Deploy firewall config for the captive portal

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
ynerant 2021-02-01 15:50:32 +01:00 committed by ynerant
parent ba9e60dba8
commit 154cbedec2
Signed by untrusted user: ynerant
GPG key ID: 3A75C55819C8CF85

View file

@ -25,14 +25,13 @@
### Give me a role
# previously: routeur4 = routeur IPv4
role = ['routeur', 'portail']
role = ['routeur']
### Specify each interface role
interfaces_type = {
'routable' : ['ens20', 'ens21', 'ens23'],
'routable-portail' : ['ens23'],
'sortie' : ['ens19'],
'admin' : ['ens18']
}
@ -67,24 +66,35 @@ nat = [
'name': 'Accueil',
'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16',
'extra_nat': {
'10.{{ subnet_ids.users_accueil }}.0.0/16': '45.66.108.25{{ apartment_block_id }}'
'10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{
apartment_block_id }}',
'10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}'
},
'extra_nat_group': 'accueil_ens23_allowed',
},
]
portail = {
"authorized_hosts": {
# ATTENTION: on doit avoir retry ≥ grace
# ATTENTION: il faut que ip_redirect gère tous les ports
# autorisés dans le profile re2o, sinon on laisse sortir
# du trafic
accueils = [
{
'iface': 'ens23',
'grace_period': 1800,
'retry_period': 86400,
'ip_sources': [
'10.{{ subnet_ids.users_accueil }}.1.0/24',
'10.{{ subnet_ids.users_accueil }}.2.0/24',
],
'ip_redirect': {
"tcp": {
"45.66.111.61": ["80", "443"],
"92.222.211.195": ["80", "443"]
"10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"],
}
},
"udp": {}
},
"ip_redirect": {
"0.0.0.0/0": {
"tcp": {
"45.66.111.61": ["80", "443"]
}
}
}
'triggers': [
('4', 'tcp', '46.255.53.35', 443), # ComNPay
('4', 'tcp', '46.255.53.35', 80),
]
}
]