| re2oapi@b12df74fe7 | ||
| zones | ||
| .gitignore | ||
| .gitmodules | ||
| archi.nft | ||
| checkmac.nft | ||
| config.ini.example | ||
| firewall.nft | ||
| firewall.py | ||
| firewall.service | ||
| global_policy.nft | ||
| mac_ip.py | ||
| main.py | ||
| nat.nft | ||
| nat.py | ||
| re2o.conf | ||
| README.md | ||
| roulette.nft | ||
| roulette.py | ||
Re2o firewall with nftables
This script creates a firewall from Re2o information using nftables.
What it does :
- Fetch mac-ip table from re2o and filter traffic from the adherent NAT with it;
- Create a NAT table for FedeRez and Adherent, and NAT the admin and prerezotage VLANs properly.
What it does not do (yet) :
- Fetch opened ports on Re2o and filter traffic with these infos.
Install :
cd /usr/local/
git clone --recursive https://gitlab.rezometz.org/klafyvel/firewall.git
apt install python3 python3-click python3-iso8601
cp config.ini.example config.ini
vim config.ini
chmod +x main.py
cp firewall.service /etc/systemd/system/
systemctl start firewall.service
echo "* * * * * root /usr/bin/python3 main.py macip 2>&1 | /usr/bin/logger -t firewall" >> /etc/cron.d/firewall
Usage :
Usage: main.py [OPTIONS] COMMAND [ARGS]...
Re2o firewall manager.
Used without command, the firewall manager will load the whole firewall
(i.e. the struture, the macip set and the MAC table). By default it erases
the current NAT table and macp set. You can choose to keep the current
values for these with the flags.
Options:
--keep-nat / --dont-keep-nat Should I keep the current NAT table ?
--keep-macip / --dont-keep-macip
Should I keep the current macip set ?
--help Show this message and exit.
Commands:
macip Load the macip set.
nat Load the NAT table.
Dependencies :
- re2oapi
- python3-click