incrémentation des modif

2023-02-03 09:37:13 +01:00 · 2023-02-03 09:37:13 +01:00 · 75126890b3
commit 75126890b3
parent 851543db0a
3 changed files with 40 additions and 13 deletions
--- a/roles/fw-ferm/files/ferm-vp1.conf
+++ b/roles/fw-ferm/files/ferm-vp1.conf
@ -1,3 +1,5 @@
+# -*- shell-script -*-
+
@def $DEV_VPN= wg0;

 table filter {
@ -10,22 +12,23 @@ table filter {

        # allow local connections
        interface lo ACCEPT;
-
+        interface $DEV_VPN{
        # respond to ping
        proto icmp icmp-type echo-request ACCEPT;
        # disallow ssh
-        proto tcp dport ssh ACCEPT;
-  
+        saddr proto tcp dport ssh DROP;
+        }
    }#FIN INPUT

    # outgoing connections are not limited
    chain OUTPUT {
        policy ACCEPT;
+        interface $DEV_VPN{
        # allow ssh
-        proto tcp dport ssh DROP; 
+        daddr proto tcp dport ssh ACCEPT;
        # respond to ping
        proto icmp icmp-type echo-request ACCEPT;
-
+        }
     }#FIN OUTPUT

    chain FORWARD {
--- a/roles/fw-ferm/files/ferm.conf.r-vp1
+++ b/roles/fw-ferm/files/ferm.conf.r-vp1
@ -4,7 +4,7 @@

@def $DEV_PRIVATE = enp0s8;
@def $DEV_WORLD = enp0s9;
-
+@def $DEV_VPN= wg0;
@def $NET_PRIVATE = 172.16.0.0/24;

 table filter {
@ -33,8 +33,15 @@ table filter {
        # we provide DNS and SMTP services for the internal net
        interface $DEV_PRIVATE saddr $NET_PRIVATE {
            proto (udp tcp) dport domain ACCEPT;
-            proto udp dport bootps ACCEPT;            
+            proto udp dport bootps ACCEPT; 
        }
+        interface $DEV_VPN{
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+        # disallow ssh
+        saddr proto tcp dport ssh DROP;
+        }           
+        

        # interface réseau 
        interface $DEV_WORLD {
@ -45,8 +52,14 @@ table filter {
    }#FIN INPUT

    # outgoing connections are not limited
-    chain OUTPUT policy ACCEPT;
-
+    chain OUTPUT {policy ACCEPT;
+        interface $DEV_VPN{
+        # allow ssh
+        daddr proto tcp dport ssh ACCEPT;
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+        }
+     }#FIN OUTPUT
    chain FORWARD {
        policy ACCEPT;

--- a/roles/fw-ferm/files/ferm.conf.r-vp2
+++ b/roles/fw-ferm/files/ferm.conf.r-vp2
@ -4,7 +4,7 @@

@def $DEV_PRIVATE = enp0s9;
@def $DEV_WORLD = enp0s8;
-
+@def $DEV_VPN= wg0;
@def $NET_PRIVATE = 172.16.0.0/24;

 table filter {
@ -34,7 +34,12 @@ table filter {
            proto (udp tcp) dport domain ACCEPT;
            proto udp dport bootps ACCEPT;
        }
-
+        interface $DEV_VPN{
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+        # disallow ssh
+        saddr proto tcp dport ssh ACCEPT;
+        }
        # interface réseau
        interface $DEV_WORLD {

@ -44,8 +49,14 @@ table filter {
    }#FIN INPUT

    # outgoing connections are not limited
-    chain OUTPUT policy ACCEPT;
-
+    chain OUTPUT {policy ACCEPT;
+        interface $DEV_VPN{
+        # allow ssh
+        daddr proto tcp dport ssh DROP;
+        # respond to ping
+        proto icmp icmp-type echo-request ACCEPT;
+        }
+}
    chain FORWARD {
        policy ACCEPT;