Chaîne filtrage

firewall.nft

@@ -39,7 +39,7 @@ table inet firewall {
 		#
 		# On utilise des jumps pour revenir ici une fois la chaîne évaluée.
 		meta iif vmap {
-			$if_adherent : jump from_adh,
+			$if_adherent : jump from_adherent,
 			$if_admin : jump from_admin,
 			$if_federez : jump from_federez,
 			$if_supelec : jump from_supelec,
@@ -53,7 +53,7 @@ table inet firewall {
 		# On utilise des goto pour ne pas revenir ici une fois la chaîne
 		# évaluée.
 		meta oif vmap {
-			$if_adherent : goto to_adh,
+			$if_adherent : goto to_adherent,
 			$if_admin : goto to_admin,
 			$if_federez : goto to_federez,
 			$if_supelec : goto to_supelec,

firewall.py

@@ -346,17 +346,22 @@ class NetfilterSet:
                     'Did not get the right set, too wrong to fix. Got '
                     + str(netfilter_set)
                     + ("\nExpected : "
-                       "\n\tname: {name}"
+                       "\n\tname: \t{name} \t[{name_check}]"
-                       "\n\taddress_family: {family}"
+                       "\n\taddress_family: \t{family} \t[{family_check}]"
-                       "\n\ttable: {table}"
+                       "\n\ttable: \t{table} \t[{table_check}]"
-                       "\n\tflags: {flags}"
+                       "\n\tflags: \t{flags} \t[{flags_check}]"
-                       "\n\ttypes: {types}"
+                       "\n\ttypes: \t{types} \t[{types_check}]"
                       ).format(
                           name=self.name,
                           family=self.address_family,
                           table=self.table,
                           flags=self.flags,
-                          types=tuple(self.TYPES[t] for t in self.type)
+                          types=tuple(self.TYPES[t] for t in self.type),
+                          name_check= 'v' if self.name == netfilter_set['name'] else 'x',
+                          family_check= 'v' if self.address_family == netfilter_set['address_family'] else 'x',
+                          table_check= 'v' if self.table == netfilter_set['table'] else 'x',
+                          flags_check= 'v' if self.flags == netfilter_set.get('flags', set()) else 'x',
+                          types_check= 'v' if self.has_type(netfilter_set['type']) else 'x',
                       )
                 )
             if parse_elements:
@@ -388,7 +393,7 @@ class NetfilterSet:
             'name': values['name'],
             'type': values['type'].split(' . '),
             'raw_content': values['elements'],
-            'flags': values['flags'],
+            'flags': set(values['flags'].split(', ')),
         }
 
     def get_netfilter_content(self):

mac_ip.py

@@ -35,7 +35,6 @@ api_username = CONFIG.get('Re2o', 'username')
 
 api_client = Re2oAPIClient(api_hostname, api_username, api_password)
 
-api_client.list('dhcp/hostmacip')
 
 def gen_ip_mac_set():
     """Generates the ip_mac set in nftables.

zones/adherent.nft

@@ -2,11 +2,11 @@
 
 table inet firewall {
 
-	chain to_adh {
+	chain to_adherent {
 		accept
 	}
 
-	chain from_adh {
+	chain from_adherent {
 	}
 
 }

zones/dmz.nft

@@ -3,36 +3,100 @@
 
 table inet firewall {
 
-	# Définition de la DMZ
+	set dns {
+		type ipv4_addr
+		flags interval
+		elements = { 193.48.225.248 }
+	}
+
+	set www {
+		type ipv4_addr
+		flags interval
+		elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247 }
+	}
+
+	set irc {
+		type ipv4_addr
+		flags interval
+		elements = {193.48.225.244}
+	}
+
+	set znc {
+		type ipv4_addr
+		flags interval
+		elements = { 193.48.225.242 }
+	}
+
+	set smtp {
+		type ipv4_addr
+		flags interval
+		elements = { 193.48.225.249, 193.48.225.245 }
+	}
+
+	set letsencrypt {
+		type ipv4_addr
+		flags interval
+		elements = {193.48.225.246, 193.48.225.248, 193.48.225.249}
+	}
+
+	set federez {
+		type ipv4_addr
+		flags interval
+		elements = {193.48.225.201}
+	}
 
-	set z_dmz {
+	set gitlab {
 		type ipv4_addr
 		flags interval
-		elements = {193.48.225.224/27}
+		elements = { 193.48.225.243 }
 	}
 
-	set dmz_allowed_tcp_in {
+	set video {
-		type ipv4_addr . inet_service
+		type ipv4_addr
+		flags interval
+		elements = { 193.48.225.240 }
 	}
-	set dmz_allowed_tcp_out {
+
-		type ipv4_addr . inet_service
+	set ldap {
+		type ipv4_addr
+		flags interval
+		elements = { 193.48.225.240 }
 	}
-	set dmz_allowed_udp_in {
+
-		type ipv4_addr . inet_service
+	set ldap_clients {
+		type ipv4_addr
+		flags interval
+		elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125}
 	}
-	set dmz_allowed_udp_out {
+
-		type ipv4_addr . inet_service
+	set mysql {
+		type ipv4_addr
+		flags interval
+		elements = {10.7.0.243}
 	}
 
 	chain to_dmz {
-		#ip daddr . tcp dport @dmz_allowed_tcp_in accept
+		ip daddr @smtp tcp dport { 22, 25, 80 } accept
-		#ip daddr . udp dport @dmz_allowed_udp_in accept
+		ip daddr @dns tcp dport { 22, 53 } accept
-		accept
+		ip daddr @dns udp dport { 53 } accept
+		ip daddr @www tcp dport { 21, 22, 80, 443 } accept
+		ip daddr @federez tcp dport { 22, 53, 80, 443, 389 } accept
+		ip daddr @federez udp dport { 53, 636 } accept
+		ip daddr @znc tcp dport { 6667 } accept
+		ip daddr @letsencrypt tcp dport { 80, 443 } accept
+		ip daddr @irc tcp dport { 22, 6667, 6697, 6767, 7000, 9090 } accept
+		ip daddr @video tcp dport { 37700, 6754 } accept
+		ip daddr @video udp dport { 37800 } accept
+		ip daddr @video tcp dport { 5678 } accept
+
+		ip daddr @ldap ip saddr @ldap_clients tcp dport { 389, 636} accept
+
+		drop
 	}
 
 	chain from_dmz {
-		#ip saddr . tcp dport != @dmz_allowed_tcp_out drop
+		ip daddr @mysql ip saddr != @www tcp dport 3306 drop
-		#ip saddr . udp dport != @dmz_allowed_udp_out drop
+		ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop
 	}
 
 }