Fix nat and filtering
parent
53dececaed
commit
58b6f7983e
8 changed files with 45 additions and 55 deletions
|
@ -15,4 +15,12 @@ define website = 193.48.225.242
|
||||||
define intranet = 193.48.225.247
|
define intranet = 193.48.225.247
|
||||||
define bounce_server = 193.48.225.247
|
define bounce_server = 193.48.225.247
|
||||||
|
|
||||||
|
define range_adherent = 10.69.0.0/20
|
||||||
|
define range_admin = 10.7.0.0/24
|
||||||
|
define range_federez = 10.20.0.0/21
|
||||||
|
define range_aloes = 10.66.0.0/27
|
||||||
|
define range_prerezotage = 10.68.0.0/16
|
||||||
|
define range_public = 193.48.225.0/24
|
||||||
|
|
||||||
|
define ip_self_public = 193.48.225.254
|
||||||
|
define ip_radius = 10.7.0.124
|
||||||
|
|
|
@ -24,13 +24,13 @@ table inet firewall {
|
||||||
type filter hook forward priority 0;
|
type filter hook forward priority 0;
|
||||||
|
|
||||||
# Politique par défaut : tout jeter.
|
# Politique par défaut : tout jeter.
|
||||||
policy drop;
|
policy accept
|
||||||
|
|
||||||
# Applique la politique globale
|
# Applique la politique globale
|
||||||
jump global
|
jump global
|
||||||
|
|
||||||
# Passage par le checkmac pour les concernés
|
# Passage par le checkmac pour les concernés
|
||||||
jump checkmac
|
#jump checkmac
|
||||||
|
|
||||||
# Filtre sur les interfaces entrantes, ne pas accepter
|
# Filtre sur les interfaces entrantes, ne pas accepter
|
||||||
# directement dans la chaine, mais retourner.
|
# directement dans la chaine, mais retourner.
|
||||||
|
@ -47,7 +47,7 @@ table inet firewall {
|
||||||
$if_prerezotage : jump from_prerezotage,
|
$if_prerezotage : jump from_prerezotage,
|
||||||
$if_dmz: jump from_dmz
|
$if_dmz: jump from_dmz
|
||||||
}
|
}
|
||||||
|
|
||||||
# Filtre sur les interfaces sortantes, ne pas retourner : drop ou
|
# Filtre sur les interfaces sortantes, ne pas retourner : drop ou
|
||||||
# accept
|
# accept
|
||||||
# On utilise des goto pour ne pas revenir ici une fois la chaîne
|
# On utilise des goto pour ne pas revenir ici une fois la chaîne
|
||||||
|
@ -61,7 +61,7 @@ table inet firewall {
|
||||||
$if_prerezotage : goto to_prerezotage,
|
$if_prerezotage : goto to_prerezotage,
|
||||||
$if_dmz: goto to_dmz
|
$if_dmz: goto to_dmz
|
||||||
}
|
}
|
||||||
|
|
||||||
# Un compteur qui doit être à 0 si on a bien fait notre travail.
|
# Un compteur qui doit être à 0 si on a bien fait notre travail.
|
||||||
counter
|
counter
|
||||||
}
|
}
|
||||||
|
|
|
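Review bot: The forward chain's default policy is flipped from `policy drop;` to `policy accept` while the comment two lines above still reads `# Politique par défaut : tout jeter.`, so a forwarded packet whose outgoing interface has no entry in the `oifname` vmap now falls through the `counter` to an accept instead of a drop, and that counter, documented as one that "doit être à 0", now counts traffic that is being let through. Together with `#jump checkmac` this removes both the MAC-binding check and the fail-closed backstop in a single commit titled as a NAT fix. If this is a temporary measure while the NAT rework is debugged, say so next to the rule, e.g. `# TEMPORARY: default accept while the NAT rework is debugged -- revert to drop`, and track the revert; otherwise keep `policy drop;` and add an explicit `accept` rule for whatever traffic was being blocked. Either way the stale "tout jeter" comment should be updated so it does not describe a policy that is no longer in force.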
@ -33,7 +33,7 @@ api_hostname = CONFIG.get('Re2o', 'hostname')
|
||||||
api_password = CONFIG.get('Re2o', 'password')
|
api_password = CONFIG.get('Re2o', 'password')
|
||||||
api_username = CONFIG.get('Re2o', 'username')
|
api_username = CONFIG.get('Re2o', 'username')
|
||||||
|
|
||||||
api_client = Re2oAPIClient(api_hostname, api_username, api_password)
|
api_client = Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)
|
||||||
|
|
||||||
|
|
||||||
def gen_ip_mac_set():
|
def gen_ip_mac_set():
|
||||||
|
|
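Review bot: Passing `use_tls=False` to `Re2oAPIClient` sends `api_password` to the Re2o API in cleartext on every run, so anything on the path between this host and `api_hostname` can read the credential that feeds the firewall rule generation. If the switch is a workaround for a certificate problem on the API side, fixing the certificate (or trusting the internal CA from this client) is the safer route. If plaintext is genuinely acceptable on an isolated management network, make it an explicit configuration choice rather than a hard-coded constant, e.g. `use_tls=CONFIG.getboolean('Re2o', 'use_tls', fallback=True)`, assuming `CONFIG` is a `configparser` object as the `CONFIG.get(section, key)` calls suggest, and record the reason in the config file.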
31
nat.nft
31
nat.nft
|
@ -1,30 +1,33 @@
|
||||||
#! /sbin/nft -f
|
#! /sbin/nft -f
|
||||||
|
|
||||||
table ip nat {
|
table ip nat {
|
||||||
|
|
||||||
|
set radius_federez {
|
||||||
|
type ipv4_addr
|
||||||
|
elements = { 62.210.81.204, 185.230.78.47 }
|
||||||
|
}
|
||||||
|
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority 0;
|
type nat hook prerouting priority 0;
|
||||||
meta iifname $if_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server;
|
ip saddr $range_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server;
|
||||||
|
ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius;
|
||||||
|
ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636 } dnat $ip_radius;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority 100
|
type nat hook postrouting priority 100
|
||||||
|
|
||||||
meta oifname != $if_supelec return
|
|
||||||
|
|
||||||
meta iifname vmap {
|
ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
|
||||||
$if_adherent : jump adherent_nat,
|
$range_adherent : goto adherent_nat,
|
||||||
$if_admin : jump admin_nat,
|
$range_admin : goto admin_nat,
|
||||||
$if_federez : jump federez_nat,
|
$range_federez : goto federez_nat,
|
||||||
$if_aloes : jump aloes_nat,
|
$range_aloes : goto aloes_nat,
|
||||||
$if_prerezotage : jump prerezotage_nat
|
$range_prerezotage : goto prerezotage_nat
|
||||||
}
|
}
|
||||||
|
|
||||||
counter
|
ip daddr != {10.0.0.0/8, $range_public} ip saddr != $range_public snat to $ip_self_public
|
||||||
|
|
||||||
# ip saddr 10.0.0.0/8 snat to 193.48.225.3
|
|
||||||
snat to 193.48.225.3
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
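Review bot: The new prerouting rules publish plaintext LDAP (tcp/389) on `$ip_self_public` to the two addresses in `@radius_federez` and forward it to `$ip_radius`; a simple bind over 389 carries the credential unencrypted across the Internet unless StartTLS is enforced on the server, so unless that is guaranteed only 636 should be exposed. `udp dport { 636 }` on the following line does not correspond to any LDAP service (LDAPS is TCP only) and reads like a copy of the TCP rule; if the intended service is RADIUS, as the set name suggests, the UDP ports would be different, so this is worth confirming before it goes live. The rewritten postrouting chain also drops the `counter` that preceded the old fallback, so there is no longer any visibility on how much traffic from sources outside the `ip saddr vmap` is being translated; `counter snat to $ip_self_public` on the last rule restores it. Whether the forward chain lets the `@radius_federez` sources reach `$ip_radius` is not visible in this commit's hunks; that should be checked, since the default-policy change elsewhere in this commit could be masking a missing forward rule.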
28
nat.py
28
nat.py
|
@ -73,22 +73,9 @@ def create_nat_aloes():
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
def create_nat_admin():
|
|
||||||
range_in = CONFIG['NAT']['range_in_admin']
|
|
||||||
range_out = CONFIG['NAT']['range_out_admin']
|
|
||||||
first_port = int(CONFIG['NAT']['first_port_admin'])
|
|
||||||
last_port = int(CONFIG['NAT']['last_port_admin'])
|
|
||||||
return NAT(
|
|
||||||
'admin',
|
|
||||||
range_in,
|
|
||||||
range_out,
|
|
||||||
first_port,
|
|
||||||
last_port
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
nat_log = time.ctime() + "\n"
|
ctime = time.ctime()
|
||||||
|
nat_log = ctime + "\n"
|
||||||
logging.info("Creating adherent nat...")
|
logging.info("Creating adherent nat...")
|
||||||
nat_adherent = create_nat_adherent()
|
nat_adherent = create_nat_adherent()
|
||||||
nat_log += "Adherents :\n"
|
nat_log += "Adherents :\n"
|
||||||
|
@ -104,14 +91,11 @@ def main():
|
||||||
nat_log += "Aloes :\n"
|
nat_log += "Aloes :\n"
|
||||||
nat_log += aloes_nat.manage()
|
nat_log += aloes_nat.manage()
|
||||||
logging.info("Done.")
|
logging.info("Done.")
|
||||||
logging.info("Creating admin nat...")
|
|
||||||
admin_nat = create_nat_admin()
|
|
||||||
nat_log += "Admin :\n"
|
|
||||||
nat_log += admin_nat.manage()
|
|
||||||
logging.info("Done.")
|
|
||||||
|
|
||||||
logging.info("Saving nat table into /var/log/nat.log")
|
filename = "/var/log/nat-%s.log" % ctime
|
||||||
with open('/var/log/nat.log', 'a') as f:
|
|
||||||
|
logging.info("Saving nat table into " + filename)
|
||||||
|
with open(filename, 'a') as f:
|
||||||
f.write(nat_log)
|
f.write(nat_log)
|
||||||
|
|
||||||
|
|
||||||
|
|
|
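Review bot: `filename = "/var/log/nat-%s.log" % ctime` embeds the output of `time.ctime()`, which contains spaces and colons (of the form `Mon Jan  1 12:00:00 2024`), so the log name is awkward for shells and log tooling, and because a fresh file is created on every run with no retention, `/var/log` grows without bound (the `'a'` mode only matters for two runs in the same second). A sortable timestamp such as `filename = "/var/log/nat-%s.log" % time.strftime("%Y%m%d-%H%M%S")` avoids the quoting problem, and either a cleanup policy for the dated files or `logging.handlers.TimedRotatingFileHandler` should take care of retention. `logging.info("Saving nat table into " + filename)` should use lazy formatting, `logging.info("Saving nat table into %s", filename)`, to match the other logging calls in `main`. The end of `main` is not visible in this hunk.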
@ -12,17 +12,8 @@ table inet firewall {
|
||||||
}
|
}
|
||||||
|
|
||||||
table nat {
|
table nat {
|
||||||
# On nate les admins derrière les IPs 193.48.225.215 à 193.48.225.224 en
|
|
||||||
# attribuant les plages de ports 11135-65535 par tranche de 1700 ports.
|
|
||||||
# On a donc 32 Ips de 10.7.0.0/24 derrière chaque Ip.
|
|
||||||
# exemple: 10.7.0.1-10.7.0.31 : 193.48.225.215
|
|
||||||
# On peut aussi ajouter dynamiquement des éléments :
|
|
||||||
# nft add element nat federez_nat_address {10.7.0.1-10.7.0.31 : 193.48.225.215}
|
|
||||||
map admin_nat_address {
|
|
||||||
type ipv4_addr: ipv4_addr
|
|
||||||
flags interval
|
|
||||||
}
|
|
||||||
chain admin_nat {
|
chain admin_nat {
|
||||||
|
snat to $ip_self_public
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
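Review bot: Replacing the `admin_nat_address` map with a flat `snat to $ip_self_public` removes the fixed port-range scheme that let an external connection from one of the 193.48.225.215-224 addresses be traced back to a specific slice of 10.7.0.0/24 without any state; with all admins now behind a single address and kernel-chosen ports, attribution of outbound traffic depends entirely on conntrack, which nothing in this commit records. The removed comment block reads as a deliberate design, so if that traceability was a requirement, keep some form of connection accounting (at least a `counter` on the rule, or conntrack event logging); otherwise a short comment in the chain, e.g. `# Admins are masqueraded behind ip_self_public; the per-range port mapping was dropped`, would save the next reader from looking for the map. The matching removal of `create_nat_admin` in nat.py is consistent with this change.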
@ -60,13 +60,13 @@ table inet firewall {
|
||||||
set ldap {
|
set ldap {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags interval
|
flags interval
|
||||||
elements = { 193.48.225.240 }
|
elements = { 193.48.225.240, 193.48.225.248 }
|
||||||
}
|
}
|
||||||
|
|
||||||
set ldap_clients {
|
set ldap_clients {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags interval
|
flags interval
|
||||||
elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125}
|
elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125, 193.48.225.0/24 }
|
||||||
}
|
}
|
||||||
|
|
||||||
set mysql {
|
set mysql {
|
||||||
|
@ -76,6 +76,8 @@ table inet firewall {
|
||||||
}
|
}
|
||||||
|
|
||||||
chain to_dmz {
|
chain to_dmz {
|
||||||
|
ip saddr 10.7.0.0/16 accept
|
||||||
|
|
||||||
ip daddr @smtp tcp dport { 22, 25, 80 } accept
|
ip daddr @smtp tcp dport { 22, 25, 80 } accept
|
||||||
ip daddr @dns tcp dport { 22, 53 } accept
|
ip daddr @dns tcp dport { 22, 53 } accept
|
||||||
ip daddr @dns udp dport { 53 } accept
|
ip daddr @dns udp dport { 53 } accept
|
||||||
|
@ -89,12 +91,14 @@ table inet firewall {
|
||||||
ip daddr @video udp dport { 37800 } accept
|
ip daddr @video udp dport { 37800 } accept
|
||||||
ip daddr @video tcp dport { 5678 } accept
|
ip daddr @video tcp dport { 5678 } accept
|
||||||
|
|
||||||
ip daddr @ldap ip saddr @ldap_clients tcp dport { 389, 636} accept
|
ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept
|
||||||
|
ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept
|
||||||
|
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain from_dmz {
|
chain from_dmz {
|
||||||
|
ip daddr 10.0.0.0/8 accept
|
||||||
ip daddr @mysql ip saddr != @www tcp dport 3306 drop
|
ip daddr @mysql ip saddr != @www tcp dport 3306 drop
|
||||||
ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop
|
ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop
|
||||||
}
|
}
|
||||||
|
|
|
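Review bot: The new first rule of `to_dmz`, `ip saddr 10.7.0.0/16 accept`, matches a /16 while the admin range defined in this same commit is `range_admin = 10.7.0.0/24`; the mask looks like a typo, and because the rule sits above all the port-specific rules it grants every host in that block unrestricted access to the DMZ on every port. If admins are meant to bypass the DMZ port filter, `ip saddr $range_admin accept` states that intent and keeps the scope to the defined range. In `from_dmz`, the new leading `ip daddr 10.0.0.0/8 accept` lets any DMZ host open connections to the whole internal 10/8 (adherent, admin, RADIUS and prerezotage ranges), so a compromised web or mail server gains direct reach into the internal network; DMZ-initiated traffic should be limited to the specific internal services it actually needs (reply traffic to internal clients is presumably handled by a conntrack state rule in `global`, not visible here). The addition of `193.48.225.0/24` to `ldap_clients` similarly widens LDAP access to the entire public range rather than the hosts that need it; a `counter` on these broad accepts would at least show how much traffic they carry.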
@ -24,7 +24,7 @@ table inet firewall {
|
||||||
|
|
||||||
table nat {
|
table nat {
|
||||||
chain prerezotage_nat {
|
chain prerezotage_nat {
|
||||||
masquerade
|
snat to $ip_self_public
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|