[re2o-firewall] Deploy firewall_config.py

2020-01-19 10:54:57 +01:00 · 2020-01-19 10:54:57 +01:00 · 5ae5e275fe
parent a5614ab30c
commit 5ae5e275fe
11 changed files with 229 additions and 0 deletions
--- a/re2o.yml
+++ b/re2o.yml
@ -51,3 +51,28 @@
 - hosts: gulp.adm.crans.org,odlyd.adm.crans.org,ipv6-zayo.adm.crans.org,zamok.adm.crans.org,routeur.adm.crans.org
  roles:
    - re2o-firewall
 # Re2o firewall specific configuration for gulp
 - hosts: gulp.adm.crans.org
  roles:
    - re2o-firewall-gulp
 # Re2o firewall specific configuration for odlyd
 - hosts: odlyd.adm.crans.org
  roles:
    - re2o-firewall-odlyd
 # Re2o firewall specific configuration for ipv6-zayo
 - hosts: ipv6-zayo.adm.crans.org
  roles:
    - re2o-firewall-ipv6-zayo
 # Re2o firewall specific configuration for zamok
 - hosts: zamok.adm.crans.org
  roles:
    - re2o-firewall-zamok
 # Re2o firewall specific configuration for routeur
 - hosts: routeur.adm.crans.org
  roles:
    - re2o-firewall-routeur
--- a/roles/re2o-firewall-gulp/tasks/main.yml
+++ b/roles/re2o-firewall-gulp/tasks/main.yml
@ -0,0 +1,8 @@
 ---
 - name: Deploy firewall configuration for gulp
  template:
    src: re2o-services/firewall/firewall_config.py.j2
    dest: /var/local/re2o-services/firewall/firewall_config.py
    mode: 644
    owner: root
    group: root
--- a/roles/re2o-firewall-gulp/templates/re2o-services/firewall/firewall_config.py.j2
+++ b/roles/re2o-firewall-gulp/templates/re2o-services/firewall/firewall_config.py.j2
@ -0,0 +1,41 @@
 # -*- mode: python; coding: utf-8 -*-
 # {{ ansible_managed }}
 ### Give me a role
 role = ['routeur4']
 ### Specify each interface role
 interfaces_type = {
    'routable' : ['eno1.1', 'ens1f0.21', 'ens1f0.22', 'ens1f0.23', 'ens1f0.24'],
    'sortie' : ['ens1f0.26', 'ens1f0.1132'],
    'admin' : ['eno1.2', 'eno1.3'],
    '6in4' : [('ens1f0.23', 'ens1f0.26')]
 }
 ### Specify nat settings: name, interfaces with range, and global range for nat
 ### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
 ### contain /16 range
 nat = [
    {
        'name' : 'Wifi',
        'interfaces_ip_to_nat' : {
            'ens1f0.26' : '185.230.76.0/24',
            'eno1.1' : '138.231.144.0/24',
            'ens1f0.1132' : '138.231.144.0/24',
        },
        'ip_sources' : '10.53.0.0/16'
    },
    {
        'name' : 'Filaire',
        'interfaces_ip_to_nat' : {
            'ens1f0.26' : '185.230.77.0/24',
            'eno1.1' : '138.231.145.0/24',
            'ens1f0.1132' : '138.231.145.0/24',
        },
        'ip_sources' : '10.54.0.0/16'
    }
 ]
--- a/roles/re2o-firewall-ipv6-zayo/tasks/main.yml
+++ b/roles/re2o-firewall-ipv6-zayo/tasks/main.yml
@ -0,0 +1,8 @@
 ---
 - name: Deploy firewall configuration for ipv6-zayo
  template:
    src: re2o-services/firewall/firewall_config.py.j2
    dest: /var/local/re2o-services/firewall/firewall_config.py
    mode: 644
    owner: root
    group: root
--- a/roles/re2o-firewall-ipv6-zayo/templates/re2o-services/firewall/firewall_config.py.j2
+++ b/roles/re2o-firewall-ipv6-zayo/templates/re2o-services/firewall/firewall_config.py.j2
@ -0,0 +1,15 @@
 # -*- mode: python; coding: utf-8 -*-
 # {{ ansible_managed }}
 ### Give me a role
 role = ['routeur6']
 ### Specify each interface role
 interfaces_type = {
    'routable' : ['ens18', 'ens20', 'ens21', 'ens1', 'ens2'],
    'sortie' : ['ens22'],
    'admin' : ['ens19', 'ens23']
 }
--- a/roles/re2o-firewall-odlyd/tasks/main.yml
+++ b/roles/re2o-firewall-odlyd/tasks/main.yml
@ -0,0 +1,8 @@
 ---
 - name: Deploy firewall configuration for odlyd
  template:
    src: re2o-services/firewall/firewall_config.py.j2
    dest: /var/local/re2o-services/firewall/firewall_config.py
    mode: 644
    owner: root
    group: root
--- a/roles/re2o-firewall-odlyd/templates/re2o-services/firewall/firewall_config.py.j2
+++ b/roles/re2o-firewall-odlyd/templates/re2o-services/firewall/firewall_config.py.j2
@ -0,0 +1,41 @@
 # -*- mode: python; coding: utf-8 -*-
 # {{ ansible_managed }}
 ### Give me a role
 role = ['routeur4']
 ### Specify each interface role
 interfaces_type = {
    'routable' : ['eth0.1', 'ens1f0.21', 'ens1f0.22', 'ens1f0.23', 'ens1f0.24'],
    'sortie' : ['ens1f0.26', 'ens1f0.1132'],
    'admin' : ['eth0.2', 'eth0.3', 'eth0.9', 'eth0.7', 'eth0.4'],
    '6in4' : [('ens1f0.23', 'ens1f0.26')]
 }
 ### Specify nat settings: name, interfaces with range, and global range for nat
 ### WARNING : "interface_ip_to_nat' MUST contain /24 ranges, and ip_sources MUST
 ### contain /16 range
 nat = [
    {
        'name' : 'Wifi',
        'interfaces_ip_to_nat' : {
            'ens1f0.26' : '185.230.76.0/24',
            'eth0.1' : '138.231.144.0/24',
            'ens1f0.1132' : '138.231.144.0/24',
        },
        'ip_sources' : '10.53.0.0/16'
    },
    {
        'name' : 'Filaire',
        'interfaces_ip_to_nat' : {
            'ens1f0.26' : '185.230.77.0/24',
            'eth0.1' : '138.231.145.0/24',
            'ens1f0.1132' : '138.231.145.0/24',
        },
        'ip_sources' : '10.54.0.0/16'
    }
 ]
--- a/roles/re2o-firewall-routeur/tasks/main.yml
+++ b/roles/re2o-firewall-routeur/tasks/main.yml
@ -0,0 +1,8 @@
 ---
 - name: Deploy firewall configuration for routeur
  template:
    src: re2o-services/firewall/firewall_config.py.j2
    dest: /var/local/re2o-services/firewall/firewall_config.py
    mode: 644
    owner: root
    group: root
--- a/roles/re2o-firewall-routeur/templates/re2o-services/firewall/firewall_config.py.j2
+++ b/roles/re2o-firewall-routeur/templates/re2o-services/firewall/firewall_config.py.j2
@ -0,0 +1,52 @@
 # -*- mode: python; coding: utf-8 -*-
 # {{ ansible_managed }}
 ### Give me a role
 role = ['portail']
 ### Specify each interface role
 interfaces_type = {
    'routable' : ['ens20', 'ens21'],
    'sortie' : ['ens18'],
    'admin' : ['ens19']
 }
 portail = {
    'autorized_hosts' : {
        'tcp' : {
            '138.231.136.12' : ['22'],
            '138.231.136.98' : ['20', '21', '80', '111', '1024:65535'],
            '138.231.136.145' : ['80', '443'],
            '213.154.225.236' : ['80', '443'],
            '213.154.225.237' : ['80', '443'],
            '172.217.18.197' : ['80', '443'], #gmail addresses
            '108.177.15.83' : ['80', '443'],
            '108.177.15.18' : ['80', '443'],
            '108.177.15.17' : ['80', '443'],
            '108.177.15.19' : ['80', '443'],
            '172.217.18.205' : ['80', '443'], #accounts google
            '172.217.18.195' : ['80', '443'],
            '46.255.53.35' : ['80', '443'],
            '46.255.53.17' : ['80', '443'],
            '0.0.0.0/0' : ['143', '220', '993']
        },
        'udp' : {
            '138.231.136.98' : ['69', '1024:65535']
        }
    },
    'ip_redirect' : {
        '10.51.0.0/16' : {
            'tcp' : {
                '138.231.136.145' : ['80', '443']
            }
        },
        '10.52.0.0/16' : {
            'tcp' : {
                '138.231.136.145' : ['80', '443']
            }
        }
    }
 }
--- a/roles/re2o-firewall-zamok/tasks/main.yml
+++ b/roles/re2o-firewall-zamok/tasks/main.yml
@ -0,0 +1,8 @@
 ---
 - name: Deploy firewall configuration for zamok
  template:
    src: re2o-services/firewall/firewall_config.py.j2
    dest: /var/local/re2o-services/firewall/firewall_config.py
    mode: 644
    owner: root
    group: root
--- a/roles/re2o-firewall-zamok/templates/re2o-services/firewall/firewall_config.py.j2
+++ b/roles/re2o-firewall-zamok/templates/re2o-services/firewall/firewall_config.py.j2
@ -0,0 +1,15 @@
 # -*- mode: python; coding: utf-8 -*-
 # {{ ansible_managed }}
 ### Give me a role
 role = ['users']
 ### Specify each interface role
 interfaces_type = {
    'routable' : ['eth0.1'],
    'admin' : ['eth0.2'],
    'sortie' : [],
 }