admin:procedures:installation_serveur_physique
Differences
Below are the differences between two revisions of the page.
admin:procedures:installation_serveur_physique [2017/08/09 15:07] – fpoulain | admin:procedures:installation_serveur_physique [2022/04/15 20:40] – s/drdb/drbd/ pilou | ||
---|---|---|---|
Ligne 49: | Ligne 49: | ||
client_icinga_ports=" | client_icinga_ports=" | ||
</ | </ | ||
- | <code bash / | + | <code bash / |
#FHVER: 1:213 | #FHVER: 1:213 | ||
# La premiere ligne ci dessus est nécessaire !! | # La premiere ligne ci dessus est nécessaire !! | ||
Ligne 55: | Ligne 55: | ||
client_drbd_ports=" | client_drbd_ports=" | ||
</ | </ | ||
- | ===== Sur coon ===== | ||
- | On reste permissif : même si les routes ne sont pas censées être celles là, on n' | + | ===== Script |
- | On a aussi les règles commentées pour le routage dans l' | + | On a un script de firewalling destiné à être identique entre maine et coon. La différence se situant au niveau de la configuration. |
- | <code bash / | + | Dans le principe on reste permissif : même si les routes ne sont pas censées être celles là, on n' |
- | ## Only relevant when fip links to coon | + | |
- | ## NAT | + | Il faut par ailleurs gérer le dnat sur l'IP de FIP. On le fait en premier car c'est une contrainte de la conf de firehol. Ensuite il faut penser dans les routeurs comme si la destination était changée. Le bon goût de cette conséquence est que la gestion ipv6 est assez bien intégrée. Enfin on contrôle l'IP de sortie du cluster avec une règle de SNAT. |
- | ## NB: en plus du NAT il faut ouvrir les filtres. | + | |
- | ## cf les router4 fip2bastion, | + | <code bash / |
- | #ipv4 dnat to 192.168.1.93 inface enp0s31f6 dst 88.99.233.240 proto tcp dport 22 | + | ################################################################################ |
- | #ipv4 dnat to 192.168.1.57 inface enp0s31f6 dst 88.99.233.240 proto tcp dport 25 | + | # Configuration |
- | #ipv4 dnat to 192.168.1.53 inface enp0s31f6 dst 88.99.233.240 | + | ################################################################################ |
- | #ipv4 dnat to 192.168.1.53 | + | |
- | #ipv4 dnat to 192.168.1.93 | + | myPrivateIp=" |
- | #ipv4 dnat to 192.168.1.93 inface enp0s31f6 dst 88.99.233.240 proto tcp dport 443 | + | myPublicIp4=" |
- | #ipv4 dnat to 192.168.1.70 | + | myPublicIp6=" |
- | ## Contrôle de l'IP de sortie | + | |
- | #ipv4 snat to 88.99.233.240 | + | clusterPrivateNetwork=" |
- | ## /only | + | clusterV6Network=" |
+ | |||
+ | # Si vous décommentez la ligne qui suit, le firewall considérera que fip | ||
+ | # pointe sur cette machine avec l' | ||
+ | |||
+ | # fip="88.99.233.240" | ||
+ | |||
+ | declare -A dispatching=( | ||
+ | | ||
+ | [" | ||
+ | [" | ||
+ | [" | ||
+ | | ||
+ | | ||
+ | ) | ||
+ | |||
+ | ################################################################################ | ||
+ | # / | ||
+ | ################################################################################ | ||
+ | |||
+ | ################################################################################ | ||
+ | # NAT pour ipv4 | ||
+ | ################################################################################ | ||
+ | if test -n " | ||
+ | then | ||
+ | for service in " | ||
+ | do | ||
+ | eval " | ||
+ | dport=" | ||
+ | protos=" | ||
+ | ipv4=" | ||
+ | for proto in $protos | ||
+ | do | ||
+ | | ||
+ | done | ||
+ | | ||
+ | |||
+ | | ||
+ | ipv4 snat to $fip outface enp0s31f6 | ||
+ | fi | ||
+ | ################################################################################ | ||
# IPv6 | # IPv6 | ||
+ | ################################################################################ | ||
ipv6 interface any v6interop proto icmpv6 | ipv6 interface any v6interop proto icmpv6 | ||
client ipv6neigh accept | client ipv6neigh accept | ||
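Review bot: the SNAT rule `ipv4 snat to $fip outface enp0s31f6` inside the `if test -n ...` block carries no `src` restriction, so it rewrites the source of every IPv4 packet leaving enp0s31f6, including the host's own traffic, which then leaves with the floating IP instead of `$myPublicIp4`; if only the cluster's forwarded traffic should leave via fip, add `src "$clusterPrivateNetwork"` (the variable already exists in the configuration block) and say so in the comment. The `eval` of the `dispatching` entries is acceptable only because the array is a literal in the same file; a one-line comment stating that these values never come from outside the script would spare the next editor the question.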
Ligne 83: | Ligne 123: | ||
policy return | policy return | ||
+ | ################################################################################ | ||
# DHCP | # DHCP | ||
+ | ################################################################################ | ||
interface4 virbr0 dhcp | interface4 virbr0 dhcp | ||
policy return | policy return | ||
server dhcp accept | server dhcp accept | ||
- | ## Only relevant when fip links to coon | + | ################################################################################ |
+ | # FIP -> ME | ||
+ | # The purpose of this interface is to control the traffic | ||
+ | # on the enp0s31f6 interface destinated to fip IP. | ||
+ | ################################################################################ | ||
+ | if test -n " | ||
+ | then | ||
+ | interface enp0s31f6 fip_trafic dst4 $fip dst6 $myPublicIp6 | ||
- | ## FIP -> ME | + | |
- | ## The purpose of this interface is to control the traffic | + | policy drop |
- | ## on the enp0s31f6 interface with IP 88.99.233.240. | + | |
- | #interface enp0s31f6 fip_trafic dst4 88.99.233.240 dst6 2a01: | + | |
- | # | + | |
- | # | + | |
- | # | + | |
- | # | + | |
- | # # Protection anti flood | + | |
- | # protection strong | + | |
- | # | + | |
- | # # Services acceptés | + | |
- | # server ICMP accept | + | |
- | # server ICMPV6 | + | |
- | # | + | |
- | # # The following means that this machine can REQUEST anything via enp0s31f6. | + | |
- | # client all accept | + | |
- | ## /only | + | |
+ | protection strong | ||
+ | # Services acceptés | ||
+ | server ICMP accept | ||
+ | server ICMPV6 | ||
+ | |||
+ | # The following means that this machine can REQUEST anything via enp0s31f6. | ||
+ | client all accept | ||
+ | fi | ||
+ | |||
+ | ################################################################################ | ||
# EXT->ME | # EXT->ME | ||
# The purpose of this interface is to control the traffic | # The purpose of this interface is to control the traffic | ||
- | # on the enp0s31f6 interface | + | # on the enp0s31f6 interface |
- | interface enp0s31f6 external_trafic dst4 94.130.8.3 | + | ################################################################################ |
+ | interface enp0s31f6 external_trafic dst4 $myPublicIp4 | ||
# The default policy is DROP. | # The default policy is DROP. | ||
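Review bot: `interface enp0s31f6 fip_trafic dst4 $fip dst6 $myPublicIp6` reuses the host's own public IPv6 address as the v6 match of the floating-IP interface, while the configuration block defines no IPv6 counterpart for `fip`; either the floating IP has no v6 address, in which case `dst6` should be dropped from this interface so that v6 traffic to `$myPublicIp6` is handled only by `external_trafic`, or it has one, in which case a dedicated variable next to `fip` belongs here. Whichever it is, state it in the header comment, because as written the `fip_trafic` block (policy drop, ICMP only) and `external_trafic` both claim traffic for the same v6 address.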
Ligne 129: | Ligne 174: | ||
client all accept | client all accept | ||
+ | ################################################################################ | ||
# LAN->ME | # LAN->ME | ||
# The purpose of this interface is to control the traffic | # The purpose of this interface is to control the traffic | ||
- | # on the {enp1s0, | + | # on the {enp1s0, |
- | interface " | + | ################################################################################ |
+ | interface " | ||
# On est entre amis | # On est entre amis | ||
Ligne 151: | Ligne 198: | ||
client all accept | client all accept | ||
+ | ################################################################################ | ||
# Clients on enp0s31f6 (Internet) accessing servers on {enp1s0, | # Clients on enp0s31f6 (Internet) accessing servers on {enp1s0, | ||
+ | ################################################################################ | ||
router ext2me inface enp0s31f6 outface " | router ext2me inface enp0s31f6 outface " | ||
protection strong | protection strong | ||
- | ## Only relevant when fip links to coon | + | ########################## |
- | + | ||
- | ## Clients on enp0s31f6 (Internet) accessing servers on bastion. | + | |
- | #router fip2bastion inface enp0s31f6 outface " | + | |
- | # | + | |
- | # | + | |
- | # | + | |
- | # | + | |
- | + | ||
- | ## Clients on enp0s31f6 (Internet) accessing servers on mail. | + | |
- | #router fip2mail inface enp0s31f6 outface " | + | |
- | # | + | |
- | # | + | |
- | + | ||
- | ## Clients on enp0s31f6 (Internet) accessing servers on dns. | + | |
- | #router fip2dns inface enp0s31f6 outface " | + | |
- | # | + | |
- | # | + | |
- | + | ||
- | ## Clients on enp0s31f6 (Internet) accessing servers on admin. | + | |
- | #router fip2admin inface enp0s31f6 outface " | + | |
- | # | + | |
- | # | + | |
- | + | ||
- | ## /only | + | |
# Clients on {enp1s0, | # Clients on {enp1s0, | ||
+ | ################################################################################ | ||
router me2ext inface " | router me2ext inface " | ||
masquerade | masquerade | ||
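Review bot: the separator `##########################` left above the ext2me router is shorter than the 80-character `#` separators used for every other section header in this revision; make it the same width, or remove it, since the section already has a full-width header.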
Ligne 187: | Ligne 212: | ||
route all accept | route all accept | ||
+ | ################################################################################ | ||
# Clients on {enp1s0, | # Clients on {enp1s0, | ||
+ | ################################################################################ | ||
router me2me inface " | router me2me inface " | ||
# If you remove it, no REQUEST will pass matching this traffic. | # If you remove it, no REQUEST will pass matching this traffic. | ||
route all accept | route all accept | ||
+ | |||
+ | ################################################################################ | ||
+ | # Clients on enp0s31f6 (Internet) accessing cluster' | ||
+ | ################################################################################ | ||
+ | if test -n " | ||
+ | then | ||
+ | for service in " | ||
+ | do | ||
+ | eval " | ||
+ | dport=" | ||
+ | protos=" | ||
+ | ipv4=" | ||
+ | ipv6=" | ||
+ | for proto in $protos | ||
+ | do | ||
+ | router " | ||
+ | protection strong | ||
+ | server $service accept | ||
+ | done | ||
+ | done | ||
+ | fi | ||
</ | </ | ||
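Review bot: the `router "...` declaration at the end of the dispatching loop sits inside `for proto in $protos`, so a service listed with two protocols gets one router per protocol (the replaced configuration had dns on both `proto tcp dport 53` and `proto udp dport 53`); unless the router name, truncated here, includes `$proto`, firehol sees the same router declared twice. `server $service accept` already covers every protocol the firehol service defines, so the per-protocol loop adds nothing to the router; move `router ... / protection strong / server $service accept` out of the inner loop and keep `for proto in $protos` only for the `dnat` rules, which do need a `proto`.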
- | ===== Sur maine ===== | + | ===== Configuration sur coon ===== |
- | + | ||
- | Sur maine on met le même firewall que sur coon, //mutatis mutandis// | + | |
- | + | ||
- | Il faut par ailleurs ajouter le dnat sur l'ip de FIP. On le fait en premier car c'est une contrainte de la conf de firehol. Ensuite il faut penser dans les routeurs comme si la dst était changée, ce qui implique de faire des routeurs fip2bastion, | + | |
<code bash / | <code bash / | ||
- | ## Only relevant when fip links to maine | + | ################################################################################ |
- | # NAT | + | # Configuration |
- | # NB: en plus du NAT il faut ouvrir les filtres. | + | ################################################################################ |
- | # cf les router4 fip2bastion, | + | |
- | ipv4 dnat to 192.168.1.93 inface enp0s31f6 dst 88.99.233.240 proto tcp dport 22 | + | |
- | ipv4 dnat to 192.168.1.57 inface enp0s31f6 dst 88.99.233.240 proto tcp dport 25 | + | |
- | ipv4 dnat to 192.168.1.53 inface enp0s31f6 dst 88.99.233.240 proto tcp dport 53 | + | |
- | ipv4 dnat to 192.168.1.53 inface enp0s31f6 dst 88.99.233.240 proto udp dport 53 | + | |
- | ipv4 dnat to 192.168.1.93 inface enp0s31f6 dst 88.99.233.240 proto tcp dport 80 | + | |
- | ipv4 dnat to 192.168.1.93 inface enp0s31f6 dst 88.99.233.240 proto tcp dport 443 | + | |
- | ipv4 dnat to 192.168.1.70 inface enp0s31f6 dst 88.99.233.240 proto tcp dport 5663 | + | |
- | # Contrôle de l'IP de sortie | + | |
- | ipv4 snat to 88.99.233.240 outface enp0s31f6 | + | |
- | ## /only | + | |
- | # IPv6 | + | myPrivateIp=" |
- | ipv6 interface any v6interop proto icmpv6 | + | myPublicIp4=" |
- | | + | myPublicIp6=" |
- | server ipv6neigh accept | + | |
- | policy return | + | |
- | # DHCP | + | clusterPrivateNetwork=" |
- | interface4 virbr0 dhcp | + | clusterV6Network=" |
- | policy return | + | |
- | server dhcp accept | + | |
- | # FIP -> ME | + | # Si vous décommentez la ligne qui suit, le firewall considérera que fip |
- | # The purpose of this interface is to control the traffic | + | # pointe sur cette machine avec l' |
- | # on the enp0s31f6 interface with IP 88.99.233.240. | + | |
- | interface enp0s31f6 fip_trafic dst4 88.99.233.240 dst6 2a01: | + | |
- | | + | # fip=" |
- | policy drop | + | |
- | | + | declare -A dispatching=( |
- | | + | |
+ | | ||
+ | | ||
+ | [" | ||
+ | [" | ||
+ | | ||
+ | ) | ||
- | # Services acceptés | + | </ |
- | server ICMP accept | + | |
- | server ICMPV6 | + | |
- | # The following means that this machine can REQUEST anything via enp0s31f6. | + | ===== Configuration sur maine ===== |
- | client all accept | + | |
- | # EXT->ME | + | <code bash / |
- | # The purpose of this interface is to control the traffic | + | ################################################################################ |
- | # on the enp0s31f6 interface with IP 94.130.8.2. | + | # Configuration |
- | interface enp0s31f6 external_trafic dst4 94.130.8.2 dst6 2a01: | + | ################################################################################ |
- | # The default policy is DROP. | + | myPrivateIp=" |
- | | + | myPublicIp4=" |
+ | myPublicIp6=" | ||
- | # Protection anti flood | + | clusterPrivateNetwork=" |
- | | + | clusterV6Network=" |
- | | + | # Si vous décommentez la ligne qui suit, le firewall considérera que fip |
- | | + | # pointe sur cette machine avec l' |
- | server ICMP accept | + | |
- | server ICMPV6 accept | + | |
- | # The following means that this machine can REQUEST anything via enp0s31f6. | + | fip=" |
- | client all accept | + | |
- | # LAN->ME | + | declare |
- | # The purpose of this interface is to control the traffic | + | [" |
- | # on the {enp1s0, | + | ["http"]=' |
- | interface | + | ["https"]='( "443" " |
- | + | ["icinga" | |
- | # On est entre amis | + | |
- | # The default policy is REJECT. | + | [" |
- | policy reject | + | ) |
- | + | ||
- | # Here are the services listening on enp1s0. | + | |
- | server ICMP accept | + | |
- | server ICMPV6 accept | + | |
- | server dns accept | + | |
- | server ssh accept | + | |
- | server dhcp accept | + | |
- | server dhcpv6 accept | + | |
- | server icinga accept | + | |
- | server drbd accept | + | |
- | + | ||
- | # The following means that this machine can REQUEST anything via enp1s0. | + | |
- | client all accept | + | |
- | + | ||
- | # Clients on enp0s31f6 (Internet) accessing servers on {enp1s0, | + | |
- | router ext2me inface enp0s31f6 outface | + | |
- | protection strong | + | |
- | + | ||
- | ## Only relevant when fip links to maine | + | |
- | + | ||
- | # Clients on enp0s31f6 | + | |
- | router fip2bastion inface enp0s31f6 outface | + | |
- | protection strong | + | |
- | server http accept | + | |
- | server https accept | + | |
- | server ssh accept | + | |
- | + | ||
- | # Clients on enp0s31f6 (Internet) accessing servers on mail. | + | |
- | router fip2mail inface enp0s31f6 outface | + | |
- | | + | |
- | server | + | |
- | + | ||
- | # Clients on enp0s31f6 | + | |
- | router fip2dns inface enp0s31f6 outface | + | |
- | | + | |
- | server dns accept | + | |
- | + | ||
- | # Clients on enp0s31f6 | + | |
- | router fip2admin inface enp0s31f6 outface | + | |
- | protection strong | + | |
- | server icinga accept | + | |
- | + | ||
- | ## /only | + | |
- | + | ||
- | # Clients on {enp1s0, | + | |
- | router me2ext inface " | + | |
- | masquerade | + | |
- | # If you remove it, no REQUEST will pass matching this traffic. | + | |
- | route all accept | + | |
- | + | ||
- | # Clients on {enp1s0, | + | |
- | router me2me inface " | + | |
- | # If you remove it, no REQUEST will pass matching this traffic. | + | |
- | route all accept | + | |
</ | </ |
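Review bot: the two per-host blocks differ only in that maine has `fip="...` active while coon keeps `# fip="...` commented, which matches the "pointe sur cette machine" comment, but nothing on the page says what to do when the floating IP moves: the previous holder keeps `snat to $fip` and the `fip_trafic` interface for an address it no longer owns, and the new holder has neither until its line is uncommented. Add a sentence to the "Script" section naming the two edits (comment on one host, uncomment on the other) and the firehol reload that must follow on both.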
admin/procedures/installation_serveur_physique.txt · Last modified: 2023/11/11 19:02 by pitchum