Commit running configuration
This commit is contained in:
parent
06a53d3ceb
commit
624c7142fa
5 changed files with 39 additions and 11 deletions
10
archi.nft
10
archi.nft
|
@ -18,26 +18,28 @@
|
|||
# Interfaces de la machine
|
||||
define if_adherent = "bond0.69"
|
||||
define if_admin = "eno1"
|
||||
define if_federez = "bond0.20"
|
||||
define if_federez = "bond0.67"
|
||||
define if_supelec = "bond0.2"
|
||||
define if_aloes = "bond0.66"
|
||||
define if_prerezotage = "bond0.68"
|
||||
define if_dmz = "bond0.13"
|
||||
define if_new_admin = "bond0.70"
|
||||
|
||||
# Ips
|
||||
define comnpay = 46.255.53.0/24
|
||||
define website = 193.48.225.242
|
||||
define external_dns = 80.67.188.188
|
||||
define intranet = 193.48.225.247
|
||||
define intranet = 193.48.225.225
|
||||
define bounce_server = 193.48.225.247
|
||||
|
||||
define range_adherent = 10.69.0.0/20
|
||||
define range_admin = 10.7.0.0/24
|
||||
define range_federez = 10.20.0.0/21
|
||||
define range_federez = 10.67.0.0/21
|
||||
define range_aloes = 10.66.0.0/27
|
||||
define range_prerezotage = 10.68.0.0/16
|
||||
define range_public = 193.48.225.0/24
|
||||
define range_new_admin = 10.70.0.0/16
|
||||
|
||||
define ip_self_public = 193.48.225.254
|
||||
|
||||
define monitoring = 10.7.0.114
|
||||
define monitoring = 10.70.0.11
|
||||
|
|
|
@ -60,6 +60,7 @@ table inet firewall {
|
|||
meta iif vmap {
|
||||
$if_adherent : jump from_adherent,
|
||||
$if_admin : jump from_admin,
|
||||
$if_new_admin : jump from_admin,
|
||||
$if_federez : jump from_federez,
|
||||
$if_supelec : jump from_supelec,
|
||||
$if_aloes : jump from_aloes,
|
||||
|
@ -74,6 +75,7 @@ table inet firewall {
|
|||
meta oif vmap {
|
||||
$if_adherent : goto to_adherent,
|
||||
$if_admin : goto to_admin,
|
||||
$if_new_admin : goto to_admin,
|
||||
$if_federez : goto to_federez,
|
||||
$if_supelec : goto to_supelec,
|
||||
$if_aloes : goto to_aloes,
|
||||
|
|
|
@ -688,6 +688,7 @@ class NAT:
|
|||
ip_in = netaddr.IPAddress(ip+i)
|
||||
ports[i].add((ip_in,))
|
||||
nat_log += '\t'.join((str(ip_out), port_range(i), str(ip_in), '\n'))
|
||||
print(nat_log)
|
||||
|
||||
|
||||
ip_map = NetfilterMap(
|
||||
|
|
1
nat.nft
1
nat.nft
|
@ -41,6 +41,7 @@ table ip nat {
|
|||
ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
|
||||
$range_adherent : goto adherent_nat,
|
||||
$range_admin : goto admin_nat,
|
||||
$range_new_admin : goto admin_nat,
|
||||
$range_federez : goto federez_nat,
|
||||
$range_aloes : goto aloes_nat,
|
||||
$range_prerezotage : goto prerezotage_nat
|
||||
|
|
|
@ -20,13 +20,13 @@ table inet firewall {
|
|||
set dns {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
elements = { 193.48.225.248, 193.48.225.204 }
|
||||
elements = { 193.48.225.248, 193.48.225.204, 193.48.225.213, 193.48.225.29 }
|
||||
}
|
||||
|
||||
set www {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247, 193.48.225.200, 193.48.225.3, 193.48.225.203, 193.48.225.208 }
|
||||
elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247, 193.48.225.200, 193.48.225.3, 193.48.225.32, 193.48.225.34, 193.48.225.225, 193.48.225.25, 193.48.225.36, 193.48.225.42, 193.48.225.60, 193.48.225.61, 193.48.225.62, 193.48.225.63, 193.48.225.45, 193.48.225.20}
|
||||
}
|
||||
|
||||
set irc {
|
||||
|
@ -44,13 +44,13 @@ table inet firewall {
|
|||
set smtp {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
elements = { 193.48.225.249, 193.48.225.245, 193.48.225.200 , 193.48.225.207}
|
||||
elements = { 193.48.225.207, 193.48.225.37 }
|
||||
}
|
||||
|
||||
set letsencrypt {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
elements = {193.48.225.246, 193.48.225.248, 193.48.225.249}
|
||||
elements = {193.48.225.246, 193.48.225.248, 193.48.225.249, 193.48.225.20}
|
||||
}
|
||||
|
||||
set federez {
|
||||
|
@ -108,8 +108,26 @@ table inet firewall {
|
|||
|
||||
}
|
||||
|
||||
set wireguard {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
elements = { 193.48.225.209 }
|
||||
}
|
||||
|
||||
set radius {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
elements = { 193.48.225.20 }
|
||||
}
|
||||
|
||||
set dns_recursif {
|
||||
type ipv4_addr
|
||||
flags interval
|
||||
elements = { 193.48.225.30 }
|
||||
}
|
||||
|
||||
chain to_dmz {
|
||||
ip saddr 10.7.0.0/16 accept
|
||||
ip saddr 10.70.0.0/16 accept
|
||||
|
||||
ip daddr @smtp tcp dport { 22, 25, 80, 443, 143, 993, 587} accept
|
||||
ip daddr @dns tcp dport { 22, 53 } accept
|
||||
|
@ -125,6 +143,7 @@ table inet firewall {
|
|||
ip daddr @video tcp dport { 37700, 6754 } accept
|
||||
ip daddr @video udp dport { 37800 } accept
|
||||
ip daddr @video tcp dport { 5678 } accept
|
||||
ip daddr @wireguard udp dport { 51820 } accept
|
||||
ip saddr $monitoring udp dport { 161 } accept
|
||||
|
||||
ip daddr @minecraft tcp dport { 22, 25565 } accept
|
||||
|
@ -134,6 +153,9 @@ table inet firewall {
|
|||
ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept
|
||||
ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept
|
||||
|
||||
ip daddr @radius udp dport { 1812, 1814 } accept
|
||||
ip daddr @dns_recursif udp dport { 53, 853, 443 } accept
|
||||
ip daddr @dns_recursif tcp dport { 53, 853, 443 } accept
|
||||
drop
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue