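#!/usr/bin/env bash
# Provision the ufw rule set of the firewall VM.
#
# Input: /vagrant/provisioning/firewall/firewall.conf must define the
# interface names MGMT_IFACE, PUBLIC_IFACE, DEVELOPER_IFACE, EXTRANET_IFACE,
# INTRANET_IFACE and the CIDRs DEVELOPER_NETWORK, EXTRANET_NETWORK,
# INTRANET_NETWORK (ACCOUNTING_* only matter for the rules kept commented
# out below). WORDPRESS_HOST and SUPERVISION_HOST may be overridden there.
#
# Policy: the host itself accepts only SSH and DNS/DHCP; nothing is
# forwarded unless a (in-interface, out-interface, port) rule below opens it.
# Caution: MGMT_IFACE doubles as the firewall VM's own internet gateway.
set -xe

# shellcheck disable=SC1091 — provided by the Vagrant share at provisioning time
source /vagrant/provisioning/firewall/firewall.conf

# Abort with a clear message instead of letting ufw parse an empty interface
# name (e.g. "in on  out on eth0") into a rule that was never intended.
for var in MGMT_IFACE PUBLIC_IFACE DEVELOPER_IFACE EXTRANET_IFACE INTRANET_IFACE \
           DEVELOPER_NETWORK EXTRANET_NETWORK INTRANET_NETWORK; do
  : "${!var:?must be set in firewall.conf}"
done

# Hosts addressed by individual rules (defaults match the original script).
WORDPRESS_HOST="${WORDPRESS_HOST:-192.168.202.10}"     # extranet-wordpress
SUPERVISION_HOST="${SUPERVISION_HOST:-192.168.203.20}" # intranet-supervision

#######################################
# Forward HTTP and HTTPS from a network to the internet via MGMT_IFACE.
# Globals:   MGMT_IFACE (read)
# Arguments: $1 - ingress interface, $2 - source CIDR, $3 - label used in
#            the rule comment ("LABEL -> <port> INTERNET")
#######################################
allow_web_egress() {
  local iface=$1 network=$2 label=$3 port
  for port in 80 443; do
    ufw route allow in on "$iface" out on "$MGMT_IFACE" \
      to any port "$port" from "$network" \
      comment "$label -> $port INTERNET"
  done
}

# Rules are added on top of whatever ufw already holds, so keep the firewall
# down while the set is being rebuilt. NOTE(review): rules dropped from this
# script remain installed until deleted by hand or by "ufw --force reset"
# (which also restores stock before/after.rules — check the DNAT setup first).
ufw disable
ufw logging on

# Default policies: nothing in, nothing out, nothing forwarded.
ufw default deny incoming
ufw default deny outgoing
ufw default deny routed

# Services offered by the firewall host itself.
# NOTE(review): "allow ssh" matches every interface, PUBLIC_IFACE included;
# narrow it to "in on $MGMT_IFACE" once it is confirmed that Vagrant reaches
# the VM over that interface.
ufw allow ssh comment "ALLOW SSH (IN)"
ufw allow in 53,67,68/udp comment "ALLOW DNS + DHCP (IN)"
ufw allow out 53,67,68/udp comment "ALLOW DNS + DHCP (OUT)"

# --- Forwarding rules ------------------------------------------------------

# "developer" network: web access to the internet, everything to the extranet.
allow_web_egress "$DEVELOPER_IFACE" "$DEVELOPER_NETWORK" DEVELOPER
ufw route allow in on "$DEVELOPER_IFACE" out on "$EXTRANET_IFACE" \
  to any from "$DEVELOPER_NETWORK" \
  comment "DEVELOPER -> * EXTRANET"

# "accounting" network: web access and full extranet access are intentionally
# left disabled (kept for reference).
# allow_web_egress "$ACCOUNTING_IFACE" "$ACCOUNTING_NETWORK" ACCOUNTING
# ufw route allow in on "$ACCOUNTING_IFACE" out on "$EXTRANET_IFACE" \
#   to any from "$ACCOUNTING_NETWORK" \
#   comment "ACCOUNTING -> * SERVICES EXTRANET"

# intranet-supervision may reach extranet-wordpress on port 9117 only.
ufw route allow in on "$INTRANET_IFACE" out on "$EXTRANET_IFACE" \
  to "$WORDPRESS_HOST" port 9117 from "$SUPERVISION_HOST" \
  comment "intranet-supervision -> 9117 extranet-wordpress"

# "extranet" and "intranet" networks: web access to the internet.
allow_web_egress "$EXTRANET_IFACE" "$EXTRANET_NETWORK" EXTRANET
allow_web_egress "$INTRANET_IFACE" "$INTRANET_NETWORK" INTRANET

# "intranet" network: everything to "developer"; the "accounting" variant is
# intentionally disabled.
# ufw route allow in on "$INTRANET_IFACE" out on "$ACCOUNTING_IFACE" \
#   to any from "$INTRANET_NETWORK" \
#   comment "INTRANET -> * ACCOUNTING"
ufw route allow in on "$INTRANET_IFACE" out on "$DEVELOPER_IFACE" \
  to any from "$INTRANET_NETWORK" \
  comment "INTRANET -> * DEVELOPER"

# --- Published web site ----------------------------------------------------

# Inbound 80/443 on the public interface is redirected to extranet-wordpress
# (the NAT itself is not configured by this script). The match must be on
# the *destination* port: "from any port http" matches the source port, which
# any remote client can set freely and would then reach every local port.
ufw allow in on "$PUBLIC_IFACE" to any port http comment "* 80 -> PUBLIC"
ufw allow in on "$PUBLIC_IFACE" to any port https comment "* 443 -> PUBLIC"
ufw route allow in on "$PUBLIC_IFACE" out on "$EXTRANET_IFACE" \
  to "$WORDPRESS_HOST" port http \
  comment "PUBLIC 80 -> 80 extranet-wordpress"
ufw route allow in on "$PUBLIC_IFACE" out on "$EXTRANET_IFACE" \
  to "$WORDPRESS_HOST" port https \
  comment "PUBLIC 443 -> 443 extranet-wordpress"

# NOTE(review): this forwards *any* extranet traffic, on any port, out of the
# public interface — far wider than the 80/443-only egress granted above via
# MGMT_IFACE, and the widest path a compromised extranet-wordpress could use.
# Replies to the redirected connections are already accepted by the stock
# RELATED,ESTABLISHED rule in before.rules; if nothing on the extranet has to
# initiate connections towards the public side, drop this rule.
ufw route allow in on "$EXTRANET_IFACE" out on "$PUBLIC_IFACE" \
  comment "EXTRANET -> * PUBLIC"

# The firewall host itself may talk HTTPS to extranet-wordpress.
ufw allow out on "$EXTRANET_IFACE" to "$WORDPRESS_HOST" port https \
  comment "firewall -> 443 extranet-wordpress"

# Apply the rule set (--force skips the interactive confirmation).
ufw --force enable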