# Re2o firewall with nftables

This script creates a firewall from Re2o information using nftables.

# What it does:

- Fetch the mac-ip table from Re2o and filter traffic from the adherent NAT with it;
- Create a NAT table for FedeRez and Adherent, and NAT the admin and prerezotage VLANs properly.

# What it does not do (yet):

- Fetch the opened ports from Re2o and filter traffic with this information.

# Install:

```
cd /usr/local/
git clone --recursive https://gitlab.rezometz.org/klafyvel/firewall.git
cd firewall                  # the remaining commands run inside the cloned repository
apt install python3 python3-click python3-iso8601
cp config.ini.example config.ini
vim config.ini               # adapt the configuration to your network
chmod +x main.py
cp firewall.service /etc/systemd/system/
systemctl start firewall.service
# Reload the macip set every minute. cron does not run from the repository
# directory, so change into it first; output goes to syslog via logger.
echo "* * * * * root cd /usr/local/firewall && /usr/bin/python3 main.py macip 2>&1 | /usr/bin/logger -t firewall" >> /etc/cron.d/firewall
```

# Usage:

```
Usage: main.py [OPTIONS] COMMAND [ARGS]...

  Re2o firewall manager.

  Used without command, the firewall manager will load the whole firewall
  (i.e. the structure, the macip set and the MAC table). By default it erases
  the current NAT table and macip set. You can choose to keep the current
  values for these with the flags.

Options:
  --keep-nat / --dont-keep-nat      Should I keep the current NAT table ?
  --keep-macip / --dont-keep-macip  Should I keep the current macip set ?
  --help                            Show this message and exit.

Commands:
  macip  Load the macip set.
  nat    Load the NAT table.
```

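The core of the macip filtering described above, as an added illustration that is not the project's own code: each Re2o (MAC, IP) pair becomes one element of an nftables concatenated set, so a packet from the adherent side is only accepted when both its source MAC and its source IP match a pair Re2o knows, and the set is flushed first unless the equivalent of `--keep-macip` is requested. The table, chain, set and interface names and the sample mac-ip entries are assumptions for the example; the real script takes its values from `config.ini` and the Re2o API.

```python
import ipaddress
import re

# Constructed sample of what the Re2o mac-ip table is assumed to look like
# (example data, not fetched from a real Re2o instance).
SAMPLE_MACIP = [
    ("00:11:22:33:44:55", "10.1.0.10"),
    ("66:77:88:99:aa:bb", "10.1.0.11"),
]

# Assumed names: the real script reads its own from config.ini.
TABLE, CHAIN, SET, ADHERENT_IFACE = "inet filter", "forward", "macip", "eth1"

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalise(mac, ip):
    """Validate one (mac, ip) pair; reject anything nft would not parse as an element."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    addr = ipaddress.IPv4Address(ip)  # AddressValueError (a ValueError) on garbage
    return mac, str(addr)


def build_macip_ruleset(entries, keep_macip=False):
    """Return an nft script that loads the macip set and the rules using it.

    Each element is the concatenation 'mac . ip', so a packet only matches
    when both its source MAC and its source IP are the pair Re2o knows.
    """
    elements = ", ".join(f"{m} . {i}" for m, i in (normalise(*e) for e in entries))
    lines = [
        f"add table {TABLE}",
        f"add set {TABLE} {SET} {{ type ether_addr . ipv4_addr; }}",
    ]
    if not keep_macip:
        # Default behaviour from the usage text: erase the current set before
        # loading the fresh Re2o data, so stale pairs do not linger.
        lines.append(f"flush set {TABLE} {SET}")
    lines.append(f"add element {TABLE} {SET} {{ {elements} }}")
    lines += [
        f"add chain {TABLE} {CHAIN} {{ type filter hook forward priority 0; policy accept; }}",
        f'add rule {TABLE} {CHAIN} iifname "{ADHERENT_IFACE}" ether saddr . ip saddr @{SET} accept',
        f'add rule {TABLE} {CHAIN} iifname "{ADHERENT_IFACE}" counter drop',
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_macip_ruleset(SAMPLE_MACIP), end="")  # pipe into: nft -f -
```

The generated script is meant to be applied atomically with `nft -f -`, so a failed validation leaves the currently loaded set untouched rather than half-replaced.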
# Dependencies:

- re2oapi
- python3-click