[re2o-firewall] Deploy firewall_config.py

2020-01-19 10:54:57 +01:00 · 2020-01-19 10:54:57 +01:00 · 5ae5e275fe
parent a5614ab30c
commit 5ae5e275fe
11 changed files with 229 additions and 0 deletions
--- a/re2o.yml
+++ b/re2o.yml
@ -51,3 +51,28 @@
 - hosts: gulp.adm.crans.org,odlyd.adm.crans.org,ipv6-zayo.adm.crans.org,zamok.adm.crans.org,routeur.adm.crans.org
  roles:
    - re2o-firewall
+
+# Re2o firewall specific configuration for gulp
+- hosts: gulp.adm.crans.org
+  roles:
+    - re2o-firewall-gulp
+
+# Re2o firewall specific configuration for odlyd
+- hosts: odlyd.adm.crans.org
+  roles:
+    - re2o-firewall-odlyd
+
+# Re2o firewall specific configuration for ipv6-zayo
+- hosts: ipv6-zayo.adm.crans.org
+  roles:
+    - re2o-firewall-ipv6-zayo
+
+# Re2o firewall specific configuration for zamok
+- hosts: zamok.adm.crans.org
+  roles:
+    - re2o-firewall-zamok
+
+# Re2o firewall specific configuration for routeur
+- hosts: routeur.adm.crans.org
+  roles:
+    - re2o-firewall-routeur
--- a/roles/re2o-firewall-gulp/tasks/main.yml
+++ b/roles/re2o-firewall-gulp/tasks/main.yml
@ -0,0 +1,8 @@
+---
+- name: Deploy firewall configuration for gulp
+  template:
+    src: re2o-services/firewall/firewall_config.py.j2
+    dest: /var/local/re2o-services/firewall/firewall_config.py
+    mode: 644
+    owner: root
+    group: root
--- a/roles/re2o-firewall-gulp/templates/re2o-services/firewall/firewall_config.py.j2
+++ b/roles/re2o-firewall-gulp/templates/re2o-services/firewall/firewall_config.py.j2
@ -0,0 +1,41 @@
+# -*- mode: python; coding: utf-8 -*-
+# {{ ansible_managed }}
+
+### Give me a role
+
+role = ['routeur4']
+
+
+### Specify each interface role
+
+interfaces_type = {
+    'routable' : ['eno1.1', 'ens1f0.21', 'ens1f0.22', 'ens1f0.23', 'ens1f0.24'],
+    'sortie' : ['ens1f0.26', 'ens1f0.1132'],
+    'admin' : ['eno1.2', 'eno1.3'],
+    '6in4' : [('ens1f0.23', 'ens1f0.26')]
+}
+
+### Specify nat settings: name, interfaces with range, and global range for nat
+### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
+### contain /16 range
+
+nat = [
+    {
+        'name' : 'Wifi',
+        'interfaces_ip_to_nat' : {
+            'ens1f0.26' : '185.230.76.0/24',
+            'eno1.1' : '138.231.144.0/24',
+            'ens1f0.1132' : '138.231.144.0/24',
+        },
+        'ip_sources' : '10.53.0.0/16'
+    },
+    {
+        'name' : 'Filaire',
+        'interfaces_ip_to_nat' : {
+            'ens1f0.26' : '185.230.77.0/24',
+            'eno1.1' : '138.231.145.0/24',
+            'ens1f0.1132' : '138.231.145.0/24',
+        },
+        'ip_sources' : '10.54.0.0/16'
+    }
+]
--- a/roles/re2o-firewall-ipv6-zayo/tasks/main.yml
+++ b/roles/re2o-firewall-ipv6-zayo/tasks/main.yml
@ -0,0 +1,8 @@
+---
+- name: Deploy firewall configuration for ipv6-zayo
+  template:
+    src: re2o-services/firewall/firewall_config.py.j2
+    dest: /var/local/re2o-services/firewall/firewall_config.py
+    mode: 644
+    owner: root
+    group: root
--- a/roles/re2o-firewall-ipv6-zayo/templates/re2o-services/firewall/firewall_config.py.j2
+++ b/roles/re2o-firewall-ipv6-zayo/templates/re2o-services/firewall/firewall_config.py.j2
@ -0,0 +1,15 @@
+# -*- mode: python; coding: utf-8 -*-
+# {{ ansible_managed }}
+
+### Give me a role
+
+role = ['routeur6']
+
+
+### Specify each interface role
+
+interfaces_type = {
+    'routable' : ['ens18', 'ens20', 'ens21', 'ens1', 'ens2'],
+    'sortie' : ['ens22'],
+    'admin' : ['ens19', 'ens23']
+}
--- a/roles/re2o-firewall-odlyd/tasks/main.yml
+++ b/roles/re2o-firewall-odlyd/tasks/main.yml
@ -0,0 +1,8 @@
+---
+- name: Deploy firewall configuration for odlyd
+  template:
+    src: re2o-services/firewall/firewall_config.py.j2
+    dest: /var/local/re2o-services/firewall/firewall_config.py
+    mode: 644
+    owner: root
+    group: root
--- a/roles/re2o-firewall-odlyd/templates/re2o-services/firewall/firewall_config.py.j2
+++ b/roles/re2o-firewall-odlyd/templates/re2o-services/firewall/firewall_config.py.j2
@ -0,0 +1,41 @@
+# -*- mode: python; coding: utf-8 -*-
+# {{ ansible_managed }}
+
+### Give me a role
+
+role = ['routeur4']
+
+
+### Specify each interface role
+
+interfaces_type = {
+    'routable' : ['eth0.1', 'ens1f0.21', 'ens1f0.22', 'ens1f0.23', 'ens1f0.24'],
+    'sortie' : ['ens1f0.26', 'ens1f0.1132'],
+    'admin' : ['eth0.2', 'eth0.3', 'eth0.9', 'eth0.7', 'eth0.4'],
+    '6in4' : [('ens1f0.23', 'ens1f0.26')]
+}
+
+### Specify nat settings: name, interfaces with range, and global range for nat
+### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
+### contain /16 range
+
+nat = [
+    {
+        'name' : 'Wifi',
+        'interfaces_ip_to_nat' : {
+            'ens1f0.26' : '185.230.76.0/24',
+            'eth0.1' : '138.231.144.0/24',
+            'ens1f0.1132' : '138.231.144.0/24',
+        },
+        'ip_sources' : '10.53.0.0/16'
+    },
+    {
+        'name' : 'Filaire',
+        'interfaces_ip_to_nat' : {
+            'ens1f0.26' : '185.230.77.0/24',
+            'eth0.1' : '138.231.145.0/24',
+            'ens1f0.1132' : '138.231.145.0/24',
+        },
+        'ip_sources' : '10.54.0.0/16'
+    }
+]
--- a/roles/re2o-firewall-routeur/tasks/main.yml
+++ b/roles/re2o-firewall-routeur/tasks/main.yml
@ -0,0 +1,8 @@
+---
+- name: Deploy firewall configuration for routeur
+  template:
+    src: re2o-services/firewall/firewall_config.py.j2
+    dest: /var/local/re2o-services/firewall/firewall_config.py
+    mode: 644
+    owner: root
+    group: root
--- a/roles/re2o-firewall-routeur/templates/re2o-services/firewall/firewall_config.py.j2
+++ b/roles/re2o-firewall-routeur/templates/re2o-services/firewall/firewall_config.py.j2
@ -0,0 +1,52 @@
+# -*- mode: python; coding: utf-8 -*-
+# {{ ansible_managed }}
+
+### Give me a role
+
+role = ['portail']
+
+
+### Specify each interface role
+
+interfaces_type = {
+    'routable' : ['ens20', 'ens21'],
+    'sortie' : ['ens18'],
+    'admin' : ['ens19']
+}
+
+portail = {
+    'autorized_hosts' : {
+        'tcp' : {
+            '138.231.136.12' : ['22'],
+            '138.231.136.98' : ['20', '21', '80', '111', '1024:65535'],
+            '138.231.136.145' : ['80', '443'],
+            '213.154.225.236' : ['80', '443'],
+            '213.154.225.237' : ['80', '443'],
+            '172.217.18.197' : ['80', '443'], #gmail addresses
+            '108.177.15.83' : ['80', '443'],
+            '108.177.15.18' : ['80', '443'],
+            '108.177.15.17' : ['80', '443'],
+            '108.177.15.19' : ['80', '443'],
+            '172.217.18.205' : ['80', '443'], #accounts google
+            '172.217.18.195' : ['80', '443'],
+            '46.255.53.35' : ['80', '443'],
+            '46.255.53.17' : ['80', '443'],
+            '0.0.0.0/0' : ['143', '220', '993']
+        },
+        'udp' : {
+            '138.231.136.98' : ['69', '1024:65535']
+        }
+    },
+    'ip_redirect' : {
+        '10.51.0.0/16' : {
+            'tcp' : {
+                '138.231.136.145' : ['80', '443']
+            }
+        },
+        '10.52.0.0/16' : {
+            'tcp' : {
+                '138.231.136.145' : ['80', '443']
+            }
+        }
+    }
+}
--- a/roles/re2o-firewall-zamok/tasks/main.yml
+++ b/roles/re2o-firewall-zamok/tasks/main.yml
@ -0,0 +1,8 @@
+---
+- name: Deploy firewall configuration for zamok
+  template:
+    src: re2o-services/firewall/firewall_config.py.j2
+    dest: /var/local/re2o-services/firewall/firewall_config.py
+    mode: 644
+    owner: root
+    group: root
--- a/roles/re2o-firewall-zamok/templates/re2o-services/firewall/firewall_config.py.j2
+++ b/roles/re2o-firewall-zamok/templates/re2o-services/firewall/firewall_config.py.j2
@ -0,0 +1,15 @@
+# -*- mode: python; coding: utf-8 -*-
+# {{ ansible_managed }}
+
+### Give me a role
+
+role = ['users']
+
+
+### Specify each interface role
+
+interfaces_type = {
+    'routable' : ['eth0.1'],
+    'admin' : ['eth0.2'],
+    'sortie' : [],
+}