rezometz
/
firewall
9
0
Fork 0
Code Issues Pull Requests 1 Releases Wiki Activity
Browse Source

Commit running configuration

master
Thomas Chevalier 2 years ago
parent
06a53d3ceb
commit
624c7142fa
5 changed files with 39 additions and 11 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 10
      archi.nft
  2. 2
      firewall.nft
  3. 1
      firewall.py
  4. 1
      nat.nft
  5. 36
      zones/dmz.nft

10
archi.nft
View File

@ -18,26 +18,28 @@
# Interfaces de la machine
define if_adherent = "bond0.69"
define if_admin = "eno1"
define if_federez = "bond0.20"
define if_federez = "bond0.67"
define if_supelec = "bond0.2"
define if_aloes = "bond0.66"
define if_prerezotage = "bond0.68"
define if_dmz = "bond0.13"
define if_new_admin = "bond0.70"
# Ips
define comnpay = 46.255.53.0/24
define website = 193.48.225.242
define external_dns = 80.67.188.188
define intranet = 193.48.225.247
define intranet = 193.48.225.225
define bounce_server = 193.48.225.247
define range_adherent = 10.69.0.0/20
define range_admin = 10.7.0.0/24
define range_federez = 10.20.0.0/21
define range_federez = 10.67.0.0/21
define range_aloes = 10.66.0.0/27
define range_prerezotage = 10.68.0.0/16
define range_public = 193.48.225.0/24
define range_new_admin = 10.70.0.0/16
define ip_self_public = 193.48.225.254
define monitoring = 10.7.0.114
define monitoring = 10.70.0.11

2
firewall.nft
View File

@ -60,6 +60,7 @@ table inet firewall {
meta iif vmap {
$if_adherent : jump from_adherent,
$if_admin : jump from_admin,
$if_new_admin : jump from_admin,
$if_federez : jump from_federez,
$if_supelec : jump from_supelec,
$if_aloes : jump from_aloes,
@ -74,6 +75,7 @@ table inet firewall {
meta oif vmap {
$if_adherent : goto to_adherent,
$if_admin : goto to_admin,
$if_new_admin : goto to_admin,
$if_federez : goto to_federez,
$if_supelec : goto to_supelec,
$if_aloes : goto to_aloes,

1
firewall.py
View File

@ -688,6 +688,7 @@ class NAT:
ip_in = netaddr.IPAddress(ip+i)
ports[i].add((ip_in,))
nat_log += '\t'.join((str(ip_out), port_range(i), str(ip_in), '\n'))
print(nat_log)
ip_map = NetfilterMap(

1
nat.nft
View File

@ -41,6 +41,7 @@ table ip nat {
ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
$range_adherent : goto adherent_nat,
$range_admin : goto admin_nat,
$range_new_admin : goto admin_nat,
$range_federez : goto federez_nat,
$range_aloes : goto aloes_nat,
$range_prerezotage : goto prerezotage_nat

36
zones/dmz.nft
View File

@ -20,13 +20,13 @@ table inet firewall {
set dns {
type ipv4_addr
flags interval
elements = { 193.48.225.248, 193.48.225.204 }
elements = { 193.48.225.248, 193.48.225.204, 193.48.225.213, 193.48.225.29 }
}
set www {
type ipv4_addr
flags interval
elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247, 193.48.225.200, 193.48.225.3, 193.48.225.203, 193.48.225.208 }
elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247, 193.48.225.200, 193.48.225.3, 193.48.225.32, 193.48.225.34, 193.48.225.225, 193.48.225.25, 193.48.225.36, 193.48.225.42, 193.48.225.60, 193.48.225.61, 193.48.225.62, 193.48.225.63, 193.48.225.45, 193.48.225.20}
}
set irc {
@ -44,13 +44,13 @@ table inet firewall {
set smtp {
type ipv4_addr
flags interval
elements = { 193.48.225.249, 193.48.225.245, 193.48.225.200 , 193.48.225.207}
elements = { 193.48.225.207, 193.48.225.37 }
}
set letsencrypt {
type ipv4_addr
flags interval
elements = {193.48.225.246, 193.48.225.248, 193.48.225.249}
elements = {193.48.225.246, 193.48.225.248, 193.48.225.249, 193.48.225.20}
}
set federez {
@ -108,8 +108,26 @@ table inet firewall {
}
set wireguard {
type ipv4_addr
flags interval
elements = { 193.48.225.209 }
}
set radius {
type ipv4_addr
flags interval
elements = { 193.48.225.20 }
}
set dns_recursif {
type ipv4_addr
flags interval
elements = { 193.48.225.30 }
}
chain to_dmz {
ip saddr 10.7.0.0/16 accept
ip saddr 10.70.0.0/16 accept
ip daddr @smtp tcp dport { 22, 25, 80, 443, 143, 993, 587} accept
ip daddr @dns tcp dport { 22, 53 } accept
@ -125,15 +143,19 @@ table inet firewall {
ip daddr @video tcp dport { 37700, 6754 } accept
ip daddr @video udp dport { 37800 } accept
ip daddr @video tcp dport { 5678 } accept
ip daddr @wireguard udp dport { 51820 } accept
ip saddr $monitoring udp dport { 161 } accept
ip daddr @minecraft tcp dport { 22, 25565 } accept
ip daddr @minecraft udp dport { 22, 25565 } accept
ip daddr @latoilescoute udp dport { 22, 161, 16384-32768 } accept
ip daddr @latoilescoute tcp dport { 22 } accept
ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept
ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept
ip daddr @radius udp dport { 1812, 1814 } accept
ip daddr @dns_recursif udp dport { 53, 853, 443 } accept
ip daddr @dns_recursif tcp dport { 53, 853, 443 } accept
drop
}

Write Preview
Loading…
Cancel
Save