diff --git a/scriptsnft/current_ruleset.nft b/scriptsnft/current_ruleset.nft
deleted file mode 100644
index f88dcdc..0000000
--- a/scriptsnft/current_ruleset.nft
+++ /dev/null
@@ -1,68 +0,0 @@
-define netif = enp0s3
-define dmzif = enp0s8
-define lanif = enp0s9
-
-define firewall = 192.168.0.140
-define ipdmz = 172.16.0.254
-define iplan = 10.0.0.254
-
-table ip ipfilter{
- chain prerouting {
- type filter hook prerouting priority filter; policy drop;
- icmp type echo-reply accept
- ct state established, related accept
- icmp type echo-request iif {$lanif} ip daddr 172.16.0.1-172.16.0.254 accept
- icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
- tcp dport 20 accept
- tcp dport 21 accept
- tcp dport {80, 443} accept
- tcp dport 22 accept
- ip saddr 10.121.38.1 tcp dport {80, 443} accept
- }
- chain system_in {
- type filter hook input priority filter; policy drop;
- icmp type echo-reply accept
- icmp type echo-request iif {$lanif} accept
- ct state established, related accept
- tcp dport 20 accept
- tcp dport 21 accept
- tcp dport {80, 443} accept
- tcp dport 22 accept
- ip saddr 10.121.38.1 tcp dport {80, 443} accept
- }
- chain routing {
- type filter hook forward priority filter; policy drop;
- icmp type echo-request iif {$lanif} oif {$dmzif} accept
- icmp type echo-reply iif {$dmzif} oif {$lanif} accept
- }
- chain system_out {
- type filter hook output priority filter; policy drop;
- ip daddr 10.121.38.7-10.121.38.8 accept
- ip daddr 10.121.38.1 tcp dport 8080 accept
- icmp type echo-reply oif {$lanif} accept
- icmp type echo-request accept
- tcp dport 20 accept
- tcp sport 20 accept
- tcp dport 21 accept
- tcp sport 21 accept
- tcp dport {80, 443} accept
- tcp sport {80, 443} accept
- tcp sport 22 accept
- }
- chain postrouting {
- type filter hook postrouting priority filter; policy drop;
- ip daddr 10.121.38.7-10.121.38.8 accept
- ip daddr 10.121.38.1 tcp dport 8080 accept
- icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
- icmp type echo-reply iif {$dmzif} oif {$lanif} accept
- icmp type echo-request iif {$lanif} oif {$dmzif} accept
- icmp type echo-request ip saddr $iplan oif $lanif accept
- tcp dport 20 accept
- tcp sport 20 accept
- tcp dport 21 accept
- tcp sport 21 accept
- tcp dport {80, 443} accept
- tcp sport {80, 443} accept
- tcp sport 22 accept
- }
-}
diff --git a/scriptsnft/fw_part1.nft b/scriptsnft/fw_part1.nft
deleted file mode 100644
index 5302461..0000000
--- a/scriptsnft/fw_part1.nft
+++ /dev/null
@@ -1,18 +0,0 @@
-define netif = enp0s3
-define dmzif = enp0s8
-define lanif = enp0s9
-
-
-table ip ipfilter {
- chain routing {
- type filter hook forward priority filter; policy accept;
- icmp type echo-request iif { "$netif", "$dmzif" } drop
- icmp type { echo-reply, echo-request } accept
- drop
- }
-
- chain system_in {
- type filter hook input priority filter; policy accept;
- icmp type echo-request iif { "$netif", "$dmzif" } drop
- }
-}
diff --git a/scriptsnft/fw_part2.nft b/scriptsnft/fw_part2.nft
deleted file mode 100644
index adf0209..0000000
--- a/scriptsnft/fw_part2.nft
+++ /dev/null
@@ -1,34 +0,0 @@
-define netif = enp0s3
-define dmzif = enp0s8
-define lanif = enp0s9
-
-
-table ip ipfilter {
-
- chain prerouting {
- type filter hook prerouting priority filter; policy drop;
- tcp dport 22 accept
- }
-
- chain routing {
- type filter hook forward priority filter; policy drop;
- icmp type echo-request iif { $netif, $dmzif } drop
- icmp type { echo-reply, echo-request } accept
- }
-
- chain system_in {
- type filter hook input priority filter; policy drop;
- icmp type echo-request iif { $netif, $dmzif } drop
- tcp dport 22 accept
- }
-
- chain system_out {
- type filter hook output priority filter; policy drop;
- tcp sport 22 accept
- }
-
- chain postrouting {
- type filter hook postrouting priority filter; policy drop;
- tcp sport 22 accept
- }
-}
diff --git a/scriptsnft/fw_part3.nft b/scriptsnft/fw_part3.nft
deleted file mode 100644
index ed18634..0000000
--- a/scriptsnft/fw_part3.nft
+++ /dev/null
@@ -1,41 +0,0 @@
-define netif = enp0s3
-define dmzif = enp0s8
-define lanif = enp0s9
-define netip = 192.168.0.140
-define dmzip = 172.16.0.254
-define lanip = 10.0.0.254
-
-table ip ipfilter{
- chain prerouting {
- type filter hook prerouting priority filter; policy drop;
- icmp type echo-request iif $lanif ip daddr 172.16.0.1-172.16.0.254 accept
- icmp type echo-request iif $lanif ip daddr $lanip accept
- icmp type echo-reply accept
- tcp dport 22 accept
- }
- chain system_in {
- type filter hook input priority filter; policy drop;
- icmp type echo-request iif $lanif accept
- icmp type echo-reply accept
- tcp dport 22 accept
- }
- chain routing {
- type filter hook forward priority filter; policy drop;
- icmp type echo-request iif $lanif oif $dmzif accept
- icmp type echo-reply iif $dmzif oif $lanif accept
- }
- chain system_out {
- type filter hook output priority filter; policy drop;
- icmp type echo-request accept
- icmp type echo-reply oif $lanif accept
- tcp sport 22 accept
- }
- chain postrouting {
- type filter hook postrouting priority filter; policy drop;
- icmp type echo-request ip saddr {$lanip , $dmzip , $netip } accept
- icmp type echo-request iif $lanif oif $dmzif accept
- icmp type echo-reply iif $dmzif oif $lanif accept
- icmp type echo-reply ip saddr $lanip oif $lanif accept
- tcp sport 22 accept
- }
-}
diff --git a/scriptsnft/refresh_firewall.sh b/scriptsnft/refresh_firewall.sh
deleted file mode 100644
index 070243f..0000000
--- a/scriptsnft/refresh_firewall.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# active le routage entre les interfaces réseau du firewall
-echo "1" > /proc/sys/net/ipv4/ip_forward
-#vide les règles actuelles du pare-feu
-nft flush ruleset
-#charge les règles du pare-feu présentes dans le fichier
-nft -f /root/scriptsnft/current_ruleset.nft
diff --git a/scriptsnft/fw_part4.nft b/siotp/sisr1/TP7/scriptsnft/fw_part4.nft
similarity index 100%
rename from scriptsnft/fw_part4.nft
rename to siotp/sisr1/TP7/scriptsnft/fw_part4.nft