depot du TP6

sisr1/Bts-blanc/creatGroups.sh

@@ -0,0 +1,18 @@
+groupadd TeamLead
+mkdir /home/planning
+chgrp TeamLead /home/planning
+chmod 774 /home/planning
+
+fichier=Users.csv
+
+while read ligne # définit la varaible "ligne" comme contenue de la ligne du fichier en cours de lecture
+do
+    metier=$(echo $ligne | cut -d "," -f5) #A chhaque utilisateur itération, stocker le métier
+    echo $metier
+    if [[ $(grep $metier /etc/group) == "" ]] ; then
+        groupadd $metier
+        mkdir /home/$metier
+        chgrp $metier /home/$metier
+        chmod 770 /home/$metier
+    fi
+done < $fichier

sisr1/Bts-blanc/createUsers.sh

@@ -0,0 +1,25 @@
+file=./login.csv
+file1=./Users.csv
+while read ligne
+do 
+    username=$(echo $ligne | cut -d ";" -f1)
+    useradd -m -s "/bin/bash" $username
+    roup=$(echo $ligne | cut -d ";" -f5)
+    usermod -aG $group $username
+    password=$(echo $ligne | cut -d ";" -f2)
+    echo $username:$password | chpasswd
+    chown $username:$username /home/$username
+done <$file
+while read ligne
+do
+    last_name=$(echo $ligne | cut -d "," -f2) # récupération du nom a chaque ligne
+    first_name=$(echo $ligne | cut -d "," -f1) # récupération du prénom a chaque ligne
+    login=$(echo $first_name | cut -c1)$last_name # creation d'un login
+    login=$(echo $login | tr [:upper:] [:lower:]) #passage de toute les lettre du nom et prenom en minuscule
+    login=$(echo $login | tr -dc [:alnum:]) #Prise en compte des caractere uniquement alphabéticonumérique
+    group=$(echo $ligne | cut -d "," -f6)
+    getent group $group
+    if [[ $group == "TeamLead" ]] ; then
+        usermod –aG $group $login
+    fi
+done < $file1

sisr1/README.md

@@ -15,4 +15,10 @@ Travaux pratiques de première année : option SISR
   * Construction d'un reséaux interne virtuelle
   * Configuration de serveurs DNS Primaires et secondaires
   * automatisation du lacement du script NAT
-  * Configuration du service DHCP pour utiliser ces DNS 
+  * Configuration du service DHCP pour utiliser ces DNS 
+
+  **- Tp04-bases-d'administration**
+
+  **- TP05-proxy**
+
+  **- Tp06-Firewall**

sisr1/TP04-Bases-d'administration/README.md

@@ -0,0 +1 @@
+# Droit d'acces appliquée au dossier

sisr1/TP04-Bases-d'administration/createGroups.sh

@@ -1,31 +1,12 @@
 #!/bin/bash
 
-file='./Users.csv'
+fichier=Users.csv
 
-while read ligne
+while read ligne # définit la varaible "ligne" comme contenue de la ligne du fichier en cours de lecture
 do
-    # A chaque itération, stocker le métier dans $metier
+    metier=$(echo $ligne | cut -d "," -f5) #A chhaque utilisateur itération, stocker le métier
-    metier=$(echo $ligne | cut -d "," -f5)
+    echo $metier
-
+    if [[ $(grep $metier /etc/group) == "" ]] ; then
-    # On regarde si les group existe
+        groupadd $metier
-    # tail /etc/group
-
-    # Vérification de la présence du groupe Accountant -> ajout de la fonction "Accountant" à $groups
-    if [[ $(echo $ligne | grep "Accountant") == "" ]] ; then
-        groupadd accountant
     fi
-
+done < $fichier
-    # Vérification de la présence du groupe Management -> ajout de la fonction "Management" à $groups
-    if [[ $(echo $ligne | grep "Management") == "" ]] ; then
-        groupadd management
-    fi
-
-    # Vérification de la présence du groupe Production -> ajout de la fonction "Production" à $groups
-    if [[ $(echo $ligne | grep "Production") == "" ]] ; then
-        groupadd production
-    fi
-
-    # On regarde si les groups ont été créé
-    # tail /etc/group
-    # echo $metier
-done < $file

sisr1/TP04-Bases-d'administration/createUsers.sh

@@ -13,8 +13,8 @@ do
     
     echo $username:$password | chpasswd
 
-    chown $username:$username /hom/$username
+    chown $username:$username /home/$username
 
-done <$fichier
+done <$file
 
 

sisr1/TP04-Bases-d'administration/deployUsers.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+ip=$1
+user=root
+workdir=/$user/deploy
+
+ssh $user@$ip "mkdir $workdir" 2> /dev/null
+
+#copie des  scripts et fichier
+scp createGroups.sh $user@$ip:$workdir
+scp createUsers.sh $user@$ip:$workdir
+scp login.csv $user@$ip:$workdir
+scp Users.csv $user@$ip:$workdir
+
+#execution des scripts
+ssh $user@$ip "cd $workdir ; bash createGroups.sh ; bash createUsers.sh"
+
+ssh $user@$ip "rm -R $workdir" #suppression

sisr1/TP04-Bases-d'administration/gitpush.sh

@@ -13,4 +13,4 @@ git add .
 git commit -m "$message"
 
 # Push  vers le dépot
-git push -u https://redouane.assani@gitea.lyc-lecastel.fr/redouane.assani/siotp.git
+git push https://redouane.assani@gitea.lyc-lecastel.fr/redouane.assani/siotp.git

sisr1/TP05-installation-proxy/gitpush.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ -z "$1" ] ; then
+    read -p "Erreur: Ecrivez un message " $message
+else 
+    message=$1
+fi
+
+# Ajout des fichiers modifiers
+git add .
+
+# Commit avec le message
+git commit -m "$message"
+
+# Push  vers le dépot
+git push https://redouane.assani@gitea.lyc-lecastel.fr/redouane.assani/siotp.git

sisr1/TP05-installation-proxy/nat/dnsfwd.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+echo "1" > /proc/sys/net/ipv4/ip_forward
+nft add table dnsfwd
+nft add chain dnsfwd prerouting {type nat hook prerouting priority 0 \; }
+nft add chain dnsfwd postrouting {type nat hook postrouting priority 0 \; }
+nft add rule dnsfwd postrouting tcp dport 53 masquerade
+nft add rule dnsfwd postrouting udp dport 53 masquerade
+nft add rule dnsfwd prerouting tcp dport 53 masquerade
+nft add rule dnsfwd prerouting udp dport 53 masquerade
+nft add rule dnsfwd prerouting ct state established,related accept
+nft add rule dnsfwd postrouting ct state established,related accept

sisr1/TP05-installation-proxy/squid/majservice.sh

@@ -0,0 +1,16 @@
+#Script destiné a être paramétré et exécuté depuis un repertoire de votre depots git
+#contenant un fichier de coinfiguration d'un service
+filename=squid.conf # nom du fichier config
+filepath=/etc/squid # emplacement systeme du fichier config
+servicename=squid.service #nom du service 
+
+git pull # mise a jour du fichier de config du dépôt
+
+sudo cp $filepath/$filename $filepath/$filename.old
+#sauvegarde fichier précédente
+
+sudo cp ./$filename $filepath/$filename
+#copie du fichier de config mis a jour a son emplacement
+
+sudo systemctl restart $servicename
+#redemarage du service associé

sisr1/Tp06-Firewall/current_ruleset.nft

@@ -0,0 +1,120 @@
+define netif = enp0s3
+define lanif = enp0s8
+define dmzif = enp0s9
+ 
+define netip = 192.168.0.120
+define lanip = 172.16.0.254
+define dmzip = 172.17.0.254
+ 
+define lan-ntw = 172.16.0.1-172.16.0.254
+define dmz-ntw = 172.17.0.1-172.17.0.254
+ 
+define internal-dns-ip = 172.16.0.1
+define dns-forwarder-ip = 10.121.38.7
+ 
+table ip ipfilter{
+ 
+	#Chaines de filtrage
+ 
+	chain prerouting {
+                type filter hook prerouting priority filter; policy drop;
+			#Communicationaccept déjà établies
+		ct state established,related accept
+			#SSH
+		tcp dport 22 accept
+			#Requêtes HTTP/HTTPS depuis LAN
+		tcp dport {80,443} iif $lanif accept
+		# Requêtes externe du serveur DNS
+		ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+
+		# Requêtes DNS depuis la DMZ
+		ip saddr $dmzip ip daddr $internal-dns-ip accept
+		# Allow outgoing DNS requests from DMZ
+		ip saddr $dmzip udp dport 53 accept
+
+			#Pings
+		icmp type echo-request iif $lanif accept
+		icmp type echo-reply iif {$lanif, $dmzif} accept
+        }
+	chain system_in {
+                type filter hook input priority filter; policy drop;
+			#Communication déjà établies
+		ct state established,related accept
+			#SSH
+		tcp dport 22 accept
+			#Pings
+		icmp type echo-request iif $lanif accept
+		icmp type echo-reply accept
+        }
+ 	chain routing {
+                type filter hook forward priority filter; policy drop;
+			#Communication déjà établies
+		ct state established,related accept
+			#Requêtes HTTP/HTTPS depuis LAN
+		tcp dport {80,443} iif $lanif accept
+			#Requêtes externe du serveur DNS
+		ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+		# Requêtes DNS depuis la DMZ
+		ip saddr $dmzip ip daddr $internal-dns-ip accept
+		# Allow outgoing DNS requests from DMZ
+		ip saddr $dmzip udp dport 53 accept
+			#Pings
+		icmp type echo-request iif $lanif oif $dmzif accept
+		icmp type echo-reply iif $dmzif oif $lanif accept
+        }
+ 	chain system_out {
+                type filter hook output priority filter; policy drop;
+			#Communication déjà établies
+		ct state established,related accept
+			#SSH
+		tcp sport 22 accept
+			#Proxy lycée
+		tcp dport 8080 accept
+			#DNS
+		udp dport 53 accept
+			#HTTP/HTTPS
+		tcp dport {80,443} accept
+			#FTP
+		tcp dport {20,21} accept
+			#Pings
+		icmp type echo-request accept
+		icmp type echo-reply oif $lanif accept
+        }
+	chain postrouting {
+                type filter hook postrouting priority filter; policy drop;
+			#Communication déjà établies
+		ct state established,related accept
+			#SSH
+		tcp sport 22 accept
+			#Proxy lycée
+		tcp dport 8080 accept
+			#DNS
+		udp dport 53 accept
+			#Requêtes externe du serveur DNS
+		ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+			#HTTP/HTTPS 
+		tcp dport {80,443} accept
+			#FTP
+		tcp dport {20,21} accept
+		# Requêtes DNS depuis la DMZ
+		ip saddr $dmzip ip daddr $internal-dns-ip accept
+		# Allow outgoing DNS requests from DMZ
+		ip saddr $dmzip udp dport 53 accept
+			#Pings
+		icmp type echo-request oif {$lanif, $dmzif} accept
+		icmp type echo-reply oif $lanif accept
+        }
+ 
+	#Chaines pour la NAT
+ 
+	chain nat_prerouting {
+		type nat hook prerouting priority filter; policy accept;
+	}
+ 
+	chain nat_postrouting {
+		type nat hook postrouting priority filter; policy accept;
+				#Masquage des IP de la LAN sortant sur Internet
+			ip saddr $lan-ntw oif $netif snat $netip
+	}
+ 
+}

sisr1/Tp06-Firewall/fw_part1.nft

@@ -0,0 +1,13 @@
+table ip ipfilter {
+        chain routing {
+                type filter hook forward priority filter; policy accept;
+                icmp type echo-request iif { "enp0s3", "enp0s9" } drop
+                icmp type { echo-reply, echo-request } accept
+                drop
+        }
+ 
+        chain system_in {
+                type filter hook input priority filter; policy accept;
+                icmp type echo-request iif { "enp0s3", "enp0s9" } drop
+        }
+}

sisr1/Tp06-Firewall/fw_part2.nft

@@ -0,0 +1,25 @@
+define netif = enp0s3
+define dmzif = enp0s9
+define lanif = enp0s8
+
+table ip ipfilter{
+	chain prerouting {
+                type filter hook prerouting priority filter; policy drop;
+		tcp dport 22 accept
+        }
+	chain system_in {
+                type filter hook input priority filter; policy drop;
+		tcp dport 22 accept
+        }
+ 	chain routing {
+                type filter hook forward priority filter; policy drop;
+        }
+ 	chain system_out {
+                type filter hook output priority filter; policy drop;
+		tcp sport 22 accept
+        }
+	chain postrouting {
+                type filter hook postrouting priority filter; policy drop;
+		tcp sport 22 accept
+        }
+}

sisr1/Tp06-Firewall/fw_part3.nft

@@ -0,0 +1,42 @@
+define netif = enp0s3
+define lanif = enp0s8
+define dmzif = enp0s9
+
+define netip = 192.168.0.140 (ou 120, ou 160)
+define lanip = 172.16.0.254
+define dmzip = 172.17.0.254
+
+define lan-ntw = 172.16.0.1-172.16.0.254
+define dmz-ntw = 172.17.0.1-172.17.0.254
+ 
+table ip ipfilter{
+	chain prerouting {
+                type filter hook prerouting priority filter; policy drop;
+		tcp dport 22 accept
+		icmp type echo-request iif $lanif accept
+		icmp type echo-reply iif {$lanif, $dmzif} accept
+        }
+	chain system_in {
+                type filter hook input priority filter; policy drop;
+		tcp dport 22 accept
+		icmp type echo-request iif $lanif accept
+		icmp type echo-reply accept
+        }
+ 	chain routing {
+                type filter hook forward priority filter; policy drop;
+		icmp type echo-request iif $lanif oif $dmzif accept
+		icmp type echo-reply iif $dmzif oif $lanif accept
+        }
+ 	chain system_out {
+                type filter hook output priority filter; policy drop;
+		tcp sport 22 accept
+		icmp type echo-request accept
+		icmp type echo-reply oif $lanif accept
+        }
+	chain postrouting {
+                type filter hook postrouting priority filter; policy drop;
+		tcp sport 22 accept
+		icmp type echo-request oif {$lanif, $dmzif} accept
+		icmp type echo-reply oif $lanif accept
+        }
+}

sisr1/Tp06-Firewall/fw_part4.nft

@@ -0,0 +1,70 @@
+define netif = enp0s3
+define lanif = enp0s8
+define dmzif = enp0s9
+
+define netip = 192.168.0.120
+define lanip = 172.16.0.254
+define dmzip = 172.17.0.254
+
+define lan-ntw = 172.16.0.1-172.16.0.254
+define dmz-ntw = 172.17.0.1-172.17.0.254
+ 
+table ip ipfilter{
+	chain prerouting {
+                type filter hook prerouting priority filter; policy drop;
+		tcp dport 22 accept
+		icmp type echo-request iif $lanif accept
+		icmp type echo-reply iif {$lanif, $dmzif} accept
+		ct state established,related accept
+        }
+	chain system_in {
+                type filter hook input priority filter; policy drop;
+		tcp dport 22 accept
+		icmp type echo-request iif $lanif accept
+		icmp type echo-reply accept
+		ct state established,related accept
+        }
+ 	chain routing {
+                type filter hook forward priority filter; policy drop;
+		icmp type echo-request iif $lanif oif $dmzif accept
+		icmp type echo-reply iif $dmzif oif $lanif accept
+        }
+ 	chain system_out {
+                type filter hook output priority filter; policy drop;
+		ct state established,related accept
+		# SSH
+		tcp sport 22 accept
+
+		icmp type echo-request accept
+		icmp type echo-reply oif $lanif accept
+
+		#Proxy lycée
+
+		tcp dport 8080 accept
+		
+		# Requêtes DNS sortantes (UDP et TCP)
+		udp dport 53 accept
+		tcp dport 53 accept
+
+		# Requêtes HTTP/HTTPS/FTP sortantes
+		tcp dport {80, 443, 20, 21} accept
+        }
+	chain postrouting {
+                type filter hook postrouting priority filter; policy drop;
+		ct state established,related accept
+		# SSH
+		tcp sport 22 accept
+
+		tcp dport 8080 accept
+		
+		icmp type echo-request oif {$lanif, $dmzif} accept
+		icmp type echo-reply oif $lanif accept
+
+		# Requêtes DNS sortantes (UDP et TCP)
+		udp dport 53 accept
+		tcp dport 53 accept
+
+		# Requêtes HTTP/HTTPS/FTP sortantes
+		tcp dport {80, 443, 20, 21} accept
+        }
+}

sisr1/Tp06-Firewall/fw_part5.nft

@@ -0,0 +1,106 @@
+define netif = enp0s3
+define lanif = enp0s8
+define dmzif = enp0s9
+ 
+define netip = 192.168.0.120
+define lanip = 172.16.0.254
+define dmzip = 172.17.0.254
+ 
+define lan-ntw = 172.16.0.1-172.16.0.254
+define dmz-ntw = 172.17.0.1-172.17.0.254
+ 
+define internal-dns-ip = 172.16.0.1
+define dns-forwarder-ip = 10.121.38.7
+ 
+table ip ipfilter{
+ 
+	#Chaines de filtrage
+ 
+	chain prerouting {
+                type filter hook prerouting priority filter; policy drop;
+			#Communicationaccept déjà établies
+		ct state established,related accept
+			#SSH
+		tcp dport 22 accept
+			#Requêtes HTTP/HTTPS depuis LAN
+		tcp dport {80,443} iif $lanif accept
+			#Requêtes externe du serveur DNS
+		ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+			#Pings
+		icmp type echo-request iif $lanif accept
+		icmp type echo-reply iif {$lanif, $dmzif} accept
+        }
+	chain system_in {
+                type filter hook input priority filter; policy drop;
+			#Communication déjà établies
+		ct state established,related accept
+			#SSH
+		tcp dport 22 accept
+			#Pings
+		icmp type echo-request iif $lanif accept
+		icmp type echo-reply accept
+        }
+ 	chain routing {
+                type filter hook forward priority filter; policy drop;
+			#Communication déjà établies
+		ct state established,related accept
+			#Requêtes HTTP/HTTPS depuis LAN
+		tcp dport {80,443} iif $lanif accept
+			#Requêtes externe du serveur DNS
+		ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+			#Pings
+		icmp type echo-request iif $lanif oif $dmzif accept
+		icmp type echo-reply iif $dmzif oif $lanif accept
+        }
+ 	chain system_out {
+                type filter hook output priority filter; policy drop;
+			#Communication déjà établies
+		ct state established,related accept
+			#SSH
+		tcp sport 22 accept
+			#Proxy lycée
+		tcp dport 8080 accept
+			#DNS
+		udp dport 53 accept
+			#HTTP/HTTPS
+		tcp dport {80,443} accept
+			#FTP
+		tcp dport {20,21} accept
+			#Pings
+		icmp type echo-request accept
+		icmp type echo-reply oif $lanif accept
+        }
+	chain postrouting {
+                type filter hook postrouting priority filter; policy drop;
+			#Communication déjà établies
+		ct state established,related accept
+			#SSH
+		tcp sport 22 accept
+			#Proxy lycée
+		tcp dport 8080 accept
+			#DNS
+		udp dport 53 accept
+			#Requêtes externe du serveur DNS
+		ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+			#HTTP/HTTPS 
+		tcp dport {80,443} accept
+			#FTP
+		tcp dport {20,21} accept
+			#Pings
+		icmp type echo-request oif {$lanif, $dmzif} accept
+		icmp type echo-reply oif $lanif accept
+        }
+ 
+	#Chaines pour la NAT
+ 
+	chain nat_prerouting {
+		type nat hook prerouting priority filter; policy accept;
+	}
+ 
+	chain nat_postrouting {
+		type nat hook postrouting priority filter; policy accept;
+				#Masquage des IP de la LAN sortant sur Internet
+			ip saddr $lan-ntw oif $netif snat $netip
+	}
+ 
+}

sisr1/Tp06-Firewall/test_firewall.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+ipfirewall=192.168.0.120
+dir=/root/firewall
+ruleset=current_ruleset.nft
+
+scp $ruleset root@$ipfirewall:$dir/$ruleset
+ssh root@$ipfirewall "bash $dir/refresh_firewall.sh"