Changement de la mise en forme, sera supprimé si le téléchargement du fichier ruine la mise en forme originale du code.
# --- Interfaces -------------------------------------------------------------
# $netif is the upstream side (the post_nat chain SNATs LAN traffic leaving
# it), $dmzif the DMZ segment, $lanif the LAN segment.
define netif     = enp0s3
define dmzif     = enp0s8
define lanif     = enp0s9

# --- Networks ---------------------------------------------------------------
define lan-ntw   = 10.0.0.0/24
define dmznet    = 172.16.0.1-172.16.0.254   # address range, not a prefix

# --- Upstream services the firewall itself talks to -------------------------
define proxy     = 10.121.38.1
define proxyport = 8080
define dns       = { 10.121.38.7, 10.121.38.8 }

# --- Addresses held by the firewall on each side ----------------------------
define firewall  = 192.168.0.120   # upstream-side address, SNAT source
define ipdmz     = 172.16.0.254
define iplan     = 10.0.0.254
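# Three-legged filter for a LAN / DMZ / upstream router. Every filter chain
# has policy drop; the prerouting chain is a first gate in front of the
# input and forward chains, so its rules must stay in sync with them.
#
# Review changes versus the original ruleset:
#  * loopback was dropped everywhere (no "iif lo"/"oif lo" rule);
#  * "ip saddr $lan-ntw" was accepted on any interface, so a spoofed
#    10.0.0.0/24 source arriving on $netif or $dmzif was forwarded;
#  * "tcp sport {80, 443} ip saddr $lan-ntw accept" let any LAN host bypass
#    the policy by binding to port 80/443 - replies are already covered by
#    "ct state established";
#  * SSH/FTP (20/21/22) were accepted from every interface, including the
#    upstream side; they are now LAN-only (widen if remote management is
#    really intended);
#  * the nat chains used "priority filter", which leaves their order relative
#    to the filter chains at the same priority undefined; they now use the
#    standard dstnat/srcnat priorities.
table ip ipfilter {

    # First gate for every packet entering the host (local or forwarded).
    chain prerouting {
        type filter hook prerouting priority filter; policy drop;

        # Tracked flows: drop what conntrack cannot classify, accept the rest.
        ct state invalid drop
        ct state established, related accept

        # Loopback traffic is not subject to this policy.
        iif lo accept

        # Anti-spoofing: a LAN source address is only credible on $lanif.
        ip saddr $lan-ntw iif != $lanif drop

        icmp type echo-reply accept
        icmp type echo-request iif $lanif ip daddr $dmznet accept
        icmp type echo-request iif $lanif ip daddr $iplan accept

        # FTP control and SSH management, LAN side only.
        # NOTE(review): port 20 is kept from the original, but active-mode
        # FTP data connections use 20 as their *source* port, so an inbound
        # "dport 20" rule only matters if something actually listens on 20;
        # the usual answer is the FTP conntrack helper, which makes the data
        # connection arrive as "related".
        tcp dport { 20, 21, 22 } iif $lanif accept

        # Web traffic: LAN clients (to the DMZ or upstream) and the proxy
        # towards the firewall itself.
        tcp dport { 80, 443 } ip saddr $lan-ntw iif $lanif accept
        ip saddr $proxy tcp dport { 80, 443 } accept
    }

    # Packets addressed to the firewall itself.
    chain system_in {
        type filter hook input priority filter; policy drop;

        ct state invalid drop
        ct state established, related accept
        iif lo accept

        icmp type echo-reply accept
        icmp type echo-request iif $lanif accept

        tcp dport { 20, 21, 22 } iif $lanif accept

        # The prerouting chain only lets new 80/443 connections through from
        # $lan-ntw or $proxy, so this states the same thing explicitly. In the
        # original, an unconditional "tcp dport {80, 443} accept" also made
        # the proxy rule unreachable.
        tcp dport { 80, 443 } iif $lanif accept
        ip saddr $proxy tcp dport { 80, 443 } accept
    }

    # Packets routed between interfaces.
    chain routing {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        ct state established, related accept

        # Pings LAN -> DMZ and their replies.
        icmp type echo-request iif $lanif oif $dmzif accept
        icmp type echo-reply iif $dmzif oif $lanif accept

        # LAN clients to web services, wherever they are; traffic leaving on
        # $netif is SNATed by post_nat. Bound to $lanif so a spoofed LAN source
        # on another interface is never forwarded. Replies are "established".
        tcp dport { 80, 443 } ip saddr $lan-ntw iif $lanif accept
    }

    # Packets generated by the firewall itself.
    chain system_out {
        type filter hook output priority filter; policy drop;

        # Replies to connections the input chain accepted. The original used
        # "tcp sport ..." rules for this; conntrack is the right tool. The FTP
        # source-port rules stay because an active-mode data connection from
        # port 20 is "new" unless the FTP helper is in use.
        ct state established, related accept
        oif lo accept

        ip daddr $dns accept
        ip daddr $proxy tcp dport $proxyport accept

        icmp type echo-reply oif $lanif accept
        icmp type echo-request accept

        tcp dport { 20, 21 } accept
        tcp sport { 20, 21 } accept

        # NOTE(review): lets the firewall reach any web server directly,
        # bypassing $proxy - remove if the proxy is meant to be mandatory.
        tcp dport { 80, 443 } accept
    }

    # Last filter stage for everything leaving the host; the forward and
    # output chains have already decided, this only re-states what may exit.
    chain postrouting {
        type filter hook postrouting priority filter; policy drop;

        ct state established, related accept
        oif lo accept

        ip daddr $dns accept
        ip daddr $proxy tcp dport $proxyport accept

        icmp type echo-request ip saddr { $iplan, $ipdmz, $firewall } accept
        icmp type echo-reply iif $dmzif oif $lanif accept
        icmp type echo-request iif $lanif oif $dmzif accept
        icmp type echo-request ip saddr $iplan oif $lanif accept

        tcp dport { 20, 21 } accept
        tcp sport { 20, 21 } accept
        tcp dport { 80, 443 } accept
    }

    # Destination NAT slot (empty). Standard priority -100: before the
    # routing decision and before the filter prerouting chain.
    chain pre_nat {
        type nat hook prerouting priority dstnat; policy accept;
    }

    # Source NAT for LAN traffic leaving upstream. Standard priority 100,
    # i.e. after the filter postrouting chain, which therefore still sees
    # the real LAN source address.
    chain post_nat {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $lan-ntw oif $netif snat to $firewall
    }
}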