rezometz/firewall
9
0
Fork 0
Code Issues Pull requests 1 Releases Wiki Activity

License

Browse source
This commit is contained in:
Hugo Levy-Falk 2019-12-20 19:18:10 +01:00 committed by root
parent d1f0ef10d8
commit 9512cd35ac
16 changed files with 207 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
archi.nft
View file

@ -1,3 +1,18 @@
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
# Variables prpres à l'architecture pour le pare-feu
# Interfaces de la machine

15
checkmac.nft
View file

@ -1,3 +1,18 @@
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
# Table checkmac, à bas le spoof d'ips.
table inet firewall {

15
firewall.nft
View file

@ -1,5 +1,20 @@
#! /usr/sbin/nft -I /usr/local/firewall -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
# Remise à zéro des règles du pare-feu
flush ruleset

1
firewall.py
View file

@ -14,6 +14,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2017 David Sinquin <david.re2o@sinquin.eu>
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
"""

14
global_policy.nft
View file

@ -1,3 +1,17 @@
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall {
chain global {

2
mac_ip.py
View file

@ -13,7 +13,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2019 Hugo Levy-Falk <me@klafyvel.me>
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
"""
Creates the nat set.

26
main.py
View file

@ -1,4 +1,20 @@
#! /usr/bin/python3
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
import os
import tempfile
import logging
@ -58,7 +74,7 @@ def _structure(keep_nat, keep_macip):
macip_file.write(nat.encode('utf-8'))
CommandExec.run([
'nft',
'nft',
'-I',
BASE_DIR,
'-f',
@ -67,7 +83,7 @@ def _structure(keep_nat, keep_macip):
if keep_macip:
logging.info("Retreiving the current macip set.")
CommandExec.run([
'nft',
'nft',
'-I',
BASE_DIR,
'-f',
@ -79,7 +95,7 @@ def _structure(keep_nat, keep_macip):
if keep_nat:
logging.info("Retreiving the current NAT table.")
CommandExec.run([
'nft',
'nft',
'-I',
BASE_DIR,
'-f',
@ -98,7 +114,7 @@ def cli(ctx, keep_nat, keep_macip):
"""Re2o firewall manager.
Used without command, the firewall manager will load the whole firewall (i.e. the struture, the macip set and the MAC table). By default it erases the current NAT table and macp set. You can choose to keep the current values for these with the flags.
"""
if ctx.invoked_subcommand is None:
logger.info("Starting Re2o firewall manager.")
@ -112,7 +128,7 @@ def macip():
"""
_mac_ip.update_macip()
@cli.command()
def nat():
"""Load the NAT table.

25
nat.nft
View file

@ -1,5 +1,20 @@
#! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table ip nat {
set radius_federez {
@ -10,8 +25,8 @@ table ip nat {
chain prerouting {
type nat hook prerouting priority 0;
ip saddr $range_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server;
ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius;
ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636, 1812 } dnat $ip_radius;
ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius;
ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636, 1812 } dnat $ip_radius;
}
@ -20,8 +35,8 @@ table ip nat {
meta oifname != $if_supelec return
ip saddr $ip_radius ip daddr @radius_federez tcp dport { 636, 389} snat to $ip_self_public
ip saddr $ip_radius ip daddr @radius_federez udp dport { 636, 1812 } snat to $ip_self_public
ip saddr $ip_radius ip daddr @radius_federez tcp dport { 636, 389} snat to $ip_self_public
ip saddr $ip_radius ip daddr @radius_federez udp dport { 636, 1812 } snat to $ip_self_public
ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
$range_adherent : goto adherent_nat,
@ -30,7 +45,7 @@ table ip nat {
$range_aloes : goto aloes_nat,
$range_prerezotage : goto prerezotage_nat
}
ip daddr != {10.0.0.0/8, $range_public} ip saddr != $range_public snat to $ip_self_public
}

2
nat.py
View file

@ -13,7 +13,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2019 Hugo Levy-Falk <me@klafyvel.me>
# Copyright © 2019 Hugo Levy-Falk <hugo@klafyvel.me>
"""
Creates the nat set.

15
zones/adherent.nft
View file

@ -1,5 +1,20 @@
#! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall {
chain to_adherent {

15
zones/admin.nft
View file

@ -1,5 +1,20 @@
#! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall {
chain to_admin {

15
zones/aloes.nft
View file

@ -1,5 +1,20 @@
#! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall {
chain to_aloes {

14
zones/dmz.nft
View file

@ -1,5 +1,19 @@
#! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall {

15
zones/federez.nft
View file

@ -1,5 +1,20 @@
#! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall {
chain to_federez {

15
zones/prerezotage.nft
View file

@ -1,5 +1,20 @@
#! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall {
set allowed_daddr_prerezotage {

15
zones/supelec.nft
View file

@ -1,5 +1,20 @@
#! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall {
chain to_supelec {