No commits in common. "master" and "lazouz/latoilescoute-snmp" have entirely different histories.
6 changed files with 23 additions and 150 deletions
15
archi.nft
15
archi.nft
|
@ -18,28 +18,27 @@
|
||||||
# Interfaces de la machine
|
# Interfaces de la machine
|
||||||
define if_adherent = "bond0.69"
|
define if_adherent = "bond0.69"
|
||||||
define if_admin = "eno1"
|
define if_admin = "eno1"
|
||||||
define if_federez = "bond0.67"
|
define if_federez = "bond0.20"
|
||||||
define if_supelec = "bond0.2"
|
define if_supelec = "bond0.2"
|
||||||
define if_aloes = "bond0.66"
|
define if_aloes = "bond0.66"
|
||||||
define if_prerezotage = "bond0.68"
|
define if_prerezotage = "bond0.68"
|
||||||
define if_dmz = "bond0.13"
|
define if_dmz = "bond0.13"
|
||||||
define if_new_admin = "bond0.70"
|
|
||||||
|
|
||||||
# Ips
|
# Ips
|
||||||
define comnpay = 46.255.53.0/24
|
define comnpay = 46.255.53.0/24
|
||||||
define website = 193.54.193.39
|
define website = 193.48.225.242
|
||||||
define external_dns = 80.67.188.188
|
define external_dns = 80.67.188.188
|
||||||
define intranet = 193.54.193.42
|
define intranet = 193.48.225.247
|
||||||
define bounce_server = 193.54.193.42
|
define bounce_server = 193.48.225.247
|
||||||
|
|
||||||
define range_adherent = 10.69.0.0/20
|
define range_adherent = 10.69.0.0/20
|
||||||
define range_admin = 10.7.0.0/24
|
define range_admin = 10.7.0.0/24
|
||||||
define range_federez = 10.67.0.0/21
|
define range_federez = 10.20.0.0/21
|
||||||
define range_aloes = 10.66.0.0/27
|
define range_aloes = 10.66.0.0/27
|
||||||
define range_prerezotage = 10.68.0.0/16
|
define range_prerezotage = 10.68.0.0/16
|
||||||
define range_public = 193.48.225.0/24
|
define range_public = 193.48.225.0/24
|
||||||
define range_new_admin = 10.70.0.0/16
|
|
||||||
|
|
||||||
define ip_self_public = 193.48.225.254
|
define ip_self_public = 193.48.225.254
|
||||||
|
|
||||||
define monitoring = 10.70.0.11
|
define ip_radius = 10.7.0.124
|
||||||
|
define monitoring = 10.7.0.114
|
||||||
|
|
|
@ -60,7 +60,6 @@ table inet firewall {
|
||||||
meta iif vmap {
|
meta iif vmap {
|
||||||
$if_adherent : jump from_adherent,
|
$if_adherent : jump from_adherent,
|
||||||
$if_admin : jump from_admin,
|
$if_admin : jump from_admin,
|
||||||
$if_new_admin : jump from_admin,
|
|
||||||
$if_federez : jump from_federez,
|
$if_federez : jump from_federez,
|
||||||
$if_supelec : jump from_supelec,
|
$if_supelec : jump from_supelec,
|
||||||
$if_aloes : jump from_aloes,
|
$if_aloes : jump from_aloes,
|
||||||
|
@ -75,7 +74,6 @@ table inet firewall {
|
||||||
meta oif vmap {
|
meta oif vmap {
|
||||||
$if_adherent : goto to_adherent,
|
$if_adherent : goto to_adherent,
|
||||||
$if_admin : goto to_admin,
|
$if_admin : goto to_admin,
|
||||||
$if_new_admin : goto to_admin,
|
|
||||||
$if_federez : goto to_federez,
|
$if_federez : goto to_federez,
|
||||||
$if_supelec : goto to_supelec,
|
$if_supelec : goto to_supelec,
|
||||||
$if_aloes : goto to_aloes,
|
$if_aloes : goto to_aloes,
|
||||||
|
@ -90,6 +88,7 @@ table inet firewall {
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0;
|
type filter hook input priority 0;
|
||||||
policy accept;
|
policy accept;
|
||||||
|
tcp dport {http, https } drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
|
|
|
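Review bot: The `tcp dport {http, https } drop` added to `chain input` sits directly under `policy accept;`, so it is the only thing that chain rejects and it matches on every interface, $if_admin included, with nothing on the line saying why the firewall host itself must refuse web traffic. If the aim is to keep this host from answering on 80/443 while the default stays accept, I would record that on the rule, e.g. `tcp dport { http, https } drop  # host answers no web traffic itself; web DNAT lives in nat.nft (confirm admin side is meant to be included)`, so the next reader does not mistake it for a half-finished lockdown. In the first hunk, `intranet` and `bounce_server` now both resolve to 193.48.225.247 (they were both 193.54.193.42 before), which is consistent with how nat.nft uses them but deserves a one-line comment since the two names suggest different roles; the paired `if_federez` bond0.20 / `range_federez` 10.20.0.0/21 change reads consistently.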
@ -688,7 +688,6 @@ class NAT:
|
||||||
ip_in = netaddr.IPAddress(ip+i)
|
ip_in = netaddr.IPAddress(ip+i)
|
||||||
ports[i].add((ip_in,))
|
ports[i].add((ip_in,))
|
||||||
nat_log += '\t'.join((str(ip_out), port_range(i), str(ip_in), '\n'))
|
nat_log += '\t'.join((str(ip_out), port_range(i), str(ip_in), '\n'))
|
||||||
print(nat_log)
|
|
||||||
|
|
||||||
|
|
||||||
ip_map = NetfilterMap(
|
ip_map = NetfilterMap(
|
||||||
|
|
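Review bot: With `print(nat_log)` gone, the `nat_log += '\t'.join((str(ip_out), port_range(i), str(ip_in), '\n'))` line just above still rebuilds the string on every loop iteration but nothing in this hunk reads it any more, so unless the rest of the method uses it the accumulation is now dead work. Either drop the `nat_log` lines as well, or keep the mapping inspectable by emitting it through the `logging` module at debug level instead of `print`, which also avoids writing the full IP/port table to stdout on every run. The enclosing method of `class NAT` starts and ends outside the hunk, and the file header for this section is not shown on the page, so I cannot tell whether `nat_log` is used later.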
75
nat.nft
75
nat.nft
|
@ -22,77 +22,11 @@ table ip nat {
|
||||||
elements = { 195.154.165.76, 185.230.78.47 }
|
elements = { 195.154.165.76, 185.230.78.47 }
|
||||||
}
|
}
|
||||||
|
|
||||||
chain fwd_aurelian_pinet{
|
|
||||||
# +-----------------------------------------------------+
|
|
||||||
# + asyncnomi port forwarding table +
|
|
||||||
# +------------+------+-----------+-------------+-------+
|
|
||||||
# | Service | Port | Protocole | IP | Fwd |
|
|
||||||
# +------------+------+-----------+-------------+-------|
|
|
||||||
# | EDT 1 | 8000 | Both | 10.69.9.231 | 52000 |
|
|
||||||
# | EDT 2 | 8001 | Both | 10.69.9.231 | 52001 |
|
|
||||||
# | PLYST | 8002 | Both | 10.69.9.231 | 52002 |
|
|
||||||
# | SSH | 22 | Both | 10.69.9.231 | 52003 |
|
|
||||||
# | BF | 80 | Both | 10.69.9.231 | 52004 |
|
|
||||||
# | MediaVault | 2000 | Both | 10.69.9.231 | 52005 |
|
|
||||||
# | E2EE 1 | 6000 | TCP | 10.69.9.231 | 52006 |
|
|
||||||
# | E2EE 2 | 6001 | TCP | 10.69.9.231 | 52007 |
|
|
||||||
# | E2EE 3 | 6002 | TCP | 10.69.9.231 | 52008 |
|
|
||||||
# | Spare 1 | 2001 | Both | 10.69.9.231 | 52009 |
|
|
||||||
# | Spare 2 | 2002 | Both | 10.69.9.231 | 52010 |
|
|
||||||
# | SSH | 22 | Both | 10.69.9.232 | 52011 |
|
|
||||||
# | E2EE 1 | 6000 | TCP | 10.69.9.232 | 52012 |
|
|
||||||
# | E2EE 2 | 6001 | TCP | 10.69.9.232 | 52013 |
|
|
||||||
# | E2EE 3 | 6002 | TCP | 10.69.9.232 | 52014 |
|
|
||||||
# | Spare 1 | 2001 | Both | 10.69.9.232 | 52015 |
|
|
||||||
# | Spare 2 | 2002 | Both | 10.69.9.232 | 52016 |
|
|
||||||
# +------------+------+-----------+-------------+-------+
|
|
||||||
tcp dport 52000 dnat to 10.69.9.231:8000 # EDT 1 tcp
|
|
||||||
udp dport 52000 dnat to 10.69.9.231:8000 # EDT 1 udp
|
|
||||||
tcp dport 52001 dnat to 10.69.9.231:8001 # EDT 2 tcp
|
|
||||||
udp dport 52001 dnat to 10.69.9.231:8001 # EDT 2 tcp
|
|
||||||
tcp dport 52002 dnat to 10.69.9.231:8002 # PLYST tcp
|
|
||||||
udp dport 52002 dnat to 10.69.9.231:8002 # PLYST udp
|
|
||||||
tcp dport 52003 dnat to 10.69.9.231:22 # SSH tcp
|
|
||||||
udp dport 52003 dnat to 10.69.9.231:22 # SSH udp
|
|
||||||
tcp dport 52004 dnat to 10.69.9.231:80 # BF tcp
|
|
||||||
udp dport 52004 dnat to 10.69.9.231:80 # BF udp
|
|
||||||
tcp dport 52005 dnat to 10.69.9.231:2000 # MediaVault tcp
|
|
||||||
udp dport 52005 dnat to 10.69.9.231:2000 # MediaVault udp
|
|
||||||
tcp dport 52006 dnat to 10.69.9.231:6000 # E2EE 1
|
|
||||||
tcp dport 52007 dnat to 10.69.9.231:6001 # E2EE 1
|
|
||||||
tcp dport 52008 dnat to 10.69.9.231:6002 # E2EE 1
|
|
||||||
tcp dport 52009 dnat to 10.69.9.231:2001 # Spare 1 tcp
|
|
||||||
udp dport 52009 dnat to 10.69.9.231:2001 # Spare 1 udp
|
|
||||||
tcp dport 52010 dnat to 10.69.9.231:2002 # Spare 2 tcp
|
|
||||||
udp dport 52010 dnat to 10.69.9.231:2002 # Spare 2 udp
|
|
||||||
|
|
||||||
tcp dport 52011 dnat to 10.69.9.232:22 # SSH tcp
|
|
||||||
udp dport 52011 dnat to 10.69.9.232:22 # SSH udp
|
|
||||||
tcp dport 52012 dnat to 10.69.9.232:6000 # E2EE 1
|
|
||||||
tcp dport 52013 dnat to 10.69.9.232:6001 # E2EE 1
|
|
||||||
tcp dport 52014 dnat to 10.69.9.232:6002 # E2EE 1
|
|
||||||
tcp dport 52015 dnat to 10.69.9.232:2001 # Spare 1 tcp
|
|
||||||
udp dport 52015 dnat to 10.69.9.232:2001 # Spare 1 udp
|
|
||||||
tcp dport 52016 dnat to 10.69.9.232:2002 # Spare 2 tcp
|
|
||||||
udp dport 52016 dnat to 10.69.9.232:2002 # Spare 2 udp
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority 0;
|
type nat hook prerouting priority 0;
|
||||||
ip saddr $range_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server;
|
ip saddr $range_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server;
|
||||||
|
ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius;
|
||||||
# Serveur de Mohammed Ziani
|
ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636, 1812 } dnat $ip_radius;
|
||||||
meta iif $if_supelec ip daddr $ip_self_public tcp dport 51000 counter dnat to 10.69.3.116:22
|
|
||||||
meta iif $if_supelec ip daddr $ip_self_public tcp dport 51001 counter dnat to 10.69.3.116:80
|
|
||||||
meta iif $if_supelec ip daddr $ip_self_public tcp dport 51002 counter dnat to 10.69.3.116:443
|
|
||||||
|
|
||||||
# Serveur de Aurélian Pinet
|
|
||||||
meta iif $if_supelec ip daddr $ip_self_public tcp dport 52000-52016 jump fwd_aurelian_pinet
|
|
||||||
meta iif $if_supelec ip daddr $ip_self_public udp dport 52000-52016 jump fwd_aurelian_pinet
|
|
||||||
|
|
||||||
#ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius;
|
|
||||||
#ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636, 1812 } dnat $ip_radius;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -101,13 +35,12 @@ table ip nat {
|
||||||
|
|
||||||
meta oifname != $if_supelec return
|
meta oifname != $if_supelec return
|
||||||
|
|
||||||
#ip saddr $ip_radius ip daddr @radius_federez tcp dport { 636, 389} snat to $ip_self_public
|
ip saddr $ip_radius ip daddr @radius_federez tcp dport { 636, 389} snat to $ip_self_public
|
||||||
#ip saddr $ip_radius ip daddr @radius_federez udp dport { 636, 1812 } snat to $ip_self_public
|
ip saddr $ip_radius ip daddr @radius_federez udp dport { 636, 1812 } snat to $ip_self_public
|
||||||
|
|
||||||
ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
|
ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
|
||||||
$range_adherent : goto adherent_nat,
|
$range_adherent : goto adherent_nat,
|
||||||
$range_admin : goto admin_nat,
|
$range_admin : goto admin_nat,
|
||||||
$range_new_admin : goto admin_nat,
|
|
||||||
$range_federez : goto federez_nat,
|
$range_federez : goto federez_nat,
|
||||||
$range_aloes : goto aloes_nat,
|
$range_aloes : goto aloes_nat,
|
||||||
$range_prerezotage : goto prerezotage_nat
|
$range_prerezotage : goto prerezotage_nat
|
||||||
|
|
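Review bot: The newly enabled `ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636, 1812 } dnat $ip_radius;` in `chain prerouting`, mirrored by `ip saddr $ip_radius ip daddr @radius_federez udp dport { 636, 1812 } snat to $ip_self_public` in the second hunk, forwards UDP 636 to the RADIUS host; LDAPS is TCP-only, so unless something on $ip_radius really listens on udp/636 this is most likely a stray port that widens what @radius_federez can reach without any service behind it. If it is deliberate, a comment on the pair naming the service behind each port (`# 389/636 tcp: LDAP(S); 1812 udp: RADIUS auth`) would settle it, and if RADIUS accounting is expected as well, 1813 is absent from both rules. These rules also use the bare `dnat $ip_radius` form while the SNAT side uses `snat to`; the file already mixes the two, but `dnat to` is the current documented spelling and keeping one form makes the pairs easier to audit. The removal of the `fwd_aurelian_pinet` chain together with the two `jump fwd_aurelian_pinet` rules and the old commented-out copies is consistent, so nothing dangles there.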
26
re2o.conf
26
re2o.conf
|
@ -1,26 +0,0 @@
|
||||||
<VirtualHost *:80>
|
|
||||||
ServerName re2o.rezometz.org
|
|
||||||
ServerAlias lorrabelle.rez
|
|
||||||
|
|
||||||
LogLevel warn
|
|
||||||
ErrorLog ${APACHE_LOG_DIR}/re2o-error.log
|
|
||||||
CustomLog ${APACHE_LOG_DIR}/re2o-access.log combined
|
|
||||||
|
|
||||||
#<Directory />
|
|
||||||
# AuthType Basic
|
|
||||||
# AuthName "Password Required"
|
|
||||||
# AuthUserFile /usr/local/password
|
|
||||||
# Require valid-user
|
|
||||||
# #Require all granted
|
|
||||||
#</Directory>
|
|
||||||
|
|
||||||
#Alias /static /var/www/re2o/static_files
|
|
||||||
#Alias /media /var/www/re2o/media
|
|
||||||
|
|
||||||
#WSGIScriptAlias / /var/www/re2o/re2o/wsgi.py
|
|
||||||
#WSGIProcessGroup re2o
|
|
||||||
#WSGIDaemonProcess re2o processes=2 threads=16 maximum-requests=1000 display-name=re2o
|
|
||||||
#WSGIPassAuthorization On
|
|
||||||
|
|
||||||
DocumentRoot /var/www/html
|
|
||||||
</VirtualHost>
|
|
|
@ -20,13 +20,13 @@ table inet firewall {
|
||||||
set dns {
|
set dns {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags interval
|
flags interval
|
||||||
elements = { 193.48.225.248, 193.48.225.204, 193.48.225.213, 193.48.225.29 }
|
elements = { 193.48.225.248, 193.48.225.204 }
|
||||||
}
|
}
|
||||||
|
|
||||||
set www {
|
set www {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags interval
|
flags interval
|
||||||
elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247, 193.48.225.200, 193.48.225.3, 193.48.225.32, 193.48.225.34, 193.48.225.225, 193.48.225.25, 193.48.225.36, 193.48.225.42, 193.48.225.60, 193.48.225.61, 193.48.225.62, 193.48.225.63, 193.48.225.45, 193.48.225.20, 193.48.225.101}
|
elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247, 193.48.225.200, 193.48.225.3, 193.48.225.203 }
|
||||||
}
|
}
|
||||||
|
|
||||||
set irc {
|
set irc {
|
||||||
|
@ -44,13 +44,13 @@ table inet firewall {
|
||||||
set smtp {
|
set smtp {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags interval
|
flags interval
|
||||||
elements = { 193.48.225.207, 193.48.225.37 }
|
elements = { 193.48.225.249, 193.48.225.245, 193.48.225.200 }
|
||||||
}
|
}
|
||||||
|
|
||||||
set letsencrypt {
|
set letsencrypt {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags interval
|
flags interval
|
||||||
elements = {193.48.225.246, 193.48.225.248, 193.48.225.249, 193.48.225.20}
|
elements = {193.48.225.246, 193.48.225.248, 193.48.225.249}
|
||||||
}
|
}
|
||||||
|
|
||||||
set federez {
|
set federez {
|
||||||
|
@ -80,7 +80,7 @@ table inet firewall {
|
||||||
set ldap_clients {
|
set ldap_clients {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags interval
|
flags interval
|
||||||
elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125, 193.48.225.0/24, 193.54.193.103 }
|
elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125, 193.48.225.0/24 }
|
||||||
}
|
}
|
||||||
|
|
||||||
set mysql {
|
set mysql {
|
||||||
|
@ -101,40 +101,13 @@ table inet firewall {
|
||||||
elements = {193.48.225.203}
|
elements = {193.48.225.203}
|
||||||
}
|
}
|
||||||
|
|
||||||
set dns_rennais {
|
|
||||||
type ipv4_addr
|
|
||||||
flags interval
|
|
||||||
elements = {193.48.225.205}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
set wireguard {
|
|
||||||
type ipv4_addr
|
|
||||||
flags interval
|
|
||||||
elements = { 193.48.225.209 }
|
|
||||||
}
|
|
||||||
|
|
||||||
set radius {
|
|
||||||
type ipv4_addr
|
|
||||||
flags interval
|
|
||||||
elements = { 193.48.225.20 }
|
|
||||||
}
|
|
||||||
|
|
||||||
set dns_recursif {
|
|
||||||
type ipv4_addr
|
|
||||||
flags interval
|
|
||||||
elements = { 193.48.225.30 }
|
|
||||||
}
|
|
||||||
|
|
||||||
chain to_dmz {
|
chain to_dmz {
|
||||||
ip saddr 10.70.0.0/16 accept
|
ip saddr 10.7.0.0/16 accept
|
||||||
|
|
||||||
ip daddr @smtp tcp dport { 22, 25, 80, 443, 143, 993, 587} accept
|
ip daddr @smtp tcp dport { 22, 25, 80 } accept
|
||||||
ip daddr @dns tcp dport { 22, 53 } accept
|
ip daddr @dns tcp dport { 22, 53 } accept
|
||||||
ip daddr @dns udp dport { 53 } accept
|
ip daddr @dns udp dport { 53 } accept
|
||||||
ip daddr @dns_rennais tcp dport { 22, 53 } accept
|
ip daddr @www tcp dport { 21, 22, 80, 443 } accept
|
||||||
ip daddr @dns_rennais udp dport { 53 } accept
|
|
||||||
ip daddr @www tcp dport { 21, 22, 80, 443, 3000 } accept
|
|
||||||
ip daddr @federez tcp dport { 22, 53, 80, 443, 389 } accept
|
ip daddr @federez tcp dport { 22, 53, 80, 443, 389 } accept
|
||||||
ip daddr @federez udp dport { 53, 636 } accept
|
ip daddr @federez udp dport { 53, 636 } accept
|
||||||
ip daddr @znc tcp dport { 6667 } accept
|
ip daddr @znc tcp dport { 6667 } accept
|
||||||
|
@ -143,19 +116,15 @@ table inet firewall {
|
||||||
ip daddr @video tcp dport { 37700, 6754 } accept
|
ip daddr @video tcp dport { 37700, 6754 } accept
|
||||||
ip daddr @video udp dport { 37800 } accept
|
ip daddr @video udp dport { 37800 } accept
|
||||||
ip daddr @video tcp dport { 5678 } accept
|
ip daddr @video tcp dport { 5678 } accept
|
||||||
ip daddr @wireguard udp dport { 51820 } accept
|
|
||||||
ip saddr $monitoring udp dport { 161 } accept
|
ip saddr $monitoring udp dport { 161 } accept
|
||||||
|
|
||||||
ip daddr @minecraft tcp dport { 22, 25565 } accept
|
ip daddr @minecraft tcp dport { 22, 25565 } accept
|
||||||
ip daddr @minecraft udp dport { 22, 25565 } accept
|
ip daddr @minecraft udp dport { 22, 25565 } accept
|
||||||
ip daddr @latoilescoute udp dport { 22, 161, 16384-32768 } accept
|
ip daddr @latoilescoute udp dport { 22, 161 } accept
|
||||||
ip daddr @latoilescoute tcp dport { 22 } accept
|
ip daddr @latoilescoute tcp dport { 22 } accept
|
||||||
ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept
|
ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept
|
||||||
ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept
|
ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept
|
||||||
|
|
||||||
ip daddr @radius udp dport { 1812, 1814 } accept
|
|
||||||
ip daddr @dns_recursif udp dport { 53, 853, 443 } accept
|
|
||||||
ip daddr @dns_recursif tcp dport { 53, 853, 443 } accept
|
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
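Review bot: `ip saddr 10.7.0.0/16 accept` at the top of `chain to_dmz` is a source-address-only, any-port allow into the DMZ, and that /16 is far wider than the `range_admin = 10.7.0.0/24` archi.nft declares in this same comparison; if the intent is to trust the admin network, `ip saddr $range_admin accept` keeps the two in step and drops the 255 extra subnets (assuming archi.nft's defines are in scope here; the file header for this section is not shown on the page). Because that /16 also contains the new `monitoring = 10.7.0.114`, the later `ip saddr $monitoring udp dport { 161 } accept` in the last hunk can no longer match anything and should either go or move ahead of the blanket accept if it is meant to stay as the documented SNMP path. The removal of the `dns_rennais`, `wireguard`, `radius` and `dns_recursif` sets together with their accept rules is consistent, so nothing references a deleted set.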