From 75126890b390cbabf76c02543323358de8835b40 Mon Sep 17 00:00:00 2001 From: Johan Largy Date: Fri, 3 Feb 2023 09:37:13 +0100 Subject: [PATCH] =?UTF-8?q?incr=C3=A9mentation=20des=20modif?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../files/{ferm2.conf => ferm-vp1.conf} | 13 +++++++----- roles/fw-ferm/files/ferm.conf.r-vp1 | 21 +++++++++++++++---- roles/fw-ferm/files/ferm.conf.r-vp2 | 19 +++++++++++++---- 3 files changed, 40 insertions(+), 13 deletions(-) rename roles/fw-ferm/files/{ferm2.conf => ferm-vp1.conf} (84%) diff --git a/roles/fw-ferm/files/ferm2.conf b/roles/fw-ferm/files/ferm-vp1.conf similarity index 84% rename from roles/fw-ferm/files/ferm2.conf rename to roles/fw-ferm/files/ferm-vp1.conf index bf0cde2..5d5d94f 100644 --- a/roles/fw-ferm/files/ferm2.conf +++ b/roles/fw-ferm/files/ferm-vp1.conf @@ -1,3 +1,5 @@ +# -*- shell-script -*- + @def $DEV_VPN= wg0; table filter { @@ -10,22 +12,23 @@ table filter { # allow local connections interface lo ACCEPT; - + interface $DEV_VPN{ # respond to ping proto icmp icmp-type echo-request ACCEPT; # disallow ssh - proto tcp dport ssh ACCEPT; - + saddr proto tcp dport ssh DROP; + } }#FIN INPUT # outgoing connections are not limited chain OUTPUT { policy ACCEPT; + interface $DEV_VPN{ # allow ssh - proto tcp dport ssh DROP; + daddr proto tcp dport ssh ACCEPT; # respond to ping proto icmp icmp-type echo-request ACCEPT; - + } }#FIN OUTPUT chain FORWARD { diff --git a/roles/fw-ferm/files/ferm.conf.r-vp1 b/roles/fw-ferm/files/ferm.conf.r-vp1 index 0097688..00249d7 100644 --- a/roles/fw-ferm/files/ferm.conf.r-vp1 +++ b/roles/fw-ferm/files/ferm.conf.r-vp1 @@ -4,7 +4,7 @@ @def $DEV_PRIVATE = enp0s8; @def $DEV_WORLD = enp0s9; - +@def $DEV_VPN= wg0; @def $NET_PRIVATE = 172.16.0.0/24; table filter { 
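Review bot: In the INPUT and OUTPUT blocks added under `interface $DEV_VPN{` the `saddr` and `daddr` keywords carry no address operand, so `saddr proto tcp dport ssh DROP;` and `daddr proto tcp dport ssh ACCEPT;` would, as far as I can tell, make ferm take `proto` as the address and hand iptables `-s proto` / `-d proto`, which fails when the ruleset is loaded and leaves the intended VPN rules unapplied. Either drop the keyword, since the enclosing `interface` match already restricts the rule to wg0 — `proto tcp dport ssh DROP;` — or name the tunnel peer, e.g. `saddr $VPN_PEER proto tcp dport ssh DROP;` with a `@def $VPN_PEER = <peer address>;` (constructed name) beside `@def $DEV_VPN`. The same construct is repeated in the INPUT and OUTPUT hunks of ferm.conf.r-vp1 and ferm.conf.r-vp2. Note also that with the old top-level `proto tcp dport ssh ACCEPT;` removed from INPUT, ssh arriving on interfaces other than wg0 now falls through to the chain policy, which is outside this hunk.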
@@ -33,8 +33,15 @@ table filter { # we provide DNS and SMTP services for the internal net interface $DEV_PRIVATE saddr $NET_PRIVATE { proto (udp tcp) dport domain ACCEPT; - proto udp dport bootps ACCEPT; + proto udp dport bootps ACCEPT; } + interface $DEV_VPN{ + # respond to ping + proto icmp icmp-type echo-request ACCEPT; + # disallow ssh + saddr proto tcp dport ssh DROP; + } + # interface réseau interface $DEV_WORLD { @@ -45,8 +52,14 @@ table filter { }#FIN INPUT # outgoing connections are not limited - chain OUTPUT policy ACCEPT; - + chain OUTPUT {policy ACCEPT; + interface $DEV_VPN{ + # allow ssh + daddr proto tcp dport ssh ACCEPT; + # respond to ping + proto icmp icmp-type echo-request ACCEPT; + } + }#FIN OUTPUT chain FORWARD { policy ACCEPT; diff --git a/roles/fw-ferm/files/ferm.conf.r-vp2 b/roles/fw-ferm/files/ferm.conf.r-vp2 index 1c0c40b..6c4886a 100644 --- a/roles/fw-ferm/files/ferm.conf.r-vp2 +++ b/roles/fw-ferm/files/ferm.conf.r-vp2 @@ -4,7 +4,7 @@ @def $DEV_PRIVATE = enp0s9; @def $DEV_WORLD = enp0s8; - +@def $DEV_VPN= wg0; @def $NET_PRIVATE = 172.16.0.0/24; table filter { @@ -34,7 +34,12 @@ table filter { proto (udp tcp) dport domain ACCEPT; proto udp dport bootps ACCEPT; } - + interface $DEV_VPN{ + # respond to ping + proto icmp icmp-type echo-request ACCEPT; + # disallow ssh + saddr proto tcp dport ssh ACCEPT; + } # interface réseau interface $DEV_WORLD { @@ -44,8 +49,14 @@ table filter { }#FIN INPUT # outgoing connections are not limited - chain OUTPUT policy ACCEPT; - + chain OUTPUT {policy ACCEPT; + interface $DEV_VPN{ + # allow ssh + daddr proto tcp dport ssh DROP; + # respond to ping + proto icmp icmp-type echo-request ACCEPT; + } +} chain FORWARD { policy ACCEPT;
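Review bot: `chain OUTPUT {policy ACCEPT;` in the ferm.conf.r-vp1 OUTPUT hunk puts the opening brace and the policy on one line, unlike `chain FORWARD {` / `policy ACCEPT;` two lines below and the layout used in ferm-vp1.conf; splitting it into `chain OUTPUT {` and `    policy ACCEPT;` keeps the three files consistent and makes the new `interface $DEV_VPN{` nesting easier to read. A space before the brace in `interface $DEV_VPN {` would likewise match the existing `interface $DEV_WORLD {` in the same file.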
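Review bot: In the ferm.conf.r-vp2 INPUT hunk the comment `# disallow ssh` is followed by `saddr proto tcp dport ssh ACCEPT;`, and in the OUTPUT hunk of the same file `# allow ssh` is followed by `daddr proto tcp dport ssh DROP;`, so in both places the comment and the verdict contradict each other. Since ferm.conf.r-vp1 gets the mirror image (DROP inbound, ACCEPT outbound over wg0), the verdicts here look deliberate — vp2 accepting ssh initiated by vp1 over the tunnel — and it is the copied comments that should change, to `# allow ssh arriving over the VPN` and `# disallow ssh leaving over the VPN`; if instead the verdicts are the mistake, this is an inbound ssh accept on the tunnel that was meant to be a drop, so it should be confirmed either way. The OUTPUT hunk also closes the chain with a bare `+}` where the other files write `}#FIN OUTPUT`.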