License
This commit is contained in:
parent
d1f0ef10d8
commit
9512cd35ac
16 changed files with 207 additions and 12 deletions
15
archi.nft
15
archi.nft
|
@ -1,3 +1,18 @@
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
# Variables prpres à l'architecture pour le pare-feu
|
# Variables prpres à l'architecture pour le pare-feu
|
||||||
|
|
||||||
# Interfaces de la machine
|
# Interfaces de la machine
|
||||||
|
|
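--- a/checkmac.nft
+++ b/checkmac.nft
@@ -1,3 +1,18 @@
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
+
 # Table checkmac, à bas le spoof d'ips.
 
 table inet firewall {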
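--- a/firewall.nft
+++ b/firewall.nft
@@ -1,5 +1,20 @@
 #! /usr/sbin/nft -I /usr/local/firewall -f
 
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
+
 # Remise à zéro des règles du pare-feu
 flush ruleset
 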
|
@ -14,6 +14,7 @@
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
# Copyright © 2017 David Sinquin <david.re2o@sinquin.eu>
|
# Copyright © 2017 David Sinquin <david.re2o@sinquin.eu>
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
|
|
||||||
"""
|
"""
|
||||||
|
|
|
@ -1,3 +1,17 @@
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
table inet firewall {
|
table inet firewall {
|
||||||
chain global {
|
chain global {
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
# Copyright © 2019 Hugo Levy-Falk <me@klafyvel.me>
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
"""
|
"""
|
||||||
Creates the nat set.
|
Creates the nat set.
|
||||||
|
|
26
main.py
26
main.py
|
@ -1,4 +1,20 @@
|
||||||
#! /usr/bin/python3
|
#! /usr/bin/python3
|
||||||
|
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
import os
|
import os
|
||||||
import tempfile
|
import tempfile
|
||||||
import logging
|
import logging
|
||||||
|
@ -58,7 +74,7 @@ def _structure(keep_nat, keep_macip):
|
||||||
macip_file.write(nat.encode('utf-8'))
|
macip_file.write(nat.encode('utf-8'))
|
||||||
|
|
||||||
CommandExec.run([
|
CommandExec.run([
|
||||||
'nft',
|
'nft',
|
||||||
'-I',
|
'-I',
|
||||||
BASE_DIR,
|
BASE_DIR,
|
||||||
'-f',
|
'-f',
|
||||||
|
@ -67,7 +83,7 @@ def _structure(keep_nat, keep_macip):
|
||||||
if keep_macip:
|
if keep_macip:
|
||||||
logging.info("Retreiving the current macip set.")
|
logging.info("Retreiving the current macip set.")
|
||||||
CommandExec.run([
|
CommandExec.run([
|
||||||
'nft',
|
'nft',
|
||||||
'-I',
|
'-I',
|
||||||
BASE_DIR,
|
BASE_DIR,
|
||||||
'-f',
|
'-f',
|
||||||
|
@ -79,7 +95,7 @@ def _structure(keep_nat, keep_macip):
|
||||||
if keep_nat:
|
if keep_nat:
|
||||||
logging.info("Retreiving the current NAT table.")
|
logging.info("Retreiving the current NAT table.")
|
||||||
CommandExec.run([
|
CommandExec.run([
|
||||||
'nft',
|
'nft',
|
||||||
'-I',
|
'-I',
|
||||||
BASE_DIR,
|
BASE_DIR,
|
||||||
'-f',
|
'-f',
|
||||||
|
@ -98,7 +114,7 @@ def cli(ctx, keep_nat, keep_macip):
|
||||||
"""Re2o firewall manager.
|
"""Re2o firewall manager.
|
||||||
|
|
||||||
Used without command, the firewall manager will load the whole firewall (i.e. the struture, the macip set and the MAC table). By default it erases the current NAT table and macp set. You can choose to keep the current values for these with the flags.
|
Used without command, the firewall manager will load the whole firewall (i.e. the struture, the macip set and the MAC table). By default it erases the current NAT table and macp set. You can choose to keep the current values for these with the flags.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
if ctx.invoked_subcommand is None:
|
if ctx.invoked_subcommand is None:
|
||||||
logger.info("Starting Re2o firewall manager.")
|
logger.info("Starting Re2o firewall manager.")
|
||||||
|
@ -112,7 +128,7 @@ def macip():
|
||||||
"""
|
"""
|
||||||
_mac_ip.update_macip()
|
_mac_ip.update_macip()
|
||||||
|
|
||||||
|
|
||||||
@cli.command()
|
@cli.command()
|
||||||
def nat():
|
def nat():
|
||||||
"""Load the NAT table.
|
"""Load the NAT table.
|
||||||
|
|
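Review bot: `macip_file.write(nat.encode('utf-8'))` at the top of the first main.py hunk writes the `nat` buffer into the macip temporary file, which reads like a copy-paste slip — if `nat` and the macip set are distinct values inside `_structure`, the `nft -f` call that follows loads NAT content as the macip set; please confirm, or change it to `macip_file.write(<macip set>.encode('utf-8'))` with whatever name holds that set. The same function uses `logging.info(...)` in the keep_macip and keep_nat branches while `cli` uses `logger.info(...)`; using the module `logger` everywhere keeps the output under one configured handler. The two messages also misspell "Retrieving" (`"Retreiving the current macip set."`, `"Retreiving the current NAT table."`). The visible changes in these hunks appear to be whitespace-only, and `_structure` starts and ends outside them.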
25
nat.nft
25
nat.nft
|
@ -1,5 +1,20 @@
|
||||||
#! /sbin/nft -f
|
#! /sbin/nft -f
|
||||||
|
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
table ip nat {
|
table ip nat {
|
||||||
|
|
||||||
set radius_federez {
|
set radius_federez {
|
||||||
|
@ -10,8 +25,8 @@ table ip nat {
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority 0;
|
type nat hook prerouting priority 0;
|
||||||
ip saddr $range_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server;
|
ip saddr $range_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server;
|
||||||
ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius;
|
ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius;
|
||||||
ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636, 1812 } dnat $ip_radius;
|
ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636, 1812 } dnat $ip_radius;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -20,8 +35,8 @@ table ip nat {
|
||||||
|
|
||||||
meta oifname != $if_supelec return
|
meta oifname != $if_supelec return
|
||||||
|
|
||||||
ip saddr $ip_radius ip daddr @radius_federez tcp dport { 636, 389} snat to $ip_self_public
|
ip saddr $ip_radius ip daddr @radius_federez tcp dport { 636, 389} snat to $ip_self_public
|
||||||
ip saddr $ip_radius ip daddr @radius_federez udp dport { 636, 1812 } snat to $ip_self_public
|
ip saddr $ip_radius ip daddr @radius_federez udp dport { 636, 1812 } snat to $ip_self_public
|
||||||
|
|
||||||
ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
|
ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
|
||||||
$range_adherent : goto adherent_nat,
|
$range_adherent : goto adherent_nat,
|
||||||
|
@ -30,7 +45,7 @@ table ip nat {
|
||||||
$range_aloes : goto aloes_nat,
|
$range_aloes : goto aloes_nat,
|
||||||
$range_prerezotage : goto prerezotage_nat
|
$range_prerezotage : goto prerezotage_nat
|
||||||
}
|
}
|
||||||
|
|
||||||
ip daddr != {10.0.0.0/8, $range_public} ip saddr != $range_public snat to $ip_self_public
|
ip daddr != {10.0.0.0/8, $range_public} ip saddr != $range_public snat to $ip_self_public
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
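Review bot: The rules `udp dport { 636, 1812 }` in the prerouting DNAT and in the matching postrouting SNAT forward UDP 636 to `$ip_radius`, but 636 is the LDAPS port, which runs over TCP and is already covered by the `tcp dport { 636, 389 }` rule just above, so the UDP set looks copied from the TCP one. If RADIUS accounting from the federation peers is expected, the intended set is presumably `udp dport { 1812, 1813 }` — confirm against what the RADIUS host actually listens on, and otherwise drop 636 from both UDP rules. Forwarding cleartext LDAP (389/tcp) from `@radius_federez` to the internal directory also deserves a one-line comment stating why it is needed next to 636, e.g. `# 389 kept for federation peers that cannot do LDAPS; review before widening the set`. The visible changes in these hunks appear to be whitespace-only, so this concerns the rules as they stand; the postrouting chain holding the SNAT rules starts before the second hunk.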
2
nat.py
2
nat.py
|
@ -13,7 +13,7 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
# Copyright © 2019 Hugo Levy-Falk <me@klafyvel.me>
|
# Copyright © 2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
"""
|
"""
|
||||||
Creates the nat set.
|
Creates the nat set.
|
||||||
|
|
|
@ -1,5 +1,20 @@
|
||||||
#! /sbin/nft -f
|
#! /sbin/nft -f
|
||||||
|
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
table inet firewall {
|
table inet firewall {
|
||||||
|
|
||||||
chain to_adherent {
|
chain to_adherent {
|
||||||
|
|
|
@ -1,5 +1,20 @@
|
||||||
#! /sbin/nft -f
|
#! /sbin/nft -f
|
||||||
|
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
table inet firewall {
|
table inet firewall {
|
||||||
|
|
||||||
chain to_admin {
|
chain to_admin {
|
||||||
|
|
|
@ -1,5 +1,20 @@
|
||||||
#! /sbin/nft -f
|
#! /sbin/nft -f
|
||||||
|
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
table inet firewall {
|
table inet firewall {
|
||||||
|
|
||||||
chain to_aloes {
|
chain to_aloes {
|
||||||
|
|
|
@ -1,5 +1,19 @@
|
||||||
#! /sbin/nft -f
|
#! /sbin/nft -f
|
||||||
|
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
table inet firewall {
|
table inet firewall {
|
||||||
|
|
||||||
|
|
|
@ -1,5 +1,20 @@
|
||||||
#! /sbin/nft -f
|
#! /sbin/nft -f
|
||||||
|
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
table inet firewall {
|
table inet firewall {
|
||||||
|
|
||||||
chain to_federez {
|
chain to_federez {
|
||||||
|
|
|
@ -1,5 +1,20 @@
|
||||||
#! /sbin/nft -f
|
#! /sbin/nft -f
|
||||||
|
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
table inet firewall {
|
table inet firewall {
|
||||||
|
|
||||||
set allowed_daddr_prerezotage {
|
set allowed_daddr_prerezotage {
|
||||||
|
|
|
@ -1,5 +1,20 @@
|
||||||
#! /sbin/nft -f
|
#! /sbin/nft -f
|
||||||
|
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
|
||||||
|
|
||||||
table inet firewall {
|
table inet firewall {
|
||||||
|
|
||||||
chain to_supelec {
|
chain to_supelec {
|
||||||
|
|