You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
137 lines
2.7 KiB
137 lines
2.7 KiB
#!/usr/bin/env bash
|
|
|
|
set -eu
|
|
|
|
DESC="Test de la configuration de base du TP DMZ."
|
|
|
|
SYSTEMS="bigboss lambda nomade societe tiny web"
|
|
|
|
config() {
|
|
IP_SOCIETE_PUBLIC=$($VDN_PATH/bin/vdn-infos societe PUBLIC_IP)
|
|
vdn-ssh -t root@societe "
|
|
# net.ipv4.ip_forward=1
|
|
sed -i -re 's/#(net.ipv4.ip_forward=1)/\1/g' /etc/sysctl.conf
|
|
sysctl -p
|
|
|
|
cat << EOF > vide.sh
|
|
#!/bin/sh
|
|
iptables -F INPUT
|
|
iptables -F OUTPUT
|
|
iptables -F FORWARD
|
|
iptables -F POSTROUTING -t nat
|
|
iptables -F PREROUTING -t nat
|
|
EOF
|
|
|
|
chmod 755 vide.sh
|
|
|
|
cat << EOF > local-1.sh
|
|
#!/bin/sh
|
|
|
|
echo "1" > /proc/sys/net/ipv4/ip_forward
|
|
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
EOF
|
|
|
|
chmod 755 local-1.sh
|
|
|
|
cat << EOF > fermeDehors.sh
|
|
#!/bin/sh
|
|
|
|
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
|
|
iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS
|
|
iptables -A INPUT -p tcp --dport 25 -j ACCEPT # Mail
|
|
iptables -A INPUT -p tcp --dport 993 -j ACCEPT # Imap sur ssl
|
|
|
|
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
|
|
|
|
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
|
|
iptables -A INPUT -m state --state RELATED -j ACCEPT
|
|
|
|
iptables -A INPUT -i eth0 -j REJECT
|
|
EOF
|
|
|
|
chmod 755 fermeDehors.sh
|
|
|
|
cat << EOF > forward.sh
|
|
iptables -t nat -A PREROUTING -p tcp -d $IP_SOCIETE_PUBLIC --dport 80 -j DNAT --to 192.168.1.2
|
|
EOF
|
|
|
|
chmod 755 forward.sh
|
|
|
|
cat << EOF > local.sh
|
|
#!/bin/sh
|
|
|
|
echo "1" > /proc/sys/net/ipv4/ip_forward
|
|
|
|
iptables -s 192.168.30.0/24 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
|
|
iptables -s 192.168.1.2 -p tcp --dport 80 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
iptables -s 192.168.1.2 -p tcp --dport 53 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
iptables -s 192.168.1.2 -p tcp --dport 25 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
EOF
|
|
|
|
chmod 755 local.sh
|
|
|
|
cat << EOF > fw-on.sh
|
|
#!/bin/sh
|
|
|
|
/root/vide.sh
|
|
/root/fermeDehors.sh
|
|
/root/local.sh
|
|
/root/forward.sh
|
|
if [ -x /root/dns.sh ]; then
|
|
/root/dns.sh
|
|
fi
|
|
EOF
|
|
|
|
chmod 755 fw-on.sh
|
|
|
|
/root/fw-on.sh
|
|
"
|
|
|
|
|
|
}
|
|
|
|
test() {
|
|
# tiny peut joindre bigboss (et vice versa).
|
|
|
|
vdn-ssh root@bigboss "ping -c 1 tiny"
|
|
vdn-ssh root@tiny "ping -c 1 bigboss"
|
|
|
|
# societe est joignable par toutes les machines (et vice versa)
|
|
|
|
for i in $SYSTEMS; do
|
|
vdn-ssh root@$i "ping -c 1 societe"
|
|
done
|
|
|
|
# lambda peut joindre nomade (et vice-versa)
|
|
|
|
vdn-ssh root@lambda "ping -c 1 nomade"
|
|
vdn-ssh root@nomade "ping -c 1 lambda"
|
|
|
|
# vérifiez que les serveurs apache2 de lambda, web et bigboss fonctionnent
|
|
|
|
vdn-ssh root@bigboss "lynx -dump bigboss" | grep -q 'Bienvenue'
|
|
vdn-ssh root@web "lynx -dump web" | grep -q 'Bienvenue'
|
|
vdn-ssh root@lambda "lynx -dump lambda" | grep -q 'Bienvenue'
|
|
}
|
|
|
|
|
|
run() {
|
|
setErrorHandler
|
|
echoStart
|
|
|
|
requireSshGuests $SYSTEMS
|
|
|
|
#set -x
|
|
|
|
# Config
|
|
config
|
|
|
|
# test
|
|
#test
|
|
|
|
unsetErrorHandler
|
|
echoDone
|
|
}
|
|
|