Premier commit
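--- a/roles/r-ext/files/ferm.conf
+++ b/roles/r-ext/files/ferm.conf
@@ -0,0 +1,113 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+
+@def $DEV_ADM = enp0s3;
+@def $DEV_DMZ = enp0s8;
+@def $DEV_WORLD = enp0s9;
+@def $DEV_VPN = enp0s10;
+@def $DEV_LINK = enp0s16;
+
+@def $NET_ADM = 192.168.99.0/24;
+@def $NET_DMZ = 192.168.100.0/24;
+@def $NET_WORLD = 192.168.0.0/24;
+@def $NET_LINKV = 192.168.1.0/30;
+@def $NET_LINK = 192.168.200.0/24;
+
+# mon ip static
+#@def $HOST_STATIC =
+@include '/root/tools/ansible/gsb2022/roles/r-ext/files/mkferm |';
+#@def $HOST_PASSERELLEDMZ = 172.16.0.1;
+
+@def &FORWARD_TCP($proto, $port, $dest) = {
+table filter chain FORWARD interface $DEV_WORLD outerface $DEV_DMZ daddr $dest proto $proto dport $port ACCEPT;
+table nat chain PREROUTING interface $DEV_WORLD daddr $HOST_STATIC proto $proto dport $port DNAT to $dest;
+}
+#@def &FORWARD($proto, $port, $dest) = {
+# table filter chain FORWARD interface $DEV_DMZ outerface $DEV_PRIVATE daddr $dest proto $proto dport $port ACCEPT;
+# table nat chain PREROUTING interface $DEV_DMZ daddr $HOST_PASSERELLEDMZ proto $proto dport $port DNAT to $dest;
+#}
+
+#&FORWARD(tcp, 3306, 10.0.0.2);
+#&FORWARD_TCP(tcp, http, 192.168.100.254);
+#&FORWARD_TCP(tcp, smtp, 192.168.1.3);
+
+table filter {
+chain INPUT {
+policy DROP;
+
+# connection tracking
+mod state state INVALID DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+
+# allow local packet
+interface lo ACCEPT;
+
+# respond to ping
+proto icmp ACCEPT;
+
+# allow IPsec
+interface ($DEV_LINK) {
+proto udp dport 500 ACCEPT;
+proto (esp ah) ACCEPT;
+}
+# allow SSH connections
+interface ($DEV_ADM) {
+proto tcp dport ssh ACCEPT;
+}
+# we provide DNS for the internal net
+interface ($DEV_WORLD $DEV_DMZ) {
+proto (udp tcp) dport domain ACCEPT;
+proto (tcp) dport http ACCEPT;
+}
+
+}
+chain OUTPUT {
+policy ACCEPT;
+
+# connection tracking
+#mod state state INVALID DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+}
+chain FORWARD {
+policy DROP;
+
+# connection tracking
+mod state state INVALID DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+
+# the DMZ may only access the internet
+interface ($DEV_DMZ $DEV_LINK) {
+outerface $DEV_WORLD ACCEPT;
+# report failure gracefully
+REJECT reject-with icmp-net-prohibited;
+}
+
+interface ($DEV_WORLD) {
+proto tcp dport http outerface $DEV_DMZ ACCEPT;
+# report failure gracefully
+REJECT reject-with icmp-net-prohibited;
+}
+}
+}
+
+table nat {
+chain POSTROUTING {
+# masquerade private IP addresses
+saddr ($NET_LINK) outerface $DEV_WORLD SNAT to $HOST_STATIC;
+}
+}
+
+
+
+# IPv6:
+#domain ip6 {
+# table filter {
+# chain INPUT {
+# policy ACCEPT;
+# # ...
+# }
+# # ...
+# }
+#}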
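Review bot: The `@include '/root/tools/ansible/gsb2022/roles/r-ext/files/mkferm |';` line is the only place `$HOST_STATIC` receives a value (the `#@def $HOST_STATIC =` just above it is commented out), it executes a script from a controller-side absolute path every time ferm loads, and tasks/main.yml in this commit copies ferm.conf to /etc/ferm/ without deploying mkferm or ipFerm.sh, so on a fresh target the include should fail and the `$HOST_STATIC` references in `&FORWARD_TCP` and the POSTROUTING SNAT rule stay unresolved. Resolving the address when the role runs (a templated value taken from the interface facts) or including a script installed next to the config (`@include '/etc/ferm/mkferm |';`, constructed path) removes both the dependency on the controller's filesystem and the root-executed include. The `gsb2022` component of that path also looks like a leftover from an earlier tree and would need editing by hand on every copy. Two comments no longer describe their rules: `# we provide DNS for the internal net` sits over a block that also accepts `dport http` on `$DEV_WORLD` and `$DEV_DMZ`, and `# respond to ping` sits over `proto icmp ACCEPT;`, which admits every ICMP type on every interface, whereas `proto icmp icmp-type echo-request ACCEPT;` is what the comment describes.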
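--- a/roles/r-ext/files/ipFerm.sh
+++ b/roles/r-ext/files/ipFerm.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+ip a show dev enp0s9|grep "inet "|cut -d/ -f1 | cut -dt -f2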
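Review bot: `cut -dt -f2` in the pipeline on the last line splits on the letter t rather than on a field separator, and `grep "inet "` matches every IPv4 address on enp0s9, so a second address on the interface makes the script print several addresses that mkferm then joins into a single `@def`, and an interface with no address prints nothing; both cases yield a ferm.conf that does not parse. A field-based form is more robust: `ip -4 -o addr show dev enp0s9 | awk '{print $4}' | cut -d/ -f1 | head -n 1`. The interface name also duplicates `$DEV_WORLD` from ferm.conf; taking it from `$1` with enp0s9 as the default would keep the two in one place.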
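--- a/roles/r-ext/files/mkferm
+++ b/roles/r-ext/files/mkferm
@@ -0,0 +1,7 @@
+#!/bin/bash
+#IPADD=$(root/ipFerm.sh| tr -d '\n')
+#MSG="@def $HOST_STATIC = $
+echo -n -E "@def \$HOST_STATIC ="
+/root/tools/ansible/gsb2022/roles/r-ext/files/ipFerm.sh |tr -d '\n'
+echo ";"
+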
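Review bot: The script calls ipFerm.sh through the absolute controller path `/root/tools/ansible/gsb2022/roles/r-ext/files/ipFerm.sh` and never checks that the call produced an address, so when ferm evaluates this include on a target where that path does not exist (tasks/main.yml in this commit does not deploy it) the output is `@def $HOST_STATIC =;` and ferm rejects the whole config. Locating the helper relative to the script and refusing to emit an empty definition makes the failure explicit: `addr=$("$(dirname "$0")/ipFerm.sh" | tr -d '\n')`, `[ -n "$addr" ] || exit 1`, `printf '@def $HOST_STATIC = %s;\n' "$addr"`. The current output also relies on the leading space that ipFerm.sh happens to leave before the address to separate `=` from the value; an explicit space in the printf removes that dependency.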
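--- a/roles/r-ext/files/nat.sh
+++ b/roles/r-ext/files/nat.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+echo "1" > /proc/sys/net/ipv4/ip_forward
+iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
+iptables -t nat -A POSTROUTING -o enp0s9 -j MASQUERADE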
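Review bot: Both `iptables -t nat -A POSTROUTING ... -j MASQUERADE` lines append without checking for an existing rule, so every run of the script stacks duplicates, and the first one masquerades out of enp0s3, which ferm.conf in this same commit defines as `$DEV_ADM`, the administration interface, whereas the ferm nat table only SNATs `$NET_LINK` sources out of `$DEV_WORLD`. As far as I can tell ferm rebuilds the nat table when it loads, so these hand rules are either discarded or, if the script runs afterwards, silently widen the policy to every source address. I would drop the script in favour of the ferm config; if it must stay, guard each rule with `iptables -t nat -C POSTROUTING -o enp0s9 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -o enp0s9 -j MASQUERADE` and restrict it with `-s` to the network that needs it. The `ip_forward` echo also duplicates `net.ipv4.ip_forward=1` in the sysctl.conf this commit deploys.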
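--- a/roles/r-ext/files/routagenat
+++ b/roles/r-ext/files/routagenat
@@ -0,0 +1,3 @@
+#!/usr/bin/perl
+
+qx(route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.200.253);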
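Review bot: `qx(route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.200.253);` discards the command's exit status and output, and `route add` fails when a default route already exists, so a re-run reports success while changing nothing; it also depends on the legacy `route` binary from net-tools, which this role does not install. An idempotent form that surfaces errors is `system('ip', 'route', 'replace', 'default', 'via', '192.168.200.253') == 0 or die "ip route failed: $?";`. Nothing on this page copies or runs routagenat, so a header comment stating where and when it is meant to execute would help the next reader.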
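--- a/roles/r-ext/files/sysctl.conf
+++ b/roles/r-ext/files/sysctl.conf
@@ -0,0 +1,60 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additonal system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#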
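Review bot: With `net.ipv4.ip_forward=1` uncommented this host is a router, which makes the `(we are not a router)` wording next to `send_redirects` and `accept_source_route` stale and leaves every hardening key the file itself recommends still commented out: `rp_filter`, `accept_redirects`, `accept_source_route` and `log_martians`. For a multi-homed firewall I would at least enable `net.ipv4.conf.all.accept_source_route = 0`, `net.ipv4.conf.all.accept_redirects = 0` and `net.ipv4.conf.all.log_martians = 1`, and set `rp_filter` to 1, or to 2 (loose mode) if any path between the networks declared in ferm.conf is asymmetric. The two `(we are not a router)` comments should then be replaced by a note recording whether this router is meant to emit ICMP redirects to its attached segments.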
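--- a/roles/r-ext/tasks/main.yml
+++ b/roles/r-ext/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Copie du fichier sysctl.conf
+copy:
+src: sysctl.conf
+dest: /etc/
+
+- name: copier le script de routage
+copy:
+src: nat.sh
+dest: /root/
+mode: '0755'
+
+- name: installer ferm
+apt:
+name: ferm
+state: present
+update_cache: yes
+
+- name: copier le fichier ferm.conf
+copy:
+src: ferm.conf
+dest: /etc/ferm/
+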
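Review bot: The last task copies ferm.conf into /etc/ferm/ with no `validate` and no `notify`, so a config that fails to parse is installed unnoticed and even a valid one is not applied until something reloads ferm; the sysctl.conf copy has the same gap, as nothing afterwards runs `sysctl -p` or the sysctl module. Adding `validate: 'ferm --noexec %s'` to the ferm.conf task and a `notify` to reload ferm and sysctl (handler names to be defined in the role; none appear in this commit) would close both. The task list also installs nat.sh but nothing runs it, and it does not deploy mkferm or ipFerm.sh, which ferm.conf in this same commit `@include`s from a controller-side path, so the firewall config cannot load on a fresh target as written. Indentation is not preserved in this rendering, so I cannot confirm that the module keys are nested under each task as intended.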