From 9512cd35acdc00c42b0595dd9646c8a4b04a594f Mon Sep 17 00:00:00 2001 From: Hugo Levy-Falk Date: Fri, 20 Dec 2019 19:18:10 +0100 Subject: [PATCH] License --- archi.nft | 15 +++++++++++++++ checkmac.nft | 15 +++++++++++++++ firewall.nft | 15 +++++++++++++++ firewall.py | 1 + global_policy.nft | 14 ++++++++++++++ mac_ip.py | 2 +- main.py | 26 +++++++++++++++++++++----- nat.nft | 25 ++++++++++++++++++++----- nat.py | 2 +- zones/adherent.nft | 15 +++++++++++++++ zones/admin.nft | 15 +++++++++++++++ zones/aloes.nft | 15 +++++++++++++++ zones/dmz.nft | 14 ++++++++++++++ zones/federez.nft | 15 +++++++++++++++ zones/prerezotage.nft | 15 +++++++++++++++ zones/supelec.nft | 15 +++++++++++++++ 16 files changed, 207 insertions(+), 12 deletions(-) diff --git a/archi.nft b/archi.nft index c2f453c..47ef1c2 100644 --- a/archi.nft +++ b/archi.nft @@ -1,3 +1,18 @@ +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk + # Variables prpres à l'architecture pour le pare-feu # Interfaces de la machine diff --git a/checkmac.nft b/checkmac.nft index b197d9f..3c0e5a2 100644 --- a/checkmac.nft +++ b/checkmac.nft 
@@ -1,3 +1,18 @@ +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk + # Table checkmac, à bas le spoof d'ips. table inet firewall { diff --git a/firewall.nft b/firewall.nft index d2a4947..4f0d2d7 100755 --- a/firewall.nft +++ b/firewall.nft @@ -1,5 +1,20 @@ #! /usr/sbin/nft -I /usr/local/firewall -f +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk + # Remise à zéro des règles du pare-feu flush ruleset diff --git a/firewall.py b/firewall.py index 97f5c87..42a74ae 100755 --- a/firewall.py +++ b/firewall.py @@ -14,6 +14,7 @@ # along with this program. If not, see . # Copyright © 2017 David Sinquin +# Copyright © 2018-2019 Hugo Levy-Falk """ diff --git a/global_policy.nft b/global_policy.nft index e44de60..1034a6f 100644 --- a/global_policy.nft +++ b/global_policy.nft 
@@ -1,3 +1,17 @@ +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk table inet firewall { chain global { diff --git a/mac_ip.py b/mac_ip.py index 29f9d2a..3946aa7 100644 --- a/mac_ip.py +++ b/mac_ip.py @@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -# Copyright © 2019 Hugo Levy-Falk +# Copyright © 2018-2019 Hugo Levy-Falk """ Creates the nat set. diff --git a/main.py b/main.py index fce53a9..b9c844f 100755 --- a/main.py +++ b/main.py @@ -1,4 +1,20 @@ #! /usr/bin/python3 + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk + import os import tempfile import logging 
@@ -58,7 +74,7 @@ def _structure(keep_nat, keep_macip): macip_file.write(nat.encode('utf-8')) CommandExec.run([ - 'nft', + 'nft', '-I', BASE_DIR, '-f', @@ -67,7 +83,7 @@ def _structure(keep_nat, keep_macip): if keep_macip: logging.info("Retreiving the current macip set.") CommandExec.run([ - 'nft', + 'nft', '-I', BASE_DIR, '-f', @@ -79,7 +95,7 @@ def _structure(keep_nat, keep_macip): if keep_nat: logging.info("Retreiving the current NAT table.") CommandExec.run([ - 'nft', + 'nft', '-I', BASE_DIR, '-f', @@ -98,7 +114,7 @@ def cli(ctx, keep_nat, keep_macip): """Re2o firewall manager. Used without command, the firewall manager will load the whole firewall (i.e. the struture, the macip set and the MAC table). By default it erases the current NAT table and macp set. You can choose to keep the current values for these with the flags. - + """ if ctx.invoked_subcommand is None: logger.info("Starting Re2o firewall manager.") @@ -112,7 +128,7 @@ def macip(): """ _mac_ip.update_macip() - + @cli.command() def nat(): """Load the NAT table. diff --git a/nat.nft b/nat.nft index 3a8adfb..82a86fd 100644 --- a/nat.nft +++ b/nat.nft @@ -1,5 +1,20 @@ #! /sbin/nft -f +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk + table ip nat { set radius_federez { 
@@ -10,8 +25,8 @@ table ip nat { chain prerouting { type nat hook prerouting priority 0; ip saddr $range_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server; - ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius; - ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636, 1812 } dnat $ip_radius; + ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius; + ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636, 1812 } dnat $ip_radius; } @@ -20,8 +35,8 @@ table ip nat { meta oifname != $if_supelec return - ip saddr $ip_radius ip daddr @radius_federez tcp dport { 636, 389} snat to $ip_self_public - ip saddr $ip_radius ip daddr @radius_federez udp dport { 636, 1812 } snat to $ip_self_public + ip saddr $ip_radius ip daddr @radius_federez tcp dport { 636, 389} snat to $ip_self_public + ip saddr $ip_radius ip daddr @radius_federez udp dport { 636, 1812 } snat to $ip_self_public ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap { $range_adherent : goto adherent_nat, @@ -30,7 +45,7 @@ table ip nat { $range_aloes : goto aloes_nat, $range_prerezotage : goto prerezotage_nat } - + ip daddr != {10.0.0.0/8, $range_public} ip saddr != $range_public snat to $ip_self_public } diff --git a/nat.py b/nat.py index 3dca8d6..023b10a 100644 --- a/nat.py +++ b/nat.py @@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -# Copyright © 2019 Hugo Levy-Falk +# Copyright © 2019 Hugo Levy-Falk """ Creates the nat set. diff --git a/zones/adherent.nft b/zones/adherent.nft index ac836bd..f548405 100644 --- a/zones/adherent.nft +++ b/zones/adherent.nft 
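Review bot: The nat.py hunk replaces its copyright line with one whose visible text is identical (`# Copyright © 2019 Hugo Levy-Falk`), whereas the parallel hunk in mac_ip.py extends the year to 2018-2019, so the two files now disagree for no stated reason. If the intent was the same as in mac_ip.py, the new line should read `# Copyright © 2018-2019 Hugo Levy-Falk`; if it was not, the nat.py change is presumably whitespace or encoding only and could be left out of a license commit. Either way, a one-word mention in the commit message of what actually changed on that line would save the next reader the same question.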
@@ -1,5 +1,20 @@ #! /sbin/nft -f +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk + table inet firewall { chain to_adherent { diff --git a/zones/admin.nft b/zones/admin.nft index 5ca3852..0989565 100644 --- a/zones/admin.nft +++ b/zones/admin.nft @@ -1,5 +1,20 @@ #! /sbin/nft -f +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk + table inet firewall { chain to_admin { diff --git a/zones/aloes.nft b/zones/aloes.nft index aa39dca..6b82a72 100644 --- a/zones/aloes.nft +++ b/zones/aloes.nft 
@@ -1,5 +1,20 @@ #! /sbin/nft -f +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk + table inet firewall { chain to_aloes { diff --git a/zones/dmz.nft b/zones/dmz.nft index fd2af45..bafed7b 100644 --- a/zones/dmz.nft +++ b/zones/dmz.nft @@ -1,5 +1,19 @@ #! /sbin/nft -f +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk table inet firewall { diff --git a/zones/federez.nft b/zones/federez.nft index b215db8..b3439b7 100644 --- a/zones/federez.nft +++ b/zones/federez.nft 
@@ -1,5 +1,20 @@ #! /sbin/nft -f +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk + table inet firewall { chain to_federez { diff --git a/zones/prerezotage.nft b/zones/prerezotage.nft index 36ed4f9..446b67b 100644 --- a/zones/prerezotage.nft +++ b/zones/prerezotage.nft @@ -1,5 +1,20 @@ #! /sbin/nft -f +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk + table inet firewall { set allowed_daddr_prerezotage { diff --git a/zones/supelec.nft b/zones/supelec.nft index ea0c334..e42c57e 100644 --- a/zones/supelec.nft +++ b/zones/supelec.nft 
@@ -1,5 +1,20 @@ #! /sbin/nft -f +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Copyright © 2018-2019 Hugo Levy-Falk + table inet firewall { chain to_supelec {