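#!/usr/bin/env bash
#
# Provision the ufw firewall / router rule set for the Vagrant gateway box.
#
# Policy: deny everything by default (incoming, outgoing and routed), then
# open only what the comments below name: SSH and DNS/DHCP for the host
# itself, HTTP(S) towards the upstream link and unrestricted access to the
# intranet services network for the "developer" and "accounting" LANs.
#
# Required variables (defined in /vagrant/provisioning/firewall/firewall.conf):
#   DEVELOPER_IFACE,  DEVELOPER_NETWORK   interface + CIDR of the developer LAN
#   ACCOUNTING_IFACE, ACCOUNTING_NETWORK  interface + CIDR of the accounting LAN
#   INTRANET_IFACE                        interface of the intranet services LAN
#   MGMT_IFACE                            upstream (Internet-facing) interface
#
# -e: stop at the first failing ufw command instead of enabling a half-built
#     rule set; -u: abort on an unset variable so a missing entry in
#     firewall.conf cannot silently yield a rule with an empty interface or
#     network (which ufw may still accept, with a far wider match than
#     intended); -x: command trace for the provisioning log (no secrets are
#     handled here, only interface names and CIDRs).
set -xeuo pipefail

readonly FIREWALL_CONF=/vagrant/provisioning/firewall/firewall.conf
# shellcheck source=/dev/null
source "$FIREWALL_CONF"

# Fail early with a clear message if the config did not define everything the
# rules below rely on (set -u would also catch it, but only mid-rule-set).
: "${DEVELOPER_IFACE:?must be set in $FIREWALL_CONF}"
: "${DEVELOPER_NETWORK:?must be set in $FIREWALL_CONF}"
: "${ACCOUNTING_IFACE:?must be set in $FIREWALL_CONF}"
: "${ACCOUNTING_NETWORK:?must be set in $FIREWALL_CONF}"
: "${INTRANET_IFACE:?must be set in $FIREWALL_CONF}"
: "${MGMT_IFACE:?must be set in $FIREWALL_CONF}"

#######################################
# Allow a LAN to reach HTTP and HTTPS on the upstream interface.
# No "proto" is given (as in the original rules), so each port rule matches
# both TCP and UDP on that port.
# Globals:   MGMT_IFACE (read)
# Arguments: $1 - LAN interface, $2 - LAN network (CIDR),
#            $3 - label used in the ufw rule comments
#######################################
route_web_to_internet() {
  local lan_iface=$1 lan_net=$2 label=$3
  local port
  for port in 80 443; do
    ufw route allow in on "$lan_iface" out on "$MGMT_IFACE" \
      to any port "$port" from "$lan_net" \
      comment "$label -> $port INTERNET"
  done
}

# Start from a disabled firewall so a partially applied rule set is never live.
# (Rules from a previous run are kept; ufw skips duplicates when re-adding.)
ufw disable

# Firewall / routing rules
ufw logging on

# Default policies: anything not explicitly allowed below is dropped.
# "deny routed" is already stock ufw's forward policy; stated explicitly so
# the box only forwards what the route rules below permit.
ufw default deny outgoing
ufw default deny incoming
ufw default deny routed

# Host-bound rules.
# NOTE(review): none of these is scoped to an interface, so SSH and DNS/DHCP
# are also accepted on MGMT_IFACE (the upstream side). Add "in on <iface>" if
# those services are meant for the internal LANs only.
# With "default deny outgoing" the host itself can only originate DNS/DHCP;
# it has no HTTP(S) egress of its own (only the LANs do, via routing).
ufw allow ssh \
  comment "ALLOW SSH (IN)"
ufw allow in 53,67,68/udp \
  comment "ALLOW DNS + DHCP (IN)"
ufw allow out 53,67,68/udp \
  comment "ALLOW DNS + DHCP (OUT)"

# Routed rules (this box forwards between the LANs and the upstream link).
# Forwarding also needs net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf; that is
# not done here and is presumably handled elsewhere in the provisioning.
route_web_to_internet "$DEVELOPER_IFACE" "$DEVELOPER_NETWORK" "DEVELOPER"

# Allow outbound HTTP(S) from the "accounting" network.
route_web_to_internet "$ACCOUNTING_IFACE" "$ACCOUNTING_NETWORK" "ACCOUNTING"

# Allow every connection towards the "intranet services" network from the
# "accounting" and "developer" networks (any port, any protocol).
ufw route allow in on "$ACCOUNTING_IFACE" out on "$INTRANET_IFACE" \
  to any from "$ACCOUNTING_NETWORK" \
  comment "ACCOUNTING -> * SERVICES INTRA"
ufw route allow in on "$DEVELOPER_IFACE" out on "$INTRANET_IFACE" \
  to any from "$DEVELOPER_NETWORK" \
  comment "DEVELOPER -> * SERVICES INTRA"

# Apply the rules. --force answers ufw's "may disrupt existing ssh
# connections" prompt, which would otherwise block a non-interactive
# provisioner; the SSH rule above is already in place by this point.
ufw --force enable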