ansible/roles/router/templates/firewall_config.py

# -*- mode: python; coding: utf-8 -*-
# 
# Re2o est un logiciel d'administration développé initiallement au rezometz. Il
# se veut agnostique au réseau considéré, de manière à être installable en
# quelques clics.
#
# Copyright © 2017  Gabriel Détraz
# Copyright © 2017  Goulven Kermarec
# Copyright © 2017  Augustin Lemesle
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

### Give me a role

# previously: routeur4 = routeur IPv4
role = ['routeur']


### Specify each interface role

interfaces_type = {
    'routable' : ['ens20', 'ens21', 'ens23'],
    'sortie' : ['ens19'],
    'admin' : ['ens18']
}


### Specify nat settings: name, interfaces with range, and global range for nat
### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
### contain /16 range

nat = [
    {
        'name' : 'Wifi',
        'interfaces_ip_to_nat' : {
            'ens19' : '45.66.109.0/24',
        },
        'ip_sources' : '10.{{ subnet_ids.users_wifi }}.0.0/16',
        'extra_nat' : {}
    },
    {
        'name' : 'Filaire',
        'interfaces_ip_to_nat' : {
            'ens19' : '45.66.108.0/24',
        },
        'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',
        'extra_nat' : {
            '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{
                apartment_block_id }}',
            '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'
        }
    },
    {
        'name': 'Accueil',
        'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16',
        'extra_nat': {
            '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{
            apartment_block_id }}',
            '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}'
        },
        'extra_nat_group': 'accueil_ens23_allowed',
        'masquerade': [
            '10.{{ subnet_ids.users_accueil }}.1.0/24',
            '10.{{ subnet_ids.users_accueil }}.2.0/24',
        ]
    },
]

# ATTENTION: on doit avoir retry ≥ grace
# ATTENTION: il faut que ip_redirect gère tous les ports
# autorisés dans le profile re2o, sinon on laisse sortir
# du trafic
accueils = [
    {
        'iface': 'ens23',
        'grace_period': 1800,
        'retry_period': 86400,
        'ip_sources': [
            '10.{{ subnet_ids.users_accueil }}.1.0/24',
            '10.{{ subnet_ids.users_accueil }}.2.0/24',
        ],
        'ip_redirect': {
            "tcp": {
                "10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"],
            }
        },
        'triggers': [
            ('4', 'tcp', '46.255.53.35', 443),  # ComNPay
            ('4', 'tcp', '46.255.53.35', 80),
        ]
    }
]
aurore-firewall: initial setup group_vars: add apartment_block_id var dhcp: move vars to role 2020-05-07 19:24:02 +02:00			`# -- mode: python; coding: utf-8 --`
			`#`
			`# Re2o est un logiciel d'administration développé initiallement au rezometz. Il`
			`# se veut agnostique au réseau considéré, de manière à être installable en`
			`# quelques clics.`
			`#`
			`# Copyright © 2017 Gabriel Détraz`
			`# Copyright © 2017 Goulven Kermarec`
			`# Copyright © 2017 Augustin Lemesle`
			`#`
			`# This program is free software; you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation; either version 2 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License along`
			`# with this program; if not, write to the Free Software Foundation, Inc.,`
			`# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.`

			`### Give me a role`

roll out (private) IPv6 on George Sand 2020-08-01 17:48:39 +02:00			`# previously: routeur4 = routeur IPv4`
Deploy firewall config for the captive portal Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-02-01 15:50:32 +01:00			`role = ['routeur']`
aurore-firewall: initial setup group_vars: add apartment_block_id var dhcp: move vars to role 2020-05-07 19:24:02 +02:00

			`### Specify each interface role`

			`interfaces_type = {`
Add captive portal firewall configuration Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-01-24 12:04:21 +01:00			`'routable' : ['ens20', 'ens21', 'ens23'],`
aurore-firewall: initial setup group_vars: add apartment_block_id var dhcp: move vars to role 2020-05-07 19:24:02 +02:00			`'sortie' : ['ens19'],`
			`'admin' : ['ens18']`
			`}`


			`### Specify nat settings: name, interfaces with range, and global range for nat`
			`### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST`
			`### contain /16 range`

			`nat = [`
			`{`
			`'name' : 'Wifi',`
			`'interfaces_ip_to_nat' : {`
			`'ens19' : '45.66.109.0/24',`
			`},`
			`'ip_sources' : '10.{{ subnet_ids.users_wifi }}.0.0/16',`
			`'extra_nat' : {}`
			`},`
			`{`
			`'name' : 'Filaire',`
			`'interfaces_ip_to_nat' : {`
			`'ens19' : '45.66.108.0/24',`
			`},`
			`'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16',`
			`'extra_nat' : {`
keepalived: initial config 2020-05-08 15:54:54 +02:00			`'10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{`
			`apartment_block_id }}',`
			`'10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}'`
aurore-firewall: initial setup group_vars: add apartment_block_id var dhcp: move vars to role 2020-05-07 19:24:02 +02:00			`}`
Add captive portal firewall configuration Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-01-24 12:04:21 +01:00			`},`
			`{`
			`'name': 'Accueil',`
			`'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16',`
			`'extra_nat': {`
Deploy firewall config for the captive portal Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-02-01 15:50:32 +01:00			`'10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{`
			`apartment_block_id }}',`
			`'10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}'`
Add captive portal firewall configuration Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-01-24 12:04:21 +01:00			`},`
Deploy firewall config for the captive portal Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-02-01 15:50:32 +01:00			`'extra_nat_group': 'accueil_ens23_allowed',`
Update masquerade configuration for the captive portal Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-02-01 17:08:24 +01:00			`'masquerade': [`
			`'10.{{ subnet_ids.users_accueil }}.1.0/24',`
			`'10.{{ subnet_ids.users_accueil }}.2.0/24',`
			`]`
Add captive portal firewall configuration Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-01-24 12:04:21 +01:00			`},`
aurore-firewall: initial setup group_vars: add apartment_block_id var dhcp: move vars to role 2020-05-07 19:24:02 +02:00			`]`
Add captive portal firewall configuration Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-01-24 12:04:21 +01:00
Deploy firewall config for the captive portal Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-02-01 15:50:32 +01:00			`# ATTENTION: on doit avoir retry ≥ grace`
			`# ATTENTION: il faut que ip_redirect gère tous les ports`
			`# autorisés dans le profile re2o, sinon on laisse sortir`
			`# du trafic`
			`accueils = [`
			`{`
			`'iface': 'ens23',`
			`'grace_period': 1800,`
			`'retry_period': 86400,`
			`'ip_sources': [`
			`'10.{{ subnet_ids.users_accueil }}.1.0/24',`
			`'10.{{ subnet_ids.users_accueil }}.2.0/24',`
			`],`
			`'ip_redirect': {`
Add captive portal firewall configuration Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-01-24 12:04:21 +01:00			`"tcp": {`
Deploy firewall config for the captive portal Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-02-01 15:50:32 +01:00			`"10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"],`
Add captive portal firewall configuration Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-01-24 12:04:21 +01:00			`}`
Deploy firewall config for the captive portal Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-02-01 15:50:32 +01:00			`},`
			`'triggers': [`
			`('4', 'tcp', '46.255.53.35', 443), # ComNPay`
			`('4', 'tcp', '46.255.53.35', 80),`
			`]`
Add captive portal firewall configuration Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-01-24 12:04:21 +01:00			`}`
Deploy firewall config for the captive portal Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-02-01 15:50:32 +01:00			`]`