Fix nat and filtering

Hugo Levy-Falk 2019-04-30 00:12:26 +02:00 committed by root
parent 53dececaed
commit 58b6f7983e
8 changed files with 45 additions and 55 deletions


@ -15,4 +15,12 @@ define website = 193.48.225.242
define intranet = 193.48.225.247 define intranet = 193.48.225.247
define bounce_server = 193.48.225.247 define bounce_server = 193.48.225.247
define range_adherent = 10.69.0.0/20
define range_admin = 10.7.0.0/24
define range_federez = 10.20.0.0/21
define range_aloes = 10.66.0.0/27
define range_prerezotage = 10.68.0.0/16
define range_public = 193.48.225.0/24
define ip_self_public = 193.48.225.254
define ip_radius = 10.7.0.124


@ -24,13 +24,13 @@ table inet firewall {
type filter hook forward priority 0; type filter hook forward priority 0;
# Politique par défaut : tout jeter. # Politique par défaut : tout jeter.
policy drop; policy accept
# Applique la politique globale # Applique la politique globale
jump global jump global
# Passage par le checkmac pour les concernés # Passage par le checkmac pour les concernés
jump checkmac #jump checkmac
# Filtre sur les interfaces entrantes, ne pas accepter # Filtre sur les interfaces entrantes, ne pas accepter
# directement dans la chaine, mais retourner. # directement dans la chaine, mais retourner.
@ -47,7 +47,7 @@ table inet firewall {
$if_prerezotage : jump from_prerezotage, $if_prerezotage : jump from_prerezotage,
$if_dmz: jump from_dmz $if_dmz: jump from_dmz
} }
# Filtre sur les interfaces sortantes, ne pas retourner : drop ou # Filtre sur les interfaces sortantes, ne pas retourner : drop ou
# accept # accept
# On utilise des goto pour ne pas revenir ici une fois la chaîne # On utilise des goto pour ne pas revenir ici une fois la chaîne
@ -61,7 +61,7 @@ table inet firewall {
$if_prerezotage : goto to_prerezotage, $if_prerezotage : goto to_prerezotage,
$if_dmz: goto to_dmz $if_dmz: goto to_dmz
} }
# Un compteur qui doit être à 0 si on a bien fait notre travail. # Un compteur qui doit être à 0 si on a bien fait notre travail.
counter counter
} }
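Review bot: Changing the forward base chain from `policy drop;` to `policy accept` while also commenting out `jump checkmac` means every packet that is not explicitly dropped by a `from_*`/`to_*` chain, including traffic on an interface absent from the two vmaps, is now forwarded; the trailing `counter` that the comment says "must be 0" no longer prevents anything, it only counts what is being let through. If this is a temporary measure while the NAT rework is debugged, say so next to it, e.g. `# TODO(review): policy accept is temporary until <ticket/reason>; restore policy drop`, and otherwise keep `policy drop;` and add explicit accepts in the chains that need them. The disabled checkmac jump deserves the same one-line justification so the next reader does not re-enable or delete it by guesswork. The chain's body continues between the hunks and past the end of this section.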


@ -33,7 +33,7 @@ api_hostname = CONFIG.get('Re2o', 'hostname')
api_password = CONFIG.get('Re2o', 'password') api_password = CONFIG.get('Re2o', 'password')
api_username = CONFIG.get('Re2o', 'username') api_username = CONFIG.get('Re2o', 'username')
api_client = Re2oAPIClient(api_hostname, api_username, api_password) api_client = Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)
def gen_ip_mac_set(): def gen_ip_mac_set():
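Review bot: `use_tls=False` on the `Re2oAPIClient(...)` call sends `api_password` (read from CONFIG a few lines above) to `api_hostname` in clear on every run. If TLS is genuinely unavailable on that endpoint, record the reason beside the call, e.g. `# use_tls=False: <reason> — API credentials travel unencrypted`, so it is not silently inherited by future deployments; otherwise keep TLS enabled. Reading the flag from the same config section as the hostname (a `CONFIG.get('Re2o', ...)` value) would be preferable to a hard-coded `False`.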

31
nat.nft

@ -1,30 +1,33 @@
#! /sbin/nft -f #! /sbin/nft -f
table ip nat { table ip nat {
set radius_federez {
type ipv4_addr
elements = { 62.210.81.204, 185.230.78.47 }
}
chain prerouting { chain prerouting {
type nat hook prerouting priority 0; type nat hook prerouting priority 0;
meta iifname $if_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server; ip saddr $range_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server;
ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius;
ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636 } dnat $ip_radius;
} }
chain postrouting { chain postrouting {
type nat hook postrouting priority 100 type nat hook postrouting priority 100
meta oifname != $if_supelec return
meta iifname vmap { ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
$if_adherent : jump adherent_nat, $range_adherent : goto adherent_nat,
$if_admin : jump admin_nat, $range_admin : goto admin_nat,
$if_federez : jump federez_nat, $range_federez : goto federez_nat,
$if_aloes : jump aloes_nat, $range_aloes : goto aloes_nat,
$if_prerezotage : jump prerezotage_nat $range_prerezotage : goto prerezotage_nat
} }
counter ip daddr != {10.0.0.0/8, $range_public} ip saddr != $range_public snat to $ip_self_public
# ip saddr 10.0.0.0/8 snat to 193.48.225.3
snat to 193.48.225.3
} }
} }
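Review bot: The new `radius_federez` set and the two `dnat $ip_radius` rules forward TCP 389/636 on `$ip_self_public` to an internal host for two hard-coded external addresses without a word on why; a comment such as `# external peers allowed to reach the LDAP service behind $ip_radius — keep in sync with ldap_clients in the DMZ filter` would help the next maintainer. The `udp dport { 636 }` rule is questionable: LDAPS is TCP-only and RADIUS uses its own UDP ports, so confirm which service is meant before opening a UDP forward that may never be used. Note also that this set lists 185.230.78.47 while `ldap_clients` in the DMZ filter of the same commit lists 185.230.78.37; if these are meant to be the same peer, one of them is likely a typo. Since the saddr vmap uses `goto`, packets handled by a per-range chain never reach the final `snat to $ip_self_public` line, which looks intended but merits a one-line comment.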

28
nat.py

@ -73,22 +73,9 @@ def create_nat_aloes():
) )
def create_nat_admin():
range_in = CONFIG['NAT']['range_in_admin']
range_out = CONFIG['NAT']['range_out_admin']
first_port = int(CONFIG['NAT']['first_port_admin'])
last_port = int(CONFIG['NAT']['last_port_admin'])
return NAT(
'admin',
range_in,
range_out,
first_port,
last_port
)
def main(): def main():
nat_log = time.ctime() + "\n" ctime = time.ctime()
nat_log = ctime + "\n"
logging.info("Creating adherent nat...") logging.info("Creating adherent nat...")
nat_adherent = create_nat_adherent() nat_adherent = create_nat_adherent()
nat_log += "Adherents :\n" nat_log += "Adherents :\n"
@ -104,14 +91,11 @@ def main():
nat_log += "Aloes :\n" nat_log += "Aloes :\n"
nat_log += aloes_nat.manage() nat_log += aloes_nat.manage()
logging.info("Done.") logging.info("Done.")
logging.info("Creating admin nat...")
admin_nat = create_nat_admin()
nat_log += "Admin :\n"
nat_log += admin_nat.manage()
logging.info("Done.")
logging.info("Saving nat table into /var/log/nat.log") filename = "/var/log/nat-%s.log" % ctime
with open('/var/log/nat.log', 'a') as f:
logging.info("Saving nat table into " + filename)
with open(filename, 'a') as f:
f.write(nat_log) f.write(nat_log)
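Review bot: `filename = "/var/log/nat-%s.log" % ctime` builds the log name from `time.ctime()`, whose output contains spaces and colons, giving files like `/var/log/nat-Tue Apr 30 00:12:26 2019.log` that are awkward for rotation and shell tooling. Keep `ctime` for the header line and derive the name from a filesystem-safe stamp: `stamp = time.strftime("%Y-%m-%dT%H-%M-%S")` and `filename = "/var/log/nat-%s.log" % stamp`. One file per run also makes the `'a'` append mode redundant, and the previous single `/var/log/nat.log` consumers will need updating; a comment stating the intended retention for these per-run files would help. `main()` continues between the hunks and the function's remaining body is outside this section.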


@ -12,17 +12,8 @@ table inet firewall {
} }
table nat { table nat {
# On nate les admins derrière les IPs 193.48.225.215 à 193.48.225.224 en
# attribuant les plages de ports 11135-65535 par tranche de 1700 ports.
# On a donc 32 Ips de 10.7.0.0/24 derrière chaque Ip.
# exemple: 10.7.0.1-10.7.0.31 : 193.48.225.215
# On peut aussi ajouter dynamiquement des éléments :
# nft add element nat federez_nat_address {10.7.0.1-10.7.0.31 : 193.48.225.215}
map admin_nat_address {
type ipv4_addr: ipv4_addr
flags interval
}
chain admin_nat { chain admin_nat {
snat to $ip_self_public
} }
} }
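Review bot: Replacing the `admin_nat_address` map with a bare `snat to $ip_self_public` removes the per-host port-range scheme that the deleted comment block described, so the external source port no longer identifies which admin host opened a connection, and the matching `create_nat_admin` logging in nat.py is dropped in the same commit. If admin hosts are now deliberately treated like the other ranges, leave a comment saying so and naming where attribution comes from, e.g. `# admin hosts share $ip_self_public without a dedicated port range; per-host attribution relies on <mechanism>`. Without that, a reader of the NAT logs will assume the mapping still exists.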


@ -60,13 +60,13 @@ table inet firewall {
set ldap { set ldap {
type ipv4_addr type ipv4_addr
flags interval flags interval
elements = { 193.48.225.240 } elements = { 193.48.225.240, 193.48.225.248 }
} }
set ldap_clients { set ldap_clients {
type ipv4_addr type ipv4_addr
flags interval flags interval
elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125} elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125, 193.48.225.0/24 }
} }
set mysql { set mysql {
@ -76,6 +76,8 @@ table inet firewall {
} }
chain to_dmz { chain to_dmz {
ip saddr 10.7.0.0/16 accept
ip daddr @smtp tcp dport { 22, 25, 80 } accept ip daddr @smtp tcp dport { 22, 25, 80 } accept
ip daddr @dns tcp dport { 22, 53 } accept ip daddr @dns tcp dport { 22, 53 } accept
ip daddr @dns udp dport { 53 } accept ip daddr @dns udp dport { 53 } accept
@ -89,12 +91,14 @@ table inet firewall {
ip daddr @video udp dport { 37800 } accept ip daddr @video udp dport { 37800 } accept
ip daddr @video tcp dport { 5678 } accept ip daddr @video tcp dport { 5678 } accept
ip daddr @ldap ip saddr @ldap_clients tcp dport { 389, 636} accept ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept
ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept
drop drop
} }
chain from_dmz { chain from_dmz {
ip daddr 10.0.0.0/8 accept
ip daddr @mysql ip saddr != @www tcp dport 3306 drop ip daddr @mysql ip saddr != @www tcp dport 3306 drop
ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop
} }
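Review bot: `ip saddr 10.7.0.0/16 accept` at the top of `to_dmz` uses a /16 while the defines hunk in this same commit sets `$range_admin` to 10.7.0.0/24; if the intent is to let admin hosts reach the DMZ, write `ip saddr $range_admin accept` so the two cannot drift, and otherwise comment why the wider prefix is wanted. In `from_dmz`, the new `ip daddr 10.0.0.0/8 accept` sits before the `ip daddr @mysql ... tcp dport 3306 drop` rules; if any `@mysql` member has a 10/8 address those drops become unreachable, so either place the accept after them or confirm the sets are disjoint. Extending `ldap_clients` to all of 193.48.225.0/24 also makes the individual public entries redundant; a comment on why the whole range now qualifies would help.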


@ -24,7 +24,7 @@ table inet firewall {
table nat { table nat {
chain prerezotage_nat { chain prerezotage_nat {
masquerade snat to $ip_self_public
} }
} }