CESI: Sécurité des entreprises, infrastructure Vagrant avec supervision Prometheus

cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/configure_dns.sh

@@ -14,10 +14,10 @@ systemctl disable systemd-resolved
 cat > /etc/dnsmasq.d/local.conf <<EOF
 
 interface=$DEVELOPER_IFACE
-interface=$ACCOUNTING_IFACE
+#interface=$ACCOUNTING_IFACE
 
 dhcp-range=$DEVELOPER_IFACE,192.168.201.10,192.168.201.100,4h
-dhcp-range=$DEVELOPER_IFACE,192.168.200.10,192.168.200.100,4h
+#dhcp-range=$DEVELOPER_IFACE,192.168.200.10,192.168.200.100,4h
 EOF
 
 

cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/configure_firewall_rules.sh

@@ -23,23 +23,59 @@ ufw allow out 53,67,68/udp\
 
 # Règles de routage
 
+# Attention: l'interface MGMT_IFACE est utilisé comme gateway internet par la machine firewall
+
 ufw route allow in on $DEVELOPER_IFACE out on $MGMT_IFACE to any port 80 from $DEVELOPER_NETWORK\
   comment "DEVELOPER -> 80 INTERNET"
 ufw route allow in on $DEVELOPER_IFACE out on $MGMT_IFACE to any port 443 from $DEVELOPER_NETWORK\
   comment "DEVELOPER -> 443 INTERNET"
 
 # On autorise les connexions HTTP(S) vers l'exterieur depuis le réseau "accounting"
-ufw route allow in on $ACCOUNTING_IFACE out on $MGMT_IFACE to any port 80 from $ACCOUNTING_NETWORK\
-  comment "ACCOUNTING -> 80 INTERNET"
-ufw route allow in on $ACCOUNTING_IFACE out on $MGMT_IFACE to any port 443 from $ACCOUNTING_NETWORK\
-  comment "ACCOUNTING -> 443 INTERNET"
+# ufw route allow in on $ACCOUNTING_IFACE out on $MGMT_IFACE to any port 80 from $ACCOUNTING_NETWORK\
+#   comment "ACCOUNTING -> 80 INTERNET"
+# ufw route allow in on $ACCOUNTING_IFACE out on $MGMT_IFACE to any port 443 from $ACCOUNTING_NETWORK\
+#   comment "ACCOUNTING -> 443 INTERNET"
 
-# On autorise toutes les connexions vers le réseau "services intranet" depuis le réseau "accounting"
+# On autorise toutes les connexions vers le réseau "services extranet" depuis le réseau "accounting"
 # et le réseau "developer"
-ufw route allow in on $ACCOUNTING_IFACE out on $INTRANET_IFACE to any from $ACCOUNTING_NETWORK\
-  comment "ACCOUNTING -> * SERVICES INTRA"
-ufw route allow in on $DEVELOPER_IFACE out on $INTRANET_IFACE to any from $DEVELOPER_NETWORK\
-  comment "DEVELOPER -> * SERVICES INTRA"
+# ufw route allow in on $ACCOUNTING_IFACE out on $EXTRANET_IFACE to any from $ACCOUNTING_NETWORK\
+#   comment "ACCOUNTING -> * SERVICES EXTRANET"
+ufw route allow in on $DEVELOPER_IFACE out on $EXTRANET_IFACE to any from $DEVELOPER_NETWORK\
+  comment "DEVELOPER -> * EXTRANET"
+
+# On autorise les connexions depuis la machine intranet-supervision vers
+# la machine extranet-wordpress sur le port 9117
+ufw route allow in on $INTRANET_IFACE out on $EXTRANET_IFACE to 192.168.202.10 port 9117 from 192.168.203.20\
+  comment "intranet-supervision -> 9117 extranet-wordpress"
+
+# On autorise les connexions HTTP/S depuis l'extranet vers le web
+ufw route allow in on $EXTRANET_IFACE out on $MGMT_IFACE to any port 80 from $EXTRANET_NETWORK\
+  comment "EXTRANET -> 80 INTERNET"
+ufw route allow in on $EXTRANET_IFACE out on $MGMT_IFACE to any port 443 from $EXTRANET_NETWORK\
+  comment "EXTRANET -> 443 INTERNET"
+
+# On autorise les connexions HTTP/S depuis l'intranet vers le web
+ufw route allow in on $INTRANET_IFACE out on $MGMT_IFACE to any port 80 from $INTRANET_NETWORK\
+  comment "INTRANET -> 80 INTERNET"
+ufw route allow in on $INTRANET_IFACE out on $MGMT_IFACE to any port 443 from $INTRANET_NETWORK\
+  comment "INTRANET -> 443 INTERNET"
+
+# On autorise toutes les connexions vers les réseaux "developer" et "accounting" depuis le réseau "services intranet"
+# ufw route allow in on $INTRANET_IFACE out on $ACCOUNTING_IFACE to any from $INTRANET_NETWORK\
+#   comment "INTRANET -> * ACCOUNTING"
+ufw route allow in on $INTRANET_IFACE out on $DEVELOPER_IFACE to any from $INTRANET_NETWORK\
+  comment "INTRANET -> * DEVELOPER"
+
+# On redirige le flux entrant sur les ports 80/443 vers la machine extranet-wordpress
+ufw allow in on $PUBLIC_IFACE from any port http comment "* 80 -> PUBLIC"
+ufw allow in on $PUBLIC_IFACE from any port https comment "* 443 -> PUBLIC"
+
+ufw route allow in on $PUBLIC_IFACE out on $EXTRANET_IFACE to 192.168.202.10 port http\
+  comment "PUBLIC 80 -> 80 extranet-wordpress"
+ufw route allow in on $PUBLIC_IFACE out on $EXTRANET_IFACE to 192.168.202.10 port https\
+  comment "PUBLIC 443 -> 443 extranet-wordpress"
+ufw route allow in on $EXTRANET_IFACE out on $PUBLIC_IFACE
+ufw allow out on $EXTRANET_IFACE to 192.168.202.10 port https
 
 # Application des règles
 ufw --force enable

cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/configure_ip_forwarding.sh

@@ -15,10 +15,17 @@ sed -i 's/^#net\/ipv6\/conf\/all\/forwarding.*$/net\/ipv6\/conf\/all\/forwarding
 TMP_FILE=$(mktemp)
 cat > "$TMP_FILE" <<EOF
 *nat
+
 :POSTROUTING ACCEPT [0:0]
 -A POSTROUTING -s $INTRANET_NETWORK -o $MGMT_IFACE -j MASQUERADE
--A POSTROUTING -s $ACCOUNTING_NETWORK -o $MGMT_IFACE -j MASQUERADE
+#-A POSTROUTING -s $ACCOUNTING_NETWORK -o $MGMT_IFACE -j MASQUERADE
 -A POSTROUTING -s $DEVELOPER_NETWORK -o $MGMT_IFACE -j MASQUERADE
+-A POSTROUTING -s $EXTRANET_NETWORK -o $MGMT_IFACE -j MASQUERADE
+
+:PREROUTING ACCEPT [0:0]
+-A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.202.10:80
+-A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to-destination 192.168.202.10:443
+
 COMMIT
 
 $(cat /etc/ufw/before.rules)

cesi/securite_entreprise/ressources/intranet-demo/provisioning/firewall/firewall.conf

@@ -2,10 +2,12 @@ IFACES=($(ls /sys/class/net))
 
 MGMT_IFACE="${IFACES[0]}"
 PUBLIC_IFACE="eth1"
+DEVELOPER_IFACE="eth2"
+# ACCOUNTING_IFACE="eth2"
+EXTRANET_IFACE="eth3"
 INTRANET_IFACE="eth4"
-DEVELOPER_IFACE="eth3"
-ACCOUNTING_IFACE="eth2"
 
-INTRANET_NETWORK="192.168.202.0/24"
+EXTRANET_NETWORK="192.168.202.0/24"
 DEVELOPER_NETWORK="192.168.201.0/24"
-ACCOUNTING_NETWORK="192.168.200.0/24"
+# ACCOUNTING_NETWORK="192.168.200.0/24"
+INTRANET_NETWORK="192.168.203.0/24"