Compare commits
17 Commits
dc8c0ec55e
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 363e22a082 | |||
| 2481e8eb05 | |||
| 3744a89ca1 | |||
| 8cf2911080 | |||
| cafa3a4993 | |||
| 6e552e557d | |||
|
|
d2d9597799 | ||
|
|
2dc20510ea | ||
| b1223552d6 | |||
|
|
805e8038dc | ||
|
|
08e746f1d8 | ||
| 213390a105 | |||
| 13c908ddfd | |||
| 7408f2afd4 | |||
| 43bdebdec9 | |||
| 0aeb37aa85 | |||
| 01c02cebba |
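--- a/sisr1/Bts-blanc/creatGroups.sh
+++ b/sisr1/Bts-blanc/creatGroups.sh
@@ -0,0 +1,18 @@
+groupadd TeamLead
+mkdir /home/planning
+chgrp TeamLead /home/planning
+chmod 774 /home/planning
+
+fichier=Users.csv
+
+while read ligne # définit la varaible "ligne" comme contenue de la ligne du fichier en cours de lecture
+do
+metier=$(echo $ligne | cut -d "," -f5) #A chhaque utilisateur itération, stocker le métier
+echo $metier
+if [[ $(grep $metier /etc/group) == "" ]] ; then
+groupadd $metier
+mkdir /home/$metier
+chgrp $metier /home/$metier
+chmod 770 /home/$metier
+fi
+done < $fichier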
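Review bot: The group-existence test `if [[ $(grep $metier /etc/group) == "" ]]` is a substring match over the whole file, so a job name that happens to appear inside another group's name or member list is treated as already existing and its group and home directory are never created; `if ! getent group "$metier" >/dev/null; then` checks the exact group name and also quotes the value read from the CSV. The same test is on the new side of the later hunk `@@ -1,31 +1,12 @@` in this compare. Separately, `chmod 774 /home/planning` leaves the shared directory readable and traversable by every user while the per-job directories get 770; if that is not intended, `chmod 770 /home/planning` keeps the two consistent. `read` without `-r` also mangles any backslash in the CSV; `while IFS= read -r ligne` is the usual form.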
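--- a/sisr1/Bts-blanc/createUsers.sh
+++ b/sisr1/Bts-blanc/createUsers.sh
@@ -0,0 +1,25 @@
+file=./login.csv
+file1=./Users.csv
+while read ligne
+do
+username=$(echo $ligne | cut -d ";" -f1)
+useradd -m -s "/bin/bash" $username
+roup=$(echo $ligne | cut -d ";" -f5)
+usermod -aG $group $username
+password=$(echo $ligne | cut -d ";" -f2)
+echo $username:$password | chpasswd
+chown $username:$username /home/$username
+done <$file
+while read ligne
+do
+last_name=$(echo $ligne | cut -d "," -f2) # récupération du nom a chaque ligne
+first_name=$(echo $ligne | cut -d "," -f1) # récupération du prénom a chaque ligne
+login=$(echo $first_name | cut -c1)$last_name # creation d'un login
+login=$(echo $login | tr [:upper:] [:lower:]) #passage de toute les lettre du nom et prenom en minuscule
+login=$(echo $login | tr -dc [:alnum:]) #Prise en compte des caractere uniquement alphabéticonumérique
+group=$(echo $ligne | cut -d "," -f6)
+getent group $group
+if [[ $group == "TeamLead" ]] ; then
+usermod –aG $group $login
+fi
+done < $file1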
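Review bot: `roup=$(echo $ligne | cut -d ";" -f5)` assigns the wrong variable, so `$group` on the next line is always empty and `usermod -aG $group $username` runs with its group argument missing; the line should read `group=$(echo $ligne | cut -d ";" -f5)`. In the second loop, `usermod –aG $group $login` uses a typographic en-dash instead of `-aG`, which usermod will not parse as an option; it should be `usermod -aG $group $login`. Both would have surfaced with `set -euo pipefail` at the top of the script. `getent group $group` on its own line only prints the entry; if it was meant as an existence check, its exit status should drive the test, e.g. `if getent group "$group" >/dev/null; then`.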
@@ -16,3 +16,9 @@ Travaux pratiques de première année : option SISR
|
|||||||
* Configuration de serveurs DNS Primaires et secondaires
|
* Configuration de serveurs DNS Primaires et secondaires
|
||||||
* automatisation du lacement du script NAT
|
* automatisation du lacement du script NAT
|
||||||
* Configuration du service DHCP pour utiliser ces DNS
|
* Configuration du service DHCP pour utiliser ces DNS
|
||||||
|
|
||||||
|
**- Tp04-bases-d'administration**
|
||||||
|
|
||||||
|
**- TP05-proxy**
|
||||||
|
|
||||||
|
**- Tp06-Firewall**
|
||||||
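--- a/sisr1/TP04-Bases-d'administration/README.md
+++ b/sisr1/TP04-Bases-d'administration/README.md
@@ -0,0 +1 @@
+# Droit d'acces appliquée au dossier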
@@ -1,31 +1,12 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
file='./Users.csv'
|
fichier=Users.csv
|
||||||
|
|
||||||
while read ligne
|
while read ligne # définit la varaible "ligne" comme contenue de la ligne du fichier en cours de lecture
|
||||||
do
|
do
|
||||||
# A chaque itération, stocker le métier dans $metier
|
metier=$(echo $ligne | cut -d "," -f5) #A chhaque utilisateur itération, stocker le métier
|
||||||
metier=$(echo $ligne | cut -d "," -f5)
|
echo $metier
|
||||||
|
if [[ $(grep $metier /etc/group) == "" ]] ; then
|
||||||
# On regarde si les group existe
|
groupadd $metier
|
||||||
# tail /etc/group
|
|
||||||
|
|
||||||
# Vérification de la présence du groupe Accountant -> ajout de la fonction "Accountant" à $groups
|
|
||||||
if [[ $(echo $ligne | grep "Accountant") == "" ]] ; then
|
|
||||||
groupadd accountant
|
|
||||||
fi
|
fi
|
||||||
|
done < $fichier
|
||||||
# Vérification de la présence du groupe Management -> ajout de la fonction "Management" à $groups
|
|
||||||
if [[ $(echo $ligne | grep "Management") == "" ]] ; then
|
|
||||||
groupadd management
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Vérification de la présence du groupe Production -> ajout de la fonction "Production" à $groups
|
|
||||||
if [[ $(echo $ligne | grep "Production") == "" ]] ; then
|
|
||||||
groupadd production
|
|
||||||
fi
|
|
||||||
|
|
||||||
# On regarde si les groups ont été créé
|
|
||||||
# tail /etc/group
|
|
||||||
# echo $metier
|
|
||||||
done < $file
|
|
||||||
@@ -1,30 +1,24 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
fichier=Users.csv
|
||||||
|
fichier_a_ecrire=./login.csv
|
||||||
|
rm $fichier_a_ecrire 2> /dev/null
|
||||||
|
touch $fichier_a_ecrire
|
||||||
|
|
||||||
# Fichier d'entrée contenant les informations des utilisateurs
|
while read ligne
|
||||||
input_file="users.csv"
|
do
|
||||||
# Fichier de sortie contenant les logins générés
|
aecrie=""
|
||||||
output_file="logins.csv"
|
last_name=$(echo $ligne | cut -d "," -f2) # récupération du nom a chaque ligne
|
||||||
|
first_name=$(echo $ligne | cut -d "," -f1) # récupération du prénom a chaque ligne
|
||||||
|
group=$(echo $ligne | cut -d "," -f5) # recupération du groupe a chaque ligne
|
||||||
|
login=$(echo $first_name | cut -c1)$last_name # creation d'un login
|
||||||
|
login=$(echo $login | tr [:upper:] [:lower:]) #passage de toute les lettre du nom et prenom en minuscule
|
||||||
|
login=$(echo $login | tr -dc [:alnum:]) #Prise en compte des caractere uniquement alphabéticonumérique
|
||||||
|
password=$(echo $RANDOM | md5sum | head -c8) #creation d'un mot de passe
|
||||||
|
|
||||||
# Fonction pour générer un mot de passe aléatoire
|
aecrie="$login;$password;$first_name;$last_name;$group"
|
||||||
generate_password() {
|
|
||||||
# Générer un mot de passe aléatoire de 8 caractères alphanumériques
|
|
||||||
# Utilise /dev/urandom et tr pour choisir uniquement des caractères alphanumériques
|
|
||||||
< /dev/urandom tr -dc 'A-Za-z0-9' | head -c 8
|
|
||||||
}
|
|
||||||
|
|
||||||
# Créer un fichier de sortie et ajouter l'en-tête
|
echo $aecrie >> $fichier_a_ecrire
|
||||||
echo "Nom d'utilisateur,Prénom,Nom,Mot de passe,Groupe" > "$output_file"
|
|
||||||
|
|
||||||
# Lire le fichier d'entrée ligne par ligne
|
done < $fichier
|
||||||
while IFS=' ' read -r firstname lastname group; do
|
|
||||||
# Générer le nom d'utilisateur en prenant l'initiale du prénom et le nom, tout en minuscules
|
|
||||||
username="${firstname:0:1}${lastname}"
|
|
||||||
|
|
||||||
# Générer un mot de passe aléatoire
|
echo "le fichier login.csv a bien été créer"
|
||||||
password=$(generate_password)
|
|
||||||
|
|
||||||
# Ajouter la ligne au fichier de sortie
|
|
||||||
echo "$username,$firstname,$lastname,$password,$group" >> "$output_file"
|
|
||||||
done < "$input_file"
|
|
||||||
|
|
||||||
echo "Fichier logins.csv généré avec succès."
|
|
||||||
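Review bot: The new side (the 24-line version, if I read the split view right) replaces `< /dev/urandom tr -dc 'A-Za-z0-9' | head -c 8` with `password=$(echo $RANDOM | md5sum | head -c8)`, which is a regression in password strength: `$RANDOM` is a 15-bit value, so only 32768 distinct passwords can ever be produced regardless of the 8 hex characters shown, and md5sum adds no entropy. Keep the urandom form, e.g. `password=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 8)`. The resulting `login.csv` also stores these passwords in clear and, judging by the new `login.csv` file in this same compare, ends up committed; it should be kept out of the repository and the accounts forced to change password on first login.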
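--- a/sisr1/TP04-Bases-d'administration/createUsers.sh
+++ b/sisr1/TP04-Bases-d'administration/createUsers.sh
@@ -0,0 +1,20 @@
+file=./login.csv
+
+
+while read ligne
+do
+username=$(echo $ligne | cut -d ";" -f1)
+useradd -m -s "/bin/bash" $username
+
+group=$(echo $ligne | cut -d ";" -f5)
+usermod -aG $group $username
+
+password=$(echo $ligne | cut -d ";" -f2)
+
+echo $username:$password | chpasswd
+
+chown $username:$username /home/$username
+
+done <$file
+
+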
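Review bot: The result of `useradd -m -s "/bin/bash" $username` is never checked, so when the account already exists (or the login field is malformed) the loop goes on to run `usermod`, `chpasswd` and `chown` against an existing account and silently resets its password; `useradd -m -s "/bin/bash" "$username" || { echo "useradd $username failed" >&2; continue; }` stops that. `read ligne` without `-r` and the unquoted `$ligne`/`$username`/`$group` expansions also let a stray backslash or space in `login.csv` change what is executed; `while IFS= read -r ligne` plus quoting is the usual form. `chown $username:$username /home/$username` looks redundant after `useradd -m`, which normally creates the home with that owner, though that depends on the local useradd defaults.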
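--- a/sisr1/TP04-Bases-d'administration/deployUsers.sh
+++ b/sisr1/TP04-Bases-d'administration/deployUsers.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+ip=$1
+user=root
+workdir=/$user/deploy
+
+ssh $user@$ip "mkdir $workdir" 2> /dev/null
+
+#copie des scripts et fichier
+scp createGroups.sh $user@$ip:$workdir
+scp createUsers.sh $user@$ip:$workdir
+scp login.csv $user@$ip:$workdir
+scp Users.csv $user@$ip:$workdir
+
+#execution des scripts
+ssh $user@$ip "cd $workdir ; bash createGroups.sh ; bash createUsers.sh"
+
+ssh $user@$ip "rm -R $workdir" #suppression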
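Review bot: `ip=$1` is taken without validation and no step checks its exit status, so running the script with no argument produces `ssh root@`, and the remote `bash createGroups.sh ; bash createUsers.sh` plus the final `ssh $user@$ip "rm -R $workdir"` still run when one of the `scp` copies failed, with the `2> /dev/null` on the `mkdir` hiding the first error. Add `set -euo pipefail` and `ip=${1:?usage: deployUsers.sh <ip>}` near the top, and join the remote commands with `&&` instead of `;` so a failing createGroups.sh stops before users are created. The script also copies `login.csv`, which holds clear-text passwords, onto the target; the cleanup at the end removes the directory, but a run that aborts midway leaves it in place.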
@@ -13,4 +13,4 @@ git add .
|
|||||||
git commit -m "$message"
|
git commit -m "$message"
|
||||||
|
|
||||||
# Push vers le dépot
|
# Push vers le dépot
|
||||||
git push -u https://jeremy.thomas@gitea.lyc-lecastel.fr/redouane.assani/siotp.git
|
git push https://redouane.assani@gitea.lyc-lecastel.fr/redouane.assani/siotp.git
|
||||||
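--- a/sisr1/TP04-Bases-d'administration/login.csv
+++ b/sisr1/TP04-Bases-d'administration/login.csv
@@ -0,0 +1,30 @@
+eberthelmot;b67e86f8;Ermengarde;Berthelmot;Accountant
+kbunker;c96ce0e8;Kassi;Bunker;Production
+mmccallum;8d3df113;Moises;McCallum;Production
+plune;719198af;Patrizio;Lune;Accountant
+beverix;c914708a;Blanch;Everix;Accountant
+skibbel;5eab5ab7;Stafani;Kibbel;Production
+imosdell;f6c73e14;Ignacius;Mosdell;Management
+jwallerbridge;aeca1ecf;Jeana;Waller-Bridge;Management
+edressel;5679fb79;Elroy;Dressel;Production
+tstrettell;0b218424;Thea;Strettell;Production
+sinsoll;02b743ca;Solomon;Insoll;Accountant
+cfeedome;32405639;Carri;Feedome;Accountant
+pchetwind;a75beebe;Padraic;Chetwind;Management
+sdugo;4b4f98e3;Solly;D'Ugo;Production
+kmaccostigan;0db1473c;Konstanze;MacCostigan;Accountant
+rpowlesland;c0e9b6c6;Roxane;Powlesland;Management
+okennealy;155f3674;Orelle;Kennealy;Production
+ssoitoux;323f6ff8;Sukey;Soitoux;Production
+nsyce;82c0f357;Nelli;Syce;Production
+cshillam;0575710e;Clarisse;Shillam;Production
+cgueny;fad38e18;Carin;Gueny;Management
+driepel;c7482c14;Donny;Riepel;Production
+dralfe;a053e245;Daniella;Ralfe;Production
+lclynmans;5865f85c;Lexy;Clynmans;Production
+gadamthwaite;5d8660f7;Gardiner;Adamthwaite;Production
+wlippett;7d65808a;Woodman;Lippett;Production
+nmunnion;d353774c;Nadya;Munnion;Production
+lhabershon;1594623a;Llewellyn;Habershon;Production
+igreatrex;f6ed5356;Isaak;Greatrex;Production
+dfrostdyke;d8eb0743;Darill;Frostdyke;Production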
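--- a/sisr1/TP05-installation-proxy/gitpush.sh
+++ b/sisr1/TP05-installation-proxy/gitpush.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ -z "$1" ] ; then
+read -p "Erreur: Ecrivez un message " $message
+else
+message=$1
+fi
+
+# Ajout des fichiers modifiers
+git add .
+
+# Commit avec le message
+git commit -m "$message"
+
+# Push vers le dépot
+git push https://redouane.assani@gitea.lyc-lecastel.fr/redouane.assani/siotp.git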
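Review bot: `read -p "Erreur: Ecrivez un message " $message` expands `$message`, which is unset at that point, so `read` is given no variable name and stores the input in `REPLY`; `message` stays empty and `git commit -m "$message"` is run with an empty message. The line should be `read -r -p "Erreur: Ecrivez un message " message`. The push URL on the last line hardcodes the account name in the remote; a named remote (`git push origin`) keeps the script usable by other committers and keeps identity out of the file.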
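--- a/sisr1/TP05-installation-proxy/nat/dnsfwd.sh
+++ b/sisr1/TP05-installation-proxy/nat/dnsfwd.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+echo "1" > /proc/sys/net/ipv4/ip_forward
+nft add table dnsfwd
+nft add chain dnsfwd prerouting {type nat hook prerouting priority 0 \; }
+nft add chain dnsfwd postrouting {type nat hook postrouting priority 0 \; }
+nft add rule dnsfwd postrouting tcp dport 53 masquerade
+nft add rule dnsfwd postrouting udp dport 53 masquerade
+nft add rule dnsfwd prerouting tcp dport 53 masquerade
+nft add rule dnsfwd prerouting udp dport 53 masquerade
+nft add rule dnsfwd prerouting ct state established,related accept
+nft add rule dnsfwd postrouting ct state established,related accept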
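Review bot: `masquerade` is only valid in a chain attached to the postrouting hook, so nft should reject the two `nft add rule dnsfwd prerouting ... masquerade` lines for tcp and udp port 53 and the script will exit non-zero on them without anything noticing; if the intent is to redirect DNS to a forwarder, the prerouting rules need a `dnat to <forwarder-ip>` statement, which is not in the file. The script is also not re-runnable: `add chain` and `add rule` append duplicates on each run, so start with `nft delete table dnsfwd 2>/dev/null` or move the rules to a file loaded with `nft -f` that begins with `flush table dnsfwd`. `echo "1" > /proc/sys/net/ipv4/ip_forward` is not persistent across reboot; a `net.ipv4.ip_forward=1` entry under /etc/sysctl.d is the durable form.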
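--- a/sisr1/TP05-installation-proxy/squid/majservice.sh
+++ b/sisr1/TP05-installation-proxy/squid/majservice.sh
@@ -0,0 +1,16 @@
+#Script destiné a être paramétré et exécuté depuis un repertoire de votre depots git
+#contenant un fichier de coinfiguration d'un service
+filename=squid.conf # nom du fichier config
+filepath=/etc/squid # emplacement systeme du fichier config
+servicename=squid.service #nom du service
+
+git pull # mise a jour du fichier de config du dépôt
+
+sudo cp $filepath/$filename $filepath/$filename.old
+#sauvegarde fichier précédente
+
+sudo cp ./$filename $filepath/$filename
+#copie du fichier de config mis a jour a son emplacement
+
+sudo systemctl restart $servicename
+#redemarage du service associé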
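Review bot: `git pull` and the two `sudo cp` lines are not checked and the new `squid.conf` is never validated before `sudo systemctl restart $servicename`, so a failed pull or a config with a syntax error still triggers a restart and can take the proxy down, with a manual copy back of `.old` as the only recovery. Add `git pull || exit 1` after the variable block and `sudo squid -k parse -f "$filepath/$filename" || exit 1` between the copy and the restart (restoring the `.old` copy on failure if you prefer). The file also has no shebang — its first line is a comment — so it runs under whatever shell invokes it; `#!/bin/bash` as line 1 matches the other scripts in this compare.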
9160
sisr1/TP05-installation-proxy/squid/squid.conf
Normal file
9160
sisr1/TP05-installation-proxy/squid/squid.conf
Normal file
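--- a/sisr1/Tp06-Firewall/current_ruleset.nft
+++ b/sisr1/Tp06-Firewall/current_ruleset.nft
@@ -0,0 +1,120 @@
+define netif = enp0s3
+define lanif = enp0s8
+define dmzif = enp0s9
+
+define netip = 192.168.0.120
+define lanip = 172.16.0.254
+define dmzip = 172.17.0.254
+
+define lan-ntw = 172.16.0.1-172.16.0.254
+define dmz-ntw = 172.17.0.1-172.17.0.254
+
+define internal-dns-ip = 172.16.0.1
+define dns-forwarder-ip = 10.121.38.7
+
+table ip ipfilter{
+
+#Chaines de filtrage
+
+chain prerouting {
+type filter hook prerouting priority filter; policy drop;
+#Communicationaccept déjà établies
+ct state established,related accept
+#SSH
+tcp dport 22 accept
+#Requêtes HTTP/HTTPS depuis LAN
+tcp dport {80,443} iif $lanif accept
+# Requêtes externe du serveur DNS
+ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+
+# Requêtes DNS depuis la DMZ
+ip saddr $dmzip ip daddr $internal-dns-ip accept
+# Allow outgoing DNS requests from DMZ
+ip saddr $dmzip udp dport 53 accept
+
+#Pings
+icmp type echo-request iif $lanif accept
+icmp type echo-reply iif {$lanif, $dmzif} accept
+}
+chain system_in {
+type filter hook input priority filter; policy drop;
+#Communication déjà établies
+ct state established,related accept
+#SSH
+tcp dport 22 accept
+#Pings
+icmp type echo-request iif $lanif accept
+icmp type echo-reply accept
+}
+chain routing {
+type filter hook forward priority filter; policy drop;
+#Communication déjà établies
+ct state established,related accept
+#Requêtes HTTP/HTTPS depuis LAN
+tcp dport {80,443} iif $lanif accept
+#Requêtes externe du serveur DNS
+ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+# Requêtes DNS depuis la DMZ
+ip saddr $dmzip ip daddr $internal-dns-ip accept
+# Allow outgoing DNS requests from DMZ
+ip saddr $dmzip udp dport 53 accept
+#Pings
+icmp type echo-request iif $lanif oif $dmzif accept
+icmp type echo-reply iif $dmzif oif $lanif accept
+}
+chain system_out {
+type filter hook output priority filter; policy drop;
+#Communication déjà établies
+ct state established,related accept
+#SSH
+tcp sport 22 accept
+#Proxy lycée
+tcp dport 8080 accept
+#DNS
+udp dport 53 accept
+#HTTP/HTTPS
+tcp dport {80,443} accept
+#FTP
+tcp dport {20,21} accept
+#Pings
+icmp type echo-request accept
+icmp type echo-reply oif $lanif accept
+}
+chain postrouting {
+type filter hook postrouting priority filter; policy drop;
+#Communication déjà établies
+ct state established,related accept
+#SSH
+tcp sport 22 accept
+#Proxy lycée
+tcp dport 8080 accept
+#DNS
+udp dport 53 accept
+#Requêtes externe du serveur DNS
+ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+#HTTP/HTTPS
+tcp dport {80,443} accept
+#FTP
+tcp dport {20,21} accept
+# Requêtes DNS depuis la DMZ
+ip saddr $dmzip ip daddr $internal-dns-ip accept
+# Allow outgoing DNS requests from DMZ
+ip saddr $dmzip udp dport 53 accept
+#Pings
+icmp type echo-request oif {$lanif, $dmzif} accept
+icmp type echo-reply oif $lanif accept
+}
+
+#Chaines pour la NAT
+
+chain nat_prerouting {
+type nat hook prerouting priority filter; policy accept;
+}
+
+chain nat_postrouting {
+type nat hook postrouting priority filter; policy accept;
+#Masquage des IP de la LAN sortant sur Internet
+ip saddr $lan-ntw oif $netif snat $netip
+}
+
+}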
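Review bot: The DMZ DNS rules in prerouting, routing and postrouting, `ip saddr $dmzip ip daddr $internal-dns-ip accept` and `ip saddr $dmzip udp dport 53 accept`, match on `$dmzip` = 172.17.0.254, which is the firewall's own DMZ address rather than the DMZ hosts, so traffic from the DMZ network never hits them while the `dmz-ntw` define stays unused; `ip saddr $dmz-ntw ip daddr $internal-dns-ip udp dport 53 accept` (and the tcp equivalent) is what the comments describe. `tcp dport 22 accept` in prerouting and system_in carries no `iif`, so SSH is reachable from `$netif` as well as from the LAN; `tcp dport 22 iif $lanif accept` if administration is only meant from the LAN — the same unrestricted rule is in fw_part2.nft, fw_part3.nft, fw_part4.nft and fw_part5.nft. In nat_postrouting, `ip saddr $lan-ntw oif $netif snat $netip` lacks the `to` keyword that current nft syntax uses (`snat to $netip`); whether the installed nft accepts the short form is worth confirming with `nft -c -f` before relying on the file.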
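--- a/sisr1/Tp06-Firewall/fw_part1.nft
+++ b/sisr1/Tp06-Firewall/fw_part1.nft
@@ -0,0 +1,13 @@
+table ip ipfilter {
+chain routing {
+type filter hook forward priority filter; policy accept;
+icmp type echo-request iif { "enp0s3", "enp0s9" } drop
+icmp type { echo-reply, echo-request } accept
+drop
+}
+
+chain system_in {
+type filter hook input priority filter; policy accept;
+icmp type echo-request iif { "enp0s3", "enp0s9" } drop
+}
+}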
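--- a/sisr1/Tp06-Firewall/fw_part2.nft
+++ b/sisr1/Tp06-Firewall/fw_part2.nft
@@ -0,0 +1,25 @@
+define netif = enp0s3
+define dmzif = enp0s9
+define lanif = enp0s8
+
+table ip ipfilter{
+chain prerouting {
+type filter hook prerouting priority filter; policy drop;
+tcp dport 22 accept
+}
+chain system_in {
+type filter hook input priority filter; policy drop;
+tcp dport 22 accept
+}
+chain routing {
+type filter hook forward priority filter; policy drop;
+}
+chain system_out {
+type filter hook output priority filter; policy drop;
+tcp sport 22 accept
+}
+chain postrouting {
+type filter hook postrouting priority filter; policy drop;
+tcp sport 22 accept
+}
+}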
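--- a/sisr1/Tp06-Firewall/fw_part3.nft
+++ b/sisr1/Tp06-Firewall/fw_part3.nft
@@ -0,0 +1,42 @@
+define netif = enp0s3
+define lanif = enp0s8
+define dmzif = enp0s9
+
+define netip = 192.168.0.140 (ou 120, ou 160)
+define lanip = 172.16.0.254
+define dmzip = 172.17.0.254
+
+define lan-ntw = 172.16.0.1-172.16.0.254
+define dmz-ntw = 172.17.0.1-172.17.0.254
+
+table ip ipfilter{
+chain prerouting {
+type filter hook prerouting priority filter; policy drop;
+tcp dport 22 accept
+icmp type echo-request iif $lanif accept
+icmp type echo-reply iif {$lanif, $dmzif} accept
+}
+chain system_in {
+type filter hook input priority filter; policy drop;
+tcp dport 22 accept
+icmp type echo-request iif $lanif accept
+icmp type echo-reply accept
+}
+chain routing {
+type filter hook forward priority filter; policy drop;
+icmp type echo-request iif $lanif oif $dmzif accept
+icmp type echo-reply iif $dmzif oif $lanif accept
+}
+chain system_out {
+type filter hook output priority filter; policy drop;
+tcp sport 22 accept
+icmp type echo-request accept
+icmp type echo-reply oif $lanif accept
+}
+chain postrouting {
+type filter hook postrouting priority filter; policy drop;
+tcp sport 22 accept
+icmp type echo-request oif {$lanif, $dmzif} accept
+icmp type echo-reply oif $lanif accept
+}
+}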
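Review bot: `define netip = 192.168.0.140 (ou 120, ou 160)` embeds a prose note in the define, which is a syntax error, so `nft -f fw_part3.nft` rejects the whole file and none of the chains below it is loaded. Keep one value and move the alternatives into a comment: `define netip = 192.168.0.140 # ou 120, ou 160`. `netip` is not referenced anywhere else in this file, so the define could also simply be dropped here.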
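--- a/sisr1/Tp06-Firewall/fw_part4.nft
+++ b/sisr1/Tp06-Firewall/fw_part4.nft
@@ -0,0 +1,70 @@
+define netif = enp0s3
+define lanif = enp0s8
+define dmzif = enp0s9
+
+define netip = 192.168.0.120
+define lanip = 172.16.0.254
+define dmzip = 172.17.0.254
+
+define lan-ntw = 172.16.0.1-172.16.0.254
+define dmz-ntw = 172.17.0.1-172.17.0.254
+
+table ip ipfilter{
+chain prerouting {
+type filter hook prerouting priority filter; policy drop;
+tcp dport 22 accept
+icmp type echo-request iif $lanif accept
+icmp type echo-reply iif {$lanif, $dmzif} accept
+ct state established,related accept
+}
+chain system_in {
+type filter hook input priority filter; policy drop;
+tcp dport 22 accept
+icmp type echo-request iif $lanif accept
+icmp type echo-reply accept
+ct state established,related accept
+}
+chain routing {
+type filter hook forward priority filter; policy drop;
+icmp type echo-request iif $lanif oif $dmzif accept
+icmp type echo-reply iif $dmzif oif $lanif accept
+}
+chain system_out {
+type filter hook output priority filter; policy drop;
+ct state established,related accept
+# SSH
+tcp sport 22 accept
+
+icmp type echo-request accept
+icmp type echo-reply oif $lanif accept
+
+#Proxy lycée
+
+tcp dport 8080 accept
+
+# Requêtes DNS sortantes (UDP et TCP)
+udp dport 53 accept
+tcp dport 53 accept
+
+# Requêtes HTTP/HTTPS/FTP sortantes
+tcp dport {80, 443, 20, 21} accept
+}
+chain postrouting {
+type filter hook postrouting priority filter; policy drop;
+ct state established,related accept
+# SSH
+tcp sport 22 accept
+
+tcp dport 8080 accept
+
+icmp type echo-request oif {$lanif, $dmzif} accept
+icmp type echo-reply oif $lanif accept
+
+# Requêtes DNS sortantes (UDP et TCP)
+udp dport 53 accept
+tcp dport 53 accept
+
+# Requêtes HTTP/HTTPS/FTP sortantes
+tcp dport {80, 443, 20, 21} accept
+}
+}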
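--- a/sisr1/Tp06-Firewall/fw_part5.nft
+++ b/sisr1/Tp06-Firewall/fw_part5.nft
@@ -0,0 +1,106 @@
+define netif = enp0s3
+define lanif = enp0s8
+define dmzif = enp0s9
+
+define netip = 192.168.0.120
+define lanip = 172.16.0.254
+define dmzip = 172.17.0.254
+
+define lan-ntw = 172.16.0.1-172.16.0.254
+define dmz-ntw = 172.17.0.1-172.17.0.254
+
+define internal-dns-ip = 172.16.0.1
+define dns-forwarder-ip = 10.121.38.7
+
+table ip ipfilter{
+
+#Chaines de filtrage
+
+chain prerouting {
+type filter hook prerouting priority filter; policy drop;
+#Communicationaccept déjà établies
+ct state established,related accept
+#SSH
+tcp dport 22 accept
+#Requêtes HTTP/HTTPS depuis LAN
+tcp dport {80,443} iif $lanif accept
+#Requêtes externe du serveur DNS
+ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+#Pings
+icmp type echo-request iif $lanif accept
+icmp type echo-reply iif {$lanif, $dmzif} accept
+}
+chain system_in {
+type filter hook input priority filter; policy drop;
+#Communication déjà établies
+ct state established,related accept
+#SSH
+tcp dport 22 accept
+#Pings
+icmp type echo-request iif $lanif accept
+icmp type echo-reply accept
+}
+chain routing {
+type filter hook forward priority filter; policy drop;
+#Communication déjà établies
+ct state established,related accept
+#Requêtes HTTP/HTTPS depuis LAN
+tcp dport {80,443} iif $lanif accept
+#Requêtes externe du serveur DNS
+ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+#Pings
+icmp type echo-request iif $lanif oif $dmzif accept
+icmp type echo-reply iif $dmzif oif $lanif accept
+}
+chain system_out {
+type filter hook output priority filter; policy drop;
+#Communication déjà établies
+ct state established,related accept
+#SSH
+tcp sport 22 accept
+#Proxy lycée
+tcp dport 8080 accept
+#DNS
+udp dport 53 accept
+#HTTP/HTTPS
+tcp dport {80,443} accept
+#FTP
+tcp dport {20,21} accept
+#Pings
+icmp type echo-request accept
+icmp type echo-reply oif $lanif accept
+}
+chain postrouting {
+type filter hook postrouting priority filter; policy drop;
+#Communication déjà établies
+ct state established,related accept
+#SSH
+tcp sport 22 accept
+#Proxy lycée
+tcp dport 8080 accept
+#DNS
+udp dport 53 accept
+#Requêtes externe du serveur DNS
+ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+#HTTP/HTTPS
+tcp dport {80,443} accept
+#FTP
+tcp dport {20,21} accept
+#Pings
+icmp type echo-request oif {$lanif, $dmzif} accept
+icmp type echo-reply oif $lanif accept
+}
+
+#Chaines pour la NAT
+
+chain nat_prerouting {
+type nat hook prerouting priority filter; policy accept;
+}
+
+chain nat_postrouting {
+type nat hook postrouting priority filter; policy accept;
+#Masquage des IP de la LAN sortant sur Internet
+ip saddr $lan-ntw oif $netif snat $netip
+}
+
+}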
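--- a/sisr1/Tp06-Firewall/test_firewall.sh
+++ b/sisr1/Tp06-Firewall/test_firewall.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+ipfirewall=192.168.0.120
+dir=/root/firewall
+ruleset=current_ruleset.nft
+
+scp $ruleset root@$ipfirewall:$dir/$ruleset
+ssh root@$ipfirewall "bash $dir/refresh_firewall.sh"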
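Review bot: The ruleset is pushed and `refresh_firewall.sh` is invoked with no check in between, so a failed `scp` still triggers the refresh on whatever file is already on the firewall, and a ruleset whose chains all default to `policy drop` (as current_ruleset.nft does) with a mistake in it cuts off the very SSH session used to load it, with no rollback. Chain the steps and validate first: `scp $ruleset root@$ipfirewall:$dir/$ruleset && ssh root@$ipfirewall "nft -c -f $dir/$ruleset && bash $dir/refresh_firewall.sh"`. `refresh_firewall.sh` itself is not part of this compare, so what it does on a load failure cannot be checked here.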