aurore/ansible
aurore/ansible
11
2
Fork 0
Code Issues 1 Pull requests 13 Releases Wiki Activity

Use group vars and rename some nftables vars
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse source
This commit is contained in:
jeltz 2021-03-10 08:29:15 +01:00
parent 93c229203a
commit f24a3e1d29
3 changed files with 34 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
roles/nftables_router/templates/nftables.d/10-vars.conf.j2
View file

@ -3,45 +3,45 @@
## Interconnexion ## Interconnexion
# Réseaux d'interconnexion # Réseaux d'interconnexion
define interco_v4 = { 192.168.0.0/31, 192.168.0.2/31, 10.129.0.0/16 } define interco_v4 = { {{ nftables_interco_v4 | join(", ") }} }
define interco_v6 = { 2a09:6840:129::0/48 } define interco_v6 = { {{ nftables_interco_v6 | join(", ") }} }
## Administration ## Administration
# Réseaux d'administration # Réseaux d'administration
define adm_v4 = { 10.128.0.0/16, 10.133.0.0/16 } define adm_v4 = { {{ nftables_adm_v4 | join(", ") }} }
define adm_v6 = { 2a09:6840:128::0/48, 2a09:6840:133::0/48 } define adm_v6 = { {{ nftables_adm_v6 | join(", ") }} }
# Serveurs de centralisation des journaux # Serveurs de centralisation des journaux
define syslog_adm_v4 = { 10.128.0.51 } define syslog_adm_v4 = { 10.128.0.51 }
define syslog_adm_v6 = { 2a09:6840:128::251 } define syslog_adm_v6 = { 2a09:6840:128::251 }
# Adresses des bastions autorisés # Adresses des bastions autorisés
define bastion_v4 = { 10.128.0.224, 10.133.0.250 } define bastions_v4 = { {{ nftables_bastions_v4 | join(", ") }} }
define bastion_v6 = { 2a09:6840:133::250 } define bastions_v6 = { {{ nftables_bastions_v6 | join(", ") }} }
## Services ## Services
# Réseaux de services privés # Réseaux de services privés
define svc_v4 = { 10.132.0.0/16 } define svc_v4 = { {{ nftables_svc_v4 | join(", ") }} }
define svc_v6 = { 2a09:6840:132::0/48 } define svc_v6 = { {{ nftables_svc_v6 | join(", ") }} }
## Adhérents ## Adhérents
# Réseaux des adhérents # Réseaux des adhérents
define member_v4 = { 10.50.0.0/16 } define members_v4 = { {{ nftables_members_v4 | join(", ") }} }
define member_v6 = { 2a09:6840:50::0/48 } define members_v6 = { {{ nftables_members_v6 | join(", ") }} }
# Sous-réseau d'inscription des adhérents # Sous-réseau d'inscription des adhérents
define signup_v4 = { 10.50.0.0/16 } define signup_v4 = { {{ nftables_signup_v4 | join(", ") }} }
define signup_v6 = { 2a09:6840:50::0/48 } define signup_v6 = { {{ nftables_signup_v6 | join(", ") }} }
# Hôtes déclencheurs d'accès à Internet pour inscription # Hôtes déclencheurs d'accès à Internet pour inscription
define signup_trigger_v4 = { 1.1.1.1 } define signup_triggers_v4 = { {{ nftables_signup_triggers_v4 | join(", ") }} }
define signup_trigger_v6 = { 2606:4700:4700::1111 } define signup_triggers_v6 = { {{ nftables_signup_triggers_v6 | join(", ") }} }
## NAT ## NAT
@ -49,7 +49,5 @@ define signup_trigger_v6 = { 2606:4700:4700::1111 }
# Interface sur laquelle appliquer le NAT # Interface sur laquelle appliquer le NAT
define wan_iface = "ens18" define wan_iface = "ens18"
define member_priv_v4 = { 10.50.0.0/16 } define members_nat_v4 = 92.222.211.198
define member_nat_v4 = 92.222.211.198
define any_nat_v4 = 92.222.211.198 define any_nat_v4 = 92.222.211.198

36
roles/nftables_router/templates/nftables.d/50-filter.conf.j2
View file

@ -25,8 +25,8 @@ table inet filter {
counter accept counter accept
} }
chain input_from_member { chain input_from_members {
log prefix "in-from-member" group 0 log prefix "in-from-members" group 0
} }
chain input_from_signup { chain input_from_signup {
@ -56,8 +56,8 @@ table inet filter {
ip saddr $interco_v4 goto input_from_interco ip saddr $interco_v4 goto input_from_interco
ip6 saddr $interco_v6 goto input_from_interco ip6 saddr $interco_v6 goto input_from_interco
ip saddr $member_v4 goto input_from_member ip saddr $members_v4 goto input_from_members
ip6 saddr $member_v6 goto input_from_member ip6 saddr $members_v6 goto input_from_members
ip saddr $signup_v4 goto input_from_signup ip saddr $signup_v4 goto input_from_signup
ip6 saddr $signup_v6 goto input_from_signup ip6 saddr $signup_v6 goto input_from_signup
@ -79,21 +79,21 @@ table inet filter {
ip6 saddr $interco_v6 accept ip6 saddr $interco_v6 accept
} }
chain forward_to_member_re2o_ports { chain forward_to_members_re2o_ports {
# TODO # TODO
} }
chain forward_to_member { chain forward_to_members {
# Les adhérents peuvent communiquer entre eux # Les adhérents peuvent communiquer entre eux
ip saddr $member_v4 accept ip saddr $members_v4 accept
ip6 saddr $member_v6 accept ip6 saddr $members_v6 accept
# L'administration n'a pas accès à l'extérieur # L'administration n'a pas accès à l'extérieur
ip saddr $adm_v4 drop ip saddr $adm_v4 drop
ip6 saddr $adm_v6 drop ip6 saddr $adm_v6 drop
# Les ouvertures de ports sont générées par re2o # Les ouvertures de ports sont générées par re2o
goto forward_to_member_re2o_ports goto forward_to_members_re2o_ports
} }
chain forward_to_signup { chain forward_to_signup {
@ -111,8 +111,8 @@ table inet filter {
ip6 saddr != $adm_v6 drop ip6 saddr != $adm_v6 drop
# Les bastions ont accès à toute l'administration # Les bastions ont accès à toute l'administration
ip saddr $bastion_v4 accept ip saddr $bastions_v4 accept
ip6 saddr $bastion_v6 accept ip6 saddr $bastions_v6 accept
# Tous les serveurs ont accès au collecteur de logs # Tous les serveurs ont accès au collecteur de logs
ip daddr $syslog_adm_v4 tcp dport 20514 accept ip daddr $syslog_adm_v4 tcp dport 20514 accept
@ -127,12 +127,12 @@ table inet filter {
log prefix "fwd-to-inet" group 0 log prefix "fwd-to-inet" group 0
# On évite certains problèmes de spam # On évite certains problèmes de spam
ip saddr $member_v4 tcp dport 25 drop ip saddr $members_v4 tcp dport 25 drop
ip6 saddr $member_v6 tcp dport 25 drop ip6 saddr $members_v6 tcp dport 25 drop
# Les adhérents ont accès à internet # Les adhérents ont accès à internet
ip saddr $member_v4 accept ip saddr $members_v4 accept
ip6 saddr $member_v6 accept ip6 saddr $members_v6 accept
# Les réseaus d'inscription ont accès à internet # Les réseaus d'inscription ont accès à internet
ip saddr $signup_v4 accept ip saddr $signup_v4 accept
@ -155,7 +155,7 @@ table inet filter {
# http://lists.netfilter.org/pipermail/netfilter-buglog/2017-August/003868.html # http://lists.netfilter.org/pipermail/netfilter-buglog/2017-August/003868.html
#ip daddr vmap { #ip daddr vmap {
# $interco_v4 : goto forward_to_interco, # $interco_v4 : goto forward_to_interco,
# $member_v4 : goto forward_to_member, # $members_v4 : goto forward_to_members,
# $svc_v4 : goto forward_to_svc, # $svc_v4 : goto forward_to_svc,
# $adm_v4 : goto forward_to_adm, # $adm_v4 : goto forward_to_adm,
#} #}
@ -163,8 +163,8 @@ table inet filter {
ip daddr $interco_v4 goto forward_to_interco ip daddr $interco_v4 goto forward_to_interco
ip6 daddr $interco_v6 goto forward_to_interco ip6 daddr $interco_v6 goto forward_to_interco
ip daddr $member_v4 goto forward_to_member ip daddr $members_v4 goto forward_to_members
ip6 daddr $member_v6 goto forward_to_member ip6 daddr $members_v6 goto forward_to_members
ip daddr $signup_v4 goto forward_to_signup ip daddr $signup_v4 goto forward_to_signup
ip6 daddr $signup_v6 goto forward_to_signup ip6 daddr $signup_v6 goto forward_to_signup

2
roles/nftables_router/templates/nftables.d/60-nat.conf.j2
View file

@ -10,7 +10,7 @@ table ip nat {
chain snat_to_wan { chain snat_to_wan {
log prefix "snat-to-wan" group 0 log prefix "snat-to-wan" group 0
ip saddr $member_priv_v4 snat $member_nat_v4 persistent ip saddr $members_v4 snat $members_nat_v4 persistent
snat $any_nat_v4 persistent snat $any_nat_v4 persistent
} }