60-Sphynx_rules.patch

Fabrice Barconnière, 05/29/2017 08:33 AM

modif/60-Sphynx_rules 2017-05-24 13:05:58.132841159 +0200
28 28
# autoriser les connexions au travers d'ipsec
29 29
/sbin/iptables -A root-eth0 -m policy --pol ipsec --proto esp --dir out -j ACCEPT
30
## definition de la chaine eth0-root
31
/sbin/iptables -A eth0-root -p tcp -m state --state NEW -m tcp --dport 4201:4202 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
32
%if %%admin_eth0 == 'oui'
33
#ead-web on eth0
34
 %for %%ip_admin in %%ip_admin_eth0
35
/sbin/iptables -A eth0-root -s %%ip_admin/%%ip_admin.netmask_admin_eth0 -p tcp -m state --state NEW -m tcp --dport 4200 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
36
/sbin/iptables -A eth0-root -s %%ip_admin/%%ip_admin.netmask_admin_eth0 -p tcp -m state --state NEW -m tcp --dport 8088 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
37
 %end for
38
%end if
39
%if %%ssh_eth0 == "oui"
40
#ssh on eth0
41
 %for %%reseau_ssh in %%ip_ssh_eth0
42
#/sbin/iptables -A eth0-root -s %%reseau_ssh/%%reseau_ssh.netmask_ssh_eth0 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
43
/sbin/iptables -A eth0-root -s %%reseau_ssh/%%reseau_ssh.netmask_ssh_eth0 -p tcp -m state --state NEW -m tcp --dport 8090 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
44
 %end for
45
%end if
30
%def ethX_root_ARV(%%num_int)
31
 %set %%chain_name = "eth" + %%num_int + "-root"
32
 %if %%getVar('admin_eth' + %%num_int) == 'oui'
33
#ARV on eth%%num_int
34
  %for %%ip_admin in %%getVar('ip_admin_eth' + %%num_int)
35
   %set %%netmask_key = "netmask_admin_eth"+%%num_int
36
/sbin/iptables -A %%chain_name -s %%ip_admin/%%getattr(%%ip_admin, %%netmask_key) -p tcp -m state --state NEW -m tcp --dport %%arv_port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
37
  %end for
38
 %end if
39
%end def
40
## definition de la chaine eth0-root
41
%%ethX_root_ARV('0')
46 42
/sbin/iptables -A eth0-root -p udp -m udp --dport 500 -j ACCEPT
47 43
/sbin/iptables -A eth0-root -p udp -m udp --dport 4500 -j ACCEPT
48 44
/sbin/iptables -A eth0-root -p esp -j ACCEPT
......
62 58
## definition de la chaine eth1-root
63 59
/sbin/iptables -A INPUT -d %%adresse_ip_eth1 -i eth1 -j eth1-root
64 60
/sbin/iptables -A eth1-root -m policy --dir in --pol ipsec --proto esp -j ACCEPT
65
/sbin/iptables -A eth1-root -p tcp -m state --state NEW -m tcp --dport 4201:4202 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
66
 %if %%admin_eth1 == 'oui'
67
#ead-web on eth1
68
  %for %%ip_admin in %%ip_admin_eth1
69
/sbin/iptables -A eth1-root -s %%ip_admin/%%ip_admin.netmask_admin_eth1 -p tcp -m state --state NEW -m tcp --dport 4200 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
70
/sbin/iptables -A eth1-root -s %%ip_admin/%%ip_admin.netmask_admin_eth1 -p tcp -m state --state NEW -m tcp --dport 8088 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
71
  %end for
72
 %end if
73
 %if %%ssh_eth1 == "oui"
74
 #ssh on eth1
75
  %for %%reseau_ssh in %%ip_ssh_eth1
76
/sbin/iptables -A eth1-root -s %%reseau_ssh/%%reseau_ssh.netmask_ssh_eth1 -p tcp -m state --state NEW -m tcp --dport 8090 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
77
  %end for
78
 %end if
61
%%ethX_root_ARV('1')
79 62
%end if
80 63
%if %%nombre_interfaces >= '3'
81 64
## definition de la chaine eth2-root
82
/sbin/iptables -A eth2-root -p tcp -m state --state NEW -m tcp --dport 4201:4202 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
83
#ead-web on eth2
84
%if %%admin_eth2 == 'oui'
85
  %for %%ip_admin in %%ip_admin_eth2
86
/sbin/iptables -A eth2-root -s %%ip_admin/%%ip_admin.netmask_admin_eth2 -p tcp -m state --state NEW -m tcp --dport 4200 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
87
/sbin/iptables -A eth1-root -s %%ip_admin/%%ip_admin.netmask_admin_eth2 -p tcp -m state --state NEW -m tcp --dport 8088 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
88
  %end for
89
 %end if
90
 %if %%ssh_eth2 == "oui"
91
 #ssh on eth2
92
  %for %%reseau_ssh in %%ip_ssh_eth2
93
/sbin/iptables -A eth2-root -s %%reseau_ssh/%%reseau_ssh.netmask_ssh_eth2 -p tcp -m state --state NEW -m tcp --dport 8090 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
94
  %end for
95
 %end if
65
%%ethX_root_ARV('2')
96 66
 %if %%getVar('activer_haute_dispo', 'non') != "non"
97 67
/sbin/iptables -A %%corosync_dial_if-root -m pkttype --pkt-type multicast -j ACCEPT
98 68
/sbin/iptables -A %%corosync_dial_if-root -p udp -m udp --dport %%corosync_mcastport -j ACCEPT