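#!/usr/bin/env bash
#
# Provision the ufw rule set of the "firewall" machine.
#
# Usage:   run as root by the Vagrant provisioner.
# Reads:   /vagrant/provisioning/firewall/firewall.conf, which must define
#          PUBLIC_IFACE, MGMT_IFACE, DEVELOPER_IFACE, EXTRANET_IFACE,
#          INTRANET_IFACE, DEVELOPER_NETWORK, EXTRANET_NETWORK and
#          INTRANET_NETWORK (plus ACCOUNTING_IFACE / ACCOUNTING_NETWORK if the
#          commented-out accounting rules are re-enabled).
# Effects: rewrites the active ufw policy and re-enables ufw.
#
# -x: every ufw command (and every assignment in firewall.conf) is traced to
#     the provisioning log.
# -u: an interface or network missing from firewall.conf aborts here instead
#     of silently producing a rule with an empty "on"/"from" argument.
set -xeuo pipefail

readonly FIREWALL_CONF=/vagrant/provisioning/firewall/firewall.conf
[[ -r "$FIREWALL_CONF" ]] || { printf 'cannot read %s\n' "$FIREWALL_CONF" >&2; exit 1; }
# shellcheck source=/dev/null
source "$FIREWALL_CONF"

# Hosts addressed by literal address below. The values are the ones the rules
# used originally; move them into firewall.conf if it gains such entries.
readonly EXTRANET_WORDPRESS=192.168.202.10
readonly INTRANET_SUPERVISION=192.168.203.20
readonly SUPERVISION_PORT=9117

# Stop enforcing the current policy while the rule set is rebuilt.
# NOTE(review): `ufw disable` keeps rules that were added earlier, so re-running
# this script after a rule was changed leaves the old rule in place until it is
# deleted by hand; `ufw --force reset` before this line would make the run
# idempotent, at the cost of also dropping rules added outside this script.
ufw disable

# Firewall / routing rules
ufw logging on

# Default policy: deny everything in both directions, then allow-list below.
ufw default deny outgoing
ufw default deny incoming

# Traffic to/from the firewall host itself.
ufw allow ssh comment "ALLOW SSH (IN)"
ufw allow in 53,67,68/udp comment "ALLOW DNS + DHCP (IN)"
ufw allow out 53,67,68/udp comment "ALLOW DNS + DHCP (OUT)"

# Routing (FORWARD) rules
# Caution: MGMT_IFACE is also the firewall machine's own internet gateway.
ufw route allow in on "$DEVELOPER_IFACE" out on "$MGMT_IFACE" \
  to any port 80 from "$DEVELOPER_NETWORK" \
  comment "DEVELOPER -> 80 INTERNET"
ufw route allow in on "$DEVELOPER_IFACE" out on "$MGMT_IFACE" \
  to any port 443 from "$DEVELOPER_NETWORK" \
  comment "DEVELOPER -> 443 INTERNET"

# Allow outbound HTTP(S) from the "accounting" network (currently disabled).
# ufw route allow in on "$ACCOUNTING_IFACE" out on "$MGMT_IFACE" \
#   to any port 80 from "$ACCOUNTING_NETWORK" \
#   comment "ACCOUNTING -> 80 INTERNET"
# ufw route allow in on "$ACCOUNTING_IFACE" out on "$MGMT_IFACE" \
#   to any port 443 from "$ACCOUNTING_NETWORK" \
#   comment "ACCOUNTING -> 443 INTERNET"

# Allow every connection towards the "extranet services" network from the
# "accounting" (currently disabled) and "developer" networks.
# ufw route allow in on "$ACCOUNTING_IFACE" out on "$EXTRANET_IFACE" \
#   to any from "$ACCOUNTING_NETWORK" \
#   comment "ACCOUNTING -> * SERVICES EXTRANET"
ufw route allow in on "$DEVELOPER_IFACE" out on "$EXTRANET_IFACE" \
  to any from "$DEVELOPER_NETWORK" \
  comment "DEVELOPER -> * EXTRANET"

ufw route allow in on "$DEVELOPER_IFACE" out on "$INTRANET_IFACE" \
  to any from "$DEVELOPER_NETWORK" \
  comment "DEVELOPER -> * INTRANET"

# Allow the intranet-supervision host to reach extranet-wordpress on 9117.
ufw route allow in on "$INTRANET_IFACE" out on "$EXTRANET_IFACE" \
  to "$EXTRANET_WORDPRESS" port "$SUPERVISION_PORT" from "$INTRANET_SUPERVISION" \
  comment "intranet-supervision -> 9117 extranet-wordpress"

# Allow outbound HTTP(S) from the extranet to the web.
ufw route allow in on "$EXTRANET_IFACE" out on "$MGMT_IFACE" \
  to any port 80 from "$EXTRANET_NETWORK" \
  comment "EXTRANET -> 80 INTERNET"
ufw route allow in on "$EXTRANET_IFACE" out on "$MGMT_IFACE" \
  to any port 443 from "$EXTRANET_NETWORK" \
  comment "EXTRANET -> 443 INTERNET"

# Allow outbound HTTP(S) from the intranet to the web.
ufw route allow in on "$INTRANET_IFACE" out on "$MGMT_IFACE" \
  to any port 80 from "$INTRANET_NETWORK" \
  comment "INTRANET -> 80 INTERNET"
ufw route allow in on "$INTRANET_IFACE" out on "$MGMT_IFACE" \
  to any port 443 from "$INTRANET_NETWORK" \
  comment "INTRANET -> 443 INTERNET"

# Allow every connection towards the "developer" and "accounting" (currently
# disabled) networks from the "intranet services" network.
# ufw route allow in on "$INTRANET_IFACE" out on "$ACCOUNTING_IFACE" \
#   to any from "$INTRANET_NETWORK" \
#   comment "INTRANET -> * ACCOUNTING"
ufw route allow in on "$INTRANET_IFACE" out on "$DEVELOPER_IFACE" \
  to any from "$INTRANET_NETWORK" \
  comment "INTRANET -> * DEVELOPER"

# Inbound 80/443 on the public interface, forwarded to extranet-wordpress.
#
# These two INPUT rules accept connections to the firewall host itself. They
# previously read `from any port http`, which matches the *source* port: any
# remote client choosing source port 80/443 could then reach every local
# service, while the destination port was left unrestricted. The rule comment
# ("* 80 -> PUBLIC") and the forward rules below show that the destination
# port was intended, so the rules now match on `to any port`.
# NOTE(review): if nothing on the firewall host listens on 80/443 (forwarding
# to extranet-wordpress is handled by the route rules below plus the NAT
# configuration outside this script), these two rules can be dropped.
ufw allow in on "$PUBLIC_IFACE" to any port http comment "* 80 -> PUBLIC"
ufw allow in on "$PUBLIC_IFACE" to any port https comment "* 443 -> PUBLIC"

ufw route allow in on "$PUBLIC_IFACE" out on "$EXTRANET_IFACE" \
  to "$EXTRANET_WORDPRESS" port http \
  comment "PUBLIC 80 -> 80 extranet-wordpress"
ufw route allow in on "$PUBLIC_IFACE" out on "$EXTRANET_IFACE" \
  to "$EXTRANET_WORDPRESS" port https \
  comment "PUBLIC 443 -> 443 extranet-wordpress"

# Unfiltered forward from the extranet segment to the public interface (no
# address or port restriction).
# NOTE(review): this lets any extranet host open new connections towards the
# public side; confirm that this is wanted rather than only reply traffic for
# the two rules above, which should already be covered by ufw's connection
# tracking.
ufw route allow in on "$EXTRANET_IFACE" out on "$PUBLIC_IFACE" \
  comment "EXTRANET -> * PUBLIC"

# The firewall host itself may talk HTTPS to extranet-wordpress (needed
# because the default outgoing policy is deny).
ufw allow out on "$EXTRANET_IFACE" to "$EXTRANET_WORDPRESS" port https \
  comment "firewall -> 443 extranet-wordpress"

# Apply the rules.
ufw --force enable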