|
|
#!/usr/bin/env bash
|
|
|
|
|
|
# One-line description of this scenario (French, as shown by the surrounding
# tooling — presumably read by whatever sources this file).
DESC='Réparations de fixme.'

# Hosts taking part in the exercise, space-separated; the value is meant to be
# word-split by its consumer (see the commented requireSshGuests call in run).
SYSTEMS='distributeur client comanche castafiore appolo passerelle darkside brightside'
|
|
|
|
|
|
#######################################
# Fix Q1: no Internet access from the local network.
# Enables source NAT on the gateway so packets leaving through eth0 carry
# the gateway's own address (otherwise replies cannot find their way back).
# Globals:   none
# Arguments: none
# Outputs:   nothing locally; runs iptables on passerelle via vdn-ssh
#######################################
repairQ1() {
  vdn-ssh root@passerelle "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
}
|
|
|
|
|
|
#######################################
# Fix Q2: appolo is "blind" (has no working network configuration).
# Feeds a static interfaces(5) document to the setInterfaces helper for
# appolo (presumably installed as /etc/network/interfaces there), then
# restarts networking on the host so the new addresses take effect.
# The delimiter is quoted because nothing in the document is meant to be
# expanded by this shell.
# Globals:   none
# Arguments: none
# Outputs:   nothing locally; reconfigures appolo via setInterfaces/vdn-ssh
#######################################
repairQ2() {
  setInterfaces appolo <<'EOF'
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.3.2
gateway 192.168.3.1
netmask 255.255.255.0

EOF
  vdn-ssh root@appolo "systemctl restart networking"
}
|
|
|
|
|
|
#######################################
# Fix Q3: administer the castafiore web server from the local network.
# Allows TCP/22 from the LAN prefix. The rule is inserted at position 1
# (-I INPUT 1) so it is evaluated before the chain's existing REJECT rule;
# appending it would leave it unreachable.
# Globals:   none
# Arguments: none
# Outputs:   a progress dot on stdout; runs iptables on castafiore
#######################################
repairQ3() {
  printf '.'
  local lan='192.168.2.0/24'
  vdn-ssh root@castafiore "iptables -I INPUT 1 -p tcp --dport 22 -s $lan -j ACCEPT"
}
|
|
|
|
|
|
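#######################################
# Fix Q4: make the web server visible from the outside.
# Looks up the gateway's public address with vdn-infos and installs a DNAT
# rule on passerelle redirecting incoming TCP/80 on that address to the web
# host 192.168.3.3.
# The lookup is done in a separate step: the original interpolated it straight
# into the remote command, so a failing or empty lookup silently produced a
# malformed iptables rule ("-d --dport 80") on the gateway.
# Globals:   VDN_PATH (read) — location of the vdn tooling
# Arguments: none
# Outputs:   a progress dot on stdout; diagnostics on stderr
# Returns:   0 on success; non-zero when the public address cannot be obtained
#######################################
repairQ4() {
  printf '.'
  local public_ip
  # Quoted so a VDN_PATH containing spaces still resolves to one executable.
  public_ip=$("$VDN_PATH/bin/vdn-infos" passerelle PUBLIC_IP) || return
  if [[ -z "$public_ip" ]]; then
    printf 'repairQ4: no PUBLIC_IP known for passerelle\n' >&2
    return 1
  fi
  vdn-ssh root@passerelle "iptables -t nat -A PREROUTING -p tcp -d $public_ip --dport 80 -j DNAT --to 192.168.3.3"
}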
|
|
|
|
|
|
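#######################################
# Fix Q5: comanche must be reachable from client (the fault is indirect and
# not obvious).
# Rewrites one address in dhcpd.conf on distributeur — presumably the lease
# handed to comanche — restarts the DHCP server, then restarts networking on
# comanche so it picks up the corrected configuration.
# The sed pattern now escapes the dots and anchors on word boundaries: the
# original "192.168.2.8" was an unescaped regex, so it also matched the start
# of addresses such as 192.168.2.80 and would have corrupted them.
# Globals:   none
# Arguments: none
# Outputs:   progress dots on stdout; runs sed/systemctl on the remote hosts
#######################################
repairQ5() {
  printf '.'
  local old_ip='192.168.2.8' new_ip='192.168.2.4'
  local pattern="\\b${old_ip//./\\.}\\b"
  vdn-ssh root@distributeur "sed -i -re 's/$pattern/$new_ip/' /etc/dhcp/dhcpd.conf; systemctl restart isc-dhcp-server"
  printf '.'
  vdn-ssh root@comanche "systemctl restart networking"
}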
|
|
|
|
|
|
#######################################
# Fix Q6: block the attacker host (darkside).
# Drops, on the gateway's external interface, both the gateway's own traffic
# to darkside (OUTPUT) and anything it would forward there (FORWARD).
# To observe that traffic first, a LOG rule can be placed ahead of the DROP:
#   iptables -I FORWARD 1 -o eth0 -d darkside -j LOG
# NOTE(review): "darkside" is a name, resolved on passerelle when the rule is
# installed; the rule only protects as well as that resolution is correct.
# Both rules are appended (-A), so an earlier ACCEPT in the same chain would
# take precedence — check the chain order if darkside stays reachable.
# Globals:   none
# Arguments: none
# Outputs:   one progress dot per rule on stdout; runs iptables on passerelle
#######################################
repairQ6() {
  local chain
  for chain in OUTPUT FORWARD; do
    printf '.'
    vdn-ssh root@passerelle "iptables -A $chain -o eth0 -d darkside -j DROP"
  done
}
|
|
|
|
|
|
#######################################
# Fix Q7: the DMZ is not sealed off from the local network.
# Rejects new TCP connections (SYN only) entering on eth2 — presumably the
# DMZ side — and destined for the LAN prefix. Because only connection
# attempts are matched, replies to sessions opened from the LAN still pass.
# Globals:   none
# Arguments: none
# Outputs:   a progress dot on stdout; runs iptables on passerelle
#######################################
repairQ7() {
  printf '.'
  local lan='192.168.2.0/24'
  vdn-ssh root@passerelle "iptables -A FORWARD -i eth2 -d $lan -p tcp --syn -j REJECT"
}
|
|
|
|
|
|
|
|
|
#######################################
# Entry point of the scenario: applies every fix in order.
# Installs the error handler, (re)runs the gateway's firewall script —
# presumably restoring the baseline rule set before the per-question rules
# are added — then calls repairQ1..repairQ7 and tears the handler down.
# Globals:   SYSTEMS (only referenced by the disabled reachability check)
# Arguments: none
# Outputs:   progress output from echoStart/echoDone and the repair steps
#######################################
run() {
  setErrorHandler
  echoStart

  # Reachability check for the guests is kept disabled, as in the original.
  #requireSshGuests $SYSTEMS

  vdn-ssh root@passerelle "sh /etc/vdn/00-firewall"

  local step
  for step in repairQ1 repairQ2 repairQ3 repairQ4 repairQ5 repairQ6 repairQ7; do
    "$step"
  done

  unsetErrorHandler
  echoDone
  sleep 1
}
|
|
|
|
|
|
|