From 624c7142fab481be9e7d95eaa71209edfd5a89b7 Mon Sep 17 00:00:00 2001
From: Thomas Chevalier
Date: Mon, 1 Aug 2022 12:10:08 +0200
Subject: [PATCH] Commit running configuration

---
 archi.nft | 10 ++++++----
 firewall.nft | 2 ++
 firewall.py | 1 +
 nat.nft | 1 +
 zones/dmz.nft | 36 +++++++++++++++++++++++++++++-------
 5 files changed, 39 insertions(+), 11 deletions(-)

diff --git a/archi.nft b/archi.nft
index f9e07cf..afa8cac 100644
--- a/archi.nft
+++ b/archi.nft
@@ -18,26 +18,28 @@
 # Interfaces de la machine
 define if_adherent = "bond0.69"
 define if_admin = "eno1"
-define if_federez = "bond0.20"
+define if_federez = "bond0.67"
 define if_supelec = "bond0.2"
 define if_aloes = "bond0.66"
 define if_prerezotage = "bond0.68"
 define if_dmz = "bond0.13"
+define if_new_admin = "bond0.70"
 # Ips
 define comnpay = 46.255.53.0/24
 define website = 193.48.225.242
 define external_dns = 80.67.188.188
-define intranet = 193.48.225.247
+define intranet = 193.48.225.225
 define bounce_server = 193.48.225.247
 define range_adherent = 10.69.0.0/20
 define range_admin = 10.7.0.0/24
-define range_federez = 10.20.0.0/21
+define range_federez = 10.67.0.0/21
 define range_aloes = 10.66.0.0/27
 define range_prerezotage = 10.68.0.0/16
 define range_public = 193.48.225.0/24
+define range_new_admin = 10.70.0.0/16
 define ip_self_public = 193.48.225.254
-define monitoring = 10.7.0.114
+define monitoring = 10.70.0.11
diff --git a/firewall.nft b/firewall.nft
index 5837915..7b27035 100755
--- a/firewall.nft
+++ b/firewall.nft
@@ -60,6 +60,7 @@ table inet firewall {
 meta iif vmap {
 $if_adherent : jump from_adherent,
 $if_admin : jump from_admin,
+ $if_new_admin : jump from_admin,
 $if_federez : jump from_federez,
 $if_supelec : jump from_supelec,
 $if_aloes : jump from_aloes,
@@ -74,6 +75,7 @@ table inet firewall {
 meta oif vmap {
 $if_adherent : goto to_adherent,
 $if_admin : goto to_admin,
+ $if_new_admin : goto to_admin,
 $if_federez : goto to_federez,
 $if_supelec : goto to_supelec,
 $if_aloes : goto to_aloes,
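Review bot: `range_new_admin` is declared as 10.70.0.0/16 while the existing `range_admin` is a /24, and this commit hands the whole /16 the admin policy (`jump from_admin` / `goto to_admin` in both firewall.nft hunks, `goto admin_nat` in the nat.nft hunk), so every address on the new interface gets admin-level treatment; if only part of that network hosts admin machines, narrowing this single define is the place to do it. Nothing in archi.nft records what distinguishes `if_new_admin`/`range_new_admin` from `if_admin`/`range_admin`, or whether the old pair is being retired, so a comment above the new define such as `# bond0.70: new admin network, old range_admin kept during the move` (wording to be confirmed by the author) would save the next reader a guess. `intranet` and `bounce_server` pointed at the same host before this change and now differ; a one-line comment would make clear that is deliberate.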
diff --git a/firewall.py b/firewall.py
index 42a74ae..f249526 100755
--- a/firewall.py
+++ b/firewall.py
@@ -688,6 +688,7 @@ class NAT:
 ip_in = netaddr.IPAddress(ip+i)
 ports[i].add((ip_in,))
 nat_log += '\t'.join((str(ip_out), port_range(i), str(ip_in), '\n'))
+ print(nat_log)
 ip_map = NetfilterMap(
diff --git a/nat.nft b/nat.nft
index d4670ca..fdee9f5 100644
--- a/nat.nft
+++ b/nat.nft
@@ -41,6 +41,7 @@ table ip nat {
 ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
 $range_adherent : goto adherent_nat,
 $range_admin : goto admin_nat,
+ $range_new_admin : goto admin_nat,
 $range_federez : goto federez_nat,
 $range_aloes : goto aloes_nat,
 $range_prerezotage : goto prerezotage_nat
diff --git a/zones/dmz.nft b/zones/dmz.nft
index 05e0c76..2c79c11 100644
--- a/zones/dmz.nft
+++ b/zones/dmz.nft
@@ -20,13 +20,13 @@ table inet firewall {
 set dns {
 type ipv4_addr
 flags interval
- elements = { 193.48.225.248, 193.48.225.204 }
+ elements = { 193.48.225.248, 193.48.225.204, 193.48.225.213, 193.48.225.29 }
 }
 set www {
 type ipv4_addr
 flags interval
- elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247, 193.48.225.200, 193.48.225.3, 193.48.225.203, 193.48.225.208 }
+ elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247, 193.48.225.200, 193.48.225.3, 193.48.225.32, 193.48.225.34, 193.48.225.225, 193.48.225.25, 193.48.225.36, 193.48.225.42, 193.48.225.60, 193.48.225.61, 193.48.225.62, 193.48.225.63, 193.48.225.45, 193.48.225.20}
 }
 set irc {
@@ -44,13 +44,13 @@ table inet firewall {
 set smtp {
 type ipv4_addr
 flags interval
- elements = { 193.48.225.249, 193.48.225.245, 193.48.225.200 , 193.48.225.207}
+ elements = { 193.48.225.207, 193.48.225.37 }
 }
 set letsencrypt {
 type ipv4_addr
 flags interval
- elements = {193.48.225.246, 193.48.225.248, 193.48.225.249}
+ elements = {193.48.225.246, 193.48.225.248, 193.48.225.249, 193.48.225.20}
 }
 set federez {
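Review bot: The added `print(nat_log)` dumps the whole NAT mapping table (one public IP, port range and internal IP per line, as built in the loop just above) to stdout on every run, which reads as a leftover debug statement rather than intended output. If the table is wanted, route it through the `logging` module at debug level or to whatever destination `nat_log` is accumulated for, rather than printing unconditionally; a list pairing internal addresses with their public ports is better kept out of terminal scrollback and service logs by default. The enclosing method of `class NAT` starts and ends outside the hunk, so whether `nat_log` is also consumed elsewhere is not visible here.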
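Review bot: The `www` set now lists eighteen bare addresses, up from eight, with nothing saying which host each one is, and several also appear in other sets touched by this commit — 193.48.225.20 in `letsencrypt` (next hunk) and in the new `radius` set, 193.48.225.225 as `intranet` in archi.nft — so a single host accumulates the accept rules of every set it belongs to. A `#` comment per element or per group naming the service, e.g. `193.48.225.225, # intranet` for the one address the page identifies, would make later removals safe and make the overlaps visible. The new www line also lacks the space before the closing brace (`193.48.225.20}`) that the other `elements` lines use.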
@@ -108,8 +108,26 @@ table inet firewall { } + set wireguard { + type ipv4_addr + flags interval + elements = { 193.48.225.209 } + } + + set radius { + type ipv4_addr + flags interval + elements = { 193.48.225.20 } + } + + set dns_recursif { + type ipv4_addr + flags interval + elements = { 193.48.225.30 } + } + chain to_dmz { - ip saddr 10.7.0.0/16 accept + ip saddr 10.70.0.0/16 accept ip daddr @smtp tcp dport { 22, 25, 80, 443, 143, 993, 587} accept ip daddr @dns tcp dport { 22, 53 } accept @@ -125,15 +143,19 @@ table inet firewall { ip daddr @video tcp dport { 37700, 6754 } accept ip daddr @video udp dport { 37800 } accept ip daddr @video tcp dport { 5678 } accept + ip daddr @wireguard udp dport { 51820 } accept ip saddr $monitoring udp dport { 161 } accept - + ip daddr @minecraft tcp dport { 22, 25565 } accept ip daddr @minecraft udp dport { 22, 25565 } accept ip daddr @latoilescoute udp dport { 22, 161, 16384-32768 } accept ip daddr @latoilescoute tcp dport { 22 } accept ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept - + + ip daddr @radius udp dport { 1812, 1814 } accept + ip daddr @dns_recursif udp dport { 53, 853, 443 } accept + ip daddr @dns_recursif tcp dport { 53, 853, 443 } accept drop }
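Review bot: `ip saddr 10.70.0.0/16 accept` in `to_dmz` repeats the literal that archi.nft in this same commit names `range_new_admin`; use the define, `ip saddr $range_new_admin accept`, so the chain and the variable cannot drift apart. The replaced line covered 10.7.0.0/16, which contained `range_admin` (10.7.0.0/24, still defined and still dispatched to `from_admin` in firewall.nft), so after this change hosts on the old admin network lose their blanket accept into the DMZ and fall through to the per-service rules — presumably intended for the migration, but worth a comment on the line or a sentence in the commit message. The three new sets (`wireguard`, `radius`, `dns_recursif`) carry no comment naming their host; a `# <hostname>` after each `elements` line would help.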
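Review bot: The new `@radius` and `@dns_recursif` rules accept from any source, unlike the `@ldap_clients`/`@ldap` pair a few lines above that restricts by client set; if `to_dmz` can be reached by traffic arriving on the public interface (not visible in this hunk), the recursive resolver becomes reachable on 53/853/443 from the internet and the RADIUS server from anywhere. Restricting both with a source set in the style of the ldap rule, e.g. `ip saddr @radius_clients ip daddr @radius udp dport { 1812, 1813 } accept` with the client set declared alongside the others, keeps the intent with a bounded exposure. The port list `{ 1812, 1814 }` looks like a typo: RADIUS accounting is 1813 and 1814 is not a RADIUS port in the standard assignment — confirm with the author before changing. The whitespace-only `-`/`+` line pairs are trailing-whitespace churn and could be dropped from the commit.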