Fix nat and filtering
This commit is contained in:
Hugo Levy-Falk
root
parent
53dececaed
commit
58b6f7983e
8 changed files with 45 additions and 55 deletions
|
|
@ -15,4 +15,12 @@ define website = 193.48.225.242
|
|||
define intranet = 193.48.225.247
|
||||
define bounce_server = 193.48.225.247
|
||||
|
||||
define range_adherent = 10.69.0.0/20
|
||||
define range_admin = 10.7.0.0/24
|
||||
define range_federez = 10.20.0.0/21
|
||||
define range_aloes = 10.66.0.0/27
|
||||
define range_prerezotage = 10.68.0.0/16
|
||||
define range_public = 193.48.225.0/24
|
||||
|
||||
define ip_self_public = 193.48.225.254
|
||||
define ip_radius = 10.7.0.124
|
||||
|
|
|
|||
|
|
@ -24,13 +24,13 @@ table inet firewall {
|
|||
type filter hook forward priority 0;
|
||||
|
||||
# Politique par défaut : tout jeter.
|
||||
policy drop;
|
||||
policy accept
|
||||
|
||||
# Applique la politique globale
|
||||
jump global
|
||||
|
||||
# Passage par le checkmac pour les concernés
|
||||
jump checkmac
|
||||
#jump checkmac
|
||||
|
||||
# Filtre sur les interfaces entrantes, ne pas accepter
|
||||
# directement dans la chaine, mais retourner.
|
||||
|
|
@ -47,7 +47,7 @@ table inet firewall {
|
|||
$if_prerezotage : jump from_prerezotage,
|
||||
$if_dmz: jump from_dmz
|
||||
}
|
||||
|
||||
|
||||
# Filtre sur les interfaces sortantes, ne pas retourner : drop ou
|
||||
# accept
|
||||
# On utilise des goto pour ne pas revenir ici une fois la chaîne
|
||||
|
|
@ -61,7 +61,7 @@ table inet firewall {
|
|||
$if_prerezotage : goto to_prerezotage,
|
||||
$if_dmz: goto to_dmz
|
||||
}
|
||||
|
||||
|
||||
# Un compteur qui doit être à 0 si on a bien fait notre travail.
|
||||
counter
|
||||
}
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ api_hostname = CONFIG.get('Re2o', 'hostname')
|
|||
api_password = CONFIG.get('Re2o', 'password')
|
||||
api_username = CONFIG.get('Re2o', 'username')
|
||||
|
||||
api_client = Re2oAPIClient(api_hostname, api_username, api_password)
|
||||
api_client = Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)
|
||||
|
||||
|
||||
def gen_ip_mac_set():
|
||||
|
|
|
|||
31
nat.nft
31
nat.nft
|
|
@ -1,30 +1,33 @@
|
|||
#! /sbin/nft -f
|
||||
|
||||
table ip nat {
|
||||
|
||||
set radius_federez {
|
||||
type ipv4_addr
|
||||
elements = { 62.210.81.204, 185.230.78.47 }
|
||||
}
|
||||
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority 0;
|
||||
meta iifname $if_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server;
|
||||
ip saddr $range_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server;
|
||||
ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius;
|
||||
ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636 } dnat $ip_radius;
|
||||
}
|
||||
|
||||
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100
|
||||
|
||||
meta oifname != $if_supelec return
|
||||
|
||||
meta iifname vmap {
|
||||
$if_adherent : jump adherent_nat,
|
||||
$if_admin : jump admin_nat,
|
||||
$if_federez : jump federez_nat,
|
||||
$if_aloes : jump aloes_nat,
|
||||
$if_prerezotage : jump prerezotage_nat
|
||||
ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
|
||||
$range_adherent : goto adherent_nat,
|
||||
$range_admin : goto admin_nat,
|
||||
$range_federez : goto federez_nat,
|
||||
$range_aloes : goto aloes_nat,
|
||||
$range_prerezotage : goto prerezotage_nat
|
||||
}
|
||||
|
||||
counter
|
||||
|
||||
# ip saddr 10.0.0.0/8 snat to 193.48.225.3
|
||||
snat to 193.48.225.3
|
||||
|
||||
|
||||
ip daddr != {10.0.0.0/8, $range_public} ip saddr != $range_public snat to $ip_self_public
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
28
nat.py
28
nat.py
|
|
@ -73,22 +73,9 @@ def create_nat_aloes():
|
|||
)
|
||||
|
||||
|
||||
def create_nat_admin():
|
||||
range_in = CONFIG['NAT']['range_in_admin']
|
||||
range_out = CONFIG['NAT']['range_out_admin']
|
||||
first_port = int(CONFIG['NAT']['first_port_admin'])
|
||||
last_port = int(CONFIG['NAT']['last_port_admin'])
|
||||
return NAT(
|
||||
'admin',
|
||||
range_in,
|
||||
range_out,
|
||||
first_port,
|
||||
last_port
|
||||
)
|
||||
|
||||
|
||||
def main():
|
||||
nat_log = time.ctime() + "\n"
|
||||
ctime = time.ctime()
|
||||
nat_log = ctime + "\n"
|
||||
logging.info("Creating adherent nat...")
|
||||
nat_adherent = create_nat_adherent()
|
||||
nat_log += "Adherents :\n"
|
||||
|
|
@ -104,14 +91,11 @@ def main():
|
|||
nat_log += "Aloes :\n"
|
||||
nat_log += aloes_nat.manage()
|
||||
logging.info("Done.")
|
||||
logging.info("Creating admin nat...")
|
||||
admin_nat = create_nat_admin()
|
||||
nat_log += "Admin :\n"
|
||||
nat_log += admin_nat.manage()
|
||||
logging.info("Done.")
|
||||
|
||||
logging.info("Saving nat table into /var/log/nat.log")
|
||||
with open('/var/log/nat.log', 'a') as f:
|
||||
filename = "/var/log/nat-%s.log" % ctime
|
||||
|
||||
logging.info("Saving nat table into " + filename)
|
||||
with open(filename, 'a') as f:
|
||||
f.write(nat_log)
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -12,17 +12,8 @@ table inet firewall {
|
|||
}
|
||||
|
||||
table nat {
|
||||
# On nate les admins derrière les IPs 193.48.225.215 à 193.48.225.224 en
|
||||
# attribuant les plages de ports 11135-65535 par tranche de 1700 ports.
|
||||
# On a donc 32 Ips de 10.7.0.0/24 derrière chaque Ip.
|
||||
# exemple: 10.7.0.1-10.7.0.31 : 193.48.225.215
|
||||
# On peut aussi ajouter dynamiquement des éléments :
|
||||
# nft add element nat federez_nat_address {10.7.0.1-10.7.0.31 : 193.48.225.215}
|
||||
map admin_nat_address {
|
||||
type ipv4_addr: ipv4_addr
|
||||
flags interval
|
||||
}
|
||||
chain admin_nat {
|
||||
snat to $ip_self_public
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -60,13 +60,13 @@ table inet firewall {
|
|||
set ldap {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
elements = { 193.48.225.240 }
|
||||
elements = { 193.48.225.240, 193.48.225.248 }
|
||||
}
|
||||
|
||||
set ldap_clients {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125}
|
||||
elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125, 193.48.225.0/24 }
|
||||
}
|
||||
|
||||
set mysql {
|
||||
|
|
@ -76,6 +76,8 @@ table inet firewall {
|
|||
}
|
||||
|
||||
chain to_dmz {
|
||||
ip saddr 10.7.0.0/16 accept
|
||||
|
||||
ip daddr @smtp tcp dport { 22, 25, 80 } accept
|
||||
ip daddr @dns tcp dport { 22, 53 } accept
|
||||
ip daddr @dns udp dport { 53 } accept
|
||||
|
|
@ -89,12 +91,14 @@ table inet firewall {
|
|||
ip daddr @video udp dport { 37800 } accept
|
||||
ip daddr @video tcp dport { 5678 } accept
|
||||
|
||||
ip daddr @ldap ip saddr @ldap_clients tcp dport { 389, 636} accept
|
||||
ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept
|
||||
ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept
|
||||
|
||||
drop
|
||||
}
|
||||
|
||||
chain from_dmz {
|
||||
ip daddr 10.0.0.0/8 accept
|
||||
ip daddr @mysql ip saddr != @www tcp dport 3306 drop
|
||||
ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop
|
||||
}
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ table inet firewall {
|
|||
|
||||
table nat {
|
||||
chain prerezotage_nat {
|
||||
masquerade
|
||||
snat to $ip_self_public
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue