antoine.perederii
/
IUT
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e2bb871125'
${ noResults }
IUT/vdn/networks.bak/firewall-buster/scripts/repairAll

193 lines
4.3 KiB
Raw Blame History

#!/usr/bin/env bash
DESC="TP firewall"
SYSTEMS="bigboss tiny web societe lambda nomade"
repairQ0() {
vdn-ssh -t root@societe "
cat << EOF > vide.sh
#!/bin/sh
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
EOF
chmod 755 vide.sh
./vide.sh
"
}
repairQ1() {
vdn-ssh -t root@societe "
cat << EOF > local.sh
#!/bin/sh
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
chmod 755 local.sh
./local.sh
"
}
repairQ2() {
cat << EOF > /dev/null
# Solution alternative qui valide les tests
# Semble nécessiter plus de mémoir, à vérifier
#!/bin/sh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS
iptables -A INPUT -p tcp --dport 25 -j ACCEPT # Mail
iptables -A INPUT -p tcp --dport 993 -j ACCEPT # Imap sur ssl
iptables -A INPUT -i eth0 -m state --state NEW -j REJECT
EOF
vdn-ssh -t root@societe "
cat << EOF > fermeDehors.sh
#!/bin/sh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -p tcp --dport 53 -j ACCEPT # DNS
iptables -A INPUT -p tcp --dport 25 -j ACCEPT # Mail
iptables -A INPUT -p tcp --dport 993 -j ACCEPT # Imap sur ssl
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A INPUT -i eth0 -j REJECT
EOF
chmod 755 fermeDehors.sh
./fermeDehors.sh
"
}
repairQ3() {
vdn-ssh -t root@societe "
cat << EOF > forward.sh
iptables -t nat -A PREROUTING -p tcp -d $IP_SOCIETE_PUBLIC --dport 80 -j DNAT --to 192.168.1.2
EOF
chmod 755 forward.sh
./forward.sh
"
}
repairQ4() {
vdn-ssh -t root@societe "
mv local.sh local-1.sh
cat << EOF > local.sh
#!/bin/sh
iptables -s 192.168.30.0/24 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -s 192.168.1.2 -p tcp --dport 80 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -s 192.168.1.2 -p tcp --dport 53 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -s 192.168.1.2 -p tcp --dport 25 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
chmod 755 local.sh
./vide.sh
./fermeDehors.sh
./forward.sh
./local.sh
"
}
# Partie 2 : IPv6
# Fonction utilitaire : Récupère l'adresse IPv6 autoconfigurée
# $1 : host
# $2 : interface
# Exemple : getIPv6 bigboss eth0
getIPv6() {
echo $(vdn-ssh root@$1 'ip -6 addr show dev '$2' | grep inet6 | tr -s " " | cut -d " " -f 3 | cut -d "/" -f 1') | sed -re 's/[^[:print:]]//g'
}
repairQ5() {
# réinitialise les interfaces
echo "Repair Q5. Config IPv6... please wait..."
vdn-ssh root@bigboss "systemctl restart networking"
vdn-ssh root@web "systemctl restart networking"
vdn-ssh root@societe "
echo 1 >/proc/sys/net/ipv6/conf/all/forwarding
systemctl restart networking
"
# Ajoute les adresses IPv6 "locales uniques" en utilisant le suffixe
# de l'adresse "lien local"
#
# * la DMZ (web) aura le préfixe fc01
# * le réseau interne (bigboss) aura le préfixe fc00
#
# La fonction routage IPv6 est activé sur société
# et les routes par défaut sont fixées sur web et bigboss
#
# un ping6 de bigboss vers web valide la config.
ipSocieteWeb=$(getIPv6 societe eth1)
ipSocieteWeb=$(echo $ipSocieteWeb | sed -re 's/fe80:/fc01:/')
vdn-ssh root@societe "ip -6 addr add $ipSocieteWeb/64 dev eth1"
ipSocieteBigboss=$(getIPv6 societe eth2)
ipSocieteBigboss=$(echo $ipSocieteBigboss | sed -re 's/fe80:/fc00:/')
vdn-ssh root@societe "ip -6 addr add $ipSocieteBigboss/64 dev eth2"
ipWeb=$(getIPv6 web eth0)
ipWeb=$(echo $ipWeb | sed -re 's/fe80:/fc01:/')
vdn-ssh root@web "ip -6 addr add $ipWeb/64 dev eth0"
ipBigboss=$(getIPv6 bigboss eth0)
ipBigboss=$(echo $ipBigboss | sed -re 's/fe80:/fc00:/')
vdn-ssh root@bigboss "ip -6 addr add $ipBigboss/64 dev eth0"
vdn-ssh root@web "
ip -6 route del ::/0 &> /dev/null
ip -6 route add ::/0 via $ipSocieteWeb"
vdn-ssh root@bigboss "
ip -6 route del ::/0 &> /dev/null
ip -6 route add ::/0 via $ipSocieteBigboss"
#vdn-ssh root@bigboss "ping6 -c 3 -I eth0 $ipWeb"
}
run() {
setErrorHandler
echoStart
#requireSshGuests $SYSTEMS
IP_SOCIETE_PUBLIC=$($VDN_PATH/bin/vdn-infos societe PUBLIC_IP)
repairQ0
repairQ1
repairQ2
repairQ3
repairQ4
repairQ5
unsetErrorHandler
echoDone
sleep 1
}
Reference in new issue View Git Blame Copy Permalink