aurore/ansible
aurore/ansible
11
2
Fork 0
Code Issues 1 Pull requests 13 Releases Wiki Activity

Use group vars and rename some nftables vars
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse source
This commit is contained in:
jeltz 2021-03-10 08:29:15 +01:00
parent 93c229203a
commit f24a3e1d29
3 changed files with 34 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
roles/nftables_router/templates/nftables.d/10-vars.conf.j2
View file

@ -3,45 +3,45 @@
## Interconnexion
# Réseaux d'interconnexion
define interco_v4 = { 192.168.0.0/31, 192.168.0.2/31, 10.129.0.0/16 }
define interco_v6 = { 2a09:6840:129::0/48 }
define interco_v4 = { {{ nftables_interco_v4 | join(", ") }} }
define interco_v6 = { {{ nftables_interco_v6 | join(", ") }} }
## Administration
# Réseaux d'administration
define adm_v4 = { 10.128.0.0/16, 10.133.0.0/16 }
define adm_v6 = { 2a09:6840:128::0/48, 2a09:6840:133::0/48 }
define adm_v4 = { {{ nftables_adm_v4 | join(", ") }} }
define adm_v6 = { {{ nftables_adm_v6 | join(", ") }} }
# Serveurs de centralisation des journaux
define syslog_adm_v4 = { 10.128.0.51 }
define syslog_adm_v6 = { 2a09:6840:128::251 }
# Adresses des bastions autorisés
define bastion_v4 = { 10.128.0.224, 10.133.0.250 }
define bastion_v6 = { 2a09:6840:133::250 }
define bastions_v4 = { {{ nftables_bastions_v4 | join(", ") }} }
define bastions_v6 = { {{ nftables_bastions_v6 | join(", ") }} }
## Services
# Réseaux de services privés
define svc_v4 = { 10.132.0.0/16 }
define svc_v6 = { 2a09:6840:132::0/48 }
define svc_v4 = { {{ nftables_svc_v4 | join(", ") }} }
define svc_v6 = { {{ nftables_svc_v6 | join(", ") }} }
## Adhérents
# Réseaux des adhérents
define member_v4 = { 10.50.0.0/16 }
define member_v6 = { 2a09:6840:50::0/48 }
define members_v4 = { {{ nftables_members_v4 | join(", ") }} }
define members_v6 = { {{ nftables_members_v6 | join(", ") }} }
# Sous-réseau d'inscription des adhérents
define signup_v4 = { 10.50.0.0/16 }
define signup_v6 = { 2a09:6840:50::0/48 }
define signup_v4 = { {{ nftables_signup_v4 | join(", ") }} }
define signup_v6 = { {{ nftables_signup_v6 | join(", ") }} }
# Hôtes déclencheurs d'accès à Internet pour inscription
define signup_trigger_v4 = { 1.1.1.1 }
define signup_trigger_v6 = { 2606:4700:4700::1111 }
define signup_triggers_v4 = { {{ nftables_signup_triggers_v4 | join(", ") }} }
define signup_triggers_v6 = { {{ nftables_signup_triggers_v6 | join(", ") }} }
## NAT
@ -49,7 +49,5 @@ define signup_trigger_v6 = { 2606:4700:4700::1111 }
# Interface sur laquelle appliquer le NAT
define wan_iface = "ens18"
define member_priv_v4 = { 10.50.0.0/16 }
define member_nat_v4 = 92.222.211.198
define members_nat_v4 = 92.222.211.198
define any_nat_v4 = 92.222.211.198

36
roles/nftables_router/templates/nftables.d/50-filter.conf.j2
View file

@ -25,8 +25,8 @@ table inet filter {
counter accept
}
chain input_from_member {
log prefix "in-from-member" group 0
chain input_from_members {
log prefix "in-from-members" group 0
}
chain input_from_signup {
@ -56,8 +56,8 @@ table inet filter {
ip saddr $interco_v4 goto input_from_interco
ip6 saddr $interco_v6 goto input_from_interco
ip saddr $member_v4 goto input_from_member
ip6 saddr $member_v6 goto input_from_member
ip saddr $members_v4 goto input_from_members
ip6 saddr $members_v6 goto input_from_members
ip saddr $signup_v4 goto input_from_signup
ip6 saddr $signup_v6 goto input_from_signup
@ -79,21 +79,21 @@ table inet filter {
ip6 saddr $interco_v6 accept
}
chain forward_to_member_re2o_ports {
chain forward_to_members_re2o_ports {
# TODO
}
chain forward_to_member {
chain forward_to_members {
# Les adhérents peuvent communiquer entre eux
ip saddr $member_v4 accept
ip6 saddr $member_v6 accept
ip saddr $members_v4 accept
ip6 saddr $members_v6 accept
# L'administration n'a pas accès à l'extérieur
ip saddr $adm_v4 drop
ip6 saddr $adm_v6 drop
# Les ouvertures de ports sont générées par re2o
goto forward_to_member_re2o_ports
goto forward_to_members_re2o_ports
}
chain forward_to_signup {
@ -111,8 +111,8 @@ table inet filter {
ip6 saddr != $adm_v6 drop
# Les bastions ont accès à toute l'administration
ip saddr $bastion_v4 accept
ip6 saddr $bastion_v6 accept
ip saddr $bastions_v4 accept
ip6 saddr $bastions_v6 accept
# Tous les serveurs ont accès au collecteur de logs
ip daddr $syslog_adm_v4 tcp dport 20514 accept
@ -127,12 +127,12 @@ table inet filter {
log prefix "fwd-to-inet" group 0
# On évite certains problèmes de spam
ip saddr $member_v4 tcp dport 25 drop
ip6 saddr $member_v6 tcp dport 25 drop
ip saddr $members_v4 tcp dport 25 drop
ip6 saddr $members_v6 tcp dport 25 drop
# Les adhérents ont accès à internet
ip saddr $member_v4 accept
ip6 saddr $member_v6 accept
ip saddr $members_v4 accept
ip6 saddr $members_v6 accept
# Les réseaus d'inscription ont accès à internet
ip saddr $signup_v4 accept
@ -155,7 +155,7 @@ table inet filter {
# http://lists.netfilter.org/pipermail/netfilter-buglog/2017-August/003868.html
#ip daddr vmap {
# $interco_v4 : goto forward_to_interco,
# $member_v4 : goto forward_to_member,
# $members_v4 : goto forward_to_members,
# $svc_v4 : goto forward_to_svc,
# $adm_v4 : goto forward_to_adm,
#}
@ -163,8 +163,8 @@ table inet filter {
ip daddr $interco_v4 goto forward_to_interco
ip6 daddr $interco_v6 goto forward_to_interco
ip daddr $member_v4 goto forward_to_member
ip6 daddr $member_v6 goto forward_to_member
ip daddr $members_v4 goto forward_to_members
ip6 daddr $members_v6 goto forward_to_members
ip daddr $signup_v4 goto forward_to_signup
ip6 daddr $signup_v6 goto forward_to_signup

2
roles/nftables_router/templates/nftables.d/60-nat.conf.j2
View file

@ -10,7 +10,7 @@ table ip nat {
chain snat_to_wan {
log prefix "snat-to-wan" group 0
ip saddr $member_priv_v4 snat $member_nat_v4 persistent
ip saddr $members_v4 snat $members_nat_v4 persistent
snat $any_nat_v4 persistent
}