Premier commit

“Albert
2023-01-05 11:44:26 +01:00
parent d46e9954ca
commit fb19dc24e5
554 changed files with 46045 additions and 0 deletions

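--- /dev/null
+++ b/roles/r-ext/files/ferm.conf
@@ -0,0 +1,113 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+@def $DEV_ADM = enp0s3;
+@def $DEV_DMZ = enp0s8;
+@def $DEV_WORLD = enp0s9;
+@def $DEV_VPN = enp0s10;
+@def $DEV_LINK = enp0s16;
+@def $NET_ADM = 192.168.99.0/24;
+@def $NET_DMZ = 192.168.100.0/24;
+@def $NET_WORLD = 192.168.0.0/24;
+@def $NET_LINKV = 192.168.1.0/30;
+@def $NET_LINK = 192.168.200.0/24;
+# mon ip static
+#@def $HOST_STATIC =
+@include '/root/tools/ansible/gsb2022/roles/r-ext/files/mkferm |';
+#@def $HOST_PASSERELLEDMZ = 172.16.0.1;
+@def &FORWARD_TCP($proto, $port, $dest) = {
+table filter chain FORWARD interface $DEV_WORLD outerface $DEV_DMZ daddr $dest proto $proto dport $port ACCEPT;
+table nat chain PREROUTING interface $DEV_WORLD daddr $HOST_STATIC proto $proto dport $port DNAT to $dest;
+}
+#@def &FORWARD($proto, $port, $dest) = {
+# table filter chain FORWARD interface $DEV_DMZ outerface $DEV_PRIVATE daddr $dest proto $proto dport $port ACCEPT;
+# table nat chain PREROUTING interface $DEV_DMZ daddr $HOST_PASSERELLEDMZ proto $proto dport $port DNAT to $dest;
+#}
+#&FORWARD(tcp, 3306, 10.0.0.2);
+#&FORWARD_TCP(tcp, http, 192.168.100.254);
+#&FORWARD_TCP(tcp, smtp, 192.168.1.3);
+table filter {
+chain INPUT {
+policy DROP;
+# connection tracking
+mod state state INVALID DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+# allow local packet
+interface lo ACCEPT;
+# respond to ping
+proto icmp ACCEPT;
+# allow IPsec
+interface ($DEV_LINK) {
+proto udp dport 500 ACCEPT;
+proto (esp ah) ACCEPT;
+}
+# allow SSH connections
+interface ($DEV_ADM) {
+proto tcp dport ssh ACCEPT;
+}
+# we provide DNS for the internal net
+interface ($DEV_WORLD $DEV_DMZ) {
+proto (udp tcp) dport domain ACCEPT;
+proto (tcp) dport http ACCEPT;
+}
+}
+chain OUTPUT {
+policy ACCEPT;
+# connection tracking
+#mod state state INVALID DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+}
+chain FORWARD {
+policy DROP;
+# connection tracking
+mod state state INVALID DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+# the DMZ may only access the internet
+interface ($DEV_DMZ $DEV_LINK) {
+outerface $DEV_WORLD ACCEPT;
+# report failure gracefully
+REJECT reject-with icmp-net-prohibited;
+}
+interface ($DEV_WORLD) {
+proto tcp dport http outerface $DEV_DMZ ACCEPT;
+# report failure gracefully
+REJECT reject-with icmp-net-prohibited;
+}
+}
+}
+table nat {
+chain POSTROUTING {
+# masquerade private IP addresses
+saddr ($NET_LINK) outerface $DEV_WORLD SNAT to $HOST_STATIC;
+}
+}
+# IPv6:
+#domain ip6 {
+# table filter {
+# chain INPUT {
+# policy ACCEPT;
+# # ...
+# }
+# # ...
+# }
+#}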
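Review bot: `proto icmp ACCEPT` in chain INPUT admits every ICMP type, while the comment above it says the intent is only to answer ping; if that is the intent, narrow it to `proto icmp icmp-type echo-request ACCEPT;` (the ESTABLISHED/RELATED rule above already lets replies and errors through). The whole `domain ip6` block is commented out, so with ferm's default `domain ip` nothing is installed into ip6tables and IPv6 traffic, should any interface obtain an address, is left to the kernel's default ACCEPT policies; a minimal ip6 filter table with `policy DROP` on INPUT and FORWARD mirroring the ip rules would close that. The `@include '/root/tools/ansible/gsb2022/roles/r-ext/files/mkferm |'` path looks like the Ansible checkout rather than wherever the role installs mkferm on the firewall host, so ferm can only load where that checkout exists; it also means that script runs as root on every ferm reload and should be reviewed as part of the rule set. The comment "the DMZ may only access the internet" no longer matches the rule below it, which also covers `$DEV_LINK`.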

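--- /dev/null
+++ b/roles/r-ext/files/ipFerm.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+ip a show dev enp0s9|grep "inet "|cut -d/ -f1 | cut -dt -f2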
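Review bot: `cut -dt -f2` extracts the address by splitting on the letter `t` of `inet`, which only works by accident of ip's output layout, and it still prints one line per IPv4 address on the interface, so a second address (or none at all) yields output that mkferm cannot use as a single `$HOST_STATIC` value. `ip -4 -o addr show dev enp0s9 | awk '{ print $4 }' | cut -d/ -f1 | head -n1` returns exactly one bare address or nothing. The interface is also hard-coded here while ferm.conf defines it as `$DEV_WORLD = enp0s9`; taking the device as `$1` with `enp0s9` as the default keeps the two from drifting apart.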

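--- /dev/null
+++ b/roles/r-ext/files/mkferm
@@ -0,0 +1,7 @@
+#!/bin/bash
+#IPADD=$(root/ipFerm.sh| tr -d '\n')
+#MSG="@def $HOST_STATIC = $
+echo -n -E "@def \$HOST_STATIC ="
+/root/tools/ansible/gsb2022/roles/r-ext/files/ipFerm.sh |tr -d '\n'
+echo ";"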
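Review bot: Nothing checks what ipFerm.sh returns, so when enp0s9 has no IPv4 address this prints `@def $HOST_STATIC =;`, which ferm cannot parse, and with two addresses it prints them space-separated, which is not a valid single value either; since ferm.conf feeds this into the SNAT target and the FORWARD_TCP DNAT match, the script should fail loudly instead of emitting a broken definition. `addr=$(/root/tools/ansible/gsb2022/roles/r-ext/files/ipFerm.sh | head -n1 | tr -d ' \n')`, `[ -n "$addr" ] || { echo "mkferm: no IPv4 address found" >&2; exit 1; }`, `echo "@def \$HOST_STATIC = $addr;"` keeps the output format and gives ferm a non-zero exit to refuse the load (I believe ferm aborts when a piped include fails; worth confirming). The commented `IPADD=`/`MSG=` lines are leftovers and can go.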

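--- /dev/null
+++ b/roles/r-ext/files/nat.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+echo "1" > /proc/sys/net/ipv4/ip_forward
+iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
+iptables -t nat -A POSTROUTING -o enp0s9 -j MASQUERADE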
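Review bot: The first MASQUERADE rule is on `enp0s3`, which ferm.conf defines as `$DEV_ADM`, the administration interface, and neither rule carries a `-s` restriction, so anything the box forwards is masqueraded out of the admin side as well; ferm.conf's own `table nat` only SNATs `$NET_LINK` out of `$DEV_WORLD`, and I believe ferm flushes the nat table on every load, so these rules either vanish or conflict depending on run order. Unless admin-side NAT is intended, I would drop this script in favour of the ferm rule, or at least limit it to `iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o enp0s9 -j MASQUERADE`. `-A` also appends a duplicate rule every time the script runs; guarding each line with `iptables -t nat -C ... || iptables -t nat -A ...` keeps it idempotent. `net.ipv4.ip_forward=1` is already set in the sysctl.conf shipped in this commit, so the echo only matters for an immediate apply.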

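--- /dev/null
+++ b/roles/r-ext/files/routagenat
@@ -0,0 +1,3 @@
+#!/usr/bin/perl
+qx(route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.200.253);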
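Review bot: The exit status of `route add` is never checked after `qx`, so a failed or already-present default route (the command is not idempotent) goes unnoticed, and `route` comes from the deprecated net-tools package. `system('ip', 'route', 'replace', 'default', 'via', '192.168.200.253') == 0 or die "default route: $?\n";` uses iproute2, is safe to re-run, and fails loudly. A Perl wrapper around a single command is also out of place next to the bash helpers in this commit; a shell script or an Ansible task would be more consistent. Worth confirming that 192.168.200.253 on `$NET_LINK` is the intended upstream, since ferm.conf treats `$DEV_WORLD` as the internet-facing interface.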


@@ -0,0 +1,60 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#