Nouveau fichier : sisr1/tp07/files_firewall/current_ruleset_partie_5.nft

2024-04-04 14:57:58 +02:00 · 2024-04-04 14:57:58 +02:00 · d11c83d26c
commit d11c83d26c
parent 9e390644e7
1 changed files with 76 additions and 0 deletions
--- a/sisr1/tp07/files_firewall/current_ruleset_partie_5.nft
+++ b/sisr1/tp07/files_firewall/current_ruleset_partie_5.nft
@ -0,0 +1,76 @@
+table ip ipfilter {
+	chain prerouting {
+		type filter hook prerouting priority filter; policy drop;
+		icmp type echo-reply accept
+		ct state established,related accept
+		icmp type echo-request iif "enp0s9" ip daddr 172.16.0.1-172.16.0.254 accept
+		icmp type echo-request iif "enp0s9" ip daddr 10.0.0.254 accept
+		tcp dport 20 accept
+		tcp dport 21 accept
+		tcp dport { 80, 443 } accept
+		tcp dport 22 accept
+		ip saddr 10.121.38.1 tcp dport { 80, 443 } accept
+	}
+
+	chain system_in {
+		type filter hook input priority filter; policy drop;
+		icmp type echo-reply accept
+		icmp type echo-request iif "enp0s9" accept
+		ct state established,related accept
+		tcp dport 20 accept
+		tcp dport 21 accept
+		tcp dport { 80, 443 } accept
+		tcp dport 22 accept
+		ip saddr 10.121.38.1 tcp dport { 80, 443 } accept
+	}
+
+	chain routing {
+		type filter hook forward priority filter; policy drop;
+		icmp type echo-request iif "enp0s9" oif "enp0s8" accept
+		icmp type echo-reply iif "enp0s8" oif "enp0s9" accept
+	}
+
+	chain system_out {
+		type filter hook output priority filter; policy drop;
+		ip daddr { 10.121.38.7, 10.121.38.8 } accept
+		ip daddr 10.121.38.1 tcp dport 8080 accept
+		icmp type echo-reply oif "enp0s9" accept
+		icmp type echo-request accept
+		tcp dport 20 accept
+		tcp sport 20 accept
+		tcp dport 21 accept
+		tcp sport 21 accept
+		tcp dport { 80, 443 } accept
+		tcp sport { 80, 443 } accept
+		tcp sport 22 accept
+	}
+
+	chain postrouting {
+		type filter hook postrouting priority filter; policy drop;
+		ip daddr { 10.121.38.7, 10.121.38.8 } accept
+		ip daddr 10.121.38.1 tcp dport 8080 accept
+		icmp type echo-request ip saddr { 10.0.0.254, 172.16.0.254, 192.168.0.120 } accept
+		icmp type echo-reply iif "enp0s8" oif "enp0s9" accept
+		icmp type echo-request iif "enp0s9" oif "enp0s8" accept
+		icmp type echo-request ip saddr 10.0.0.254 oif "enp0s9" accept
+		tcp dport 20 accept
+		tcp sport 20 accept
+		tcp dport 21 accept
+		tcp sport 21 accept
+		tcp dport { 80, 443 } accept
+		tcp sport { 80, 443 } accept
+		tcp sport 22 accept
+	}
+
+	chain nat_prerouting {
+		type nat hook prerouting priority filter; policy drop;
+		tcp dport { 80, 443 } accept
+		tcp dport 22 accept
+	}
+	chain nat_postrouting {
+		type nat hook postrouting priority filter; policy drop;
+		tcp dport { 80, 443 } accept
+		tcp sport { 80, 443 } accept
+		tcp sport 22 accept
+	}
+}