diff --git a/ROUTER.sh b/ROUTER.sh
index 74adedc..a10a985 100644
--- a/ROUTER.sh
+++ b/ROUTER.sh
@@ -1,63 +1,80 @@
-# NETWORKS:
-# DMZ: 23.214.219.128/25
-# Internal: 192.168.10.0/24
-#
-# MACHINES:
-# DNS2: 192.137.16.75
-# EDEN 193.138.212.1
-dns2="192.137.16.75"
-eden="193.138.212.1"
-
-# ==============================
-# Router 1
-# INTERFACES:
-# - Internet: 87.248.214.97
-# - DMZ: 23.214.219.254
-# - Internal: 192.168.10.254
-# ==============================
-
-# ==============================
-# DMZ /25
-# IP:
-# - dns : 23.214.219.129
-# - dns2 : 23.214.219.130
-# - smtp : 23.214.219.131
-# - www : 23.214.219.132
-# - vpn-gw: 23.214.219.133
-# ==============================
-
-# ==============================
-# Internal
-# IP:
-# ftp: 192.168.10.1
-# datastore : 192.168.10.2
-# DHCP Client : 192.168.10.3-5
-# ==============================
-
-sudo ifconfig enp0s8 23.214.219.254 netmask 255.255.255.128
-sudo ifconfig enp0s9 192.168.10.254 netmask 255.255.255.128
-sudo ifconfig enp0s3 87.248.214.97 netmask 255.255.255.0
-
-
-sudo iptables -F
-sudo iptables -t nat -F
-sudo iptables -t mangle -F
-sudo sysctl -w net.ipv4.ip_forward=1
-iptables -P INPUT DROP
-iptables -P FORWARD DROP
-iptables -P OUTPUT ACCEPT
-sudo iptables -A INPUT -i lo -j ACCEPT
-sudo iptables -A OUTPUT -o lo -j ACCEPT
-sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
-#DNS name resolution requests sent to outside servers and want a response:
-sudo iptables -A FORWARD -i enp0s3 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
-#SSH connections to the router system that originate from the inside and want an answer:É preciso outra regra uma para a port enp0s9 e o ip do vpn
-sudo iptables -A FORWARD -i enp0s9 -o enp0s3 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
-sudo iptables -A FORWARD -o enp0s3 -d 23.214.219.133 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
-#The dns server should be able to resolve names using the internet (and others???)
-sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -s 23.214.219.129 -p udp --dport 53 -j ACCEPT
-sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
-# Apartir daqui foi só para testar se as conecções funcionavam
-sudo iptables -A FORWARD -i enp0s8 -s 23.214.219.129 -p tcp --sport 22
-# Unsure these will work
-sudo iptables -A FORWARD -i enp0s9 -s 23.214.219.131
+# NETWORKS:
+# DMZ: 23.214.219.128/25
+# Internal: 192.168.10.0/24
+#
+# MACHINES:
+# DNS2: 192.137.16.75
+# EDEN 193.138.212.1
+dns2="192.137.16.75"
+eden="193.138.212.1"
+
+# ==============================
+# Router 1
+# INTERFACES:
+# - Internet: 87.248.214.97
+# - DMZ: 23.214.219.254
+# - Internal: 192.168.10.254
+# ==============================
+
+# ==============================
+# DMZ /25
+# IP:
+# - dns : 23.214.219.129
+# - dns2 : 23.214.219.130
+# - smtp : 23.214.219.131
+# - www : 23.214.219.132
+# - vpn-gw: 23.214.219.133
+# ==============================
+
+# ==============================
+# Internal
+# IP:
+# ftp: 192.168.10.1
+# datastore : 192.168.10.2
+# DHCP Client : 192.168.10.3-5
+# ==============================
+
+sudo ifconfig enp0s8 23.214.219.254 netmask 255.255.255.128
+sudo ifconfig enp0s9 192.168.10.254 netmask 255.255.255.0
+sudo ifconfig enp0s3 87.248.214.97 netmask 255.255.255.0
+
+
+sudo iptables -F
+sudo iptables -t nat -F
+sudo iptables -t mangle -F
+sudo sysctl -w net.ipv4.ip_forward=1
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+sudo iptables -A INPUT -i lo -j ACCEPT
+sudo iptables -A OUTPUT -o lo -j ACCEPT
+sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
+#DNS name resolution requests sent to outside servers and want a response:TODO:INPUT
+sudo iptables -A FORWARD -i enp0s3 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+#SSH connections to the router system that originate from the inside and want an answer:TODO:INPUT
+sudo iptables -A FORWARD -i enp0s3 -o enp0s9 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
+sudo iptables -A FORWARD -i enp0s3 -d 23.214.219.133 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
+#The dns server should be able to resolve names using the internet (and others???)
+sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -s 23.214.219.129 -p udp --dport 53 -j ACCEPT
+#The internal network should be able to send and recieve dns name resolutions to the dns server (1!)
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.129 -p udp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -i enp0s9 -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+#The dns and dns2 servers should be able to synchronize the contents of DNS zones. (protocol tcp port 53)
+sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -d 193.137.16.75 -p tcp --dport 53 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s3 -o enp0s8 -d 23.214.219.129 -p tcp --dport 53 -j ACCEPT
+#SMTP connections to the smtp server and returns
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 587 -m state --state ESTABLISHED,RELATED -j ACCEPT
+#POP and IMAP connections to the www server
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
+#OpenVPN connections to the vpn-gw server
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p udp --dport 1194 -j ACCEPT
+#VPN clients connected to the gateway vpn-gw ???? vpn should be able to acess ftp e datastore
+# Apartir daqui foi só para testar se as conecções funcionavam
+sudo iptables -A FORWARD -i enp0s8 -s 23.214.219.129 -p tcp --sport 22
+# Unsure these will work
+sudo iptables -A FORWARD -i enp0s9 -d 23.214.219.131
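Review bot: The internal-DNS reply rule `sudo iptables -A FORWARD -i enp0s8 -i enp0s9 -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT` passes `-i` twice, which iptables rejects as a duplicate-flag error, so the rule is never installed and replies from dns to the internal network fall through to the FORWARD DROP policy; the second flag should be `-o enp0s9`. The same rule, and the ESTABLISHED,RELATED return rules for ports 22, 587, 80 and 443 on the enp0s3→enp0s9 and enp0s8→enp0s9 side, match `--dport` on the reply direction, but a reply carries the service port as its source, so these appear to match nothing and should read e.g. `-p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT` (or drop the port match and rely on state alone). The zone-transfer rule uses `-d 193.137.16.75` while the header comment and the otherwise-unused `dns2` variable say `192.137.16.75`; one of them is a typo, and writing `-d "$dns2"` would keep the rule and the declaration from drifting apart. Because the script sets no `set -e` and each `sudo iptables` line is independent, a rejected rule only prints to stderr and the remaining rules still load, so I'd expect a silently partial ruleset rather than a visible failure; a `|| exit 1` on each rule, or running the whole file through `iptables-restore`, would make the error stop the load.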