
Task #35613

Scenario #35593: Amon 2.8 - VLAN and RVP/Agriates forward DNS

Study

Added by Benjamin Bohard 7 months ago. Updated 18 days ago.

Status:
To be validated
Priority:
Normal
Assignee:
Start:
01/10/2022
Due date:
% Done:

0%

Remaining (hours):

History

#1 Updated by Benjamin Bohard 7 months ago

  • Status changed from New to In progress

#2 Updated by Benjamin Bohard 7 months ago

The forward to the Agriates DNS relies on the "view" feature of the bind9 configuration.
That is, the forward is only used for queries that meet certain criteria.
In the generated configuration, the criterion is that the machine issuing the query belongs to one of the declared subnets.

As a first step, is it possible to check that the machine issuing the query does present itself with an address from one of the declared subnets?

The "view" in which to look for this is in the file /etc/bind/named.conf and is called "Zones AGRIATES-FORWARD".

Here is an example taken from an Amon used in qualification:

view "Zones AGRIATES-FORWARD" {
    match-clients {
        127.0.0.1;
        10.1.1.0/24;
        10.1.15.0/24;
        10.1.16.0/24;
        10.1.17.0/24;
        192.168.11.0/24;
        192.168.12.0/24;
        10.1.26.0/24;
        10.1.36.0/24;
    };
    include "/etc/bind/agriates.zones";
    include "/etc/bind/forward.zones";
    include "/etc/bind/local.zones";
    include "/etc/bind/safesearch.config";
};

#3 Updated by Richard Hong 7 months ago

Hello,

Benjamin Bohard wrote:

As a first step, is it possible to check that the machine issuing the query does present itself with an address from one of the declared subnets?

My workstation does present itself with an IP belonging to one of the networks:

richard@celeste:~$ ifconfig 
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.222.15.8  netmask 255.255.255.240  broadcast 10.222.15.15
        inet6 fe80::7b6f:8195:f34e:fea3  prefixlen 64  scopeid 0x20<link>
        ether 98:fa:9b:bd:20:bb  txqueuelen 1000  (Ethernet)
        RX packets 52  bytes 8563 (8.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 91  bytes 11861 (11.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xa2700000-a2720000  

richard@celeste:~$ nslookup agriates.in.ac-paris.fr
Server:        127.0.0.53
Address:    127.0.0.53#53

** server can't find agriates.in.ac-paris.fr: SERVFAIL

The "view" in which to look for this is in the file /etc/bind/named.conf and is called "Zones AGRIATES-FORWARD".

And here is the content of the view we are interested in, in named.conf:

view "Reseau Agriates" {
    match-clients {
        127.0.0.1;
        192.168.232.0/24;
        10.222.15.0/28;
        172.26.8.0/28;
        10.222.6.208/29;
        10.175.1.0/24;
    };
    include "/etc/bind/agriates.zones";
    include "/etc/bind/local.zones";
    include "/etc/bind/safesearch.config";
};
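To answer the question raised in #2 mechanically (does the client address fall inside a view's match-clients list?), here is an added example, not code from this ticket or from the EOLE project: it parses the match-clients ACL of every view in a named.conf-style text and applies bind's first-match rule, including `!` negation, `any`/`none` and a trailing catch-all view, on a constructed excerpt modelled on the configuration quoted above.

```python
"""Which bind9 view does a client address land in?

Added example for this ticket, not EOLE/Amon code. Views are tried in file
order and, inside a match-clients list, the first element that matches the
address decides: a plain element accepts, a '!'-prefixed element rejects.
Named ACLs (localhost, localnets, user-defined acl names) are not modelled
here and are skipped. SAMPLE_NAMED_CONF is a constructed excerpt.
"""
import ipaddress
import re

SAMPLE_NAMED_CONF = """
view "Reseau Agriates" {
    match-clients {
        127.0.0.1;
        192.168.232.0/24;
        10.222.15.0/28;
        172.26.8.0/28;
        10.222.6.208/29;
        10.175.1.0/24;
    };
    include "/etc/bind/agriates.zones";
};
view "default" {
    match-clients { any; };
};
"""

# A view block: name, then everything up to the '};' that closes the view
# (the inner match-clients '};' is indented, so it does not terminate the view).
VIEW_RE = re.compile(r'view\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
ACL_RE = re.compile(r'match-clients\s*\{(.*?)\};', re.S)


def parse_views(text):
    """Return [(view_name, [(negated, element), ...]), ...] in file order."""
    views = []
    for name, body in VIEW_RE.findall(text):
        elements = []
        acl = ACL_RE.search(body)
        if acl:
            for raw in acl.group(1).split(';'):
                raw = raw.strip()
                if not raw:
                    continue
                negated = raw.startswith('!')
                elements.append((negated, raw.lstrip('!').strip()))
        views.append((name, elements))
    return views


def acl_matches(elements, client):
    """First-match evaluation of a bind address_match_list for one client."""
    addr = ipaddress.ip_address(client)
    for negated, element in elements:
        if element == 'any':
            hit = True
        elif element == 'none':
            hit = False
        else:
            try:
                hit = addr in ipaddress.ip_network(element, strict=False)
            except ValueError:
                continue  # named ACL (localhost, localnets, ...): not modelled
        if hit:
            return not negated
    return False  # no element matched: the list rejects the client


def select_view(text, client):
    """Name of the first view whose match-clients accepts client, else None."""
    for name, elements in parse_views(text):
        if acl_matches(elements, client):
            return name
    return None


if __name__ == "__main__":
    # 10.222.15.8 is the workstation address shown in #3; .20 is outside the /28
    for client in ("10.222.15.8", "127.0.0.1", "10.222.15.20"):
        print(client, "->", select_view(SAMPLE_NAMED_CONF, client))
```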

#4 Updated by Benjamin Bohard 7 months ago

On the Amon configuration side, this nevertheless looks correct.

A few more questions to narrow the problem down further:
- does the file /etc/bind/agriates.zones contain the declaration of the zone "in-ac-paris.fr" (assuming it is the only problematic zone)?
- is 10.222.15.14 the IP of the Amon or of a Scribe domain controller?
- does the resolution of a domain name outside Agriates work with the configuration pushed by the server?
- was the problem also encountered outside the VLAN?

#5 Updated by Richard Hong 7 months ago

Benjamin Bohard wrote:

A few more questions to narrow the problem down further:
- does the file /etc/bind/agriates.zones contain the declaration of the zone "in-ac-paris.fr" (assuming it is the only problematic zone)?

The agriates.zones file does contain the zone "in.ac-paris.fr":

// Academie de Paris
zone "in.ac-paris.fr" in {
    type forward;
    forwarders {
        192.168.51.195;
    };
    forward only;
};

And it is not the only problematic zone; apparently I cannot resolve any address under .in:

richard@celeste:~$ nslookup tribin.in.phm.education.gouv.fr
Server:        127.0.0.53
Address:    127.0.0.53#53

** server can't find tribin.in.phm.education.gouv.fr: SERVFAIL

- is 10.222.15.14 the IP of the Amon or of a Scribe domain controller?

It is the IP of the Amon on the VLAN.

- does the resolution of a domain name outside Agriates work with the configuration pushed by the server?

Yes, no problem resolving names outside .in.

- was the problem also encountered outside the VLAN?

I have just redone the Amon configuration, with type_amon set to 2zones and my workstation plugged directly into the "admin" interface; this time resolution works:

richard@celeste:~$ ifconfig 
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.222.15.8  netmask 255.255.255.240  broadcast 10.222.15.15
        inet6 fe80::7b6f:8195:f34e:fea3  prefixlen 64  scopeid 0x20<link>
        ether 98:fa:9b:bd:20:bb  txqueuelen 1000  (Ethernet)
        RX packets 122  bytes 25236 (25.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 187  bytes 23377 (23.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xa2700000-a2720000  

richard@celeste:~$ resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp0s31f6)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.222.15.14
       DNS Servers: 10.222.15.14

richard@celeste:~$ nslookup agriates.in.ac-paris.fr
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
agriates.in.ac-paris.fr    canonical name = webets3.in.ac-paris.fr.
Name:    webets3.in.ac-paris.fr
Address: 192.168.51.210

richard@celeste:~$ nslookup tribin.in.phm.education.gouv.fr
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
tribin.in.phm.education.gouv.fr    canonical name = pr-foa-viprevrac01.foad.in.phm.education.gouv.fr.
Name:    pr-foa-viprevrac01.foad.in.phm.education.gouv.fr
Address: 172.29.58.240

Note: I have just noticed that when switching to the mode without VLANs, resolution also works correctly on the Amon server itself:

root@amonrsi:~# ifconfig 
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 193.50.248.18  netmask 255.255.255.248  broadcast 193.50.248.23
        ether 70:10:6f:3e:2c:c8  txqueuelen 1000  (Ethernet)
        RX packets 5448086  bytes 2948168958 (2.9 GB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 1272699  bytes 306409502 (306.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  

eno2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.222.15.14  netmask 255.255.255.240  broadcast 10.222.15.15
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 2691539  bytes 376038475 (376.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1711640  bytes 1582776292 (1.5 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Boucle locale)
        RX packets 1432977  bytes 117775468 (117.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1432977  bytes 117775468 (117.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@amonrsi:~# nslookup agriates.in.ac-paris.fr
Server:        127.0.0.1
Address:    127.0.0.1#53

Non-authoritative answer:
agriates.in.ac-paris.fr    canonical name = webets3.in.ac-paris.fr.
Name:    webets3.in.ac-paris.fr
Address: 192.168.51.210

Whereas with my VLANs active, resolution does not work on the Amon server either:

------------------------------------------------------------------------------------------------
                                       Reconfiguration OK                                       
------------------------------------------------------------------------------------------------
root@amonrsi:~# ifconfig 
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 193.50.248.18  netmask 255.255.255.248  broadcast 193.50.248.23
        ether 70:10:6f:3e:2c:c8  txqueuelen 1000  (Ethernet)
        RX packets 5450969  bytes 2948456348 (2.9 GB)
        RX errors 0  dropped 1  overruns 0  frame 0
        TX packets 1273451  bytes 306557398 (306.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  

eno2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.232.1  netmask 255.255.255.0  broadcast 192.168.232.255
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 2691664  bytes 376051491 (376.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1711684  bytes 1582784808 (1.5 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Boucle locale)
        RX packets 1436185  bytes 119428603 (119.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1436185  bytes 119428603 (119.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan60: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.222.15.14  netmask 255.255.255.240  broadcast 10.222.15.15
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 126 (126.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan514: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.26.8.14  netmask 255.255.255.240  broadcast 172.26.8.15
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan810: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.222.6.214  netmask 255.255.255.248  broadcast 10.222.6.215
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan812: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.175.1.254  netmask 255.255.255.0  broadcast 10.175.1.255
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@amonrsi:~# nslookup tribin.in.phm.education.gouv.fr
;; Got SERVFAIL reply from 127.0.0.1, trying next server
;; connection timed out; no servers could be reached

#6 Updated by Laurent Gourvenec 5 months ago

Hello,

Could you send us the output of the following commands, with and without the VLANs?
- iptables-save
- ip r
- dig @192.168.51.195 agriates.in.ac-paris.fr

#7 Updated by Richard Hong 5 months ago

Hello,

Here is the output with VLANs:

root@amonrsi:~# ifconfig 
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 193.50.248.18  netmask 255.255.255.248  broadcast 193.50.248.23
        ether 70:10:6f:3e:2c:c8  txqueuelen 1000  (Ethernet)
        RX packets 6723715  bytes 5114445110 (5.1 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1125791  bytes 299555302 (299.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  

eno2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.232.1  netmask 255.255.255.0  broadcast 192.168.232.255
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 2740634  bytes 436453593 (436.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3248840  bytes 3729389962 (3.7 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Boucle locale)
        RX packets 1339663  bytes 97333190 (97.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1339663  bytes 97333190 (97.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan60: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.222.15.14  netmask 255.255.255.240  broadcast 10.222.15.15
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan514: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.26.8.14  netmask 255.255.255.240  broadcast 172.26.8.15
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 16  bytes 1866 (1.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7  bytes 739 (739.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan810: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.222.6.214  netmask 255.255.255.248  broadcast 10.222.6.215
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 131  bytes 16452 (16.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan812: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.175.1.254  netmask 255.255.255.0  broadcast 10.175.1.255
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@amonrsi:~# iptables-save
# Generated by iptables-save v1.8.4 on Fri Nov 17 10:26:11 2023
*mangle
:PREROUTING ACCEPT [232007:92032626]
:INPUT ACCEPT [216694:91584003]
:FORWARD ACCEPT [15313:448623]
:OUTPUT ACCEPT [164601:19966191]
:POSTROUTING ACCEPT [179914:20414814]
:marquage - [0:0]
-A INPUT -j marquage
-A FORWARD -j marquage
-A OUTPUT -j marquage
COMMIT
# Completed on Fri Nov 17 10:26:11 2023
# Generated by iptables-save v1.8.4 on Fri Nov 17 10:26:11 2023
*nat
:PREROUTING ACCEPT [158:7051]
:INPUT ACCEPT [9:508]
:OUTPUT ACCEPT [295:18801]
:POSTROUTING ACCEPT [233:14195]
-A PREROUTING ! -d 193.50.248.18/32 -i eno2 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux http sans proxy" -j REDIRECT --to-ports 3128
-A PREROUTING ! -d 193.50.248.18/32 -i eno2 -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux http sans proxy" -j REDIRECT --to-ports 3128
-A PREROUTING ! -d 193.50.248.18/32 -i eno2 -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux http sans proxy" -j REDIRECT --to-ports 3128
-A PREROUTING -i eno2 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux vers le serveur de distribution du fichier wpad" -j REDIRECT --to-ports 81
-A PREROUTING -i eno2 -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux vers le serveur de distribution du fichier wpad" -j REDIRECT --to-ports 81
-A PREROUTING -i eno2 -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux vers le serveur de distribution du fichier wpad" -j REDIRECT --to-ports 81
-A PREROUTING -i eno2 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux https sans proxy vers une page d\'erreur" -j REDIRECT --to-ports 82
-A PREROUTING -d 192.168.232.1/32 -i eno2 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection pour le fichier wpad." -j REDIRECT --to-ports 81
-A POSTROUTING -s 172.26.8.0/28 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 172.26.8.0/28 -d 172.16.0.0/12 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.6.208/29 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.6.208/29 -d 172.16.0.0/12 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.6.208/29 -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.6.208/29 -d 192.168.0.0/16 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 161.48.0.0/19 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 161.48.0.0/19 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.6.208/29 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.6.208/29 -d 10.0.0.0/8 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 192.168.51.224/27 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 192.168.51.224/27 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 172.16.0.0/12 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 192.168.0.0/16 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 10.0.0.0/8 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 172.26.8.0/28 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 172.26.8.0/28 -d 10.0.0.0/8 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 100.64.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 100.64.0.0/12 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 192.168.232.0/24 -o eno1 -j SNAT --to-source 193.50.248.18
-A POSTROUTING -o eno1 -j SNAT --to-source 193.50.248.18
-A POSTROUTING -o eno1 -j SNAT --to-source 193.50.248.18
-A POSTROUTING -o eno1 -j SNAT --to-source 193.50.248.18
-A POSTROUTING -o eno1 -j SNAT --to-source 193.50.248.18
COMMIT
# Completed on Fri Nov 17 10:26:11 2023
# Generated by iptables-save v1.8.4 on Fri Nov 17 10:26:11 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2355:867393]
:adm-adm - [0:0]
:adm-bas - [0:0]
:adm-dat - [0:0]
:adm-ext - [0:0]
:adm-mgt - [0:0]
:adm-toi - [0:0]
:adm-wif - [0:0]
:bas-adm - [0:0]
:bas-bas - [0:0]
:bas-dat - [0:0]
:bas-ext - [0:0]
:bas-mgt - [0:0]
:bas-toi - [0:0]
:bas-wif - [0:0]
:dat-adm - [0:0]
:dat-bas - [0:0]
:dat-dat - [0:0]
:dat-ext - [0:0]
:dat-mgt - [0:0]
:dat-toi - [0:0]
:dat-wif - [0:0]
:ext-adm - [0:0]
:ext-bas - [0:0]
:ext-dat - [0:0]
:ext-ext - [0:0]
:ext-mgt - [0:0]
:ext-toi - [0:0]
:ext-wif - [0:0]
:icmp-acc - [0:0]
:lo - [0:0]
:mgt-adm - [0:0]
:mgt-bas - [0:0]
:mgt-dat - [0:0]
:mgt-ext - [0:0]
:mgt-mgt - [0:0]
:mgt-toi - [0:0]
:mgt-wif - [0:0]
:netbios-ext - [0:0]
:toi-adm - [0:0]
:toi-bas - [0:0]
:toi-dat - [0:0]
:toi-ext - [0:0]
:toi-mgt - [0:0]
:toi-toi - [0:0]
:toi-wif - [0:0]
:wif-adm - [0:0]
:wif-bas - [0:0]
:wif-dat - [0:0]
:wif-ext - [0:0]
:wif-mgt - [0:0]
:wif-toi - [0:0]
:wif-wif - [0:0]
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 161.48.0.0/19 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 161.48.0.0/19 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.51.224/27 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.51.224/27 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 100.64.0.0/12 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 100.64.0.0/12 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eno1 -p icmp -j icmp-acc
-A INPUT -i vlan812 -p icmp -j icmp-acc
-A INPUT -i vlan810 -p icmp -j icmp-acc
-A INPUT -i vlan514 -p icmp -j icmp-acc
-A INPUT -i vlan60 -p icmp -j icmp-acc
-A INPUT -i eno2 -p icmp -j icmp-acc
-A INPUT -i eno1 -j ext-bas
-A INPUT -i vlan812 -j wif-bas
-A INPUT -i vlan810 -j mgt-bas
-A INPUT -i vlan514 -j toi-bas
-A INPUT -i vlan60 -j dat-bas
-A INPUT -i eno2 -j adm-bas
-A FORWARD -s 172.16.0.0/12 -d 172.26.8.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 172.26.8.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.26.8.0/28 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.26.8.0/28 -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 10.222.6.208/29 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 10.222.6.208/29 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -d 10.222.6.208/29 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -d 10.222.6.208/29 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 192.168.0.0/16 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 161.48.0.0/19 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 161.48.0.0/19 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 161.48.0.0/19 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 161.48.0.0/19 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 10.222.6.208/29 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 10.222.6.208/29 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.51.224/27 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.51.224/27 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 192.168.51.224/27 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 192.168.51.224/27 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 192.168.0.0/16 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 172.26.8.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 172.26.8.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.26.8.0/28 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.26.8.0/28 -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 100.64.0.0/12 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 100.64.0.0/12 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 100.64.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 100.64.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -o eno1 -j netbios-ext
-A FORWARD -i eno1 -o eno1 -j ext-ext
-A FORWARD -i eno1 -o vlan812 -j ext-wif
-A FORWARD -i eno1 -o vlan810 -j ext-mgt
-A FORWARD -i eno1 -o vlan514 -j ext-toi
-A FORWARD -i eno1 -o vlan60 -j ext-dat
-A FORWARD -i eno1 -o eno2 -j ext-adm
-A FORWARD -i vlan812 -o eno1 -j wif-ext
-A FORWARD -i vlan812 -o vlan812 -j wif-wif
-A FORWARD -i vlan812 -o vlan810 -j wif-mgt
-A FORWARD -i vlan812 -o vlan514 -j wif-toi
-A FORWARD -i vlan812 -o vlan60 -j wif-dat
-A FORWARD -i vlan812 -o eno2 -j wif-adm
-A FORWARD -i vlan810 -o eno1 -j mgt-ext
-A FORWARD -i vlan810 -o vlan812 -j mgt-wif
-A FORWARD -i vlan810 -o vlan810 -j mgt-mgt
-A FORWARD -i vlan810 -o vlan514 -j mgt-toi
-A FORWARD -i vlan810 -o vlan60 -j mgt-dat
-A FORWARD -i vlan810 -o eno2 -j mgt-adm
-A FORWARD -i vlan514 -o eno1 -j toi-ext
-A FORWARD -i vlan514 -o vlan812 -j toi-wif
-A FORWARD -i vlan514 -o vlan810 -j toi-mgt
-A FORWARD -i vlan514 -o vlan514 -j toi-toi
-A FORWARD -i vlan514 -o vlan60 -j toi-dat
-A FORWARD -i vlan514 -o eno2 -j toi-adm
-A FORWARD -i vlan60 -o eno1 -j dat-ext
-A FORWARD -i vlan60 -o vlan812 -j dat-wif
-A FORWARD -i vlan60 -o vlan810 -j dat-mgt
-A FORWARD -i vlan60 -o vlan514 -j dat-toi
-A FORWARD -i vlan60 -o vlan60 -j dat-dat
-A FORWARD -i vlan60 -o eno2 -j dat-adm
-A FORWARD -i eno2 -o eno1 -j adm-ext
-A FORWARD -i eno2 -o vlan812 -j adm-wif
-A FORWARD -i eno2 -o vlan810 -j adm-mgt
-A FORWARD -i eno2 -o vlan514 -j adm-toi
-A FORWARD -i eno2 -o vlan60 -j adm-dat
-A FORWARD -i eno2 -o eno2 -j adm-adm
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 161.48.0.0/19 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 161.48.0.0/19 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.51.224/27 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.51.224/27 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 100.64.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 100.64.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A adm-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
-A adm-bas -i eno2 -p tcp -m tcp --dport 3128 -m comment --comment "era: Redirection des flux http sans proxy" -j ACCEPT
-A adm-bas -i eno2 -p tcp -m tcp --dport 3128 -m comment --comment "era: Redirection des flux http sans proxy" -j ACCEPT
-A adm-bas -i eno2 -p tcp -m tcp --dport 3128 -m comment --comment "era: Redirection des flux http sans proxy" -j ACCEPT
-A adm-bas -i eno2 -p tcp -m tcp --dport 81 -m comment --comment "era: Redirection des flux vers le serveur de distribution du fichier wpad" -j ACCEPT
-A adm-bas -i eno2 -p tcp -m tcp --dport 81 -m comment --comment "era: Redirection des flux vers le serveur de distribution du fichier wpad" -j ACCEPT
-A adm-bas -i eno2 -p tcp -m tcp --dport 81 -m comment --comment "era: Redirection des flux vers le serveur de distribution du fichier wpad" -j ACCEPT
-A adm-bas -i eno2 -p tcp -m tcp --dport 82 -m comment --comment "era: Redirection des flux https sans proxy vers une page d\'erreur" -j ACCEPT
-A adm-bas -d 192.168.232.1/32 -i eno2 -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A adm-bas -i eno2 -p tcp -m tcp --dport 81 -m comment --comment "era: Redirection pour le fichier wpad." -j ACCEPT
-A adm-bas -s 172.30.1.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: ssh admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.6.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: ssh admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.9.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: ssh admin vers Amon" -j ACCEPT
-A adm-bas -s 10.222.15.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: ssh admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.1.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8090 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.6.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8090 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.9.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8090 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -s 10.222.15.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8090 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.1.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 4200 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.6.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 4200 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.9.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 4200 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -s 10.222.15.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 4200 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.1.0/24 -d 192.168.232.1/32 -i eno2 -p icmp -m state --state NEW -m icmp --icmp-type 8 -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.6.0/24 -d 192.168.232.1/32 -i eno2 -p icmp -m state --state NEW -m icmp --icmp-type 8 -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.9.0/24 -d 192.168.232.1/32 -i eno2 -p icmp -m state --state NEW -m icmp --icmp-type 8 -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -s 10.222.15.0/24 -d 192.168.232.1/32 -i eno2 -p icmp -m state --state NEW -m icmp --icmp-type 8 -m comment --comment "era: administration admin vers Amon" -j ACCEPT
-A adm-bas -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A adm-bas -d 192.168.232.1/32 -i eno2 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A adm-bas -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A adm-bas -s 172.30.1.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 7000 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: gen_config admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.6.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 7000 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: gen_config admin vers Amon" -j ACCEPT
-A adm-bas -s 172.30.9.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 7000 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: gen_config admin vers Amon" -j ACCEPT
-A adm-bas -s 10.222.15.0/24 -d 192.168.232.1/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 7000 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: gen_config admin vers Amon" -j ACCEPT
-A adm-bas -i eno2 -j DROP
-A adm-dat -m state --state RELATED,ESTABLISHED -j ACCEPT
-A adm-dat -i eno2 -o vlan60 -j ACCEPT
-A adm-ext -m state --state RELATED,ESTABLISHED -j ACCEPT
-A adm-ext -s 192.168.232.0/24 -i eno2 -o eno1 -j ACCEPT
-A adm-ext -i eno2 -o eno1 -j ACCEPT
-A adm-mgt -m state --state RELATED,ESTABLISHED -j ACCEPT
-A adm-mgt -i eno2 -o vlan810 -j ACCEPT
-A adm-toi -m state --state RELATED,ESTABLISHED -j ACCEPT
-A adm-toi -i eno2 -o vlan514 -j ACCEPT
-A adm-wif -m state --state RELATED,ESTABLISHED -j ACCEPT
-A adm-wif -i eno2 -o vlan812 -j ACCEPT
-A bas-adm -m state --state RELATED,ESTABLISHED -j ACCEPT
-A bas-dat -m state --state RELATED,ESTABLISHED -j ACCEPT
-A bas-ext -m state --state RELATED,ESTABLISHED -j ACCEPT
-A bas-mgt -m state --state RELATED,ESTABLISHED -j ACCEPT
-A bas-toi -m state --state RELATED,ESTABLISHED -j ACCEPT
-A bas-wif -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dat-adm -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dat-adm -i vlan60 -o eno2 -j DROP
-A dat-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dat-bas -i vlan60 -j ACCEPT
-A dat-ext -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dat-ext -i vlan60 -o eno1 -j ACCEPT
-A dat-ext -i vlan60 -o eno1 -j ACCEPT
-A dat-mgt -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dat-mgt -i vlan60 -o vlan810 -j DROP
-A dat-toi -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dat-toi -i vlan60 -o vlan514 -j DROP
-A dat-wif -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dat-wif -i vlan60 -o vlan812 -j DROP
-A ext-adm -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ext-adm -i eno1 -o eno2 -j DROP
-A ext-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ext-bas -s 195.83.73.248/32 -d 193.50.248.18/32 -i eno1 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: ssh exterieur vers Amon" -j ACCEPT
-A ext-bas -d 193.50.248.18/32 -i eno1 -p esp -m state --state NEW -m comment --comment "era: Autoriser ipsec" -j ACCEPT
-A ext-bas -d 193.50.248.18/32 -i eno1 -p udp -m state --state NEW -m udp --dport 4500 -m comment --comment "era: Autoriser ipsec" -j ACCEPT
-A ext-bas -d 193.50.248.18/32 -i eno1 -p udp -m state --state NEW -m udp --dport 500 -m comment --comment "era: Autoriser ipsec" -j ACCEPT
-A ext-bas -s 195.83.73.248/32 -d 193.50.248.18/32 -i eno1 -p tcp -m state --state NEW -m tcp --dport 7000 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: gen_config exterieur vers Amon" -j ACCEPT
-A ext-bas -i eno1 -m limit --limit 2/sec -j LOG --log-prefix "iptables connection attempt: " 
-A ext-bas -i eno1 -j DROP
-A ext-dat -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ext-dat -i eno1 -o vlan60 -j DROP
-A ext-mgt -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ext-mgt -i eno1 -o vlan810 -j DROP
-A ext-toi -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ext-toi -i eno1 -o vlan514 -j DROP
-A ext-wif -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ext-wif -i eno1 -o vlan812 -j DROP
-A icmp-acc -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp-acc -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A icmp-acc -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp-acc -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A icmp-acc -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A mgt-adm -m state --state RELATED,ESTABLISHED -j ACCEPT
-A mgt-adm -i vlan810 -o eno2 -j DROP
-A mgt-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
-A mgt-bas -i vlan810 -j ACCEPT
-A mgt-dat -m state --state RELATED,ESTABLISHED -j ACCEPT
-A mgt-dat -i vlan810 -o vlan60 -j DROP
-A mgt-ext -m state --state RELATED,ESTABLISHED -j ACCEPT
-A mgt-ext -i vlan810 -o eno1 -j ACCEPT
-A mgt-ext -i vlan810 -o eno1 -j ACCEPT
-A mgt-toi -m state --state RELATED,ESTABLISHED -j ACCEPT
-A mgt-toi -i vlan810 -o vlan514 -j DROP
-A mgt-wif -m state --state RELATED,ESTABLISHED -j ACCEPT
-A mgt-wif -i vlan810 -o vlan812 -j DROP
-A netbios-ext -p tcp -m tcp --dport 135 --tcp-flags SYN,RST,ACK SYN -j DROP
-A netbios-ext -p udp -m udp --dport 135 -j DROP
-A netbios-ext -p tcp -m tcp --dport 137:139 --tcp-flags SYN,RST,ACK SYN -j DROP
-A netbios-ext -p udp -m udp --dport 137:139 -j DROP
-A netbios-ext -p tcp -m tcp --dport 445 --tcp-flags SYN,RST,ACK SYN -j DROP
-A netbios-ext -p udp -m udp --dport 445 -j DROP
-A toi-adm -m state --state RELATED,ESTABLISHED -j ACCEPT
-A toi-adm -i vlan514 -o eno2 -j DROP
-A toi-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
-A toi-bas -i vlan514 -j ACCEPT
-A toi-dat -m state --state RELATED,ESTABLISHED -j ACCEPT
-A toi-dat -i vlan514 -o vlan60 -j DROP
-A toi-ext -m state --state RELATED,ESTABLISHED -j ACCEPT
-A toi-ext -i vlan514 -o eno1 -j ACCEPT
-A toi-ext -i vlan514 -o eno1 -j ACCEPT
-A toi-mgt -m state --state RELATED,ESTABLISHED -j ACCEPT
-A toi-mgt -i vlan514 -o vlan810 -j DROP
-A toi-wif -m state --state RELATED,ESTABLISHED -j ACCEPT
-A toi-wif -i vlan514 -o vlan812 -j DROP
-A wif-adm -m state --state RELATED,ESTABLISHED -j ACCEPT
-A wif-adm -i vlan812 -o eno2 -j DROP
-A wif-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
-A wif-bas -i vlan812 -j ACCEPT
-A wif-dat -m state --state RELATED,ESTABLISHED -j ACCEPT
-A wif-dat -i vlan812 -o vlan60 -j DROP
-A wif-ext -m state --state RELATED,ESTABLISHED -j ACCEPT
-A wif-ext -i vlan812 -o eno1 -j ACCEPT
-A wif-ext -i vlan812 -o eno1 -j ACCEPT
-A wif-mgt -m state --state RELATED,ESTABLISHED -j ACCEPT
-A wif-mgt -i vlan812 -o vlan810 -j DROP
-A wif-toi -m state --state RELATED,ESTABLISHED -j ACCEPT
-A wif-toi -i vlan812 -o vlan514 -j DROP
COMMIT
# Completed on Fri Nov 17 10:26:11 2023
root@amonrsi:~# ip r
default via 193.50.248.22 dev eno1 proto static 
10.0.0.0/8 dev eno1 scope link src 192.168.232.1 
10.175.1.0/24 dev vlan812 proto kernel scope link src 10.175.1.254 
10.222.6.208/29 dev vlan810 proto kernel scope link src 10.222.6.214 
10.222.15.0/28 dev vlan60 proto kernel scope link src 10.222.15.14 
100.64.0.0/12 dev eno1 scope link src 10.222.15.14 
161.48.0.0/19 dev eno1 scope link src 10.222.15.14 
172.16.0.0/12 dev eno1 scope link src 192.168.232.1 
172.26.8.0/28 dev vlan514 proto kernel scope link src 172.26.8.14 
192.168.0.0/16 dev eno1 scope link src 192.168.232.1 
192.168.51.224/27 dev eno1 scope link src 10.222.15.14 
192.168.232.0/24 dev eno2 proto kernel scope link src 192.168.232.1 
193.50.248.16/29 dev eno1 proto kernel scope link src 193.50.248.18 
root@amonrsi:~# dig @192.168.51.195 agriates.in.ac-paris.fr

; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.51.195 agriates.in.ac-paris.fr
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

root@amonrsi:~#

And the result without VLAN:

root@amonrsi:~# ifconfig 
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 193.50.248.18  netmask 255.255.255.248  broadcast 193.50.248.23
        ether 70:10:6f:3e:2c:c8  txqueuelen 1000  (Ethernet)
        RX packets 6721445  bytes 5114210976 (5.1 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1125208  bytes 299382618 (299.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  

eno2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.222.15.14  netmask 255.255.255.240  broadcast 10.222.15.15
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 2740180  bytes 436389642 (436.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3248833  bytes 3729389139 (3.7 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Boucle locale)
        RX packets 1336874  bytes 95527971 (95.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1336874  bytes 95527971 (95.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@amonrsi:~# iptables-save
# Generated by iptables-save v1.8.4 on Fri Nov 17 10:35:30 2023
*mangle
:PREROUTING ACCEPT [1132:486545]
:INPUT ACCEPT [1132:486545]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1079:573470]
:POSTROUTING ACCEPT [1079:573470]
:marquage - [0:0]
-A INPUT -j marquage
-A FORWARD -j marquage
-A OUTPUT -j marquage
COMMIT
# Completed on Fri Nov 17 10:35:30 2023
# Generated by iptables-save v1.8.4 on Fri Nov 17 10:35:30 2023
*nat
:PREROUTING ACCEPT [16:715]
:INPUT ACCEPT [2:112]
:OUTPUT ACCEPT [84:4992]
:POSTROUTING ACCEPT [80:4648]
-A PREROUTING -i eno2 -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -m set --match-set bastion-ped-ext-10-src src -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j RETURN
-A PREROUTING -i eno2 -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -m set --match-set bastion-ped-ext-10-dst dst -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j RETURN
-A PREROUTING -i eno2 -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j REDIRECT --to-ports 3128
-A PREROUTING -i eno2 -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -m set --match-set bastion-ped-ext-10-src src -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j RETURN
-A PREROUTING -i eno2 -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -m set --match-set bastion-ped-ext-10-dst dst -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j RETURN
-A PREROUTING -i eno2 -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j REDIRECT --to-ports 3128
-A PREROUTING ! -d 193.50.248.18/32 -i eno2 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m set --match-set bastion-ped-ext-11-src src -m comment --comment "era: Redirection des flux http sans proxy vers une page d\'erreur" -j RETURN
-A PREROUTING ! -d 193.50.248.18/32 -i eno2 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m set --match-set bastion-ped-ext-11-dst dst -m comment --comment "era: Redirection des flux http sans proxy vers une page d\'erreur" -j RETURN
-A PREROUTING ! -d 193.50.248.18/32 -i eno2 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux http sans proxy vers une page d\'erreur" -j REDIRECT --to-ports 81
-A PREROUTING -i eno2 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -m set --match-set bastion-ped-ext-12-src src -m comment --comment "era: Redirection des flux https sans proxy vers une page d\'erreur" -j RETURN
-A PREROUTING -i eno2 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -m set --match-set bastion-ped-ext-12-dst dst -m comment --comment "era: Redirection des flux https sans proxy vers une page d\'erreur" -j RETURN
-A PREROUTING -i eno2 -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Redirection des flux https sans proxy vers une page d\'erreur" -j REDIRECT --to-ports 82
-A POSTROUTING -s 10.222.6.208/29 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.6.208/29 -d 172.16.0.0/12 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.6.208/29 -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.6.208/29 -d 192.168.0.0/16 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.6.208/29 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.6.208/29 -d 10.0.0.0/8 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 172.26.8.0/28 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 172.26.8.0/28 -d 172.16.0.0/12 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 172.26.8.0/28 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 172.26.8.0/28 -d 10.0.0.0/8 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 100.64.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 100.64.0.0/12 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 161.48.0.0/19 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 161.48.0.0/19 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 172.16.0.0/12 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 192.168.0.0/16 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 10.0.0.0/8 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 192.168.51.224/27 -o eno1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -d 192.168.51.224/27 -o eno1 -m state --state NEW -j ACCEPT
-A POSTROUTING -s 10.222.15.0/28 -o eno1 -j SNAT --to-source 193.50.248.18
COMMIT
# Completed on Fri Nov 17 10:35:30 2023
# Generated by iptables-save v1.8.4 on Fri Nov 17 10:35:30 2023
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [222:84575]
:bas-bas - [0:0]
:bas-ext - [0:0]
:bas-ped - [0:0]
:ext-bas - [0:0]
:ext-ext - [0:0]
:ext-ped - [0:0]
:icmp-acc - [0:0]
:lo - [0:0]
:netbios-ext - [0:0]
:ped-bas - [0:0]
:ped-ext - [0:0]
:ped-ped - [0:0]
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 100.64.0.0/12 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 100.64.0.0/12 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 161.48.0.0/19 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 161.48.0.0/19 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.51.224/27 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -s 192.168.51.224/27 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eno1 -p icmp -j icmp-acc
-A INPUT -i eno2 -p icmp -j icmp-acc
-A INPUT -i eno1 -j ext-bas
-A INPUT -i eno2 -j ped-bas
-A FORWARD -s 172.16.0.0/12 -d 10.222.6.208/29 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 10.222.6.208/29 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -d 10.222.6.208/29 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -d 10.222.6.208/29 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 192.168.0.0/16 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 10.222.6.208/29 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 10.222.6.208/29 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.6.208/29 -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 172.26.8.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 172.26.8.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.26.8.0/28 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.26.8.0/28 -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 172.26.8.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 172.26.8.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.26.8.0/28 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.26.8.0/28 -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 100.64.0.0/12 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 100.64.0.0/12 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 100.64.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 100.64.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 161.48.0.0/19 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 161.48.0.0/19 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 161.48.0.0/19 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 161.48.0.0/19 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 192.168.0.0/16 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.51.224/27 -d 10.222.15.0/28 -i eno1 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 192.168.51.224/27 -d 10.222.15.0/28 -i eno1 -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 192.168.51.224/27 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.222.15.0/28 -d 192.168.51.224/27 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -o eno1 -j netbios-ext
-A FORWARD -i eno1 -o eno1 -j ext-ext
-A FORWARD -i eno1 -o eno2 -j ext-ped
-A FORWARD -i eno2 -o eno1 -j ped-ext
-A FORWARD -i eno2 -o eno2 -j ped-ped
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 100.64.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 100.64.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 161.48.0.0/19 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 161.48.0.0/19 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.51.224/27 -o eno1 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -d 192.168.51.224/27 -o eno1 -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A bas-ext -m state --state RELATED,ESTABLISHED -j ACCEPT
-A bas-ped -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ext-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ext-bas -s 195.83.73.248/32 -d 193.50.248.18/32 -i eno1 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: ssh exterieur vers Amon" -j ACCEPT
-A ext-bas -d 193.50.248.18/32 -i eno1 -p tcp -m state --state NEW -m tcp --dport 4201 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Acces backend EAD exterieure vers Amon" -j ACCEPT
-A ext-bas -d 193.50.248.18/32 -i eno1 -p tcp -m state --state NEW -m tcp --dport 4202 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Acces backend EAD exterieure vers Amon" -j ACCEPT
-A ext-bas -d 193.50.248.18/32 -i eno1 -p esp -m state --state NEW -m comment --comment "era: Autoriser ipsec" -j ACCEPT
-A ext-bas -d 193.50.248.18/32 -i eno1 -p udp -m state --state NEW -m udp --dport 4500 -m comment --comment "era: Autoriser ipsec" -j ACCEPT
-A ext-bas -d 193.50.248.18/32 -i eno1 -p udp -m state --state NEW -m udp --dport 500 -m comment --comment "era: Autoriser ipsec" -j ACCEPT
-A ext-bas -s 195.83.73.248/32 -d 193.50.248.18/32 -i eno1 -p tcp -m state --state NEW -m tcp --dport 7000 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: gen_config exterieur vers Amon" -j ACCEPT
-A ext-bas -i eno1 -m limit --limit 2/sec -j LOG --log-prefix "iptables connection attempt: " 
-A ext-bas -i eno1 -j DROP
-A ext-ped -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ext-ped -i eno1 -o eno2 -j DROP
-A icmp-acc -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp-acc -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A icmp-acc -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp-acc -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A icmp-acc -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A netbios-ext -p tcp -m tcp --dport 135 --tcp-flags SYN,RST,ACK SYN -j DROP
-A netbios-ext -p udp -m udp --dport 135 -j DROP
-A netbios-ext -p tcp -m tcp --dport 137:139 --tcp-flags SYN,RST,ACK SYN -j DROP
-A netbios-ext -p udp -m udp --dport 137:139 -j DROP
-A netbios-ext -p tcp -m tcp --dport 445 --tcp-flags SYN,RST,ACK SYN -j DROP
-A netbios-ext -p udp -m udp --dport 445 -j DROP
-A ped-bas -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ped-bas -i eno2 -p tcp -m tcp --dport 3128 -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j ACCEPT
-A ped-bas -i eno2 -p tcp -m tcp --dport 3128 -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j ACCEPT
-A ped-bas -i eno2 -p tcp -m tcp --dport 81 -m comment --comment "era: Redirection des flux http sans proxy vers une page d\'erreur" -j ACCEPT
-A ped-bas -i eno2 -p tcp -m tcp --dport 82 -m comment --comment "era: Redirection des flux https sans proxy vers une page d\'erreur" -j ACCEPT
-A ped-bas -s 172.30.1.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: ssh pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.6.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: ssh pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.9.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: ssh pedago vers Amon" -j ACCEPT
-A ped-bas -s 10.222.15.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: ssh pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.1.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8090 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.6.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8090 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.9.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8090 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 10.222.15.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8090 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.1.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 4200 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.6.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 4200 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.9.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 4200 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 10.222.15.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 4200 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.1.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8062 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.6.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8062 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.9.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8062 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 10.222.15.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8062 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.1.0/24 -d 10.222.15.14/32 -i eno2 -p icmp -m state --state NEW -m icmp --icmp-type 8 -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.6.0/24 -d 10.222.15.14/32 -i eno2 -p icmp -m state --state NEW -m icmp --icmp-type 8 -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.9.0/24 -d 10.222.15.14/32 -i eno2 -p icmp -m state --state NEW -m icmp --icmp-type 8 -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 10.222.15.0/24 -d 10.222.15.14/32 -i eno2 -p icmp -m state --state NEW -m icmp --icmp-type 8 -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.1.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8062 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.6.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8062 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.9.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8062 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -s 10.222.15.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 8062 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: administration pedago vers Amon" -j ACCEPT
-A ped-bas -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 53 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A ped-bas -d 10.222.15.14/32 -i eno2 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A ped-bas -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A ped-bas -s 172.30.1.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 7000 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: gen_config pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.6.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 7000 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: gen_config pedago vers Amon" -j ACCEPT
-A ped-bas -s 172.30.9.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 7000 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: gen_config pedago vers Amon" -j ACCEPT
-A ped-bas -s 10.222.15.0/24 -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 7000 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: gen_config pedago vers Amon" -j ACCEPT
-A ped-bas -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 4201 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Acces backend EAD pedago vers Amon" -j ACCEPT
-A ped-bas -d 10.222.15.14/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 4202 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Acces backend EAD pedago vers Amon" -j ACCEPT
-A ped-bas -d 193.50.248.18/32 -i eno2 -p tcp -m state --state NEW -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m comment --comment "era: Autorisation reverse proxy + WPAD" -j ACCEPT
-A ped-bas -d 10.222.15.14/32 -i eno2 -p udp -m state --state NEW -m udp --dport 123 -m comment --comment "era: Autoriser ntp depuis pedago" -j ACCEPT
-A ped-bas -i eno2 -j DROP
-A ped-ext -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ped-ext -i eno2 -o eno1 -m set --match-set bastion-ped-ext-10-src src -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j ACCEPT
-A ped-ext -i eno2 -o eno1 -m set --match-set bastion-ped-ext-10-dst dst -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j ACCEPT
-A ped-ext -i eno2 -o eno1 -m set --match-set bastion-ped-ext-10-src src -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j ACCEPT
-A ped-ext -i eno2 -o eno1 -m set --match-set bastion-ped-ext-10-dst dst -m comment --comment "era: Redirection des flux http avec proxy alternatif" -j ACCEPT
-A ped-ext ! -d 193.50.248.18/32 -i eno2 -o eno1 -m set --match-set bastion-ped-ext-11-src src -m comment --comment "era: Redirection des flux http sans proxy vers une page d\'erreur" -j ACCEPT
-A ped-ext ! -d 193.50.248.18/32 -i eno2 -o eno1 -m set --match-set bastion-ped-ext-11-dst dst -m comment --comment "era: Redirection des flux http sans proxy vers une page d\'erreur" -j ACCEPT
-A ped-ext -i eno2 -o eno1 -m set --match-set bastion-ped-ext-12-src src -m comment --comment "era: Redirection des flux https sans proxy vers une page d\'erreur" -j ACCEPT
-A ped-ext -i eno2 -o eno1 -m set --match-set bastion-ped-ext-12-dst dst -m comment --comment "era: Redirection des flux https sans proxy vers une page d\'erreur" -j ACCEPT
-A ped-ext -s 10.222.15.0/28 -i eno2 -o eno1 -j ACCEPT
-A ped-ext -i eno2 -o eno1 -j ACCEPT
COMMIT
# Completed on Fri Nov 17 10:35:30 2023
root@amonrsi:~# ip r
default via 193.50.248.22 dev eno1 proto static 
10.0.0.0/8 dev eno1 scope link src 10.222.15.14 
10.222.15.0/28 dev eno2 proto kernel scope link src 10.222.15.14 
100.64.0.0/12 dev eno1 scope link src 10.222.15.14 
161.48.0.0/19 dev eno1 scope link src 10.222.15.14 
172.16.0.0/12 dev eno1 scope link src 10.222.15.14 
192.168.0.0/16 dev eno1 scope link src 10.222.15.14 
192.168.51.224/27 dev eno1 scope link src 10.222.15.14 
193.50.248.16/29 dev eno1 proto kernel scope link src 193.50.248.18 
root@amonrsi:~# dig @192.168.51.195 agriates.in.ac-paris.fr

; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.51.195 agriates.in.ac-paris.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56397
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;agriates.in.ac-paris.fr.    IN    A

;; ANSWER SECTION:
agriates.in.ac-paris.fr. 10800    IN    CNAME    webets3.in.ac-paris.fr.
webets3.in.ac-paris.fr.    10800    IN    A    192.168.51.210

;; AUTHORITY SECTION:
in.ac-paris.fr.        10800    IN    NS    corum.in.ac-paris.fr.
in.ac-paris.fr.        10800    IN    NS    fuji.in.ac-paris.fr.

;; ADDITIONAL SECTION:
fuji.in.ac-paris.fr.    10800    IN    A    172.30.8.20
corum.in.ac-paris.fr.    10800    IN    A    172.30.8.11

;; Query time: 3 msec
;; SERVER: 192.168.51.195#53(192.168.51.195)
;; WHEN: ven. nov. 17 10:35:34 CET 2023
;; MSG SIZE  rcvd: 161

root@amonrsi:~#

#8 Updated by Laurent Gourvenec 2 months ago

I may be seeing an overlapping route error:
WITH VLAN

192.168.0.0/16 dev eno1 scope link src 192.168.232.1
192.168.51.224/27 dev eno1 scope link src 10.222.15.14

WITHOUT VLAN
192.168.0.0/16 dev eno1 scope link src 10.222.15.14
192.168.51.224/27 dev eno1 scope link src 10.222.15.14

#9 Updated by Benjamin Bohard 25 days ago

In the ipsec_updown script template, the computation of the source for the routes is not suited to the use of VLANs.

The current computation relies on a variable (sw_force_ip_src) that only allows declaring an interface (an integer that is concatenated with the string "eth").

Previously, the sw_force_ip_src variable made it possible to give the full name of the interface (for example "vlan60").

The following patch replaces the source computation by relying on the local network (passed to the script through the PLUTO_MY_CLIENT variable). This patch sets aside the Creole variable and is not a well-integrated solution.

--- distrib/ipsec_updown        2021-01-11 08:32:26.000000000 +0100
+++ modif/ipsec_updown  2024-04-02 11:49:22.959574178 +0200
@@ -117,7 +117,7 @@
 #              is  the  UDP/TCP  port  to  which  the IPsec SA  is
 #              restricted on the peer side.
 #
-
+RIGHT_ROUTE=$(ip route get ${PLUTO_MY_CLIENT%%/*} | sed  -e "s/^.*dev.//" -e "s/ .*//")
 # uncomment to log VPN connections
 VPN_LOGGING=1
 #
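Review bot: RIGHT_ROUTE is computed unconditionally at the top of the script with no check on the result, so when `ip route get ${PLUTO_MY_CLIENT%%/*}` fails (PLUTO_MY_CLIENT unset, or no route to the local network at the moment the updown script runs) the variable is silently empty and the later `ip addr show dev $RIGHT_ROUTE` is invoked without an interface name. Suggest computing it next to its use and guarding it, e.g. `[ -n "$RIGHT_ROUTE" ] || logger -t ipsec_updown "no interface found for ${PLUTO_MY_CLIENT}"`. The sed `s/^.*dev.//` also lets `.` match any character after `dev`; `s/^.* dev \([^ ]*\).*$/\1/` is stricter. Since the line replaces a blank one inside a comment block describing peer-side parameters, a one-line comment saying what RIGHT_ROUTE holds (the interface carrying the local subnet) would help.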
@@ -240,7 +240,7 @@
         fi
     %if %%is_defined('sw_force_ip_src') and %%sw_force_ip_src != "non" 
        #PLUTO_MY_SOURCEIP=`grep -A 2 "auto %%sw_force_ip_src" /etc/network/interfaces |grep address|cut -d" " -f2`
-    PLUTO_MY_SOURCEIP=`ip addr show dev %%getVar('nom_zone_eth' + %%sw_force_ip_src) | grep -m 1 "inet " | sed -e "s/^.*inet \(.*\)\/.*$/\1/"`
+    PLUTO_MY_SOURCEIP=`ip addr show dev $RIGHT_ROUTE | grep -m 1 "inet " | sed -e "s/^.*inet \(.*\)\/.*$/\1/"`
     %else
        PLUTO_MY_SOURCEIP="" 
     %end if
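Review bot: `$RIGHT_ROUTE` is unquoted and, if empty, `ip addr show dev` fails and PLUTO_MY_SOURCEIP ends up empty without any log line, which is what the `%else` branch below produces on purpose but silently here. `grep -m 1 "inet "` still takes the first IPv4 address of the interface, which on an interface carrying several addresses may not lie inside PLUTO_MY_CLIENT; selecting the address that belongs to the local network would be more robust. The `%if %%is_defined('sw_force_ip_src') and %%sw_force_ip_src != "non"` condition now only gates the branch while the value of sw_force_ip_src is ignored, as the comment above the patch acknowledges; a template comment saying so would avoid surprises when the Creole variable is reintroduced.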
@@ -254,7 +254,7 @@
         if [ "${SRC_IP_ROUTE}" == "" ]
         then
             %if %%is_defined('sw_force_ip_src') and %%sw_force_ip_src != "non" 
-            MY_SOURCEIP_NETMASK_CIDR=$(ip addr show dev %%getVar('nom_zone_eth' + %%sw_force_ip_src)|grep "${PLUTO_MY_SOURCEIP}"|sed "s/^.*inet.*\/\([0-9]*\) .*$/\1/")
+            MY_SOURCEIP_NETMASK_CIDR=$(ip addr show dev $RIGHT_ROUTE|grep "${PLUTO_MY_SOURCEIP}"|sed "s/^.*inet.*\/\([0-9]*\) .*$/\1/")
             %else
             MY_SOURCEIP_NETMASK_CIDR=$(ip addr show dev %%getVar('nom_zone_eth1', 'no_eth1')|grep "${PLUTO_MY_SOURCEIP}"|sed "s/^.*inet.*\/\([0-9]*\) .*$/\1/")
             %end if
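Review bot: the `%else` branch still derives the prefix length from `nom_zone_eth1` while the `%if` branch now uses `$RIGHT_ROUTE`, so the two branches can disagree on the interface used for the route; the modified line also keeps `grep "${PLUTO_MY_SOURCEIP}"`, which treats the address as an unanchored regular expression (dots match any character and 10.222.15.1 also matches 10.222.15.14). Suggest `grep -F "inet ${PLUTO_MY_SOURCEIP}/"` and quoting `"$RIGHT_ROUTE"` on both modified lines.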

#10 Updated by Richard Hong 25 days ago

After applying the patch, resolution works correctly from the client workstation with Amon declared as the only DNS:

richard@celeste:~$ ifconfig 
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.222.15.8  netmask 255.255.255.240  broadcast 10.222.15.15
        inet6 fe80::7b6f:8195:f34e:fea3  prefixlen 64  scopeid 0x20<link>
        ether 98:fa:9b:bd:20:bb  txqueuelen 1000  (Ethernet)
        RX packets 16413  bytes 18607026 (18.6 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7350  bytes 1310771 (1.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xa2700000-a2720000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Boucle locale)
        RX packets 789  bytes 83819 (83.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 789  bytes 83819 (83.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

richard@celeste:~$ resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp0s31f6)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.222.15.14
       DNS Servers: 10.222.15.14

Link 3 (wlp5s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

richard@celeste:~$ nslookup agriates.in.ac-paris.fr
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
agriates.in.ac-paris.fr    canonical name = webets3.in.ac-paris.fr.
Name:    webets3.in.ac-paris.fr
Address: 192.168.51.210

And resolution also works from the Amon server:

root@amon24rsi:~# ifconfig 
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 193.50.248.18  netmask 255.255.255.248  broadcast 193.50.248.23
        ether 70:10:6f:3e:2c:c8  txqueuelen 1000  (Ethernet)
        RX packets 99439  bytes 46762665 (46.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44849  bytes 13397303 (13.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  

eno2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.232.1  netmask 255.255.255.0  broadcast 192.168.232.255
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 30243  bytes 5196176 (5.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 35945  bytes 39727595 (39.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Boucle locale)
        RX packets 31541  bytes 9736671 (9.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31541  bytes 9736671 (9.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan60: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.222.15.14  netmask 255.255.255.240  broadcast 10.222.15.15
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 9891  bytes 1333078 (1.3 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11778  bytes 34696114 (34.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan514: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.26.8.14  netmask 255.255.255.240  broadcast 172.26.8.15
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 106  bytes 7768 (7.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 95  bytes 9030 (9.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan810: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.222.6.214  netmask 255.255.255.248  broadcast 10.222.6.215
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 895  bytes 82037 (82.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 119  bytes 14014 (14.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vlan812: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.175.1.254  netmask 255.255.255.0  broadcast 10.175.1.255
        ether 70:10:6f:3e:2c:c9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@amon24rsi:~# ip r
default via 193.50.248.22 dev eno1 proto static 
10.0.0.0/8 dev eno1 scope link src 10.222.6.214 
10.175.1.0/24 dev vlan812 proto kernel scope link src 10.175.1.254 
10.222.6.208/29 dev vlan810 proto kernel scope link src 10.222.6.214 
10.222.15.0/28 dev vlan60 proto kernel scope link src 10.222.15.14 
100.64.0.0/12 dev eno1 scope link src 10.222.15.14 
161.48.0.0/19 dev eno1 scope link src 10.222.15.14 
172.16.0.0/12 dev eno1 scope link src 10.222.6.214 
172.26.8.0/28 dev vlan514 proto kernel scope link src 172.26.8.14 
192.168.0.0/16 dev eno1 scope link src 10.222.6.214 
192.168.51.224/27 dev eno1 scope link src 10.222.15.14 
192.168.232.0/24 dev eno2 proto kernel scope link src 192.168.232.1 
193.50.248.16/29 dev eno1 proto kernel scope link src 193.50.248.18 
root@amon24rsi:~# dig @192.168.51.195 agriates.in.ac-paris.fr

; <<>> DiG 9.16.48-Ubuntu <<>> @192.168.51.195 agriates.in.ac-paris.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1737
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;agriates.in.ac-paris.fr.    IN    A

;; ANSWER SECTION:
agriates.in.ac-paris.fr. 10800    IN    CNAME    webets3.in.ac-paris.fr.
webets3.in.ac-paris.fr.    10800    IN    A    192.168.51.210

;; AUTHORITY SECTION:
in.ac-paris.fr.        10800    IN    NS    corum.in.ac-paris.fr.
in.ac-paris.fr.        10800    IN    NS    fuji.in.ac-paris.fr.

;; ADDITIONAL SECTION:
fuji.in.ac-paris.fr.    10800    IN    A    172.30.8.20
corum.in.ac-paris.fr.    10800    IN    A    172.30.8.11

;; Query time: 0 msec
;; SERVER: 192.168.51.195#53(192.168.51.195)
;; WHEN: Tue Apr 02 13:41:48 CEST 2024
;; MSG SIZE  rcvd: 161

Many thanks!

#11 Updated by Benjamin Bohard 18 days ago

To make the change permanent, the plan is to allow the following two behaviours:
  • choosing the interface number, as is done today
  • computing the interface automatically from the source network, as set up in the patch proposed in this scenario.

An additional variable to enable one mode or the other is dispensable. It is possible to add an extra value to the sw_force_ip_src variable to cover the automatic computation case.
The default behaviour and the migration path remain the use of the interface number, to keep the behaviour continuous. Since this is a simple addition of a choice, the migration does not raise any behaviour-change issue.

#12 Updated by Benjamin Bohard 18 days ago

  • Status changed from In progress to To validate
