forked from guillaume.emorine/siotp
Modifié : sisr1/tp07/files_firewall/current_ruleset_partie_6.nft
This commit is contained in:
guillaume.emorine
parent
16d4e5f813
commit
ef87bc36bb
@ -1,14 +1,18 @@
|
|||||||
|
# Définition des interfaces avec un nom
|
||||||
define netif = enp0s3
|
define netif = enp0s3
|
||||||
define dmzif = enp0s8
|
define dmzif = enp0s8
|
||||||
define lanif = enp0s9
|
define lanif = enp0s9
|
||||||
|
|
||||||
|
# Définition du réseau LAN
|
||||||
define lan-ntw = 10.0.0.0/24
|
define lan-ntw = 10.0.0.0/24
|
||||||
|
|
||||||
|
# Définition de l'IP du proxy, du DNS, du port du proxy et du réseau DMZ pour ne pas à tout retaper
|
||||||
define proxy = 10.121.38.1
|
define proxy = 10.121.38.1
|
||||||
define dns = {10.121.38.7 , 10.121.38.8}
|
define dns = {10.121.38.7 , 10.121.38.8}
|
||||||
define proxyport = 8080
|
define proxyport = 8080
|
||||||
define dmznet = 172.16.0.1-172.16.0.254
|
define dmznet = 172.16.0.1-172.16.0.254
|
||||||
|
|
||||||
|
# Définition des IPs des cartes de la machine firewall
|
||||||
define firewall = 192.168.0.120
|
define firewall = 192.168.0.120
|
||||||
define ipdmz = 172.16.0.254
|
define ipdmz = 172.16.0.254
|
||||||
define iplan = 10.0.0.254
|
define iplan = 10.0.0.254
|
||||||
@ -17,82 +21,170 @@ table ip ipfilter{
|
|||||||
|
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type filter hook prerouting priority filter; policy drop;
|
type filter hook prerouting priority filter; policy drop;
|
||||||
|
|
||||||
|
#Permet le passage des réponses aux requêtes acceptées
|
||||||
ct state established, related accept
|
ct state established, related accept
|
||||||
|
|
||||||
|
#Accepte les réponses ping
|
||||||
icmp type echo-reply accept
|
icmp type echo-reply accept
|
||||||
|
|
||||||
|
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ
|
||||||
icmp type echo-request iif {$lanif} ip daddr $dmznet accept
|
icmp type echo-request iif {$lanif} ip daddr $dmznet accept
|
||||||
|
|
||||||
|
#Même chose que plus haut, mais à destination de l'IP de la carte LAN du firewall
|
||||||
icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
|
icmp type echo-request iif {$lanif} ip daddr {$iplan} accept
|
||||||
tcp dport 20 accept
|
|
||||||
|
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||||
|
tcp dport 20 accept
|
||||||
tcp dport 21 accept
|
tcp dport 21 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes HTTP/HTTPS venant de la LAN
|
||||||
tcp dport {80, 443} ip saddr $lan-ntw accept
|
tcp dport {80, 443} ip saddr $lan-ntw accept
|
||||||
tcp sport {80, 443} ip saddr $lan-ntw accept
|
tcp sport {80, 443} ip saddr $lan-ntw accept
|
||||||
|
|
||||||
|
#Autorise le SSH
|
||||||
tcp dport 22 accept
|
tcp dport 22 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes DNS depuis la DMZ et le LAN
|
||||||
udp sport 53 iif {$dmzif, $lanif} accept
|
udp sport 53 iif {$dmzif, $lanif} accept
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes provenant du proxy avec ports HTTP/HTTPS
|
||||||
ip saddr $proxy tcp dport {80, 443} accept
|
ip saddr $proxy tcp dport {80, 443} accept
|
||||||
|
|
||||||
|
#Autorise les requêtes qui vont vers le serveur DNS
|
||||||
ip daddr $dns accept
|
ip daddr $dns accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain system_in {
|
chain system_in {
|
||||||
type filter hook input priority filter; policy drop;
|
type filter hook input priority filter; policy drop;
|
||||||
|
|
||||||
|
#Permet le passage des réponses aux requêtes acceptées
|
||||||
ct state established, related accept
|
ct state established, related accept
|
||||||
|
|
||||||
|
#Accepte les réponses ping
|
||||||
icmp type echo-reply accept
|
icmp type echo-reply accept
|
||||||
|
|
||||||
|
#Accepte les requêtes de ping si elles viennent du LAN
|
||||||
icmp type echo-request iif {$lanif} accept
|
icmp type echo-request iif {$lanif} accept
|
||||||
|
|
||||||
|
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||||
tcp dport 20 accept
|
tcp dport 20 accept
|
||||||
tcp dport 21 accept
|
tcp dport 21 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes HTTP/HTTPS
|
||||||
tcp dport {80, 443} accept
|
tcp dport {80, 443} accept
|
||||||
|
|
||||||
|
#Autorise le SSH
|
||||||
tcp dport 22 accept
|
tcp dport 22 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes DNS
|
||||||
udp sport 53 accept
|
udp sport 53 accept
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes provenant du proxy avec ports HTTP/HTTPS
|
||||||
ip saddr $proxy tcp dport {80, 443} accept
|
ip saddr $proxy tcp dport {80, 443} accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain routing {
|
chain routing {
|
||||||
type filter hook forward priority filter; policy drop;
|
type filter hook forward priority filter; policy drop;
|
||||||
|
|
||||||
|
#Permet le passage des réponses aux requêtes acceptées
|
||||||
ct state established, related accept
|
ct state established, related accept
|
||||||
|
|
||||||
|
#Accepte les requêtes de ping si elles viennent du LAN, à destination de la DMZ
|
||||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||||
|
|
||||||
|
#Même chose que plus haut, mais à destination de l'IP de la carte LAN du firewall
|
||||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||||
|
|
||||||
|
#Autorise les requêtes HTTP/HTTPS venant de la LAN
|
||||||
tcp dport {80, 443} ip saddr $lan-ntw accept
|
tcp dport {80, 443} ip saddr $lan-ntw accept
|
||||||
tcp sport {80, 443} ip saddr $lan-ntw accept
|
tcp sport {80, 443} ip saddr $lan-ntw accept
|
||||||
|
|
||||||
|
#Autorise les requêtes DNS depuis la DMZ et le LAN
|
||||||
udp sport 53 iif {$lanif, $dmzif} accept
|
udp sport 53 iif {$lanif, $dmzif} accept
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes qui vont vers le serveur DNS
|
||||||
ip daddr $dns accept
|
ip daddr $dns accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain system_out {
|
chain system_out {
|
||||||
type filter hook output priority filter; policy drop;
|
type filter hook output priority filter; policy drop;
|
||||||
|
|
||||||
|
#Autorise les requêtes qui vont vers le serveur DNS
|
||||||
ip daddr $dns accept
|
ip daddr $dns accept
|
||||||
|
|
||||||
|
#Autorise les requêtes provenant du proxy, depuis le port 8080
|
||||||
ip daddr $proxy tcp dport $proxyport accept
|
ip daddr $proxy tcp dport $proxyport accept
|
||||||
|
|
||||||
|
#Accepte les requêtes de ping si elles viennent du LAN
|
||||||
icmp type echo-reply oif {$lanif} accept
|
icmp type echo-reply oif {$lanif} accept
|
||||||
|
|
||||||
|
#Accepte les requêtes ping
|
||||||
icmp type echo-request accept
|
icmp type echo-request accept
|
||||||
|
|
||||||
|
#Autorise les requêtes ayant pour port de destination les ports FTP
|
||||||
tcp dport 20 accept
|
tcp dport 20 accept
|
||||||
tcp sport 20 accept
|
tcp sport 20 accept
|
||||||
tcp dport 21 accept
|
tcp dport 21 accept
|
||||||
tcp sport 21 accept
|
tcp sport 21 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes provenant des ports HTTP/HTTPS
|
||||||
tcp dport {80, 443} accept
|
tcp dport {80, 443} accept
|
||||||
tcp sport {80, 443} accept
|
tcp sport {80, 443} accept
|
||||||
|
|
||||||
|
#Autorise le SSH
|
||||||
tcp sport 22 accept
|
tcp sport 22 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes DNS
|
||||||
udp sport 53 accept
|
udp sport 53 accept
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type filter hook postrouting priority filter; policy drop;
|
type filter hook postrouting priority filter; policy drop;
|
||||||
|
|
||||||
|
#Permet le passage des réponses aux requêtes acceptées
|
||||||
ct state established, related accept
|
ct state established, related accept
|
||||||
|
|
||||||
|
#Autorise les requêtes qui vont vers le serveur DNS
|
||||||
ip daddr $dns accept
|
ip daddr $dns accept
|
||||||
|
|
||||||
|
#Autorise les requêtes allant vers le proxy avec le port 8080
|
||||||
ip daddr $proxy tcp dport $proxyport accept
|
ip daddr $proxy tcp dport $proxyport accept
|
||||||
|
|
||||||
|
#Autorise les requêtes ping venant des cartes LAN, DMZ et la carte en pont du firewall
|
||||||
icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
|
icmp type echo-request ip saddr {$iplan, $ipdmz, $firewall} accept
|
||||||
|
|
||||||
|
#Autorise les réponses ping si elles viennent de la DMZ à destination du LAN
|
||||||
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
icmp type echo-reply iif {$dmzif} oif {$lanif} accept
|
||||||
|
|
||||||
|
#Autorise les requêtes ping venant de la LAN à destination de la DMZ
|
||||||
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
icmp type echo-request iif {$lanif} oif {$dmzif} accept
|
||||||
|
|
||||||
|
#Autorise les requêtes ping ayant le LAN pour origine, à destination de la carte LAN du firewall
|
||||||
icmp type echo-request ip saddr $iplan oif $lanif accept
|
icmp type echo-request ip saddr $iplan oif $lanif accept
|
||||||
|
|
||||||
|
#Autorise les requêtes FTP
|
||||||
tcp dport 20 accept
|
tcp dport 20 accept
|
||||||
tcp sport 20 accept
|
tcp sport 20 accept
|
||||||
tcp dport 21 accept
|
tcp dport 21 accept
|
||||||
tcp sport 21 accept
|
tcp sport 21 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes ayant pour ports HTTP et HTTPS comme ports de destination et de source
|
||||||
tcp dport {80, 443} accept
|
tcp dport {80, 443} accept
|
||||||
tcp sport {80, 443} accept
|
tcp sport {80, 443} accept
|
||||||
|
|
||||||
|
#Autorise le SSH
|
||||||
tcp sport 22 accept
|
tcp sport 22 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes DNS
|
||||||
udp sport 53 accept
|
udp sport 53 accept
|
||||||
udp dport 53 accept
|
udp dport 53 accept
|
||||||
|
|
||||||
|
#Autorise les requêtes provenant du DNS
|
||||||
ip daddr $dns accept
|
ip daddr $dns accept
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user