tp06_firewall

sisr1/tp02-dns/dhcp/dhcpd.conf

@@ -0,0 +1,109 @@
+# dhcpd.conf
+#
+# Sample configuration file for ISC dhcpd
+#
+
+# option definitions common to all supported networks...
+option domain-name "example.org";
+option domain-name-servers ns1.example.org, ns2.example.org;
+
+default-lease-time 3600;
+max-lease-time 604800;
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+#authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+#log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the 
+# DHCP server to understand the network topology.
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+subnet 192.168.2.0 netmask 255.255.255.0 {
+  range 192.168.2.10 192.168.2.110;
+  option routers 192.168.2.1;
+  option domain-name-servers 192.168.0.161;
+  option domain-name "sio-tc.lan";
+}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+#  range dynamic-bootp 10.254.239.40 10.254.239.60;
+#  option broadcast-address 10.254.239.31;
+#  option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+#  range 10.5.5.26 10.5.5.30;
+#  option domain-name-servers ns1.internal.example.org;
+#  option domain-name "internal.example.org";
+#  option routers 10.5.5.1;
+#  option broadcast-address 10.5.5.31;
+#  default-lease-time 600;
+#  max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements.   If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+#  hardware ethernet 0:0:c0:5d:bd:95;
+#  filename "vmunix.passacaglia";
+#  server-name "toccata.example.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts.   These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+host XP {
+  hardware ethernet 08:00:27:77:70:0D;
+  fixed-address 192.168.2.150;
+}
+
+# You can declare a class of clients and then do address allocation
+# based on that.   The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+#  subnet 10.17.224.0 netmask 255.255.255.0 {
+#    option routers rtr-224.example.org;
+#  }
+#  subnet 10.0.29.0 netmask 255.255.255.0 {
+#    option routers rtr-29.example.org;
+#  }
+#  pool {
+#    allow members of "foo";
+#    range 10.17.224.10 10.17.224.250;
+#  }
+#  pool {
+#    deny members of "foo";
+#    range 10.0.29.10 10.0.29.230;
+#  }
+#}

sisr1/tp02-dns/dns1/db.sio-tc.lan

@@ -0,0 +1,22 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	dns1-tc.sio-tc.lan.	root.dns1-tc.sio-tc.lan. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+
+
+@	IN	NS	dns1-tc.sio-tc.lan.
+@	IN	A	127.0.0.1
+dns2-tc.sio-tc.lan.	IN	A	192.168.0.162
+dns1-tc.sio-tc.lan. IN	A	192.168.0.161
+deb-dhcp-tc	IN	A	192.168.0.160
+;@	IN	AAAA	::1
+dhcp    CNAME    deb-dhcp-tc
+dns1    CNAME    dns1-tc
+dns2	CNAME	dns2-tc

sisr1/tp02-dns/dns1/db.sio-tc.lan.rev

@@ -0,0 +1,22 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@       IN      SOA     dns1-tc.sio-tc.lan.     root.dns1-tc.sio-tc.lan. (
+                              2         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                         604800 )       ; Negative Cache TTL
+;
+
+
+@       IN      NS      dns1-tc.sio-tc.lan.
+;@       IN      A       127.0.0.1
+;@      IN      AAAA    ::1
+162	IN	PTR	dns2-tc.sio-tc.lan.
+161  IN      PTR     dns1-tc.sio-tc.lan.
+160	IN	PTR	deb-dhcp-tc.sio.lan.
+dhcp	CNAME	 deb-dhcp-tc.sio-tc.lan
+dns1	CNAME	dns1-tc
+dns2	CNAME	dns2-tc

sisr1/tp02-dns/dns1/named.conf.local

@@ -0,0 +1,22 @@
+//
+// Do any local configuration here
+//
+
+	// zone directe
+        zone "sio-tc.lan" {
+             type master;
+             file "/etc/bind/db.sio-tc.lan";
+        };
+
+	// zone inverse 
+	zone "0.168.192.in-addr.arpa" {
+	     type master;
+             notify no;
+             file "/etc/bind/db.sio-tc.lan.rev";
+	};
+
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+

sisr1/tp02-dns/dns1/resolv.conf

@@ -0,0 +1,4 @@
+domain sio-tc.lan
+search sio-tc.lan
+nameserver 127.0.0.1
+nameserver 10.121.38.7

sisr1/tp03-reseau-prive/dns2/interfaces

@@ -0,0 +1,16 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+#allow-hotplug enp0s3
+iface enp0s3 inet dhcp
+auto enp0s3
+#iface enp0s3 inet static
+#	address 172.16.0.200/24
+#	gateway 172.16.0.201

sisr1/tp03-reseau-prive/dns2/named.conf.local

@@ -0,0 +1,24 @@
+//
+// Do any local configuration here
+//
+
+	// zone directe
+        zone "monlabo.lan" {
+             type slave;
+		file "/etc/bind/db.monlabo.lan";	
+             masters { 172.16.0.2; };
+             masterfile-format text;
+        };
+
+	// zone inverse 
+	zone "0.16.172.in-addr.arpa" {
+	     type slave;
+		file "/etc/bind/db.monlabo.lan.rev";
+             notify no;
+             masters { 172.16.0.2; };
+	};
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+

sisr1/tp03-reseau-prive/interfaces

@@ -0,0 +1,22 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+#allow-hotplug enp0s3
+#iface enp0s3 inet dhcp
+
+#Premiere interface adresse statique
+auto enp0s3
+iface enp0s3 inet static 
+	address 192.168.0.160/24
+	gateway 192.168.0.1
+
+#Deuxieme interface adresse statique 
+auto enp0s8
+iface enp0s8 inet dhcp

sisr1/tp03-reseau-prive/nat/README.md

@@ -0,0 +1,6 @@
+  * **nat.sh** : script activant la NAT dynamique sans filtrage
+    * A placer à /root/nat.sh
+    * Rendre exécutable : <code>chmod +x /root/nat.sh</code>
+  * **nat.service** : service lançant le script au démarrage
+    * A placer à /etc/systemd/system/nat.service
+    * Activer le service : <code>systemctl enable nat.service</code>

sisr1/tp03-reseau-prive/nat/nat.service

@@ -0,0 +1,13 @@
+[Unit]
+ 
+Description=execute /root/nat.sh
+ 
+After=default.target
+ 
+[Service]
+ 
+ExecStart=bash /root/nat.sh
+ 
+[Install]
+ 
+WantedBy=default.target

sisr1/tp03-reseau-prive/nat/nat.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+echo "1" > /proc/sys/net/ipv4/ip_forward
+nft add table basic_nat_table
+nft add chain basic_nat_table prerouting {type nat hook prerouting priority 0 \; }
+nft add chain basic_nat_table postrouting {type nat hook postrouting priority 0 \; }
+nft add rule basic_nat_table postrouting masquerade

sisr1/tp03-reseau-prive/srv-admin/interfaces

@@ -0,0 +1,22 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+#allow-hotplug enp0s3
+#iface enp0s3 inet dhcp
+
+#Premiere interface adresse statique
+auto enp0s3
+iface enp0s3 inet static 
+	address 192.168.0.160/24
+	gateway 192.168.0.1
+
+#Deuxieme interface adresse statique 
+auto enp0s8
+iface enp0s8 inet dhcp

sisr1/tp03-reseau-prive/srv-service/db.monlabo.lan

@@ -0,0 +1,28 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	srv-service.monlabo.lan. root.srv-service.monlabo.lan. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+
+		NS	srv-service.monlabo.lan.
+		NS	srv-dns2.monlabo.lan.
+srv-dns2.monlabo.lan.		IN	A	172.16.0.3
+srv-service.monlabo.lan.	IN	A	172.16.0.2
+srv-admin-tc.monlabo.lan.	IN	A	172.16.0.1
+
+srvdns		CNAME	srv-service.monlabo.lan.
+srvdns1		CNAME   srv-service.monlabo.lan.
+dns		CNAME   srv-service.monlabo.lan.
+dns1		CNAME   srv-service.monlabo.lan.
+srvdhcp		CNAME   srv-service.monlabo.lan.
+dhcp		CNAME   srv-service.monlabo.lan.
+srvadmin        CNAME   srv-admin-tc.monlabo.lan.
+routeur         CNAME   srv-admin-tc.monlabo.lan.
+gateway         CNAME   srv-admin-tc.monlabo.lan.
+dns2		CNAME	srv-dns2.monlabo.lan.
+srvdn2		CNAME	srv-dns2.monlabo.lan.

sisr1/tp03-reseau-prive/srv-service/db.monlabo.lan.rev

@@ -0,0 +1,20 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	srv-service.monlabo.lan. root.srv-service.monlabo.lan. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+
+		NS	srv-service.monlabo.lan.
+		NS	srv-dns2.monlabo.lan.
+srv-service.monlabo.lan.	IN	A	172.16.0.2
+srv-dns2.monlabo.lan.		IN	A	172.16.0.3
+1	IN	PTR	srv-admin-tc.monlabo.lan.
+2	IN	PTR	srv-service.monlabo.lan.
+3	IN	PTR	srv-dns2.monlabo.lan.
+
+

sisr1/tp03-reseau-prive/srv-service/dhcpd.conf

@@ -0,0 +1,113 @@
+# dhcpd.conf
+#
+# Sample configuration file for ISC dhcpd
+#
+
+# option definitions common to all supported networks...
+option domain-name "example.org";
+option domain-name-servers ns1.example.org, ns2.example.org;
+
+default-lease-time 600;
+max-lease-time 7200;
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+#authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+#log-facility local7;
+
+# No service will be given on this subnet, but declaring it helps the 
+# DHCP server to understand the network topology.
+
+#subnet 10.152.187.0 netmask 255.255.255.0 {
+#}
+
+# This is a very basic subnet declaration.
+
+subnet 172.16.0.0 netmask 255.255.255.0 {
+  range 172.16.0.10 172.16.0.110;
+  option routers 172.16.0.1;
+  option domain-name-servers 172.16.0.2, 172.16.0.3;
+  option domain-name "monlabo.lan";  
+}
+
+# This declaration allows BOOTP clients to get dynamic addresses,
+# which we don't really recommend.
+
+#subnet 10.254.239.32 netmask 255.255.255.224 {
+#  range dynamic-bootp 10.254.239.40 10.254.239.60;
+#  option broadcast-address 10.254.239.31;
+#  option routers rtr-239-32-1.example.org;
+#}
+
+# A slightly different configuration for an internal subnet.
+#subnet 10.5.5.0 netmask 255.255.255.224 {
+#  range 10.5.5.26 10.5.5.30;
+#  option domain-name-servers ns1.internal.example.org;
+#  option domain-name "internal.example.org";
+#  option routers 10.5.5.1;
+#  option broadcast-address 10.5.5.31;
+#  default-lease-time 600;
+#  max-lease-time 7200;
+#}
+
+# Hosts which require special configuration options can be listed in
+# host statements.   If no address is specified, the address will be
+# allocated dynamically (if possible), but the host-specific information
+# will still come from the host declaration.
+
+#host passacaglia {
+#  hardware ethernet 0:0:c0:5d:bd:95;
+#  filename "vmunix.passacaglia";
+#  server-name "toccata.example.com";
+#}
+
+# Fixed IP addresses can also be specified for hosts.   These addresses
+# should not also be listed as being available for dynamic assignment.
+# Hosts for which fixed IP addresses have been specified can boot using
+# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
+# be booted with DHCP, unless there is an address range on the subnet
+# to which a BOOTP client is connected which has the dynamic-bootp flag
+# set.
+host srv-admin-tc {
+  hardware ethernet 08:00:27:6c:09:4d;
+  fixed-address 172.16.0.1;
+}
+
+host srv-dns2 {
+  hardware ethernet 08:00:27:29:d5:fa;
+  fixed-address 172.16.0.3;
+}
+# You can declare a class of clients and then do address allocation
+# based on that.   The example below shows a case where all clients
+# in a certain class get addresses on the 10.17.224/24 subnet, and all
+# other clients get addresses on the 10.0.29/24 subnet.
+
+#class "foo" {
+#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
+#}
+
+#shared-network 224-29 {
+#  subnet 10.17.224.0 netmask 255.255.255.0 {
+#    option routers rtr-224.example.org;
+#  }
+#  subnet 10.0.29.0 netmask 255.255.255.0 {
+#    option routers rtr-29.example.org;
+#  }
+#  pool {
+#    allow members of "foo";
+#    range 10.17.224.10 10.17.224.250;
+#  }
+#  pool {
+#    deny members of "foo";
+#    range 10.0.29.10 10.0.29.230;
+#  }
+#}

sisr1/tp03-reseau-prive/srv-service/isc-dhcp-server

@@ -0,0 +1,18 @@
+# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)
+
+# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
+#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
+#DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf
+
+# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
+#DHCPDv4_PID=/var/run/dhcpd.pid
+#DHCPDv6_PID=/var/run/dhcpd6.pid
+
+# Additional options to start dhcpd with.
+#	Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
+#OPTIONS=""
+
+# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
+#	Separate multiple interfaces with spaces, e.g. "eth0 eth1".
+INTERFACESv4="enp0s3"
+INTERFACESv6=""

sisr1/tp03-reseau-prive/srv-service/named.conf.local

@@ -0,0 +1,21 @@
+//
+// Do any local configuration here
+//
+
+	// zone directe
+	zone "monlabo.lan" {
+	type master;
+	file "/etc/bind/db.monlabo.lan";
+	};
+
+	// zone inverse 
+	zone "0.16.172.in-addr.arpa" {
+	     type master;
+             notify no;
+             file "/etc/bind/db.monlabo.lan.rev";
+	};
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+

sisr1/tp03-reseau-prive/srv-service/named.conf.options

@@ -0,0 +1,24 @@
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable 
+	// nameservers, you probably want to use them as forwarders.  
+	// Uncomment the following block, and insert the addresses replacing 
+	// the all-0's placeholder.
+
+	 forwarders {
+		10.121.38.7; //DNS du lycée
+	 };
+
+	//========================================================================
+	// If BIND logs error messages about the root key being expired,
+	// you will need to update your keys.  See https://www.isc.org/bind-keys
+	//========================================================================
+	dnssec-validation auto;
+
+	listen-on-v6 { any; };
+};

sisr1/tp04_scripts_admin/Users.csv

@@ -0,0 +1,30 @@
+Ermengarde,Berthelmot,eberthelmot0@webmd.com,Female,Accountant,
+Kassi,Bunker,kbunker1@xinhuanet.com,Female,Production,
+Moises,McCallum,mmccallum2@i2i.jp,Male,Production,
+Patrizio,Lune,plune3@upenn.edu,Male,Accountant,
+Blanch,Everix,beverix4@php.net,Female,Accountant,
+Stafani,Kibbel,skibbel5@marriott.com,Female,Production,
+Ignacius,Mosdell,imosdell6@cloudflare.com,Male,Management,
+Jeana,Waller-Bridge,jwallerbridge7@mapy.cz,Female,Management,
+Elroy,Dressel,edressel8@opera.com,Male,Production,
+Thea,Strettell,tstrettell9@nature.com,Female,Production,
+Solomon,Insoll,sinsolla@utexas.edu,Male,Accountant,
+Carri,Feedome,cfeedomeb@ask.com,Female,Accountant,
+Padraic,Chetwind,pchetwindc@last.fm,Male,Management,
+Solly,D'Ugo,sdugod@uiuc.edu,Male,Production,
+Konstanze,MacCostigan,kmaccostigane@seattletimes.com,Female,Accountant,
+Roxane,Powlesland,rpowleslandf@pcworld.com,Female,Management,
+Orelle,Kennealy,okennealyg@arstechnica.com,Female,Production,
+Sukey,Soitoux,ssoitouxh@shinystat.com,Female,Production,
+Nelli,Syce,nsycei@blogger.com,Female,Production,
+Clarisse,Shillam,cshillamj@dailymotion.com,Female,Production,
+Carin,Gueny,cguenyk@naver.com,Female,Management,
+Donny,Riepel,driepell@addtoany.com,Male,Production,
+Daniella,Ralfe,dralfem@wunderground.com,Female,Production,
+Lexy,Clynmans,lclynmansn@furl.net,Female,Production,
+Gardiner,Adamthwaite,gadamthwaiteo@spotify.com,Male,Production,
+Woodman,Lippett,wlippettp@purevolume.com,Male,Production,
+Nadya,Munnion,nmunnionq@flavors.me,Female,Production,
+Llewellyn,Habershon,lhabershonr@alibaba.com,Male,Production,
+Isaak,Greatrex,igreatrexs@seesaa.net,Male,Production,
+Darill,Frostdyke,dfrostdyket@cafepress.com,Male,Production,

sisr1/tp04_scripts_admin/createGroups.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+fichier=./Users.csv
+
+while read ligne    #lis tous les lignes
+do
+
+    #A chaque alitéartion, stocker le métier dans $metier    
+    metier=$(echo $ligne | cut -d "," -f5)
+    echo $metier
+    if [[ $(grep $metier /etc/group) == "" ]] ; then
+      groupadd $metier
+    fi
+
+
+done < $fichier

sisr1/tp04_scripts_admin/createLogins.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+fichier=./Users.csv
+
+fichier_a_ecrire=./logins.csv
+    #Suppression puis création du fichier
+rm $fichier_a_ecrire 2> /dev/null   #le 2> envoie en cas de message d'erreur, celui ci dans la poubelle  
+touch $fichier_a_ecrire
+
+while read ligne    #lis tous les lignes
+do
+
+aecrire=""
+
+first_name=$(echo $ligne | cut -d "," -f1)      #récupération du prénom dans Users.csv
+
+last_name=$(echo $ligne | cut -d "," -f2)       #récupération du nom de famille dans Users.csv
+
+group=$(echo $ligne | cut -d "," -f5)           #récupération du groupe dans Users.csv
+
+login=$(echo $first_name | cut -c1)$last_name   #prendre la 1ere lettre du prénom suivi du nom de famille complet
+login=$(echo $login | tr [:upper:] [:lower:])   #mettre tout en minuscule
+login=$(echo $login | tr -dc [:alnum:])         #retrait de tout caractère spéciaux pouvant poser problème
+
+passwd=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 8;echo)   #genere mdp de 8 caractère aléatoire
+
+aecrire="$login,$passwd,$first_name,$last_name,$group"      #contenu dans l'ordre du fichier finale
+
+echo $aecrire >> $fichier_a_ecrire
+
+done < $fichier

sisr1/tp04_scripts_admin/createUsers.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+fichier=./logins.csv
+
+while read ligne    #lis tous les lignes
+do
+    #Créer l'utilisateur avec un répertoire personnel et le shell /bin/bash
+    username=$(echo $ligne | cut -d "," -f1) 
+    useradd -m -s "/bin/bash" $username
+    
+    #Définir le groupe de l'utilisateur
+    group=$(echo $ligne | cut -d "," -f5)
+    usermod -aG $group $username
+
+    #Définir le mot de passe de l'utilisateur
+    passwd=$(echo $ligne | cut -d "," -f2)
+    echo $username:$passwd | chpasswd
+    
+    
+    #Modifier les droits sur le répertoire personnel pour l'utilisateur
+    chown $username:$username /home/$username
+    
+
+done < $fichier

sisr1/tp04_scripts_admin/deployUsers.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+ip=$1   #IP de machine cible passé en paramètre
+user=root
+workdir=/root/deploy_test   #répertoire déploiement
+
+ssh root@$ip "mkdir $workdir" 2> /dev/null #création du répertoire de copie
+
+#copie des scripts et fichiers
+scp createGroups.sh $user@$ip:$workdir
+scp createUsers.sh $user@$ip:$workdir
+scp logins.csv $user@$ip:$workdir
+scp Users.csv $user@$ip:$workdir
+
+
+#execution des scripts
+ssh $user@$ip "cd $workdir ; bash createGroups.sh ; bash createUsers.sh"
+
+ssh $user@$ip "rm -R $workdir" #supression des répertoire et scripts

sisr1/tp04_scripts_admin/gitpush.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+message=$1
+git add .
+git commit -m "$message"
+git push -u https://timeo.collado@gitea.lyc-lecastel.fr/timeo.collado/siotp.git

sisr1/tp04_scripts_admin/logins.csv

@@ -0,0 +1,30 @@
+eberthelmot,bcxD15Rq,Ermengarde,Berthelmot,Accountant
+kbunker,wOsxMhVd,Kassi,Bunker,Production
+mmccallum,jVdrGCaE,Moises,McCallum,Production
+plune,yN9rio6I,Patrizio,Lune,Accountant
+beverix,HOiCFer2,Blanch,Everix,Accountant
+skibbel,pnSyWC0Z,Stafani,Kibbel,Production
+imosdell,YDoQ1mwf,Ignacius,Mosdell,Management
+jwallerbridge,XSy4UdLc,Jeana,Waller-Bridge,Management
+edressel,1dlVKJJp,Elroy,Dressel,Production
+tstrettell,hh6ejsux,Thea,Strettell,Production
+sinsoll,PECtHtTW,Solomon,Insoll,Accountant
+cfeedome,usRCf2Ef,Carri,Feedome,Accountant
+pchetwind,9aUarusW,Padraic,Chetwind,Management
+sdugo,e3hVqroi,Solly,D'Ugo,Production
+kmaccostigan,mxiDaIJO,Konstanze,MacCostigan,Accountant
+rpowlesland,5tDc3O5l,Roxane,Powlesland,Management
+okennealy,wYq4hsC5,Orelle,Kennealy,Production
+ssoitoux,6Re48Sg5,Sukey,Soitoux,Production
+nsyce,HYsJDTmU,Nelli,Syce,Production
+cshillam,qtOOEKIh,Clarisse,Shillam,Production
+cgueny,GXhM4sex,Carin,Gueny,Management
+driepel,CWYBzej5,Donny,Riepel,Production
+dralfe,XiD1vmU5,Daniella,Ralfe,Production
+lclynmans,qQpxiR3U,Lexy,Clynmans,Production
+gadamthwaite,pvYF1kuI,Gardiner,Adamthwaite,Production
+wlippett,lepMQT3e,Woodman,Lippett,Production
+nmunnion,BNjXy4od,Nadya,Munnion,Production
+lhabershon,bu7JLdp3,Llewellyn,Habershon,Production
+igreatrex,GUGJ27nw,Isaak,Greatrex,Production
+dfrostdyke,oAlWKd4Z,Darill,Frostdyke,Production

sisr1/tp05-squid/majservice.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+#script destiné à être paramétré et exécuté depuis un répertoire de votre dépôt Git
+#contenant un fichier de configuration d'un service
+
+filename=squid.conf #nom du fichier de config
+filepath=/etc/squid #emplacement système du fichier de config
+servicename=squid.service   #nom du service (A MODIFIER AU BESOIN)
+
+sudo git pull    #mise à jour du fichier de config du dépôt
+
+sudo cp $filepath/$filename $filepath/$filename.old  #sauvegarde fichier précédent
+
+sudo cp ./$filename $filepath/$filename #copie du ficgier de config mise à jour à son emplacement
+
+sudo systemctl restart $servicename  #restart du service associé

sisr1/tp06_firewall/current_ruleset.nft

@@ -0,0 +1,89 @@
+define netif = enp0s3
+define lanif = enp0s8
+define dmzif = enp0s9
+
+define netip = 192.168.0.160
+define dmzip = 172.17.0.254
+define lanip = 172.16.0.254
+
+define lan-ntw = 172.16.0.1-172.16.0.254
+define dmz-ntw = 172.17.0.1-172.17.0.254
+
+define internal-dns-ip = 172.16.0.2
+define dns-forwarder-ip = 10.121.38.7
+
+table ip ipfilter{
+	chain prerouting {
+                type filter hook prerouting priority filter; policy drop;
+				ct state established,related accept
+					#SSH
+		tcp dport 22 accept
+					#Requêtes HTTP/HTTPS depuis LAN
+		tcp dport {80,443} iif $lanif accept
+					#Requêtes externe du serveur DNS
+		ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+					#Pings
+		icmp type echo-request iif $lanif accept
+		icmp type echo-reply iif {$lanif, $dmzif} accept
+        }
+
+	chain system_in {
+                type filter hook input priority filter; policy drop;
+			#Communication déjà établies
+		ct state established,related accept
+			#SSH
+		tcp dport 22 accept
+			#Pings
+		icmp type echo-request iif $lanif accept
+		icmp type echo-reply accept
+        }
+
+ 	chain routing {
+                type filter hook forward priority filter; policy drop;
+			#Communication déjà établies
+		ct state established,related accept
+			#Requêtes HTTP/HTTPS depuis LAN
+		tcp dport {80,443} iif $lanif accept
+					#Requêtes externe du serveur DNS
+		ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+					#Pings
+		icmp type echo-request iif $lanif oif $dmzif accept
+		icmp type echo-reply iif $dmzif oif $lanif accept
+        }
+
+ 	chain system_out {
+                type filter hook output priority filter; policy drop;
+				ct state established,related accept
+		tcp dport 8080 accept		#Proxy du lycee
+		tcp sport 22 accept 		#SSH
+		tcp dport {20,21} accept	#FTP
+		udp dport 53 accept			#DNS
+		tcp dport {80,443} accept	#HTTP,HTTPS
+		icmp type echo-request accept
+		icmp type echo-request oif $lanif accept
+        }
+
+	chain postrouting {
+                type filter hook postrouting priority filter; policy drop;
+				ct state established,related accept
+		tcp dport 8080 accept		#Proxy du lycee
+		tcp sport 22 accept 		#SSH
+		tcp dport {20,21} accept	#FTP
+		udp dport 53 accept			#DNS
+		tcp dport {80, 443} accept	#HTTP,HTTPS
+		icmp type echo-request oif {$lanif, $dmzif} accept
+		icmp type echo-reply oif $lanif accept
+					#Requêtes externe du serveur DNS
+		ip saddr $internal-dns-ip ip daddr $dns-forwarder-ip accept
+        }
+		
+	chain nat_prerouting {
+				type nat hook prerouting priority filter; policy accept
+	}
+
+	chain nat_postrouting {
+		type nat hook postrouting priority filter; policy accept;
+				#Masquage des IP de la LAN sortant sur Internet
+			ip saddr $lan-ntw oif $netif snat $netip
+	}
+}

sisr1/tp06_firewall/test_firewall.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+ipfirewall=192.168.0.160
+dir=/root/firewall
+ruleset=current_ruleset.nft
+
+scp $ruleset root@$ipfirewall:$dir/$ruleset
+scp current_ruleset.nft root@$ipfirewall:/root/firewall/current_ruleset.nft
+ssh root@$ipfirewall "bash $dir//refresh_firewall.sh"