gsb/gsb2024
3
3
Fork 0
Code Issues 2 Pull Requests Packages Projects Releases 3 Wiki Activity

Premier commit

Browse Source
This commit is contained in:
phil
2023-12-18 23:20:30 +01:00
parent ec25c6dba9
commit 62ef5fa4e9
577 changed files with 46490 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
roles/fw-ferm/README.md Normal file
View File

@@ -0,0 +1,23 @@
# [Ferm](http://ferm.foo-projects.org/)
Modifier l'execution d'iptables [plus d'info ici](https://wiki.debian.org/iptables)
```shell
update-alternatives --set iptables /usr/sbin/iptables-legacy
```
Pour tester utiliser [Nmap](https://nmap.org/man/fr/man-briefoptions.html)
### r-vp1
```shell
sudo nmap -p51820 192.168.0.51
```
### r-vp2
```shell
sudo nmap -p51820 192.168.0.52
```
### Sortie :
```
`PORT STATE SERVICE
51820/tcp filtered unknown`
```
Faire des ping!

69
roles/fw-ferm/files/ferm.conf.r-vp1 Normal file
View File

@@ -0,0 +1,69 @@
# -*- shell-script -*-
#
# Ferm script r-vp1
@def $DEV_PRIVATE = enp0s8;
@def $DEV_WORLD = enp0s9;
@def $DEV_WORLD = enp0s9;
@def $DEV_VPN= wg0;
@def $NET_PRIVATE = 172.16.0.0/24;
table filter {
chain (INPUT OUTPUT){
# allow VPN
proto udp dport 51820 ACCEPT;
}
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local connections
interface lo ACCEPT;
# respond to ping
proto icmp icmp-type echo-request ACCEPT;
# allow SSH connections from the private network and from some
# well-known internet hosts
saddr ($NET_PRIVATE) proto tcp dport ssh ACCEPT;
# we provide DNS and SMTP services for the internal net
interface $DEV_PRIVATE saddr $NET_PRIVATE {
proto (udp tcp) dport domain ACCEPT;
proto udp dport bootps ACCEPT;
}
# the rest is dropped by the above policy
}#FIN INPUT
# outgoing connections are not limited
chain OUTPUT {
policy ACCEPT;
}#FIN OUTPUT
chain FORWARD {
policy ACCEPT;
proto icmp icmp-type echo-request ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# connections from the internal net to the internet or to other
# internal nets are allowed
interface $DEV_PRIVATE ACCEPT;
interface $DEV_VPN daddr $NET_PRIVATE {
proto tcp dport ssh DROP;
}
# the rest is dropped by the above policy
}
}

68
roles/fw-ferm/files/ferm.conf.r-vp2 Normal file
View File

@@ -0,0 +1,68 @@
# -*- shell-script -*-
#
# Ferm script r-vp2
@def $DEV_PRIVATE = enp0s9;
@def $DEV_WORLD = enp0s8;
@def $DEV_VPN= wg0;
@def $NET_PRIVATE = 172.16.0.0/24;
table filter {
chain (INPUT OUTPUT){
# allow VPN
proto udp dport 51820 ACCEPT;
}
chain INPUT {
policy DROP;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# allow local connections
interface lo ACCEPT;
# respond to ping
proto icmp icmp-type echo-request ACCEPT;
# allow SSH connections from the private network and from some
# well-known internet hosts
saddr ($NET_PRIVATE) proto tcp dport ssh ACCEPT;
# we provide DNS and SMTP services for the internal net
interface $DEV_PRIVATE saddr $NET_PRIVATE {
proto (udp tcp) dport domain ACCEPT;
proto udp dport bootps ACCEPT;
}
# interface réseau
interface $DEV_WORLD {
}
# the rest is dropped by the above policy
}#FIN INPUT
# outgoing connections are not limited
chain OUTPUT {
policy ACCEPT;
}
chain FORWARD {
policy ACCEPT;
proto icmp icmp-type echo-request ACCEPT;
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
# connections from the internal net to the internet or to other
# internal nets are allowed
interface $DEV_PRIVATE ACCEPT;
interface $DEV_VPN daddr $NET_PRIVATE {
proto tcp dport ssh DROP;
}
# the rest is dropped by the above policy
}
}

15
roles/fw-ferm/tasks/main.yml Normal file
View File

@@ -0,0 +1,15 @@
---
- name: installation de ferm
apt:
name: ferm
state: present
- name: copie du ferm.conf
copy:
src: ferm.conf.{{ ansible_hostname }}
dest: /etc/ferm/ferm.conf
- name: redemarage service ferm
ansible.builtin.service:
name: ferm.service
state: restarted