Modifié : sisr1/tp07/files_firewall/current_ruleset_partie_4.nft

Modifié :         sisr1/tp07/files_firewall/current_ruleset_partie_5.nft
This commit is contained in:
guillaume.emorine 2024-04-08 09:30:01 +02:00
parent d11c83d26c
commit a500d08cef
2 changed files with 75 additions and 60 deletions


@ -2,8 +2,10 @@ define netif = enp0s3
define dmzif = enp0s8 define dmzif = enp0s8
define lanif = enp0s9 define lanif = enp0s9
define lan-ntw = 10.0.0.0/24
define proxy = 10.121.38.1 define proxy = 10.121.38.1
defiine dns = {10.121.38.7 , 10.121.38.8} define dns = {10.121.38.7 , 10.121.38.8}
define proxyport = 8080 define proxyport = 8080
define dmznet = 172.16.0.1-172.16.0.254 define dmznet = 172.16.0.1-172.16.0.254


@ -1,76 +1,89 @@
table ip ipfilter { define netif = enp0s3
define dmzif = enp0s8
define lanif = enp0s9
define lan-ntw = 10.0.0.0/24
define proxy = 10.121.38.1
define dns = {10.121.38.7 , 10.121.38.8}
define proxyport = 8080
define dmznet = 172.16.0.1-172.16.0.254
define firewall = 192.168.0.120
define ipdmz = 172.16.0.254
define iplan = 10.0.0.254
table ip ipfilter{
chain prerouting { chain prerouting {
type filter hook prerouting priority filter; policy drop; type filter hook prerouting priority filter; policy drop;
ct state established, related accept
icmp type echo-reply accept icmp type echo-reply accept
ct state established,related accept icmp type echo-request iif {$lanif} ip daddr $dmznet accept
icmp type echo-request iif "enp0s9" ip daddr 172.16.0.1-172.16.0.254 accept icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
icmp type echo-request iif "enp0s9" ip daddr 10.0.0.254 accept tcp dport 20 accept
tcp dport 20 accept tcp dport 21 accept
tcp dport 21 accept tcp dport {80, 443} ip saddr $lan-ntw accept
tcp dport { 80, 443 } accept tcp sport {80, 443} ip saddr $lan-ntw accept
tcp dport 22 accept tcp dport 22 accept
ip saddr 10.121.38.1 tcp dport { 80, 443 } accept ip saddr $proxy tcp dport {80, 443} accept
} }
chain system_in { chain system_in {
type filter hook input priority filter; policy drop; type filter hook input priority filter; policy drop;
ct state established, related accept
icmp type echo-reply accept icmp type echo-reply accept
icmp type echo-request iif "enp0s9" accept icmp type echo-request iif {$lanif} accept
ct state established,related accept tcp dport 20 accept
tcp dport 20 accept tcp dport 21 accept
tcp dport 21 accept tcp dport {80, 443} accept
tcp dport { 80, 443 } accept tcp dport 22 accept
tcp dport 22 accept ip saddr $proxy tcp dport {80, 443} accept
ip saddr 10.121.38.1 tcp dport { 80, 443 } accept }
chain routing {
type filter hook forward priority filter; policy drop;
ct state established, related accept
icmp type echo-request iif {$lanif} oif {$dmzif} accept
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
tcp dport {80, 443} ip saddr $lan-ntw accept
tcp sport {80, 443} ip saddr $lan-ntw accept
} }
chain system_out {
chain routing { type filter hook output priority filter; policy drop;
type filter hook forward priority filter; policy drop; ip daddr $dns accept
icmp type echo-request iif "enp0s9" oif "enp0s8" accept ip daddr $proxy tcp dport $proxyport accept
icmp type echo-reply iif "enp0s8" oif "enp0s9" accept icmp type echo-reply oif {$lanif} accept
}
chain system_out {
type filter hook output priority filter; policy drop;
ip daddr { 10.121.38.7, 10.121.38.8 } accept
ip daddr 10.121.38.1 tcp dport 8080 accept
icmp type echo-reply oif "enp0s9" accept
icmp type echo-request accept icmp type echo-request accept
tcp dport 20 accept tcp dport 20 accept
tcp sport 20 accept tcp sport 20 accept
tcp dport 21 accept tcp dport 21 accept
tcp sport 21 accept tcp sport 21 accept
tcp dport { 80, 443 } accept tcp dport {80, 443} accept
tcp sport { 80, 443 } accept tcp sport {80, 443} accept
tcp sport 22 accept tcp sport 22 accept
} }
chain postrouting { chain postrouting {
type filter hook postrouting priority filter; policy drop; type filter hook postrouting priority filter; policy drop;
ip daddr { 10.121.38.7, 10.121.38.8 } accept ct state established, related accept
ip daddr 10.121.38.1 tcp dport 8080 accept ip daddr $dns accept
icmp type echo-request ip saddr { 10.0.0.254, 172.16.0.254, 192.168.0.120 } accept ip daddr $proxy tcp dport $proxyport accept
icmp type echo-reply iif "enp0s8" oif "enp0s9" accept icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
icmp type echo-request iif "enp0s9" oif "enp0s8" accept icmp type echo-reply iif {$dmzif} oif {$lanif} accept
icmp type echo-request ip saddr 10.0.0.254 oif "enp0s9" accept icmp type echo-request iif {$lanif} oif {$dmzif} accept
tcp dport 20 accept icmp type echo-request ip saddr $iplan oif $lanif accept
tcp sport 20 accept tcp dport 20 accept
tcp dport 21 accept tcp sport 20 accept
tcp sport 21 accept tcp dport 21 accept
tcp dport { 80, 443 } accept tcp sport 21 accept
tcp sport { 80, 443 } accept tcp dport {80, 443} accept
tcp sport {80, 443} accept
tcp sport 22 accept tcp sport 22 accept
} }
chain nat_prerouting { chain pre_nat {
type nat hook prerouting priority filter; policy drop; type nat hook prerouting priority filter; policy accept;
tcp dport { 80, 443 } accept
tcp dport 22 accept
} }
chain nat_postrouting {
type nat hook postrouting priority filter; policy drop; chain post_nat {
tcp dport { 80, 443 } accept type nat hook postrouting priority filter; policy accept;
tcp sport { 80, 443 } accept ip saddr $lan-ntw oif $netif snat $firewall
tcp sport 22 accept
} }
} }
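Review bot: Both nat chains (`pre_nat`, `post_nat`) are registered at `priority filter`, the same priority as the filter chains on the same hooks, so the order in which `post_nat`'s SNAT and the `postrouting` filter chain see a packet is unspecified; the conventional form is `type nat hook prerouting priority dstnat; policy accept;` and `type nat hook postrouting priority srcnat; policy accept;`, which guarantees SNAT runs after filtering, and the statement itself is clearer in the documented form `ip saddr $lan-ntw oif $netif snat to $firewall`. In `routing` and `prerouting`, `tcp sport {80, 443} ip saddr $lan-ntw accept` is now redundant with the added `ct state established, related accept` and, under `policy drop`, lets any LAN host reach any destination port simply by binding its source port to 80 or 443; the `tcp sport` rules in `system_out` and `postrouting` follow the same weak pattern. Since the nat chains were renamed (`nat_prerouting` → `pre_nat`, `nat_postrouting` → `post_nat`) and the file does not begin with `flush ruleset`, applying it with `nft -f` over the previously loaded ruleset would presumably leave the old `policy drop` nat chains registered on the same hooks; adding `flush ruleset` as the first line would avoid that if this is how the file is loaded. Finally, `tcp dport 22 accept` in `system_in` carries no `iif` restriction, so SSH is accepted from `$netif` as well; `iif $lanif tcp dport 22 accept` would limit it to the LAN if that is the intent.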