800 } accept
ip daddr @video tcp dport { 5678 } accept
ip daddr @ldap ip saddr @ldap_clients tcp dport { 389, 636} accept
drop
} }
chain from_dmz { chain from_dmz {
#ip saddr . tcp dport != @dmz_allowed_tcp_out drop ip daddr @mysql ip saddr != @www tcp dport 3306 drop
#ip saddr . udp dport != @dmz_allowed_udp_out drop ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop
} }
} }
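Review bot: The two `from_dmz` rules at the end of the hunk together drop every connection to `@mysql` on port 3306, not only those from hosts outside `@www` and `@smtp`: a packet from `@www` fails `ip saddr != @www` but matches `ip saddr != @smtp` and is dropped, and the reverse holds for `@smtp`, since the two sets share no address. If the intent is to allow both groups, replace them with explicit accepts ahead of a catch-all drop, `ip daddr @mysql ip saddr @www tcp dport 3306 accept` / `ip daddr @mysql ip saddr @smtp tcp dport 3306 accept` / `ip daddr @mysql tcp dport 3306 drop` (noting that `accept` inside a jumped-to chain ends evaluation for the calling chain too); if blocking all 3306 traffic is intended, a single `ip daddr @mysql tcp dport 3306 drop` states that directly. The `gitlab` set is declared but referenced by no rule in either chain, so it is either dead or a missing `to_dmz` entry. `to_dmz` ends in an unconditional `drop` with no `ct state` rule, so reply traffic for DMZ-initiated connections depends on being accepted before the goto in the calling chain, which is not visible in this hunk.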