Compare commits
9 Commits
e570e813d8
...
secret_bra
| Author | SHA1 | Date | |
|---|---|---|---|
|
a91dd239ef | ||
|
|
19c3bec0c7 | ||
|
|
b6da81c07c | ||
|
|
6cd82815e4 | ||
|
|
5d2a2e414f | ||
|
|
ecb833a122 | ||
|
|
612eeec3b2 | ||
|
|
2bdecf3cb1 | ||
|
|
3681888b5a |
13
DMZ.sh
13
DMZ.sh
@@ -7,10 +7,10 @@ routerIp=23.214.219.254
|
|||||||
mask25=255.255.255.128
|
mask25=255.255.255.128
|
||||||
|
|
||||||
dns=23.214.219.130
|
dns=23.214.219.130
|
||||||
mail=23.214.219.132
|
mail=23.214.219.131
|
||||||
vpn_gw=23.214.219.133
|
vpn_gw=23.214.219.132
|
||||||
www=23.214.219.134
|
www=23.214.219.133
|
||||||
smtp=23.214.219.135
|
smtp=23.214.219.134
|
||||||
|
|
||||||
dnsPort=53
|
dnsPort=53
|
||||||
mailPort=888
|
mailPort=888
|
||||||
@@ -21,16 +21,17 @@ sudo yum install iptables-services -y
|
|||||||
sudo systemctl stop firewalld
|
sudo systemctl stop firewalld
|
||||||
sudo systemctl disable firewalld
|
sudo systemctl disable firewalld
|
||||||
sudo systemctl mask firewalld
|
sudo systemctl mask firewalld
|
||||||
|
sudo systemctl enable iptables
|
||||||
|
|
||||||
sudo iptables -F
|
sudo iptables -F
|
||||||
sudo ifconfig enp0s8 $ip netmask $mask25
|
sudo ifconfig enp0s8 $ip netmask $mask25
|
||||||
sudo ip route add 192.168.10.0/24 via $routerIp
|
sudo ip route add 192.168.10.0/24 via $routerIp
|
||||||
|
sudo add default gw $routerIp
|
||||||
# alias dos ips
|
# alias dos ips
|
||||||
sudo ip addr add $dns dev enp0s8
|
sudo ip addr add $dns dev enp0s8
|
||||||
sudo ip addr add $mail dev enp0s8
|
sudo ip addr add $mail dev enp0s8
|
||||||
sudo ip addr add $vpn_gw dev enp0s8
|
sudo ip addr add $vpn_gw dev enp0s8
|
||||||
sudo ip addr add $ww dev enp0s8
|
sudo ip addr add $www dev enp0s8
|
||||||
sudo ip addr add $smtp dev enp0s8
|
sudo ip addr add $smtp dev enp0s8
|
||||||
|
|
||||||
# netcart
|
# netcart
|
||||||
|
|||||||
@@ -14,10 +14,11 @@ sudo yum install iptables-services -y
|
|||||||
sudo systemctl stop firewalld
|
sudo systemctl stop firewalld
|
||||||
sudo systemctl disable firewalld
|
sudo systemctl disable firewalld
|
||||||
sudo systemctl mask firewalld
|
sudo systemctl mask firewalld
|
||||||
|
sudo systemctl enable iptables
|
||||||
sudo iptables -F
|
sudo iptables -F
|
||||||
sudo ifconfig enp0s8 $ip netmask $mask24
|
sudo ifconfig enp0s8 $ip netmask $mask24
|
||||||
sudo ip route add 23.214.219.128/25 via $routerIp
|
sudo ip route add 23.214.219.128/25 via $routerIp
|
||||||
|
sudo route add default gw $routerIp
|
||||||
# aliasing
|
# aliasing
|
||||||
sudo ip addr add $ftp dev enp0s8
|
sudo ip addr add $ftp dev enp0s8
|
||||||
sudo ip addr add $datastore dev enp0s8
|
sudo ip addr add $datastore dev enp0s8
|
||||||
|
|||||||
15
INTERNET.sh
Normal file
15
INTERNET.sh
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
ip=87.248.214.98
|
||||||
|
dns2=87.248.214.99
|
||||||
|
eden=87.248.214.100
|
||||||
|
mask24=255.255.255.0
|
||||||
|
routerIp=87.248.214.97
|
||||||
|
sudo yum install iptables-services -y
|
||||||
|
sudo systemctl stop firewalld
|
||||||
|
sudo systemctl disable firewalld
|
||||||
|
sudo systemctl mask firewalld
|
||||||
|
sudo systemctl enable iptables
|
||||||
|
sudo iptables -F
|
||||||
|
sudo ifconfig enp0s8 $dn2 netmask $mask24
|
||||||
|
sudo route add default gw $routerIp
|
||||||
|
sudo ip addr add $dns2 dev enp0s8
|
||||||
|
sudo ip addr add $eden dev enp0s8
|
||||||
139
ROUTER.sh
139
ROUTER.sh
@@ -1,86 +1,69 @@
|
|||||||
# NETWORKS:
|
IF_DMZ="enp0s8"
|
||||||
# DMZ: 23.214.219.128/25
|
IF_INT="enp0s9"
|
||||||
# Internal: 192.168.10.0/24
|
IF_EXT="enp0s10"
|
||||||
#
|
NET_DMZ="23.214.219.128/25"
|
||||||
# MACHINES:
|
NET_INT="192.168.10.0/24"
|
||||||
# DNS2: 192.137.16.75
|
IP_EXT_FW="87.248.214.97"
|
||||||
# EDEN 193.138.212.1
|
IP_DMZ_FW="23.214.219.254"
|
||||||
dns2="192.137.16.75"
|
IP_INT_FW="192.168.10.254"
|
||||||
eden="193.138.212.1"
|
IP_DMZ_DNS="23.214.219.130"
|
||||||
|
IP_DMZ_SMTP="23.214.219.131"
|
||||||
|
IP_DMZ_WWW="23.214.219.132"
|
||||||
|
IP_DMZ_VPN_GW="23.214.219.133"
|
||||||
|
IP_DMZ_MAIL="23.214.219.134"
|
||||||
|
IP_INT_FTP="192.168.10.2"
|
||||||
|
IP_INT_DATASTORE="192.168.10.3"
|
||||||
|
IP_DNS2="193.137.16.75"
|
||||||
|
IP_EDEN="193.136.212.1"
|
||||||
|
|
||||||
# ==============================
|
sudo yum install epel-release -y
|
||||||
# Router 1
|
sudo yum install suricata -y
|
||||||
# INTERFACES:
|
sudo suricata-update
|
||||||
# - Internet: 87.248.214.97
|
|
||||||
# - DMZ: 23.214.219.254
|
|
||||||
# - Internal: 192.168.10.254
|
|
||||||
# ==============================
|
|
||||||
|
|
||||||
# ==============================
|
sudo ifconfig $IF_DMZ $IP_DMZ_FW netmask 255.255.255.128
|
||||||
# DMZ /25
|
sudo ifconfig $IF_INT $IP_INT_FW netmask 255.255.255.0
|
||||||
# IP:
|
sudo ifconfig $IF_EXT $IP_EXT_FW netmask 255.255.255.0
|
||||||
# - dns : 23.214.219.130
|
|
||||||
# - smtp : 23.214.219.131
|
|
||||||
# - www : 23.214.219.132
|
|
||||||
# - vpn-gw: 23.214.219.133
|
|
||||||
# ==============================
|
|
||||||
|
|
||||||
# ==============================
|
|
||||||
# Internal
|
|
||||||
# IP:
|
|
||||||
# ftp: 192.168.10.1
|
|
||||||
# datastore : 192.168.10.2
|
|
||||||
# DHCP Client : 192.168.10.3-5
|
|
||||||
# ==============================
|
|
||||||
|
|
||||||
sudo ifconfig enp0s8 23.214.219.254 netmask 255.255.255.128
|
|
||||||
sudo ifconfig enp0s9 192.168.10.254 netmask 255.255.255.0
|
|
||||||
sudo ifconfig enp0s3 87.248.214.97 netmask 255.255.255.0
|
|
||||||
|
|
||||||
sudo yum install iptables-services -y
|
|
||||||
sudo systemctl stop firewalld
|
|
||||||
sudo systemctl disable firewalld
|
|
||||||
sudo systemctl mask firewalld
|
|
||||||
sudo systemctl enable iptables
|
|
||||||
sudo iptables -F
|
sudo iptables -F
|
||||||
sudo iptables -t nat -F
|
sudo iptables -t nat -F
|
||||||
sudo iptables -t mangle -F
|
sudo iptables -t mangle -F
|
||||||
sudo sysctl -w net.ipv4.ip_forward=1
|
sudo sysctl -w net.ipv4.ip_forward=1
|
||||||
iptables -P INPUT DROP
|
|
||||||
iptables -P FORWARD DROP
|
sudo iptables -P INPUT DROP
|
||||||
iptables -P OUTPUT ACCEPT
|
sudo iptables -P FORWARD DROP
|
||||||
|
sudo iptables -P OUTPUT ACCEPT
|
||||||
|
|
||||||
|
sudo modprobe nf_conntrack_ftp
|
||||||
|
sudo modprobe nf_nat_ftp
|
||||||
|
|
||||||
|
sudo iptables -A FORWARD -j NFQUEUE --queue-num 0
|
||||||
sudo iptables -A INPUT -i lo -j ACCEPT
|
sudo iptables -A INPUT -i lo -j ACCEPT
|
||||||
sudo iptables -A OUTPUT -o lo -j ACCEPT
|
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
|
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
|
||||||
#DNS name resolution requests sent to outside servers and want a response:TODO:INPUT
|
sudo iptables -A INPUT -i $IF_INT -p tcp --dport 22 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s3 -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
sudo iptables -A INPUT -i $IF_DMZ -s $IP_DMZ_VPN_GW -p tcp --dport 22 -j ACCEPT
|
||||||
#SSH connections to the router system that originate from the inside and want an answer:TODO:INPUT
|
|
||||||
sudo iptables -A FORWARD -i enp0s3 -o enp0s9 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s3 -d 23.214.219.133 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
sudo iptables -A FORWARD -p udp -d $IP_DMZ_DNS --dport 53 -j ACCEPT
|
||||||
#The dns server should be able to resolve names using the internet (and others???)
|
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -s 23.214.219.130 -p udp --dport 53 -j ACCEPT
|
sudo iptables -A FORWARD -s $IP_DMZ_DNS -d $IP_DNS2 -p tcp --dport 53 -j ACCEPT
|
||||||
#The internal network should be able to send and recieve dns name resolutions to the dns server (1!)
|
sudo iptables -A FORWARD -s $IP_DNS2 -d $IP_DMZ_DNS -p tcp --dport 53 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.130 -p udp --dport 53 -j ACCEPT
|
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_SMTP --dport 25 -j ACCEPT
|
||||||
#The dns and dns2 servers should be able to synchronize the contents of DNS zones. (protocol tcp port 53)
|
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_MAIL --dport 110 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s3 -d 193.137.16.75 -p tcp --dport 53 -j ACCEPT
|
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_MAIL --dport 143 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s3 -o enp0s8 -d 23.214.219.130 -p tcp --dport 53 -j ACCEPT
|
sudo iptables -A FORWARD -p tcp -d $IP_DMZ_WWW -m multiport --dports 80,443 -j ACCEPT
|
||||||
#SMTP connections to the smtp server and returns
|
sudo iptables -A FORWARD -p udp -d $IP_DMZ_VPN_GW --dport 1194 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.131 -p tcp --dport 587 -j ACCEPT
|
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 587 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
sudo iptables -A FORWARD -i $IF_DMZ -s $IP_DMZ_VPN_GW -d $NET_INT -j ACCEPT
|
||||||
#POP and IMAP connections to the www server
|
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 80 -j ACCEPT
|
sudo iptables -t nat -A POSTROUTING -s $NET_INT -o $IF_EXT -j SNAT --to-source $IP_EXT_FW
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.132 -p tcp --dport 443 -j ACCEPT
|
sudo iptables -A FORWARD -i $IF_INT -o $IF_EXT -p udp --dport 53 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
sudo iptables -A FORWARD -i $IF_INT -o $IF_EXT -p tcp -m multiport --dports 80,443,22,21 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p tcp --dport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
#OpenVPN connections to the vpn-gw server
|
sudo iptables -t nat -A PREROUTING -i $IF_EXT -d $IP_EXT_FW -p tcp --dport 21 -j DNAT --to-destination $IP_INT_FTP
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -p udp --dport 1194 -j ACCEPT
|
sudo iptables -A FORWARD -i $IF_EXT -d $IP_INT_FTP -p tcp --dport 21 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -p udp --dport 1194 -j ACCEPT
|
|
||||||
#VPN clients connected to the gateway vpn-gw ???? vpn should be able to acess ftp e datastore
|
sudo iptables -t nat -A PREROUTING -i $IF_EXT -s $IP_EDEN -d $IP_EXT_FW -p tcp --dport 22 -j DNAT --to-destination $IP_INT_DATASTORE
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -d 192.168.10.1 -p tcp --dport ftp -j ACCEPT
|
sudo iptables -t nat -A PREROUTING -i $IF_EXT -s $IP_DNS2 -d $IP_EXT_FW -p tcp --dport 22 -j DNAT --to-destination $IP_INT_DATASTORE
|
||||||
sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -d 192.168.10.2 -j ACCEPT
|
sudo iptables -A FORWARD -i $IF_EXT -d $IP_INT_DATASTORE -p tcp --dport 22 -j ACCEPT
|
||||||
sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -d 23.214.219.133 -j ACCEPT
|
|
||||||
# Apartir daqui foi só para testar se as conecções funcionavam
|
|
||||||
sudo iptables -A FORWARD -i enp0s8 -s 23.214.219.130 -p tcp --sport 22
|
|
||||||
# Unsure these will work
|
|
||||||
sudo iptables -A FORWARD -i enp0s9 -d 23.214.219.131
|
|
||||||
|
|||||||
Reference in New Issue
Block a user