renommé : TP04/Scripts/.bash_history -> sio1/TP04/Scripts/.bash_history
renommé : TP04/Scripts/.bashrc -> sio1/TP04/Scripts/.bashrc renommé : TP04/Scripts/.lesshst -> sio1/TP04/Scripts/.lesshst renommé : TP04/Scripts/.profile -> sio1/TP04/Scripts/.profile renommé : TP04/Scripts/.ssh/id_rsa -> sio1/TP04/Scripts/.ssh/id_rsa renommé : TP04/Scripts/.ssh/id_rsa.pub -> sio1/TP04/Scripts/.ssh/id_rsa.pub renommé : TP04/Scripts/.ssh/known_hosts -> sio1/TP04/Scripts/.ssh/known_hosts renommé : TP04/Scripts/.ssh/known_hosts.old -> sio1/TP04/Scripts/.ssh/known_hosts.old renommé : TP04/Scripts/LeScript.sh -> sio1/TP04/Scripts/LeScript.sh renommé : TP04/Scripts/Users.csv -> sio1/TP04/Scripts/Users.csv renommé : TP04/Scripts/createLogins.sh -> sio1/TP04/Scripts/createLogins.sh renommé : TP04/Scripts/createUsers.sh -> sio1/TP04/Scripts/createUsers.sh renommé : TP04/Scripts/logins.csv -> sio1/TP04/Scripts/logins.csv renommé : TP04/Scripts/testlogin.csv -> sio1/TP04/Scripts/testlogin.csv renommé : siotp/sisr1/TP7/scriptsnft/current_ruleset.nft -> sio1/siotp/sisr1/TP7/scriptsnft/current_ruleset.nft renommé : siotp/sisr1/TP7/scriptsnft/fw_part1.nft -> sio1/siotp/sisr1/TP7/scriptsnft/fw_part1.nft renommé : siotp/sisr1/TP7/scriptsnft/fw_part2.nft -> sio1/siotp/sisr1/TP7/scriptsnft/fw_part2.nft renommé : siotp/sisr1/TP7/scriptsnft/fw_part3.nft -> sio1/siotp/sisr1/TP7/scriptsnft/fw_part3.nft renommé : siotp/sisr1/TP7/scriptsnft/fw_part4.nft -> sio1/siotp/sisr1/TP7/scriptsnft/fw_part4.nft renommé : siotp/sisr1/TP7/scriptsnft/fw_part5.nft -> sio1/siotp/sisr1/TP7/scriptsnft/fw_part5.nft renommé : siotp/sisr1/TP7/scriptsnft/fw_part6.nft -> sio1/siotp/sisr1/TP7/scriptsnft/fw_part6.nft renommé : siotp/sisr1/TP7/scriptsnft/fw_part7.nft -> sio1/siotp/sisr1/TP7/scriptsnft/fw_part7.nft renommé : siotp/sisr1/TP7/scriptsnft/old-current_ruleset.nft -> sio1/siotp/sisr1/TP7/scriptsnft/old-current_ruleset.nft renommé : siotp/sisr1/TP7/scriptsnft/refresh_firewall.sh -> sio1/siotp/sisr1/TP7/scriptsnft/refresh_firewall.sh renommé : siotp/sisr1/tp01-02/srv-dhcp/dhcpd.conf -> sio1/siotp/sisr1/tp01-02/srv-dhcp/dhcpd.conf renommé : siotp/sisr1/tp01-02/srv-dhcp/hosts -> sio1/siotp/sisr1/tp01-02/srv-dhcp/hosts renommé : siotp/sisr1/tp01-02/srv-dhcp/interfaces -> sio1/siotp/sisr1/tp01-02/srv-dhcp/interfaces renommé : siotp/sisr1/tp01-02/srv-dhcp/isc-dhcp-server -> sio1/siotp/sisr1/tp01-02/srv-dhcp/isc-dhcp-server renommé : siotp/sisr1/tp01-02/srv-dhcp/nat.sh -> sio1/siotp/sisr1/tp01-02/srv-dhcp/nat.sh renommé : siotp/sisr1/tp01-02/srv-dns1/db.sio1lab.lan -> sio1/siotp/sisr1/tp01-02/srv-dns1/db.sio1lab.lan renommé : siotp/sisr1/tp01-02/srv-dns1/db.sio1lab.lan.rev -> sio1/siotp/sisr1/tp01-02/srv-dns1/db.sio1lab.lan.rev renommé : siotp/sisr1/tp01-02/srv-dns1/named.conf -> sio1/siotp/sisr1/tp01-02/srv-dns1/named.conf renommé : siotp/sisr1/tp01-02/srv-dns1/named.conf.local -> sio1/siotp/sisr1/tp01-02/srv-dns1/named.conf.local renommé : siotp/sisr1/tp01-02/srv-dns1/named.conf.options -> sio1/siotp/sisr1/tp01-02/srv-dns1/named.conf.options renommé : siotp/sisr1/tp01-02/srv-dns2/db.sio1lab.lan -> sio1/siotp/sisr1/tp01-02/srv-dns2/db.sio1lab.lan renommé : siotp/sisr1/tp01-02/srv-dns2/db.sio1lab.lan.rev -> sio1/siotp/sisr1/tp01-02/srv-dns2/db.sio1lab.lan.rev renommé : siotp/sisr1/tp01-02/srv-dns2/named.conf.default-zones -> sio1/siotp/sisr1/tp01-02/srv-dns2/named.conf.default-zones renommé : siotp/sisr1/tp01-02/srv-dns2/named.conf.local -> sio1/siotp/sisr1/tp01-02/srv-dns2/named.conf.local renommé : siotp/sisr1/tp01-02/srv-dns2/named.conf.options -> sio1/siotp/sisr1/tp01-02/srv-dns2/named.conf.options renommé : siotp/sisr1/tp03/srv-admin/interfaces -> sio1/siotp/sisr1/tp03/srv-admin/interfaces renommé : siotp/sisr1/tp03/srv-admin/nat.sh -> sio1/siotp/sisr1/tp03/srv-admin/nat.sh renommé : siotp/sisr1/tp03/srv-dns2/bind/db.monlabo.lan -> sio1/siotp/sisr1/tp03/srv-dns2/bind/db.monlabo.lan renommé : siotp/sisr1/tp03/srv-dns2/bind/db.monlabo.lan.rev -> sio1/siotp/sisr1/tp03/srv-dns2/bind/db.monlabo.lan.rev renommé : siotp/sisr1/tp03/srv-dns2/bind/named.conf.local -> sio1/siotp/sisr1/tp03/srv-dns2/bind/named.conf.local renommé : siotp/sisr1/tp03/srv-dns2/bind/named.conf.options -> sio1/siotp/sisr1/tp03/srv-dns2/bind/named.conf.options renommé : siotp/sisr1/tp03/srv-service/bind/db.monlabo.lan -> sio1/siotp/sisr1/tp03/srv-service/bind/db.monlabo.lan renommé : siotp/sisr1/tp03/srv-service/bind/db.monlabo.lan.rev -> sio1/siotp/sisr1/tp03/srv-service/bind/db.monlabo.lan.rev renommé : siotp/sisr1/tp03/srv-service/bind/named.conf.local -> sio1/siotp/sisr1/tp03/srv-service/bind/named.conf.local renommé : siotp/sisr1/tp03/srv-service/bind/named.conf.options -> sio1/siotp/sisr1/tp03/srv-service/bind/named.conf.options renommé : siotp/sisr1/tp03/srv-service/dhcp/dhcpd.conf -> sio1/siotp/sisr1/tp03/srv-service/dhcp/dhcpd.conf renommé : siotp/sisr1/tp4/Users.csv -> sio1/siotp/sisr1/tp4/Users.csv renommé : siotp/sisr1/tp4/createLogins.sh -> sio1/siotp/sisr1/tp4/createLogins.sh renommé : siotp/sisr1/tp4/logins.csv -> sio1/siotp/sisr1/tp4/logins.csv renommé : squid/conf.d/debian.conf -> sio1/squid/conf.d/debian.conf renommé : squid/errorpage.css -> sio1/squid/errorpage.css renommé : squid/passwords -> sio1/squid/passwords renommé : squid/squid.conf -> sio1/squid/squid.conf renommé : squid/squid.conf.old -> sio1/squid/squid.conf.old renommé : squid/users -> sio1/squid/users
This commit is contained in:
Jarod Pauchet
215
sio1/siotp/sisr1/TP7/scriptsnft/current_ruleset.nft
Normal file
215
sio1/siotp/sisr1/TP7/scriptsnft/current_ruleset.nft
Normal file
@@ -0,0 +1,215 @@
|
||||
# Définition des interfaces avec un nom
|
||||
define netif = enp0s3
|
||||
define dmzif = enp0s8
|
||||
define lanif = enp0s9
|
||||
|
||||
# Définition de l'IP du serveur web
|
||||
define srv = 172.16.0.1
|
||||
|
||||
# Définition du réseau LAN
|
||||
define lan-ntw = 10.0.0.0/24
|
||||
|
||||
# Définition de l'IP du proxy, du DNS, du port du proxy et du réseau DMZ pour ne pas à tout retaper
|
||||
define proxy = 10.121.38.1
|
||||
define dns = {10.121.38.7 , 10.121.38.8}
|
||||
define proxyport = 8080
|
||||
define dmznet = 172.16.0.1-172.16.0.254
|
||||
|
||||
# Définition des IPs des cartes de la machine firewall
|
||||
define firewall = 192.168.0.120
|
||||
define ipdmz = 172.16.0.254
|
||||
define iplan = 10.0.0.254
|
||||
|
||||
table ip ipfilter{
|
||||
|
||||
chain prerouting {
|
||||
type filter hook prerouting priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Accepte les réponses ping
|
||||
icmp type echo-reply accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ
|
||||
icmp type echo-request iif {$lanif} ip daddr $dmznet accept
|
||||
|
||||
#Même chose que plus haut, mais à destination de l'IP de la carte LAN du firewall
|
||||
icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
|
||||
|
||||
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
|
||||
#Autorise les requêtes HTTP/HTTPS venant de la LAN
|
||||
tcp dport {80, 443} ip saddr $lan-ntw accept
|
||||
tcp sport {80, 443} ip saddr $lan-ntw accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp dport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS depuis la DMZ et le LAN
|
||||
udp sport 53 iif {$dmzif, $lanif} accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes provenant du proxy avec ports HTTP/HTTPS
|
||||
ip saddr $proxy tcp dport {80, 443} accept
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
}
|
||||
|
||||
chain system_in {
|
||||
type filter hook input priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Accepte les réponses ping
|
||||
icmp type echo-reply accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN
|
||||
icmp type echo-request iif {$lanif} accept
|
||||
|
||||
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
|
||||
#Autorise les requêtes HTTP/HTTPS
|
||||
tcp dport {80, 443} accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp dport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS
|
||||
udp sport 53 accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes provenant du proxy avec ports HTTP/HTTPS
|
||||
ip saddr $proxy tcp dport {80, 443} accept
|
||||
}
|
||||
|
||||
chain routing {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
|
||||
#Même chose que plus haut, mais à destination de l'IP de la carte LAN du firewall
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
|
||||
#Autorise les requêtes HTTP/HTTPS venant de la LAN
|
||||
tcp dport {80, 443} ip saddr $lan-ntw accept
|
||||
tcp sport {80, 443} ip saddr $lan-ntw accept
|
||||
|
||||
#Autorise le port forwarding pour la DMZ pour HTTP/HTTPS
|
||||
tcp dport {80, 443} ip saddr $srv accept
|
||||
|
||||
#Autorise les requêtes DNS depuis la DMZ et le LAN
|
||||
udp sport 53 iif {$lanif, $dmzif} accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
}
|
||||
|
||||
chain system_out {
|
||||
type filter hook output priority filter; policy drop;
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
|
||||
#Autorise les requêtes provenant du proxy, depuis le port 8080
|
||||
ip daddr $proxy tcp dport $proxyport accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN
|
||||
icmp type echo-reply oif {$lanif} accept
|
||||
|
||||
#Accepte les requêtes ping
|
||||
icmp type echo-request accept
|
||||
|
||||
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
|
||||
#Autorise les requêtes provenant des ports HTTP/HTTPS
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp sport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS
|
||||
udp sport 53 accept
|
||||
udp dport 53 accept
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type filter hook postrouting priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
|
||||
#Autorise les requêtes allant vers le proxy avec le port 8080
|
||||
ip daddr $proxy tcp dport $proxyport accept
|
||||
|
||||
#Autorise les requêtes ping venant des cartes LAN, DMZ et la carte en pont du firewall
|
||||
icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
|
||||
|
||||
#Autorise les réponses ping si elles viennent de la DMZ à destination du LAN
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
|
||||
#Autorise les requêtes ping venant de la LAN à destination de la DMZ
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
|
||||
#Autorise les requêtes ping ayant le LAN pour origine, à destination de la carte LAN du firewall
|
||||
icmp type echo-request ip saddr $iplan oif $lanif accept
|
||||
|
||||
#Autorise les requêtes FTP
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
|
||||
#Autorise les requêtes ayant pour ports HTTP et HTTPS comme ports de destination et de source
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp sport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS
|
||||
udp sport 53 accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes provenant du DNS
|
||||
ip daddr $dns accept
|
||||
}
|
||||
|
||||
chain pre_nat {
|
||||
type nat hook prerouting priority filter; policy accept;
|
||||
|
||||
#Autorise les requêtes HTTP vers la carte LAN du firewall
|
||||
tcp dport 80 ip daddr $firewall dnat $srv:80
|
||||
#Même chose mais pour HTTPS
|
||||
tcp dport 443 ip daddr $firewall dnat $srv:443
|
||||
}
|
||||
|
||||
chain post_nat {
|
||||
type nat hook postrouting priority filter; policy accept;
|
||||
|
||||
#Autorise la NAT à destination du firewall si la requête vient du LAN et part vers Internet
|
||||
ip saddr $lan-ntw oif $netif snat $firewall
|
||||
|
||||
#Même chose, mais si la requête provient de la DMZ
|
||||
ip saddr $dmznet oif $netif snat $firewall
|
||||
}
|
||||
}
|
||||
18
sio1/siotp/sisr1/TP7/scriptsnft/fw_part1.nft
Normal file
18
sio1/siotp/sisr1/TP7/scriptsnft/fw_part1.nft
Normal file
@@ -0,0 +1,18 @@
|
||||
define netif = enp0s3
|
||||
define dmzif = enp0s8
|
||||
define lanif = enp0s9
|
||||
|
||||
|
||||
table ip ipfilter {
|
||||
chain routing {
|
||||
type filter hook forward priority filter; policy accept;
|
||||
icmp type echo-request iif { "$netif", "$dmzif" } drop
|
||||
icmp type { echo-reply, echo-request } accept
|
||||
drop
|
||||
}
|
||||
|
||||
chain system_in {
|
||||
type filter hook input priority filter; policy accept;
|
||||
icmp type echo-request iif { "$netif", "$dmzif" } drop
|
||||
}
|
||||
}
|
||||
34
sio1/siotp/sisr1/TP7/scriptsnft/fw_part2.nft
Normal file
34
sio1/siotp/sisr1/TP7/scriptsnft/fw_part2.nft
Normal file
@@ -0,0 +1,34 @@
|
||||
define netif = enp0s3
|
||||
define dmzif = enp0s8
|
||||
define lanif = enp0s9
|
||||
|
||||
|
||||
table ip ipfilter {
|
||||
|
||||
chain prerouting {
|
||||
type filter hook prerouting priority filter; policy drop;
|
||||
tcp dport 22 accept
|
||||
}
|
||||
|
||||
chain routing {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
icmp type echo-request iif { $netif, $dmzif } drop
|
||||
icmp type { echo-reply, echo-request } accept
|
||||
}
|
||||
|
||||
chain system_in {
|
||||
type filter hook input priority filter; policy drop;
|
||||
icmp type echo-request iif { $netif, $dmzif } drop
|
||||
tcp dport 22 accept
|
||||
}
|
||||
|
||||
chain system_out {
|
||||
type filter hook output priority filter; policy drop;
|
||||
tcp sport 22 accept
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type filter hook postrouting priority filter; policy drop;
|
||||
tcp sport 22 accept
|
||||
}
|
||||
}
|
||||
41
sio1/siotp/sisr1/TP7/scriptsnft/fw_part3.nft
Normal file
41
sio1/siotp/sisr1/TP7/scriptsnft/fw_part3.nft
Normal file
@@ -0,0 +1,41 @@
|
||||
define netif = enp0s3
|
||||
define dmzif = enp0s8
|
||||
define lanif = enp0s9
|
||||
define netip = 192.168.0.140
|
||||
define dmzip = 172.16.0.254
|
||||
define lanip = 10.0.0.254
|
||||
|
||||
table ip ipfilter{
|
||||
chain prerouting {
|
||||
type filter hook prerouting priority filter; policy drop;
|
||||
icmp type echo-request iif $lanif ip daddr 172.16.0.1-172.16.0.254 accept
|
||||
icmp type echo-request iif $lanif ip daddr $lanip accept
|
||||
icmp type echo-reply accept
|
||||
tcp dport 22 accept
|
||||
}
|
||||
chain system_in {
|
||||
type filter hook input priority filter; policy drop;
|
||||
icmp type echo-request iif $lanif accept
|
||||
icmp type echo-reply accept
|
||||
tcp dport 22 accept
|
||||
}
|
||||
chain routing {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
icmp type echo-request iif $lanif oif $dmzif accept
|
||||
icmp type echo-reply iif $dmzif oif $lanif accept
|
||||
}
|
||||
chain system_out {
|
||||
type filter hook output priority filter; policy drop;
|
||||
icmp type echo-request accept
|
||||
icmp type echo-reply oif $lanif accept
|
||||
tcp sport 22 accept
|
||||
}
|
||||
chain postrouting {
|
||||
type filter hook postrouting priority filter; policy drop;
|
||||
icmp type echo-request ip saddr {$lanip , $dmzip , $netip } accept
|
||||
icmp type echo-request iif $lanif oif $dmzif accept
|
||||
icmp type echo-reply iif $dmzif oif $lanif accept
|
||||
icmp type echo-reply ip saddr $lanip oif $lanif accept
|
||||
tcp sport 22 accept
|
||||
}
|
||||
}
|
||||
68
sio1/siotp/sisr1/TP7/scriptsnft/fw_part4.nft
Normal file
68
sio1/siotp/sisr1/TP7/scriptsnft/fw_part4.nft
Normal file
@@ -0,0 +1,68 @@
|
||||
define netif = enp0s3
|
||||
define dmzif = enp0s8
|
||||
define lanif = enp0s9
|
||||
|
||||
define firewall = 192.168.0.140
|
||||
define ipdmz = 172.16.0.254
|
||||
define iplan = 10.0.0.254
|
||||
|
||||
table ip ipfilter{
|
||||
chain prerouting {
|
||||
type filter hook prerouting priority filter; policy drop;
|
||||
icmp type echo-reply accept
|
||||
ct state established, related accept
|
||||
icmp type echo-request iif {$lanif} ip daddr 172.16.0.1-172.16.0.254 accept
|
||||
icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp dport 22 accept
|
||||
ip saddr 10.121.38.1 tcp dport {80, 443} accept
|
||||
}
|
||||
chain system_in {
|
||||
type filter hook input priority filter; policy drop;
|
||||
icmp type echo-reply accept
|
||||
icmp type echo-request iif {$lanif} accept
|
||||
ct state established, related accept
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp dport 22 accept
|
||||
ip saddr 10.121.38.1 tcp dport {80, 443} accept
|
||||
}
|
||||
chain routing {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
}
|
||||
chain system_out {
|
||||
type filter hook output priority filter; policy drop;
|
||||
ip daddr 10.121.38.7-10.121.38.8 accept
|
||||
ip daddr 10.121.38.1 tcp dport 8080 accept
|
||||
icmp type echo-reply oif {$lanif} accept
|
||||
icmp type echo-request accept
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
tcp sport 22 accept
|
||||
}
|
||||
chain postrouting {
|
||||
type filter hook postrouting priority filter; policy drop;
|
||||
ip daddr 10.121.38.7-10.121.38.8 accept
|
||||
ip daddr 10.121.38.1 tcp dport 8080 accept
|
||||
icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
icmp type echo-request ip saddr $iplan oif $lanif accept
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
tcp sport 22 accept
|
||||
}
|
||||
}
|
||||
94
sio1/siotp/sisr1/TP7/scriptsnft/fw_part5.nft
Normal file
94
sio1/siotp/sisr1/TP7/scriptsnft/fw_part5.nft
Normal file
@@ -0,0 +1,94 @@
|
||||
define netif = enp0s3
|
||||
define dmzif = enp0s8
|
||||
define lanif = enp0s9
|
||||
|
||||
define firewall = 192.168.0.140
|
||||
define ipdmz = 172.16.0.254
|
||||
define iplan = 10.0.0.254
|
||||
|
||||
define lan-ntw = 10.0.0.0/24
|
||||
|
||||
define dns-server = {10.121.38.7 , 10.121.38.8}
|
||||
|
||||
define proxy-lyc = 10.121.38.1
|
||||
define proxy-port = 8080
|
||||
|
||||
table ip ipfilter{
|
||||
chain prerouting {
|
||||
type filter hook prerouting priority filter; policy drop;
|
||||
icmp type echo-reply accept
|
||||
ct state established, related accept
|
||||
icmp type echo-request iif {$lanif} ip daddr 172.16.0.1-172.16.0.254 accept
|
||||
icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp dport 22 accept
|
||||
ip saddr $proxy-lyc tcp dport {80, 443} accept
|
||||
ct state {established,related} accept
|
||||
tcp sport {80,443} ip saddr $lan-ntw accept
|
||||
tcp dport {80,443} ip saddr $lan-ntw accept
|
||||
}
|
||||
|
||||
chain system_in {
|
||||
type filter hook input priority filter; policy drop;
|
||||
icmp type echo-reply accept
|
||||
icmp type echo-request iif {$lanif} accept
|
||||
ct state established, related accept
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp dport 22 accept
|
||||
ip saddr $proxy-lyc tcp dport {80, 443} accept
|
||||
}
|
||||
chain routing {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
ct state {established,related} accept
|
||||
tcp sport {80,443} ip saddr $lan-ntw accept
|
||||
tcp dport {80,443} ip saddr $lan-ntw accept
|
||||
}
|
||||
|
||||
chain system_out {
|
||||
type filter hook output priority filter; policy drop;
|
||||
ip daddr $dns-server accept
|
||||
ip daddr $proxy-lyc tcp dport $proxy-port accept
|
||||
icmp type echo-reply oif {$lanif} accept
|
||||
icmp type echo-request accept
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
tcp sport 22 accept
|
||||
}
|
||||
chain postrouting {
|
||||
type filter hook postrouting priority filter; policy drop;
|
||||
ip daddr $dns-server accept
|
||||
ip daddr $proxy-lyc tcp dport $proxy-port accept
|
||||
icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
icmp type echo-request ip saddr $iplan oif $lanif accept
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
tcp sport 22 accept
|
||||
ct state {established,related} accept
|
||||
}
|
||||
}
|
||||
table ip nat {
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority filter; policy accept;
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority filter; policy accept;
|
||||
ip saddr $lan-ntw oif $netif snat $firewall
|
||||
}
|
||||
}
|
||||
200
sio1/siotp/sisr1/TP7/scriptsnft/fw_part6.nft
Normal file
200
sio1/siotp/sisr1/TP7/scriptsnft/fw_part6.nft
Normal file
@@ -0,0 +1,200 @@
|
||||
# Définition des interfaces avec un nom
|
||||
define netif = enp0s3
|
||||
define dmzif = enp0s8
|
||||
define lanif = enp0s9
|
||||
|
||||
# Définition du réseau LAN
|
||||
define lan-ntw = 10.0.0.0/24
|
||||
|
||||
# Définition de l'IP du proxy, du DNS, du port du proxy et du réseau DMZ pour ne pas à tout retaper
|
||||
define proxy = 10.121.38.1
|
||||
define dns = {10.121.38.7 , 10.121.38.8}
|
||||
define proxyport = 8080
|
||||
define dmznet = 172.16.0.1-172.16.0.254
|
||||
|
||||
# Définition des IPs des cartes de la machine firewall
|
||||
define firewall = 192.168.0.140
|
||||
define ipdmz = 172.16.0.254
|
||||
define iplan = 10.0.0.254
|
||||
|
||||
table ip ipfilter{
|
||||
|
||||
chain prerouting {
|
||||
type filter hook prerouting priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Accepte les réponses ping
|
||||
icmp type echo-reply accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ
|
||||
icmp type echo-request iif {$lanif} ip daddr $dmznet accept
|
||||
|
||||
#Même chose que plus haut, mais à destination de l'IP de la carte LAN du firewall
|
||||
icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
|
||||
|
||||
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
|
||||
#Autorise les requêtes HTTP/HTTPS venant de la LAN
|
||||
tcp dport {80, 443} ip saddr $lan-ntw accept
|
||||
tcp sport {80, 443} ip saddr $lan-ntw accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp dport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS depuis la DMZ et le LAN
|
||||
udp sport 53 iif {$dmzif, $lanif} accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes provenant du proxy avec ports HTTP/HTTPS
|
||||
ip saddr $proxy tcp dport {80, 443} accept
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
}
|
||||
|
||||
chain system_in {
|
||||
type filter hook input priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Accepte les réponses ping
|
||||
icmp type echo-reply accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN
|
||||
icmp type echo-request iif {$lanif} accept
|
||||
|
||||
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
|
||||
#Autorise les requêtes HTTP/HTTPS
|
||||
tcp dport {80, 443} accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp dport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS
|
||||
udp sport 53 accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes provenant du proxy avec ports HTTP/HTTPS
|
||||
ip saddr $proxy tcp dport {80, 443} accept
|
||||
}
|
||||
|
||||
chain routing {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
|
||||
#Même chose que plus haut, mais à destination de l'IP de la carte LAN du firewall
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
|
||||
#Autorise les requêtes HTTP/HTTPS venant de la LAN
|
||||
tcp dport {80, 443} ip saddr $lan-ntw accept
|
||||
tcp sport {80, 443} ip saddr $lan-ntw accept
|
||||
|
||||
#Autorise les requêtes DNS depuis la DMZ et le LAN
|
||||
udp sport 53 iif {$lanif, $dmzif} accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
}
|
||||
|
||||
chain system_out {
|
||||
type filter hook output priority filter; policy drop;
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
|
||||
#Autorise les requêtes provenant du proxy, depuis le port 8080
|
||||
ip daddr $proxy tcp dport $proxyport accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN
|
||||
icmp type echo-reply oif {$lanif} accept
|
||||
|
||||
#Accepte les requêtes ping
|
||||
icmp type echo-request accept
|
||||
|
||||
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
|
||||
#Autorise les requêtes provenant des ports HTTP/HTTPS
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp sport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS
|
||||
udp sport 53 accept
|
||||
udp dport 53 accept
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type filter hook postrouting priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
|
||||
#Autorise les requêtes allant vers le proxy avec le port 8080
|
||||
ip daddr $proxy tcp dport $proxyport accept
|
||||
|
||||
#Autorise les requêtes ping venant des cartes LAN, DMZ et la carte en pont du firewall
|
||||
icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
|
||||
|
||||
#Autorise les réponses ping si elles viennent de la DMZ à destination du LAN
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
|
||||
#Autorise les requêtes ping venant de la LAN à destination de la DMZ
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
|
||||
#Autorise les requêtes ping ayant le LAN pour origine, à destination de la carte LAN du firewall
|
||||
icmp type echo-request ip saddr $iplan oif $lanif accept
|
||||
|
||||
#Autorise les requêtes FTP
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
|
||||
#Autorise les requêtes ayant pour ports HTTP et HTTPS comme ports de destination et de source
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp sport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS
|
||||
udp sport 53 accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes provenant du DNS
|
||||
ip daddr $dns accept
|
||||
}
|
||||
|
||||
chain pre_nat {
|
||||
type nat hook prerouting priority filter; policy accept;
|
||||
}
|
||||
|
||||
chain post_nat {
|
||||
type nat hook postrouting priority filter; policy accept;
|
||||
ip saddr $lan-ntw oif $netif snat $firewall
|
||||
ip saddr $dmznet oif $netif snat $firewall
|
||||
}
|
||||
}
|
||||
215
sio1/siotp/sisr1/TP7/scriptsnft/fw_part7.nft
Normal file
215
sio1/siotp/sisr1/TP7/scriptsnft/fw_part7.nft
Normal file
@@ -0,0 +1,215 @@
|
||||
# Définition des interfaces avec un nom
|
||||
define netif = enp0s3
|
||||
define dmzif = enp0s8
|
||||
define lanif = enp0s9
|
||||
|
||||
# Définition de l'IP du serveur web
|
||||
define srv = 172.16.0.1
|
||||
|
||||
# Définition du réseau LAN
|
||||
define lan-ntw = 10.0.0.0/24
|
||||
|
||||
# Définition de l'IP du proxy, du DNS, du port du proxy et du réseau DMZ pour ne pas à tout retaper
|
||||
define proxy = 10.121.38.1
|
||||
define dns = {10.121.38.7 , 10.121.38.8}
|
||||
define proxyport = 8080
|
||||
define dmznet = 172.16.0.1-172.16.0.254
|
||||
|
||||
# Définition des IPs des cartes de la machine firewall
|
||||
define firewall = 192.168.0.140
|
||||
define ipdmz = 172.16.0.254
|
||||
define iplan = 10.0.0.254
|
||||
|
||||
table ip ipfilter{
|
||||
|
||||
chain prerouting {
|
||||
type filter hook prerouting priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Accepte les réponses ping
|
||||
icmp type echo-reply accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ
|
||||
icmp type echo-request iif {$lanif} ip daddr $dmznet accept
|
||||
|
||||
#Même chose que plus haut, mais à destination de l'IP de la carte LAN du firewall
|
||||
icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
|
||||
|
||||
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
|
||||
#Autorise les requêtes HTTP/HTTPS venant de la LAN
|
||||
tcp dport {80, 443} ip saddr $lan-ntw accept
|
||||
tcp sport {80, 443} ip saddr $lan-ntw accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp dport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS depuis la DMZ et le LAN
|
||||
udp sport 53 iif {$dmzif, $lanif} accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes provenant du proxy avec ports HTTP/HTTPS
|
||||
ip saddr $proxy tcp dport {80, 443} accept
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
}
|
||||
|
||||
chain system_in {
|
||||
type filter hook input priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Accepte les réponses ping
|
||||
icmp type echo-reply accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN
|
||||
icmp type echo-request iif {$lanif} accept
|
||||
|
||||
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
|
||||
#Autorise les requêtes HTTP/HTTPS
|
||||
tcp dport {80, 443} accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp dport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS
|
||||
udp sport 53 accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes provenant du proxy avec ports HTTP/HTTPS
|
||||
ip saddr $proxy tcp dport {80, 443} accept
|
||||
}
|
||||
|
||||
chain routing {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
|
||||
#Même chose que plus haut, mais à destination de l'IP de la carte LAN du firewall
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
|
||||
#Autorise les requêtes HTTP/HTTPS venant de la LAN
|
||||
tcp dport {80, 443} ip saddr $lan-ntw accept
|
||||
tcp sport {80, 443} ip saddr $lan-ntw accept
|
||||
|
||||
#Autorise le port forwarding pour la DMZ pour HTTP/HTTPS
|
||||
tcp dport {80, 443} ip saddr $srv accept
|
||||
|
||||
#Autorise les requêtes DNS depuis la DMZ et le LAN
|
||||
udp sport 53 iif {$lanif, $dmzif} accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
}
|
||||
|
||||
chain system_out {
|
||||
type filter hook output priority filter; policy drop;
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
|
||||
#Autorise les requêtes provenant du proxy, depuis le port 8080
|
||||
ip daddr $proxy tcp dport $proxyport accept
|
||||
|
||||
#Accepte les requêtes de ping si elles viennent du LAN
|
||||
icmp type echo-reply oif {$lanif} accept
|
||||
|
||||
#Accepte les requêtes ping
|
||||
icmp type echo-request accept
|
||||
|
||||
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
|
||||
#Autorise les requêtes provenant des ports HTTP/HTTPS
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp sport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS
|
||||
udp sport 53 accept
|
||||
udp dport 53 accept
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type filter hook postrouting priority filter; policy drop;
|
||||
|
||||
#Permet le passage des réponses aux requêtes acceptées
|
||||
ct state established, related accept
|
||||
|
||||
#Autorise les requêtes qui vont vers le serveur DNS
|
||||
ip daddr $dns accept
|
||||
|
||||
#Autorise les requêtes allant vers le proxy avec le port 8080
|
||||
ip daddr $proxy tcp dport $proxyport accept
|
||||
|
||||
#Autorise les requêtes ping venant des cartes LAN, DMZ et la carte en pont du firewall
|
||||
icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
|
||||
|
||||
#Autorise les réponses ping si elles viennent de la DMZ à destination du LAN
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
|
||||
#Autorise les requêtes ping venant de la LAN à destination de la DMZ
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
|
||||
#Autorise les requêtes ping ayant le LAN pour origine, à destination de la carte LAN du firewall
|
||||
icmp type echo-request ip saddr $iplan oif $lanif accept
|
||||
|
||||
#Autorise les requêtes FTP
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
|
||||
#Autorise les requêtes ayant pour ports HTTP et HTTPS comme ports de destination et de source
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
|
||||
#Autorise le SSH
|
||||
tcp sport 22 accept
|
||||
|
||||
#Autorise les requêtes DNS
|
||||
udp sport 53 accept
|
||||
udp dport 53 accept
|
||||
|
||||
#Autorise les requêtes provenant du DNS
|
||||
ip daddr $dns accept
|
||||
}
|
||||
|
||||
chain pre_nat {
|
||||
type nat hook prerouting priority filter; policy accept;
|
||||
|
||||
#Autorise les requêtes HTTP vers la carte LAN du firewall
|
||||
tcp dport 80 ip daddr $firewall dnat $srv:80
|
||||
#Même chose mais pour HTTPS
|
||||
tcp dport 443 ip daddr $firewall dnat $srv:443
|
||||
}
|
||||
|
||||
chain post_nat {
|
||||
type nat hook postrouting priority filter; policy accept;
|
||||
|
||||
#Autorise la NAT à destination du firewall si la requête vient du LAN et part vers Internet
|
||||
ip saddr $lan-ntw oif $netif snat $firewall
|
||||
|
||||
#Même chose, mais si la requête provient de la DMZ
|
||||
ip saddr $dmznet oif $netif snat $firewall
|
||||
}
|
||||
}
|
||||
106
sio1/siotp/sisr1/TP7/scriptsnft/old-current_ruleset.nft
Normal file
106
sio1/siotp/sisr1/TP7/scriptsnft/old-current_ruleset.nft
Normal file
@@ -0,0 +1,106 @@
|
||||
define netif = enp0s3
|
||||
define dmzif = enp0s8
|
||||
define lanif = enp0s9
|
||||
|
||||
define firewall = 192.168.0.140
|
||||
define ipdmz = 172.16.0.254
|
||||
define iplan = 10.0.0.254
|
||||
define ipsrvweb = 172.16.0.1
|
||||
|
||||
define dmznet = 172.16.0.1-172.16.0.254
|
||||
define lan-ntw = 10.0.0.0/24
|
||||
|
||||
define dns-server = {10.121.38.7 , 10.121.38.8}
|
||||
|
||||
define proxy-lyc = 10.121.38.1
|
||||
define proxy-port = 8080
|
||||
|
||||
table ip ipfilter{
|
||||
chain prerouting {
|
||||
type filter hook prerouting priority filter; policy drop;
|
||||
icmp type echo-reply accept
|
||||
ct state established, related accept
|
||||
icmp type echo-request iif {$lanif} ip daddr 172.16.0.1-172.16.0.254 accept
|
||||
icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp dport 22 accept
|
||||
ip saddr $proxy-lyc tcp dport {80, 443} accept
|
||||
ct state {established,related} accept
|
||||
tcp sport {80,443} ip saddr $lan-ntw accept
|
||||
tcp dport {80,443} ip saddr $lan-ntw accept
|
||||
udp dport 53 accept
|
||||
}
|
||||
|
||||
chain system_in {
|
||||
type filter hook input priority filter; policy drop;
|
||||
icmp type echo-reply accept
|
||||
icmp type echo-request iif {$lanif} accept
|
||||
ct state established, related accept
|
||||
tcp dport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp dport 22 accept
|
||||
ip saddr $proxy-lyc tcp dport {80, 443} accept
|
||||
}
|
||||
chain routing {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
ct state {established,related} accept
|
||||
tcp sport {80,443} ip saddr $lan-ntw accept
|
||||
tcp dport {80,443} ip saddr $lan-ntw accept
|
||||
udp dport 53 iif {$lanif, $dmzif} accept
|
||||
# http et https vers srvweb
|
||||
tcp dport {80, 443} ip daddr $ipsrvweb accept
|
||||
}
|
||||
|
||||
chain system_out {
|
||||
type filter hook output priority filter; policy drop;
|
||||
ip daddr $dns-server accept
|
||||
ip daddr $proxy-lyc tcp dport $proxy-port accept
|
||||
icmp type echo-reply oif {$lanif} accept
|
||||
icmp type echo-request accept
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
tcp sport 22 accept
|
||||
udp dport 53 accept
|
||||
}
|
||||
chain postrouting {
|
||||
type filter hook postrouting priority filter; policy drop;
|
||||
ip daddr $dns-server accept
|
||||
ip daddr $proxy-lyc tcp dport $proxy-port accept
|
||||
icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
|
||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||
icmp type echo-request ip saddr $iplan oif $lanif accept
|
||||
tcp dport 20 accept
|
||||
tcp sport 20 accept
|
||||
tcp dport 21 accept
|
||||
tcp sport 21 accept
|
||||
tcp dport {80, 443} accept
|
||||
tcp sport {80, 443} accept
|
||||
tcp sport 22 accept
|
||||
ct state {established,related} accept
|
||||
udp dport 53 accept
|
||||
}
|
||||
}
|
||||
table ip nat {
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority filter; policy accept;
|
||||
# http et https du firewall vers srvweb
|
||||
tcp dport 80 ip daddr $firewall dnat $ipsrvweb:80
|
||||
tcp dport 443 ip daddr $firewall dnat $ipsrvweb:443
|
||||
}
|
||||
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority filter; policy accept;
|
||||
ip saddr $lan-ntw oif $netif snat $firewall
|
||||
ip saddr $dmznet oif $netif snat $firewall
|
||||
}
|
||||
}
|
||||
7
sio1/siotp/sisr1/TP7/scriptsnft/refresh_firewall.sh
Normal file
7
sio1/siotp/sisr1/TP7/scriptsnft/refresh_firewall.sh
Normal file
@@ -0,0 +1,7 @@
|
||||
#!/bin/bash
|
||||
# active le routage entre les interfaces réseau du firewall
|
||||
echo "1" > /proc/sys/net/ipv4/ip_forward
|
||||
#vide les règles actuelles du pare-feu
|
||||
nft flush ruleset
|
||||
#charge les règles du pare-feu présentes dans le fichier
|
||||
nft -f /root/scriptsnft/current_ruleset.nft
|
||||
112
sio1/siotp/sisr1/tp01-02/srv-dhcp/dhcpd.conf
Normal file
112
sio1/siotp/sisr1/tp01-02/srv-dhcp/dhcpd.conf
Normal file
@@ -0,0 +1,112 @@
|
||||
# dhcpd.conf
|
||||
#
|
||||
# Sample configuration file for ISC dhcpd
|
||||
#
|
||||
|
||||
# option definitions common to all supported networks...
|
||||
#option domain-name "example.org";
|
||||
#option domain-name-servers ns1.example.org, ns2.example.org;
|
||||
|
||||
default-lease-time 604800;
|
||||
max-lease-time 604800;
|
||||
|
||||
# The ddns-updates-style parameter controls whether or not the server will
|
||||
# attempt to do a DNS update when a lease is confirmed. We default to the
|
||||
# behavior of the version 2 packages ('none', since DHCP v2 didn't
|
||||
# have support for DDNS.)
|
||||
ddns-update-style none;
|
||||
|
||||
# If this DHCP server is the official DHCP server for the local
|
||||
# network, the authoritative directive should be uncommented.
|
||||
#authoritative;
|
||||
|
||||
# Use this to send dhcp log messages to a different log file (you also
|
||||
# have to hack syslog.conf to complete the redirection).
|
||||
#log-facility local7;
|
||||
|
||||
# No service will be given on this subnet, but declaring it helps the
|
||||
# DHCP server to understand the network topology.
|
||||
|
||||
subnet 192.168.2.0 netmask 255.255.255.0 {
|
||||
range 192.168.2.140 192.168.2.169;
|
||||
}
|
||||
|
||||
host xp-master {
|
||||
hardware ethernet 08:00:27:77:70:0D;
|
||||
fixed-address 192.168.2.222;
|
||||
}
|
||||
# This is a very basic subnet declaration.
|
||||
|
||||
#subnet 10.254.239.0 netmask 255.255.255.224 {
|
||||
# range 10.254.239.10 10.254.239.20;
|
||||
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
|
||||
#}
|
||||
|
||||
# This declaration allows BOOTP clients to get dynamic addresses,
|
||||
# which we don't really recommend.
|
||||
|
||||
#subnet 10.254.239.32 netmask 255.255.255.224 {
|
||||
# range dynamic-bootp 10.254.239.40 10.254.239.60;
|
||||
# option broadcast-address 10.254.239.31;
|
||||
# option routers rtr-239-32-1.example.org;
|
||||
#}
|
||||
|
||||
# A slightly different configuration for an internal subnet.
|
||||
#subnet 10.5.5.0 netmask 255.255.255.224 {
|
||||
# range 10.5.5.26 10.5.5.30;
|
||||
option domain-name-servers 192.168.0.140, 192.168.0.142;
|
||||
# option domain-name "internal.example.org";
|
||||
option routers 192.168.2.1;
|
||||
# option broadcast-address 10.5.5.31;
|
||||
# default-lease-time 600;
|
||||
# max-lease-time 7200;
|
||||
#}
|
||||
|
||||
# Hosts which require special configuration options can be listed in
|
||||
# host statements. If no address is specified, the address will be
|
||||
# allocated dynamically (if possible), but the host-specific information
|
||||
# will still come from the host declaration.
|
||||
|
||||
#host passacaglia {
|
||||
# hardware ethernet 0:0:c0:5d:bd:95;
|
||||
# filename "vmunix.passacaglia";
|
||||
# server-name "toccata.example.com";
|
||||
#}
|
||||
|
||||
# Fixed IP addresses can also be specified for hosts. These addresses
|
||||
# should not also be listed as being available for dynamic assignment.
|
||||
# Hosts for which fixed IP addresses have been specified can boot using
|
||||
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
|
||||
# be booted with DHCP, unless there is an address range on the subnet
|
||||
# to which a BOOTP client is connected which has the dynamic-bootp flag
|
||||
# set.
|
||||
#host fantasia {
|
||||
# hardware ethernet 08:00:07:26:c0:a5;
|
||||
# fixed-address fantasia.example.com;
|
||||
#}
|
||||
|
||||
# You can declare a class of clients and then do address allocation
|
||||
# based on that. The example below shows a case where all clients
|
||||
# in a certain class get addresses on the 10.17.224/24 subnet, and all
|
||||
# other clients get addresses on the 10.0.29/24 subnet.
|
||||
|
||||
#class "foo" {
|
||||
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
|
||||
#}
|
||||
|
||||
#shared-network 224-29 {
|
||||
# subnet 10.17.224.0 netmask 255.255.255.0 {
|
||||
# option routers rtr-224.example.org;
|
||||
# }
|
||||
# subnet 10.0.29.0 netmask 255.255.255.0 {
|
||||
# option routers rtr-29.example.org;
|
||||
# }
|
||||
# pool {
|
||||
# allow members of "foo";
|
||||
# range 10.17.224.10 10.17.224.250;
|
||||
# }
|
||||
# pool {
|
||||
# deny members of "foo";
|
||||
# range 10.0.29.10 10.0.29.230;
|
||||
# }
|
||||
#}
|
||||
8
sio1/siotp/sisr1/tp01-02/srv-dhcp/hosts
Normal file
8
sio1/siotp/sisr1/tp01-02/srv-dhcp/hosts
Normal file
@@ -0,0 +1,8 @@
|
||||
127.0.0.1 localhost
|
||||
127.0.1.1 bookworm-jp.sio.lan bookworm-jp
|
||||
192.168.0.35 bookworm-ge.sio.lan bookworm-ge
|
||||
192.168.0.40 bookworm-jb.sio.lan bookworm-jb
|
||||
# The following lines are desirable for IPv6 capable hosts
|
||||
::1 localhost ip6-localhost ip6-loopback
|
||||
ff02::1 ip6-allnodes
|
||||
ff02::2 ip6-allrouters
|
||||
24
sio1/siotp/sisr1/tp01-02/srv-dhcp/interfaces
Normal file
24
sio1/siotp/sisr1/tp01-02/srv-dhcp/interfaces
Normal file
@@ -0,0 +1,24 @@
|
||||
# This file describes the network interfaces available on your system
|
||||
# and how to activate them. For more information, see interfaces(5).
|
||||
|
||||
source /etc/network/interfaces.d/*
|
||||
|
||||
# The loopback network interface
|
||||
auto lo
|
||||
iface lo inet loopback
|
||||
|
||||
# Interface fixe
|
||||
auto enp0s3
|
||||
iface enp0s3 inet static
|
||||
address 192.168.0.141/24
|
||||
gateway 192.168.0.1
|
||||
|
||||
|
||||
# The primary network interface
|
||||
#allow-hotplug enp0s3
|
||||
#iface enp0s3 inet dhcp
|
||||
|
||||
# Interface fixe
|
||||
auto enp0s8
|
||||
iface enp0s8 inet static
|
||||
address 192.168.2.1/24
|
||||
18
sio1/siotp/sisr1/tp01-02/srv-dhcp/isc-dhcp-server
Normal file
18
sio1/siotp/sisr1/tp01-02/srv-dhcp/isc-dhcp-server
Normal file
@@ -0,0 +1,18 @@
|
||||
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
|
||||
|
||||
# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
|
||||
DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
|
||||
#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
|
||||
|
||||
# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
|
||||
DHCPDv4_PID=/var/run/dhcpd.pid
|
||||
#DHCPDv6_PID=/var/run/dhcpd6.pid
|
||||
|
||||
# Additional options to start dhcpd with.
|
||||
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
|
||||
#OPTIONS=""
|
||||
|
||||
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
|
||||
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
|
||||
INTERFACESv4="enp0s8"
|
||||
INTERFACESv6=""
|
||||
6
sio1/siotp/sisr1/tp01-02/srv-dhcp/nat.sh
Executable file
6
sio1/siotp/sisr1/tp01-02/srv-dhcp/nat.sh
Executable file
@@ -0,0 +1,6 @@
|
||||
#!/bin/bash
|
||||
sysctl net.ipv4.ip_forward=1
|
||||
nft add table basic_nat_table
|
||||
nft add chain basic_nat_table prerouting {type nat hook prerouting priority 0\; }
|
||||
nft add chain basic_nat_table postrouting {type nat hook postrouting priority 0\; }
|
||||
nft add rule basic_nat_table postrouting masquerade
|
||||
28
sio1/siotp/sisr1/tp01-02/srv-dns1/db.sio1lab.lan
Normal file
28
sio1/siotp/sisr1/tp01-02/srv-dns1/db.sio1lab.lan
Normal file
@@ -0,0 +1,28 @@
|
||||
;
|
||||
; BIND data file for local loopback interface
|
||||
;
|
||||
$TTL 604800
|
||||
@ IN SOA dns1.sio1lab.lan. root.sio1lab.lan. (
|
||||
2 ; Serial
|
||||
604800 ; Refresh
|
||||
86400 ; Retry
|
||||
2419200 ; Expire
|
||||
604800 ) ; Negative Cache TTL
|
||||
;
|
||||
@ IN NS deb-dns-jp.sio1lab.lan.
|
||||
IN NS deb-dns2-jp.sio1lab.lan.
|
||||
IN A 192.168.0.140
|
||||
IN A 192.168.0.141
|
||||
deb-dns-jp IN A 192.168.0.140
|
||||
deb-dhcp-jp IN A 192.168.0.141
|
||||
deb-dns2-jp IN A 192.168.0.142
|
||||
deb-dns1-ge IN A 192.168.0.121
|
||||
deb-dns2-ge IN A 192.168.0.122
|
||||
deb-dhcp-ge IN A 192.168.0.120
|
||||
|
||||
dhcp IN CNAME deb-dhcp-jp
|
||||
dns1 IN CNAME deb-dns-jp
|
||||
dns2 IN CNAME deb-dns2-jp
|
||||
dhcp2ge IN CNAME deb-dhcp-ge
|
||||
dns3ge IN CNAME deb-dns1-ge
|
||||
dns3ge IN CNAME deb-dns2-ge
|
||||
30
sio1/siotp/sisr1/tp01-02/srv-dns1/db.sio1lab.lan.rev
Normal file
30
sio1/siotp/sisr1/tp01-02/srv-dns1/db.sio1lab.lan.rev
Normal file
@@ -0,0 +1,30 @@
|
||||
;
|
||||
; BIND data file for local loopback interface
|
||||
;
|
||||
$TTL 604800
|
||||
@ IN SOA dns1.sio1lab.lan. root.sio1lab.lan. (
|
||||
2 ; Serial
|
||||
604800 ; Refresh
|
||||
86400 ; Retry
|
||||
2419200 ; Expire
|
||||
604800 ) ; Negative Cache TTL
|
||||
;
|
||||
@ IN NS deb-dns-jp.sio1lab.lan.
|
||||
IN NS deb-dns2-jp.sio1lab.lan.
|
||||
deb-dns-jp IN A 192.168.0.140
|
||||
deb-dhcp-jp IN A 192.168.0.141
|
||||
deb-dns2-jp IN A 192.168.0.142
|
||||
deb-dhcp-ge IN A 192.168.0.120
|
||||
deb-dns1-ge IN A 192.168.0.121
|
||||
deb-dns2-ge IN A 192.168.0.122
|
||||
|
||||
dhcp IN CNAME deb-dhcp-jp
|
||||
dns1 IN CNAME deb-dns-jp
|
||||
dns2 IN CNAME deb-dns2-jp
|
||||
dhcp2ge IN CNAME deb-dhcp-ge
|
||||
dns3ge IN CNAME deb-dns1-ge
|
||||
dns4ge IN CNAME deb-dns2-ge
|
||||
|
||||
|
||||
140 IN PTR deb-dns-jp.sio1lab.lan
|
||||
141 IN PTR deb-dhcp-jp.sio1lab.lan
|
||||
11
sio1/siotp/sisr1/tp01-02/srv-dns1/named.conf
Normal file
11
sio1/siotp/sisr1/tp01-02/srv-dns1/named.conf
Normal file
@@ -0,0 +1,11 @@
|
||||
// This is the primary configuration file for the BIND DNS server named.
|
||||
//
|
||||
// Please read /usr/share/doc/bind9/README.Debian for information on the
|
||||
// structure of BIND configuration files in Debian, *BEFORE* you customize
|
||||
// this configuration file.
|
||||
//
|
||||
// If you are just adding zones, please do that in /etc/bind/named.conf.local
|
||||
|
||||
include "/etc/bind/named.conf.options";
|
||||
include "/etc/bind/named.conf.local";
|
||||
include "/etc/bind/named.conf.default-zones";
|
||||
20
sio1/siotp/sisr1/tp01-02/srv-dns1/named.conf.local
Normal file
20
sio1/siotp/sisr1/tp01-02/srv-dns1/named.conf.local
Normal file
@@ -0,0 +1,20 @@
|
||||
//
|
||||
// Do any local configuration here
|
||||
//
|
||||
|
||||
// Consider adding the 1918 zones here, if they are not used in your
|
||||
// organization
|
||||
//include "/etc/bind/zones.rfc1918";
|
||||
|
||||
// zone directe
|
||||
zone "sio1lab.lan" {
|
||||
type master;
|
||||
file "/etc/bind/db.sio1lab.lan";
|
||||
};
|
||||
|
||||
// zone inverse
|
||||
zone "0.168.192.in-addr.arpa" {
|
||||
type master;
|
||||
notify no;
|
||||
file "/etc/bind/db.sio1lab.lan.rev";
|
||||
};
|
||||
25
sio1/siotp/sisr1/tp01-02/srv-dns1/named.conf.options
Normal file
25
sio1/siotp/sisr1/tp01-02/srv-dns1/named.conf.options
Normal file
@@ -0,0 +1,25 @@
|
||||
options {
|
||||
directory "/var/cache/bind";
|
||||
|
||||
// If there is a firewall between you and nameservers you want
|
||||
// to talk to, you may need to fix the firewall to allow multiple
|
||||
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
|
||||
|
||||
// If your ISP provided one or more IP addresses for stable
|
||||
// nameservers, you probably want to use them as forwarders.
|
||||
// Uncomment the following block, and insert the addresses replacing
|
||||
// the all-0's placeholder.
|
||||
|
||||
forwarders {
|
||||
10.121.38.7;
|
||||
10.121.38.8;
|
||||
};
|
||||
|
||||
//========================================================================
|
||||
// If BIND logs error messages about the root key being expired,
|
||||
// you will need to update your keys. See https://www.isc.org/bind-keys
|
||||
//========================================================================
|
||||
dnssec-validation auto;
|
||||
|
||||
listen-on-v6 { any; };
|
||||
};
|
||||
20
sio1/siotp/sisr1/tp01-02/srv-dns2/db.sio1lab.lan
Normal file
20
sio1/siotp/sisr1/tp01-02/srv-dns2/db.sio1lab.lan
Normal file
@@ -0,0 +1,20 @@
|
||||
$ORIGIN .
|
||||
$TTL 604800 ; 1 week
|
||||
sio1lab.lan IN SOA dns1.sio1lab.lan. root.sio1lab.lan. (
|
||||
2 ; serial
|
||||
604800 ; refresh (1 week)
|
||||
86400 ; retry (1 day)
|
||||
2419200 ; expire (4 weeks)
|
||||
604800 ; minimum (1 week)
|
||||
)
|
||||
NS deb-dns-jp.sio1lab.lan.
|
||||
NS deb-dns2-jp.sio1lab.lan.
|
||||
A 192.168.0.140
|
||||
A 192.168.0.141
|
||||
$ORIGIN sio1lab.lan.
|
||||
deb-dhcp-jp A 192.168.0.141
|
||||
deb-dns-jp A 192.168.0.140
|
||||
deb-dns2-jp A 192.168.0.142
|
||||
dhcp CNAME deb-dhcp-jp
|
||||
dns1 CNAME deb-dns-jp
|
||||
dns2 CNAME deb-dns2-jp
|
||||
20
sio1/siotp/sisr1/tp01-02/srv-dns2/db.sio1lab.lan.rev
Normal file
20
sio1/siotp/sisr1/tp01-02/srv-dns2/db.sio1lab.lan.rev
Normal file
@@ -0,0 +1,20 @@
|
||||
$ORIGIN .
|
||||
$TTL 604800 ; 1 week
|
||||
0.168.192.in-addr.arpa IN SOA dns1.sio1lab.lan. root.sio1lab.lan. (
|
||||
2 ; serial
|
||||
604800 ; refresh (1 week)
|
||||
86400 ; retry (1 day)
|
||||
2419200 ; expire (4 weeks)
|
||||
604800 ; minimum (1 week)
|
||||
)
|
||||
NS deb-dns-jp.sio1lab.lan.
|
||||
NS deb-dns2-jp.sio1lab.lan.
|
||||
$ORIGIN 0.168.192.in-addr.arpa.
|
||||
140 PTR deb-dns-jp.sio1lab.lan
|
||||
141 PTR deb-dhcp-jp.sio1lab.lan
|
||||
deb-dhcp-jp A 192.168.0.141
|
||||
deb-dns-jp A 192.168.0.140
|
||||
deb-dns2-jp A 192.168.0.142
|
||||
dhcp CNAME deb-dhcp-jp
|
||||
dns1 CNAME deb-dns-jp
|
||||
dns2 CNAME deb-dns2-jp
|
||||
30
sio1/siotp/sisr1/tp01-02/srv-dns2/named.conf.default-zones
Normal file
30
sio1/siotp/sisr1/tp01-02/srv-dns2/named.conf.default-zones
Normal file
@@ -0,0 +1,30 @@
|
||||
// prime the server with knowledge of the root servers
|
||||
zone "." {
|
||||
type hint;
|
||||
file "/usr/share/dns/root.hints";
|
||||
};
|
||||
|
||||
// be authoritative for the localhost forward and reverse zones, and for
|
||||
// broadcast zones as per RFC 1912
|
||||
|
||||
zone "localhost" {
|
||||
type master;
|
||||
file "/etc/bind/db.local";
|
||||
};
|
||||
|
||||
zone "127.in-addr.arpa" {
|
||||
type master;
|
||||
file "/etc/bind/db.127";
|
||||
};
|
||||
|
||||
zone "0.in-addr.arpa" {
|
||||
type master;
|
||||
file "/etc/bind/db.0";
|
||||
};
|
||||
|
||||
zone "255.in-addr.arpa" {
|
||||
type master;
|
||||
file "/etc/bind/db.255";
|
||||
};
|
||||
|
||||
|
||||
24
sio1/siotp/sisr1/tp01-02/srv-dns2/named.conf.local
Normal file
24
sio1/siotp/sisr1/tp01-02/srv-dns2/named.conf.local
Normal file
@@ -0,0 +1,24 @@
|
||||
//
|
||||
// Do any local configuration here
|
||||
//
|
||||
|
||||
// Consider adding the 1918 zones here, if they are not used in your
|
||||
// organization
|
||||
//include "/etc/bind/zones.rfc1918";
|
||||
|
||||
// zone directe
|
||||
zone "sio1lab.lan" {
|
||||
type slave;
|
||||
file "/etc/bind/db.sio1lab.lan";
|
||||
masters { 192.168.0.140; };
|
||||
masterfile-format text;
|
||||
};
|
||||
|
||||
// zone inverse
|
||||
zone "0.168.192.in-addr.arpa" {
|
||||
type slave;
|
||||
notify no;
|
||||
file "/etc/bind/db.sio1lab.lan.rev";
|
||||
masters { 192.168.0.140; };
|
||||
masterfile-format text;
|
||||
};
|
||||
24
sio1/siotp/sisr1/tp01-02/srv-dns2/named.conf.options
Normal file
24
sio1/siotp/sisr1/tp01-02/srv-dns2/named.conf.options
Normal file
@@ -0,0 +1,24 @@
|
||||
options {
|
||||
directory "/var/cache/bind";
|
||||
|
||||
// If there is a firewall between you and nameservers you want
|
||||
// to talk to, you may need to fix the firewall to allow multiple
|
||||
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
|
||||
|
||||
// If your ISP provided one or more IP addresses for stable
|
||||
// nameservers, you probably want to use them as forwarders.
|
||||
// Uncomment the following block, and insert the addresses replacing
|
||||
// the all-0's placeholder.
|
||||
|
||||
// forwarders {
|
||||
// 0.0.0.0;
|
||||
// };
|
||||
|
||||
//========================================================================
|
||||
// If BIND logs error messages about the root key being expired,
|
||||
// you will need to update your keys. See https://www.isc.org/bind-keys
|
||||
//========================================================================
|
||||
dnssec-validation auto;
|
||||
|
||||
listen-on-v6 { any; };
|
||||
};
|
||||
23
sio1/siotp/sisr1/tp03/srv-admin/interfaces
Normal file
23
sio1/siotp/sisr1/tp03/srv-admin/interfaces
Normal file
@@ -0,0 +1,23 @@
|
||||
# This file describes the network interfaces available on your system
|
||||
# and how to activate them. For more information, see interfaces(5).
|
||||
|
||||
source /etc/network/interfaces.d/*
|
||||
|
||||
# The loopback network interface
|
||||
auto lo
|
||||
iface lo inet loopback
|
||||
|
||||
# interface fixe
|
||||
auto enp0s3
|
||||
iface enp0s3 inet static
|
||||
address 192.168.0.140/24
|
||||
gateway 192.168.0.1
|
||||
|
||||
# interface interne fix
|
||||
auto enp0s8
|
||||
iface enp0s8 inet dhcp
|
||||
# address 172.16.0.254/24
|
||||
|
||||
# interface interne dhcp
|
||||
#allow-hotplug enp0s8
|
||||
#iface enp0s8 inet dhcp
|
||||
6
sio1/siotp/sisr1/tp03/srv-admin/nat.sh
Normal file
6
sio1/siotp/sisr1/tp03/srv-admin/nat.sh
Normal file
@@ -0,0 +1,6 @@
|
||||
#!/bin/bash
|
||||
sysctl net.ipv4.ip_forward=1
|
||||
nft add table basic_nat_table
|
||||
nft add chain basic_nat_table prerouting {type nat hook prerouting priority 0\; }
|
||||
nft add chain basic_nat_table postrouting {type nat hook postrouting priority 0\; }
|
||||
nft add rule basic_nat_table postrouting masquerade
|
||||
26
sio1/siotp/sisr1/tp03/srv-dns2/bind/db.monlabo.lan
Normal file
26
sio1/siotp/sisr1/tp03/srv-dns2/bind/db.monlabo.lan
Normal file
@@ -0,0 +1,26 @@
|
||||
$ORIGIN .
|
||||
$TTL 604800 ; 1 week
|
||||
monlabo.lan IN SOA dns1.monlabo.lan. root.monlabo.lan. (
|
||||
2 ; serial
|
||||
604800 ; refresh (1 week)
|
||||
86400 ; retry (1 day)
|
||||
2419200 ; expire (4 weeks)
|
||||
604800 ; minimum (1 week)
|
||||
)
|
||||
NS srv-dns2.monlabo.lan.
|
||||
NS srv-service.monlabo.lan.
|
||||
A 172.16.0.1
|
||||
$ORIGIN monlabo.lan.
|
||||
dhcp CNAME srv-service
|
||||
dns CNAME srv-service
|
||||
dns1 CNAME srv-service
|
||||
dns2 CNAME srv-dns2
|
||||
router CNAME srv-admin-jp
|
||||
srv-admin-jp A 172.16.0.254
|
||||
srv-dns2 A 172.16.0.2
|
||||
srv-service A 172.16.0.1
|
||||
srvadmin CNAME srv-admin-jp
|
||||
srvdhcp CNAME srv-service
|
||||
srvdns CNAME srv-service
|
||||
srvdns1 CNAME srv-service
|
||||
srvdns2 CNAME srv-dns2
|
||||
18
sio1/siotp/sisr1/tp03/srv-dns2/bind/db.monlabo.lan.rev
Normal file
18
sio1/siotp/sisr1/tp03/srv-dns2/bind/db.monlabo.lan.rev
Normal file
@@ -0,0 +1,18 @@
|
||||
$ORIGIN .
|
||||
$TTL 604800 ; 1 week
|
||||
0.16.172.in-addr.arpa IN SOA dns1.monlabo.lan. root.monlabo.lan. (
|
||||
2 ; serial
|
||||
604800 ; refresh (1 week)
|
||||
86400 ; retry (1 day)
|
||||
2419200 ; expire (4 weeks)
|
||||
604800 ; minimum (1 week)
|
||||
)
|
||||
NS srv-dns2.monlabo.lan.
|
||||
NS srv-service.monlabo.lan.
|
||||
A 172.16.0.1
|
||||
$ORIGIN 0.16.172.in-addr.arpa.
|
||||
1 PTR srv-service.monlabo.lan
|
||||
2 PTR srv-dns2.monlabo.lan
|
||||
254 PTR srv-admin-jp.monlabo.lan
|
||||
srv-dns2 A 172.16.0.2
|
||||
srv-service A 172.16.0.1
|
||||
24
sio1/siotp/sisr1/tp03/srv-dns2/bind/named.conf.local
Normal file
24
sio1/siotp/sisr1/tp03/srv-dns2/bind/named.conf.local
Normal file
@@ -0,0 +1,24 @@
|
||||
//
|
||||
// Do any local configuration here
|
||||
//
|
||||
|
||||
// Consider adding the 1918 zones here, if they are not used in your
|
||||
// organization
|
||||
//include "/etc/bind/zones.rfc1918";
|
||||
|
||||
// zone directe
|
||||
zone "monlabo.lan" {
|
||||
type slave;
|
||||
file "/etc/bind/db.monlabo.lan";
|
||||
masters { 172.16.0.1; };
|
||||
masterfile-format text;
|
||||
};
|
||||
|
||||
// zone inverse
|
||||
zone "0.16.172.in-addr.arpa" {
|
||||
type slave;
|
||||
notify no;
|
||||
file "/etc/bind/db.monlabo.lan.rev";
|
||||
masters { 172.16.0.1; };
|
||||
masterfile-format text;
|
||||
};
|
||||
25
sio1/siotp/sisr1/tp03/srv-dns2/bind/named.conf.options
Normal file
25
sio1/siotp/sisr1/tp03/srv-dns2/bind/named.conf.options
Normal file
@@ -0,0 +1,25 @@
|
||||
options {
|
||||
directory "/var/cache/bind";
|
||||
|
||||
// If there is a firewall between you and nameservers you want
|
||||
// to talk to, you may need to fix the firewall to allow multiple
|
||||
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
|
||||
|
||||
// If your ISP provided one or more IP addresses for stable
|
||||
// nameservers, you probably want to use them as forwarders.
|
||||
// Uncomment the following block, and insert the addresses replacing
|
||||
// the all-0's placeholder.
|
||||
|
||||
forwarders {
|
||||
10.121.38.7;
|
||||
10.121.38.8;
|
||||
};
|
||||
|
||||
//========================================================================
|
||||
// If BIND logs error messages about the root key being expired,
|
||||
// you will need to update your keys. See https://www.isc.org/bind-keys
|
||||
//========================================================================
|
||||
dnssec-validation auto;
|
||||
|
||||
listen-on-v6 { any; };
|
||||
};
|
||||
29
sio1/siotp/sisr1/tp03/srv-service/bind/db.monlabo.lan
Normal file
29
sio1/siotp/sisr1/tp03/srv-service/bind/db.monlabo.lan
Normal file
@@ -0,0 +1,29 @@
|
||||
;
|
||||
; BIND data file for local loopback interface
|
||||
;
|
||||
$TTL 604800
|
||||
@ IN SOA dns1.monlabo.lan. root.monlabo.lan. (
|
||||
2 ; Serial
|
||||
604800 ; Refresh
|
||||
86400 ; Retry
|
||||
2419200 ; Expire
|
||||
604800 ) ; Negative Cache TTL
|
||||
;
|
||||
@ IN NS srv-service.monlabo.lan.
|
||||
IN NS srv-dns2.monlabo.lan.
|
||||
IN A 172.16.0.1
|
||||
srv-dns2 IN A 172.16.0.2
|
||||
srv-service IN A 172.16.0.1
|
||||
srv-admin-jp IN A 172.16.0.254
|
||||
|
||||
|
||||
dhcp IN CNAME srv-service
|
||||
srvdns IN CNAME srv-service
|
||||
srvdns1 IN CNAME srv-service
|
||||
srvdhcp IN CNAME srv-service
|
||||
dns IN CNAME srv-service
|
||||
dns1 IN CNAME srv-service
|
||||
dns2 IN CNAME srv-dns2
|
||||
srvdns2 IN CNAME srv-dns2
|
||||
srvadmin IN CNAME srv-admin-jp
|
||||
router IN CNAME srv-admin-jp
|
||||
21
sio1/siotp/sisr1/tp03/srv-service/bind/db.monlabo.lan.rev
Normal file
21
sio1/siotp/sisr1/tp03/srv-service/bind/db.monlabo.lan.rev
Normal file
@@ -0,0 +1,21 @@
|
||||
;
|
||||
; BIND data file for local loopback interface
|
||||
;
|
||||
$TTL 604800
|
||||
@ IN SOA dns1.monlabo.lan. root.monlabo.lan. (
|
||||
2 ; Serial
|
||||
604800 ; Refresh
|
||||
86400 ; Retry
|
||||
2419200 ; Expire
|
||||
604800 ) ; Negative Cache TTL
|
||||
;
|
||||
@ IN NS srv-service.monlabo.lan.
|
||||
IN NS srv-dns2.monlabo.lan.
|
||||
IN A 172.16.0.1
|
||||
srv-dns2 IN A 172.16.0.2
|
||||
srv-service IN A 172.16.0.1
|
||||
;deb-dns2-jp IN A 192.168.0.142
|
||||
|
||||
1 IN PTR srv-service.monlabo.lan
|
||||
254 IN PTR srv-admin-jp.monlabo.lan
|
||||
2 IN PTR srv-dns2.monlabo.lan
|
||||
20
sio1/siotp/sisr1/tp03/srv-service/bind/named.conf.local
Normal file
20
sio1/siotp/sisr1/tp03/srv-service/bind/named.conf.local
Normal file
@@ -0,0 +1,20 @@
|
||||
//
|
||||
// Do any local configuration here
|
||||
//
|
||||
|
||||
// Consider adding the 1918 zones here, if they are not used in your
|
||||
// organization
|
||||
//include "/etc/bind/zones.rfc1918";
|
||||
|
||||
// Zone directe
|
||||
zone "monlabo.lan" {
|
||||
type master;
|
||||
file "/etc/bind/db.monlabo.lan";
|
||||
};
|
||||
|
||||
// Zone inverse
|
||||
zone "0.16.172.in-addr.arpa" {
|
||||
type master;
|
||||
notify no;
|
||||
file "/etc/bind/db.monlabo.lan.rev";
|
||||
};
|
||||
25
sio1/siotp/sisr1/tp03/srv-service/bind/named.conf.options
Normal file
25
sio1/siotp/sisr1/tp03/srv-service/bind/named.conf.options
Normal file
@@ -0,0 +1,25 @@
|
||||
options {
|
||||
directory "/var/cache/bind";
|
||||
|
||||
// If there is a firewall between you and nameservers you want
|
||||
// to talk to, you may need to fix the firewall to allow multiple
|
||||
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
|
||||
|
||||
// If your ISP provided one or more IP addresses for stable
|
||||
// nameservers, you probably want to use them as forwarders.
|
||||
// Uncomment the following block, and insert the addresses replacing
|
||||
// the all-0's placeholder.
|
||||
|
||||
forwarders {
|
||||
10.121.38.7;
|
||||
10.121.38.8;
|
||||
};
|
||||
|
||||
//========================================================================
|
||||
// If BIND logs error messages about the root key being expired,
|
||||
// you will need to update your keys. See https://www.isc.org/bind-keys
|
||||
//========================================================================
|
||||
dnssec-validation auto;
|
||||
|
||||
listen-on-v6 { any; };
|
||||
};
|
||||
110
sio1/siotp/sisr1/tp03/srv-service/dhcp/dhcpd.conf
Normal file
110
sio1/siotp/sisr1/tp03/srv-service/dhcp/dhcpd.conf
Normal file
@@ -0,0 +1,110 @@
|
||||
# dhcpd.conf
|
||||
#
|
||||
# Sample configuration file for ISC dhcpd
|
||||
#
|
||||
|
||||
# option definitions common to all supported networks...
|
||||
#option domain-name "example.org";
|
||||
#option domain-name-servers ns1.example.org, ns2.example.org;
|
||||
|
||||
default-lease-time 604800;
|
||||
max-lease-time 604800;
|
||||
|
||||
# The ddns-updates-style parameter controls whether or not the server will
|
||||
# attempt to do a DNS update when a lease is confirmed. We default to the
|
||||
# behavior of the version 2 packages ('none', since DHCP v2 didn't
|
||||
# have support for DDNS.)
|
||||
ddns-update-style none;
|
||||
|
||||
|
||||
subnet 172.16.0.0 netmask 255.255.255.0 {
|
||||
range 172.16.0.100 172.16.0.200;
|
||||
option routers 172.16.0.254;
|
||||
option domain-name-servers 172.16.0.1, 172.16.0.2;
|
||||
option domain-name "monlabo.lan";
|
||||
}
|
||||
|
||||
host srv-admin-jp {
|
||||
hardware ethernet 08:00:27:44:f2:e7;
|
||||
fixed-address 172.16.0.254;
|
||||
}
|
||||
host srv-dns2 {
|
||||
hardware ethernet 08:00:27:2b:f5:4c;
|
||||
fixed-address 172.16.0.2;
|
||||
option domain-name-servers 127.0.0.1;
|
||||
}
|
||||
# This is a very basic subnet declaration.
|
||||
|
||||
#subnet 10.254.239.0 netmask 255.255.255.224 {
|
||||
# range 10.254.239.10 10.254.239.20;
|
||||
# option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
|
||||
#}
|
||||
|
||||
# This declaration allows BOOTP clients to get dynamic addresses,
|
||||
# which we don't really recommend.
|
||||
|
||||
#subnet 10.254.239.32 netmask 255.255.255.224 {
|
||||
# range dynamic-bootp 10.254.239.40 10.254.239.60;
|
||||
# option broadcast-address 10.254.239.31;
|
||||
# option routers rtr-239-32-1.example.org;
|
||||
#}
|
||||
|
||||
# A slightly different configuration for an internal subnet.
|
||||
#subnet 10.5.5.0 netmask 255.255.255.224 {
|
||||
# range 10.5.5.26 10.5.5.30;
|
||||
# option domain-name-servers ns1.internal.example.org;
|
||||
# option domain-name "internal.example.org";
|
||||
# option routers 10.5.5.1;
|
||||
# option broadcast-address 10.5.5.31;
|
||||
# default-lease-time 600;
|
||||
# max-lease-time 7200;
|
||||
#}
|
||||
|
||||
# Hosts which require special configuration options can be listed in
|
||||
# host statements. If no address is specified, the address will be
|
||||
# allocated dynamically (if possible), but the host-specific information
|
||||
# will still come from the host declaration.
|
||||
|
||||
#host passacaglia {
|
||||
# hardware ethernet 0:0:c0:5d:bd:95;
|
||||
# filename "vmunix.passacaglia";
|
||||
# server-name "toccata.example.com";
|
||||
#}
|
||||
|
||||
# Fixed IP addresses can also be specified for hosts. These addresses
|
||||
# should not also be listed as being available for dynamic assignment.
|
||||
# Hosts for which fixed IP addresses have been specified can boot using
|
||||
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
|
||||
# be booted with DHCP, unless there is an address range on the subnet
|
||||
# to which a BOOTP client is connected which has the dynamic-bootp flag
|
||||
# set.
|
||||
#host fantasia {
|
||||
# hardware ethernet 08:00:07:26:c0:a5;
|
||||
# fixed-address fantasia.example.com;
|
||||
#}
|
||||
|
||||
# You can declare a class of clients and then do address allocation
|
||||
# based on that. The example below shows a case where all clients
|
||||
# in a certain class get addresses on the 10.17.224/24 subnet, and all
|
||||
# other clients get addresses on the 10.0.29/24 subnet.
|
||||
|
||||
#class "foo" {
|
||||
# match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
|
||||
#}
|
||||
|
||||
#shared-network 224-29 {
|
||||
# subnet 10.17.224.0 netmask 255.255.255.0 {
|
||||
# option routers rtr-224.example.org;
|
||||
# }
|
||||
# subnet 10.0.29.0 netmask 255.255.255.0 {
|
||||
# option routers rtr-29.example.org;
|
||||
# }
|
||||
# pool {
|
||||
# allow members of "foo";
|
||||
# range 10.17.224.10 10.17.224.250;
|
||||
# }
|
||||
# pool {
|
||||
# deny members of "foo";
|
||||
# range 10.0.29.10 10.0.29.230;
|
||||
# }
|
||||
#}
|
||||
30
sio1/siotp/sisr1/tp4/Users.csv
Normal file
30
sio1/siotp/sisr1/tp4/Users.csv
Normal file
@@ -0,0 +1,30 @@
|
||||
Ermengarde,Berthelmot,eberthelmot0@webmd.com,Female,Accountant
|
||||
Kassi,Bunker,kbunker1@xinhuanet.com,Female,Production
|
||||
Moises,McCallum,mmccallum2@i2i.jp,Male,Production
|
||||
Patrizio,Lune,plune3@upenn.edu,Male,Accountant
|
||||
Blanch,Everix,beverix4@php.net,Female,Accountant
|
||||
Stafani,Kibbel,skibbel5@marriott.com,Female,Production
|
||||
Ignacius,Mosdell,imosdell6@cloudflare.com,Male,Management
|
||||
Jeana,Waller-Bridge,jwallerbridge7@mapy.cz,Female,Management
|
||||
Elroy,Dressel,edressel8@opera.com,Male,Production
|
||||
Thea,Strettell,tstrettell9@nature.com,Female,Production
|
||||
Solomon,Insoll,sinsolla@utexas.edu,Male,Accountant
|
||||
Carri,Feedome,cfeedomeb@ask.com,Female,Accountant
|
||||
Padraic,Chetwind,pchetwindc@last.fm,Male,Management
|
||||
Solly,D'Ugo,sdugod@uiuc.edu,Male,Production
|
||||
Konstanze,MacCostigan,kmaccostigane@seattletimes.com,Female,Accountant
|
||||
Roxane,Powlesland,rpowleslandf@pcworld.com,Female,Management
|
||||
Orelle,Kennealy,okennealyg@arstechnica.com,Female,Production
|
||||
Sukey,Soitoux,ssoitouxh@shinystat.com,Female,Production
|
||||
Nelli,Syce,nsycei@blogger.com,Female,Production
|
||||
Clarisse,Shillam,cshillamj@dailymotion.com,Female,Production
|
||||
Carin,Gueny,cguenyk@naver.com,Female,Management
|
||||
Donny,Riepel,driepell@addtoany.com,Male,Production
|
||||
Daniella,Ralfe,dralfem@wunderground.com,Female,Production
|
||||
Lexy,Clynmans,lclynmansn@furl.net,Female,Production
|
||||
Gardiner,Adamthwaite,gadamthwaiteo@spotify.com,Male,Production
|
||||
Woodman,Lippett,wlippettp@purevolume.com,Male,Production
|
||||
Nadya,Munnion,nmunnionq@flavors.me,Female,Production
|
||||
Llewellyn,Habershon,lhabershonr@alibaba.com,Male,Production
|
||||
Isaak,Greatrex,igreatrexs@seesaa.net,Male,Production
|
||||
Darill,Frostdyke,dfrostdyket@cafepress.com,Male,Production
|
||||
|
16
sio1/siotp/sisr1/tp4/createLogins.sh
Normal file
16
sio1/siotp/sisr1/tp4/createLogins.sh
Normal file
@@ -0,0 +1,16 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
rm ./logins.csv
|
||||
while read line
|
||||
do
|
||||
echo $line > ./temp.txt
|
||||
prenom=$(cut -d "," -f 1 ./temp.txt)
|
||||
nom=$(cut -d "," -f 2 ./temp.txt)
|
||||
initial=$(cut -c 1 ./temp.txt)
|
||||
id=$(echo $initial$nom | tr [:upper:] [:lower:])
|
||||
passwd=$(echo $RANDOM | md5sum | head -c 8)
|
||||
|
||||
echo $id","$passwd","$prenom","$nom","$(cut -d "," -f 5 ./temp.txt) >> ./logins.csv
|
||||
|
||||
rm ./temp.txt
|
||||
done < ./Users.csv
|
||||
30
sio1/siotp/sisr1/tp4/logins.csv
Normal file
30
sio1/siotp/sisr1/tp4/logins.csv
Normal file
@@ -0,0 +1,30 @@
|
||||
eberthelmot,59155498,Ermengarde,Berthelmot,Accountant
|
||||
kbunker,b9068820,Kassi,Bunker,Production
|
||||
mmccallum,ee65d788,Moises,McCallum,Production
|
||||
plune,779b128e,Patrizio,Lune,Accountant
|
||||
beverix,40741acd,Blanch,Everix,Accountant
|
||||
skibbel,46353bb2,Stafani,Kibbel,Production
|
||||
imosdell,8ec4cdc3,Ignacius,Mosdell,Management
|
||||
jwaller-bridge,ac7367bb,Jeana,Waller-Bridge,Management
|
||||
edressel,1af39ab6,Elroy,Dressel,Production
|
||||
tstrettell,1f333d96,Thea,Strettell,Production
|
||||
sinsoll,9b14d3c8,Solomon,Insoll,Accountant
|
||||
cfeedome,acc2de2b,Carri,Feedome,Accountant
|
||||
pchetwind,fcf81634,Padraic,Chetwind,Management
|
||||
sd'ugo,a6d1382b,Solly,D'Ugo,Production
|
||||
kmaccostigan,d2531594,Konstanze,MacCostigan,Accountant
|
||||
rpowlesland,b5049d93,Roxane,Powlesland,Management
|
||||
okennealy,c03675ff,Orelle,Kennealy,Production
|
||||
ssoitoux,c4b0dc61,Sukey,Soitoux,Production
|
||||
nsyce,40b513f5,Nelli,Syce,Production
|
||||
cshillam,d963042c,Clarisse,Shillam,Production
|
||||
cgueny,965b0c91,Carin,Gueny,Management
|
||||
driepel,1fcb2d72,Donny,Riepel,Production
|
||||
dralfe,8c506545,Daniella,Ralfe,Production
|
||||
lclynmans,f107ef6e,Lexy,Clynmans,Production
|
||||
gadamthwaite,87b1a7a0,Gardiner,Adamthwaite,Production
|
||||
wlippett,c8829ebf,Woodman,Lippett,Production
|
||||
nmunnion,f874ffce,Nadya,Munnion,Production
|
||||
lhabershon,529dd157,Llewellyn,Habershon,Production
|
||||
igreatrex,70d37da4,Isaak,Greatrex,Production
|
||||
dfrostdyke,83578805,Darill,Frostdyke,Production
|
||||
|
Reference in New Issue
Block a user