Hugo Levy-Falk 2019-12-20 19:18:10 +01:00 committed by root
parent d1f0ef10d8
commit 9512cd35ac
16 changed files with 207 additions and 12 deletions


@ -1,3 +1,18 @@
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
# Variables prpres à l'architecture pour le pare-feu # Variables prpres à l'architecture pour le pare-feu
# Interfaces de la machine # Interfaces de la machine


@ -1,3 +1,18 @@
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
# Table checkmac, à bas le spoof d'ips. # Table checkmac, à bas le spoof d'ips.
table inet firewall { table inet firewall {


@ -1,5 +1,20 @@
#! /usr/sbin/nft -I /usr/local/firewall -f #! /usr/sbin/nft -I /usr/local/firewall -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
# Remise à zéro des règles du pare-feu # Remise à zéro des règles du pare-feu
flush ruleset flush ruleset


@ -14,6 +14,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2017 David Sinquin <david.re2o@sinquin.eu> # Copyright © 2017 David Sinquin <david.re2o@sinquin.eu>
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
""" """


@ -1,3 +1,17 @@
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall { table inet firewall {
chain global { chain global {


@ -13,7 +13,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2019 Hugo Levy-Falk <me@klafyvel.me> # Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
""" """
Creates the nat set. Creates the nat set.

26
main.py

@ -1,4 +1,20 @@
#! /usr/bin/python3 #! /usr/bin/python3
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
import os import os
import tempfile import tempfile
import logging import logging
@ -58,7 +74,7 @@ def _structure(keep_nat, keep_macip):
macip_file.write(nat.encode('utf-8')) macip_file.write(nat.encode('utf-8'))
CommandExec.run([ CommandExec.run([
'nft', 'nft',
'-I', '-I',
BASE_DIR, BASE_DIR,
'-f', '-f',
@ -67,7 +83,7 @@ def _structure(keep_nat, keep_macip):
if keep_macip: if keep_macip:
logging.info("Retreiving the current macip set.") logging.info("Retreiving the current macip set.")
CommandExec.run([ CommandExec.run([
'nft', 'nft',
'-I', '-I',
BASE_DIR, BASE_DIR,
'-f', '-f',
@ -79,7 +95,7 @@ def _structure(keep_nat, keep_macip):
if keep_nat: if keep_nat:
logging.info("Retreiving the current NAT table.") logging.info("Retreiving the current NAT table.")
CommandExec.run([ CommandExec.run([
'nft', 'nft',
'-I', '-I',
BASE_DIR, BASE_DIR,
'-f', '-f',
@ -98,7 +114,7 @@ def cli(ctx, keep_nat, keep_macip):
"""Re2o firewall manager. """Re2o firewall manager.
Used without command, the firewall manager will load the whole firewall (i.e. the struture, the macip set and the MAC table). By default it erases the current NAT table and macp set. You can choose to keep the current values for these with the flags. Used without command, the firewall manager will load the whole firewall (i.e. the struture, the macip set and the MAC table). By default it erases the current NAT table and macp set. You can choose to keep the current values for these with the flags.
""" """
if ctx.invoked_subcommand is None: if ctx.invoked_subcommand is None:
logger.info("Starting Re2o firewall manager.") logger.info("Starting Re2o firewall manager.")
@ -112,7 +128,7 @@ def macip():
""" """
_mac_ip.update_macip() _mac_ip.update_macip()
@cli.command() @cli.command()
def nat(): def nat():
"""Load the NAT table. """Load the NAT table.

25
nat.nft

@ -1,5 +1,20 @@
#! /sbin/nft -f #! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table ip nat { table ip nat {
set radius_federez { set radius_federez {
@ -10,8 +25,8 @@ table ip nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority 0; type nat hook prerouting priority 0;
ip saddr $range_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server; ip saddr $range_prerezotage ip daddr != { $intranet, $comnpay, $website } tcp dport {http,https} dnat $bounce_server;
ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius; ip saddr @radius_federez ip daddr $ip_self_public tcp dport { 636, 389 } dnat $ip_radius;
ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636, 1812 } dnat $ip_radius; ip saddr @radius_federez ip daddr $ip_self_public udp dport { 636, 1812 } dnat $ip_radius;
} }
@ -20,8 +35,8 @@ table ip nat {
meta oifname != $if_supelec return meta oifname != $if_supelec return
ip saddr $ip_radius ip daddr @radius_federez tcp dport { 636, 389} snat to $ip_self_public ip saddr $ip_radius ip daddr @radius_federez tcp dport { 636, 389} snat to $ip_self_public
ip saddr $ip_radius ip daddr @radius_federez udp dport { 636, 1812 } snat to $ip_self_public ip saddr $ip_radius ip daddr @radius_federez udp dport { 636, 1812 } snat to $ip_self_public
ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap { ip daddr != {10.0.0.0/8, $range_public} ip saddr vmap {
$range_adherent : goto adherent_nat, $range_adherent : goto adherent_nat,
@ -30,7 +45,7 @@ table ip nat {
$range_aloes : goto aloes_nat, $range_aloes : goto aloes_nat,
$range_prerezotage : goto prerezotage_nat $range_prerezotage : goto prerezotage_nat
} }
ip daddr != {10.0.0.0/8, $range_public} ip saddr != $range_public snat to $ip_self_public ip daddr != {10.0.0.0/8, $range_public} ip saddr != $range_public snat to $ip_self_public
} }
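Review bot: The two radius_federez DNAT rules in the `@ -10,8 +25,8 @@` hunk are the lines this hunk modifies, and the UDP rule forwards `udp dport { 636, 1812 }` to $ip_radius; 636 is the LDAPS port, which is TCP-only, so the UDP/636 entry has no service behind it and the intended companion of 1812 is presumably RADIUS accounting on 1813 — please confirm rather than keep a port open on a guess. The matching SNAT rule in the `@ -20,8 +35,8 @@` hunk uses the same UDP set and should change in step with it. If the identical tcp/udp sets are deliberate, a one-line comment above the rules, `# 636 is intentionally forwarded on both tcp and udp`, would stop the next reader from "fixing" it. The prerouting and postrouting chains both extend outside the hunks shown.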

2
nat.py

@ -13,7 +13,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2019 Hugo Levy-Falk <me@klafyvel.me> # Copyright © 2019 Hugo Levy-Falk <hugo@klafyvel.me>
""" """
Creates the nat set. Creates the nat set.


@ -1,5 +1,20 @@
#! /sbin/nft -f #! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall { table inet firewall {
chain to_adherent { chain to_adherent {


@ -1,5 +1,20 @@
#! /sbin/nft -f #! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall { table inet firewall {
chain to_admin { chain to_admin {


@ -1,5 +1,20 @@
#! /sbin/nft -f #! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall { table inet firewall {
chain to_aloes { chain to_aloes {


@ -1,5 +1,19 @@
#! /sbin/nft -f #! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall { table inet firewall {


@ -1,5 +1,20 @@
#! /sbin/nft -f #! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall { table inet firewall {
chain to_federez { chain to_federez {


@ -1,5 +1,20 @@
#! /sbin/nft -f #! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall { table inet firewall {
set allowed_daddr_prerezotage { set allowed_daddr_prerezotage {


@ -1,5 +1,20 @@
#! /sbin/nft -f #! /sbin/nft -f
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Copyright © 2018-2019 Hugo Levy-Falk <hugo@klafyvel.me>
table inet firewall { table inet firewall {
chain to_supelec { chain to_supelec {