From 83534230db16c9d0450fd6bd113a4a850c88a103 Mon Sep 17 00:00:00 2001 From: Vincent Vanwaelscappel Date: Thu, 28 Dec 2023 14:17:26 +0100 Subject: [PATCH] wip #6601 @1.5 --- app/Models/TeamServers.php | 34 ++++++++++++++++------- resources/servers/alphaville/firewall | 29 +++++++++++-------- resources/servers/brazil/firewall | 29 +++++++++++-------- resources/servers/dobermann/firewall | 29 +++++++++++-------- resources/servers/dracula/firewall | 29 +++++++++++-------- resources/servers/elephantman/firewall | 29 +++++++++++-------- resources/servers/fastandfurious/firewall | 29 +++++++++++-------- resources/servers/godzilla/firewall | 29 +++++++++++-------- resources/servers/her2/firewall | 29 +++++++++++-------- resources/servers/kingkong/firewall | 29 +++++++++++-------- 10 files changed, 186 insertions(+), 109 deletions(-) diff --git a/app/Models/TeamServers.php b/app/Models/TeamServers.php index 61c2f6406..c2d07702e 100644 --- a/app/Models/TeamServers.php +++ b/app/Models/TeamServers.php @@ -54,6 +54,23 @@ ufw disable ufw default allow outgoing '; + $locals = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']; + $lhosts = []; + foreach ($locals as $k => $local) { + $lhosts[] = '$l' . $k; + $fw .= 'l' . $k . '=' . self::digOrIP($local) . "\n"; + } + + + foreach ($ip as $k => $i) { + $lhosts[] = '$i' . $k; + $fw .= 'i' . $k . '=' . self::digOrIP($i) . "\n"; + } + $fw .= "\n"; + + $fw .= 'local=(' . implode(' ', $lhosts) . ')' . "\n\n"; + + $bhosts = []; foreach ($blacklist as $k => $b) { $bhosts[] = '$b' . $k; @@ -76,12 +93,6 @@ ufw default allow outgoing } $fw .= "\n"; - foreach ($ip as $k => $i) { - $hosts[] = '$i' . $k; - $fw .= 'i' . $k . '=' . self::digOrIP($i) . "\n"; - } - $fw .= "\n"; - $fw .= 'auth=(' . implode(' ', $hosts) . ')' . "\n\n"; 
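Review bot: The `$ip` entries added to `$lhosts` are emitted through `self::digOrIP()`, which in the generated files becomes a run-time `dig +short … | tail -1` substitution with no check on the result; because `local=($l0 … $i0 $i1 $i2)` is an unquoted expansion, an unresolvable name yields an empty variable that is silently dropped from the array, so the host is omitted from the allow list with no error (no `set -e` is visible either). A cheap fail-fast guard is to emit `$fw .= ': "${i' . $k . ':?unresolved host}"' . "\n";` after each `iN=` assignment (and likewise for the `sN=` auth entries), which aborts the script with a message instead of producing a partial rule set. The same consideration applies to the generated resources/servers/*/firewall files in this patch, which carry identical `i0`..`i2` lines. As a style point, `local` is also the name of a bash builtin; the array assignment still parses as an assignment, but a name like `trusted_local` would read less ambiguously. The enclosing method starts before this hunk.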
@@ -123,16 +134,19 @@ ufw default allow outgoing $fw .= 'for ip in "${blacklist[@]}" do - ufw deny in from $ip - ufw deny in to $ip + ufw deny from $ip + ufw deny to $ip +done + +for ip in "${local[@]}" +do + ufw allow from $ip done for ip in "${auth[@]}" do' . "\n"; $fw .= "\t" . 'ufw allow from $ip' . "\n"; $fw .= "\t" . 'ufw allow to $ip' . "\n"; - $fw .= "\t" . 'ufw allow out from $ip' . "\n"; - $fw .= "\t" . 'ufw allow out to $ip' . "\n"; $fw .= 'done' . "\n\n"; if (isset($backup) && count($backup)) { $fw .= 'for ip in "${backup[@]}" diff --git a/resources/servers/alphaville/firewall b/resources/servers/alphaville/firewall index ee54214df..44ba90fe2 100644 --- a/resources/servers/alphaville/firewall +++ b/resources/servers/alphaville/firewall @@ -9,6 +9,16 @@ ufw disable ufw default allow outgoing +l0=127.0.0.0/8 +l1=10.0.0.0/8 +l2=172.16.0.0/12 +l3=192.168.0.0/16 +i0=`dig +short paris.cubedesigners.com | tail -1` +i1=`dig +short montpellier.cubedesigners.com | tail -1` +i2=`dig +short tortuga.enhydra.fr | tail -1` + +local=($l0 $l1 $l2 $l3 $i0 $i1 $i2) + b0=24.104.34.225 b1=62.99.220.220 b2=50.62.177.177 @@ -32,29 +42,26 @@ s6_2=`dig +short mail2.cubedesigners.com | tail -1` s7=`dig +short kingkong.cubedesigners.com | tail -1` s8=`dig +short fastandfurious.cubedesigners.com | tail -1` -i0=127.0.0.0/8 -i1=10.0.0.0/8 -i2=172.16.0.0/12 -i3=192.168.0.0/16 -i4=`dig +short tortuga.enhydra.fr | tail -1` - -auth=($s1 $s2 $s2_0 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8 $i0 $i1 $i2 $i3 $i4) +auth=($s1 $s2 $s2_0 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8) ufw allow 80 ufw allow 443 for ip in "${blacklist[@]}" do - ufw deny in from $ip - ufw deny in to $ip + ufw deny from $ip + ufw deny to $ip +done + +for ip in "${local[@]}" +do + ufw allow from $ip done for ip in "${auth[@]}" do ufw allow from $ip ufw allow to $ip - ufw allow out from $ip - ufw allow out to $ip done #SSH 
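Review bot: `ufw deny to $ip` in the new blacklist loop carries no direction, and ufw treats a direction-less rule as an incoming rule, so it only matches inbound packets whose destination is the blacklisted address and does not stop connections out to that host; if the intent is to block outbound traffic as well (the auth loop's `ufw allow out …` lines were dropped on the basis that outgoing is allowed by default), the line should read `ufw deny out to $ip`, and `ufw status verbose` after a run will confirm whether an OUT rule exists. The new `local` loop issues `ufw allow from $ip` for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 without binding to an interface; on a host whose provider attaches a shared private network that admits every neighbour on it, so `ufw allow in on <private-iface> from $ip` (interface taken from the server's configuration) would be tighter where such a network exists. Both points apply equally to the identical lines in each of the nine resources/servers/*/firewall files in this patch, which appear to be this generator's output. The enclosing method continues before and after this hunk.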
diff --git a/resources/servers/brazil/firewall b/resources/servers/brazil/firewall index b61c08103..8a7cb80f7 100644 --- a/resources/servers/brazil/firewall +++ b/resources/servers/brazil/firewall @@ -9,6 +9,16 @@ ufw disable ufw default allow outgoing +l0=127.0.0.0/8 +l1=10.0.0.0/8 +l2=172.16.0.0/12 +l3=192.168.0.0/16 +i0=`dig +short paris.cubedesigners.com | tail -1` +i1=`dig +short montpellier.cubedesigners.com | tail -1` +i2=`dig +short tortuga.enhydra.fr | tail -1` + +local=($l0 $l1 $l2 $l3 $i0 $i1 $i2) + b0=24.104.34.225 b1=62.99.220.220 b2=50.62.177.177 @@ -33,27 +43,24 @@ s6_2=`dig +short mail2.cubedesigners.com | tail -1` s7=`dig +short kingkong.cubedesigners.com | tail -1` s8=`dig +short fastandfurious.cubedesigners.com | tail -1` -i0=127.0.0.0/8 -i1=10.0.0.0/8 -i2=172.16.0.0/12 -i3=192.168.0.0/16 -i4=`dig +short tortuga.enhydra.fr | tail -1` - -auth=($s0 $s0_0 $s2 $s2_0 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8 $i0 $i1 $i2 $i3 $i4) +auth=($s0 $s0_0 $s2 $s2_0 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8) for ip in "${blacklist[@]}" do - ufw deny in from $ip - ufw deny in to $ip + ufw deny from $ip + ufw deny to $ip +done + +for ip in "${local[@]}" +do + ufw allow from $ip done for ip in "${auth[@]}" do ufw allow from $ip ufw allow to $ip - ufw allow out from $ip - ufw allow out to $ip done #SSH diff --git a/resources/servers/dobermann/firewall b/resources/servers/dobermann/firewall index 79ec81979..d292d48bb 100644 --- a/resources/servers/dobermann/firewall +++ b/resources/servers/dobermann/firewall @@ -9,6 +9,16 @@ ufw disable ufw default allow outgoing +l0=127.0.0.0/8 +l1=10.0.0.0/8 +l2=172.16.0.0/12 +l3=192.168.0.0/16 +i0=`dig +short paris.cubedesigners.com | tail -1` +i1=`dig +short montpellier.cubedesigners.com | tail -1` +i2=`dig +short tortuga.enhydra.fr | tail -1` + +local=($l0 $l1 $l2 $l3 $i0 $i1 $i2) + b0=24.104.34.225 b1=62.99.220.220 b2=50.62.177.177 
@@ -33,13 +43,7 @@ s6_2=`dig +short mail2.cubedesigners.com | tail -1` s7=`dig +short kingkong.cubedesigners.com | tail -1` s8=`dig +short fastandfurious.cubedesigners.com | tail -1` -i0=127.0.0.0/8 -i1=10.0.0.0/8 -i2=172.16.0.0/12 -i3=192.168.0.0/16 -i4=`dig +short tortuga.enhydra.fr | tail -1` - -auth=($s0 $s0_0 $s1 $s2 $s2_0 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8 $i0 $i1 $i2 $i3 $i4) +auth=($s0 $s0_0 $s1 $s2 $s2_0 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8) c0=`dig +short s1.adangelis.com | tail -1` c1=`dig +short www.fondation-sycomore.com | tail -1` @@ -50,16 +54,19 @@ ufw allow 443 for ip in "${blacklist[@]}" do - ufw deny in from $ip - ufw deny in to $ip + ufw deny from $ip + ufw deny to $ip +done + +for ip in "${local[@]}" +do + ufw allow from $ip done for ip in "${auth[@]}" do ufw allow from $ip ufw allow to $ip - ufw allow out from $ip - ufw allow out to $ip done for ip in "${backup[@]}" diff --git a/resources/servers/dracula/firewall b/resources/servers/dracula/firewall index 3130b8a79..d71543994 100644 --- a/resources/servers/dracula/firewall +++ b/resources/servers/dracula/firewall @@ -9,6 +9,16 @@ ufw disable ufw default allow outgoing +l0=127.0.0.0/8 +l1=10.0.0.0/8 +l2=172.16.0.0/12 +l3=192.168.0.0/16 +i0=`dig +short paris.cubedesigners.com | tail -1` +i1=`dig +short montpellier.cubedesigners.com | tail -1` +i2=`dig +short tortuga.enhydra.fr | tail -1` + +local=($l0 $l1 $l2 $l3 $i0 $i1 $i2) + b0=24.104.34.225 b1=62.99.220.220 b2=50.62.177.177 
@@ -32,13 +42,7 @@ s6_2=`dig +short mail2.cubedesigners.com | tail -1` s7=`dig +short kingkong.cubedesigners.com | tail -1` s8=`dig +short fastandfurious.cubedesigners.com | tail -1` -i0=127.0.0.0/8 -i1=10.0.0.0/8 -i2=172.16.0.0/12 -i3=192.168.0.0/16 -i4=`dig +short tortuga.enhydra.fr | tail -1` - -auth=($s0 $s0_0 $s1 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8 $i0 $i1 $i2 $i3 $i4) +auth=($s0 $s0_0 $s1 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8) ufw allow 53 ufw allow 80 @@ -46,16 +50,19 @@ ufw allow 443 for ip in "${blacklist[@]}" do - ufw deny in from $ip - ufw deny in to $ip + ufw deny from $ip + ufw deny to $ip +done + +for ip in "${local[@]}" +do + ufw allow from $ip done for ip in "${auth[@]}" do ufw allow from $ip ufw allow to $ip - ufw allow out from $ip - ufw allow out to $ip done #SSH diff --git a/resources/servers/elephantman/firewall b/resources/servers/elephantman/firewall index e99d9e581..f90c536b6 100644 --- a/resources/servers/elephantman/firewall +++ b/resources/servers/elephantman/firewall @@ -9,6 +9,16 @@ ufw disable ufw default allow outgoing +l0=127.0.0.0/8 +l1=10.0.0.0/8 +l2=172.16.0.0/12 +l3=192.168.0.0/16 +i0=`dig +short paris.cubedesigners.com | tail -1` +i1=`dig +short montpellier.cubedesigners.com | tail -1` +i2=`dig +short tortuga.enhydra.fr | tail -1` + +local=($l0 $l1 $l2 $l3 $i0 $i1 $i2) + b0=24.104.34.225 b1=62.99.220.220 b2=50.62.177.177 
@@ -33,27 +43,24 @@ s6_2=`dig +short mail2.cubedesigners.com | tail -1` s7=`dig +short kingkong.cubedesigners.com | tail -1` s8=`dig +short fastandfurious.cubedesigners.com | tail -1` -i0=127.0.0.0/8 -i1=10.0.0.0/8 -i2=172.16.0.0/12 -i3=192.168.0.0/16 -i4=`dig +short tortuga.enhydra.fr | tail -1` - -auth=($s0 $s0_0 $s1 $s2 $s2_0 $s3 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8 $i0 $i1 $i2 $i3 $i4) +auth=($s0 $s0_0 $s1 $s2 $s2_0 $s3 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8) for ip in "${blacklist[@]}" do - ufw deny in from $ip - ufw deny in to $ip + ufw deny from $ip + ufw deny to $ip +done + +for ip in "${local[@]}" +do + ufw allow from $ip done for ip in "${auth[@]}" do ufw allow from $ip ufw allow to $ip - ufw allow out from $ip - ufw allow out to $ip done for ip in "${backup[@]}" diff --git a/resources/servers/fastandfurious/firewall b/resources/servers/fastandfurious/firewall index 18ea48428..6eaabcea1 100644 --- a/resources/servers/fastandfurious/firewall +++ b/resources/servers/fastandfurious/firewall @@ -9,6 +9,16 @@ ufw disable ufw default allow outgoing +l0=127.0.0.0/8 +l1=10.0.0.0/8 +l2=172.16.0.0/12 +l3=192.168.0.0/16 +i0=`dig +short paris.cubedesigners.com | tail -1` +i1=`dig +short montpellier.cubedesigners.com | tail -1` +i2=`dig +short tortuga.enhydra.fr | tail -1` + +local=($l0 $l1 $l2 $l3 $i0 $i1 $i2) + b0=24.104.34.225 b1=62.99.220.220 b2=50.62.177.177 
@@ -33,28 +43,25 @@ s6_1=`dig +short mail.cubedesigners.com | tail -1` s6_2=`dig +short mail2.cubedesigners.com | tail -1` s7=`dig +short kingkong.cubedesigners.com | tail -1` -i0=127.0.0.0/8 -i1=10.0.0.0/8 -i2=172.16.0.0/12 -i3=192.168.0.0/16 -i4=`dig +short tortuga.enhydra.fr | tail -1` - -auth=($s0 $s0_0 $s1 $s2 $s2_0 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7 $i0 $i1 $i2 $i3 $i4) +auth=($s0 $s0_0 $s1 $s2 $s2_0 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s7) ufw allow 51820 for ip in "${blacklist[@]}" do - ufw deny in from $ip - ufw deny in to $ip + ufw deny from $ip + ufw deny to $ip +done + +for ip in "${local[@]}" +do + ufw allow from $ip done for ip in "${auth[@]}" do ufw allow from $ip ufw allow to $ip - ufw allow out from $ip - ufw allow out to $ip done for ip in "${backup[@]}" diff --git a/resources/servers/godzilla/firewall b/resources/servers/godzilla/firewall index cc3914727..df310229d 100644 --- a/resources/servers/godzilla/firewall +++ b/resources/servers/godzilla/firewall @@ -9,6 +9,16 @@ ufw disable ufw default allow outgoing +l0=127.0.0.0/8 +l1=10.0.0.0/8 +l2=172.16.0.0/12 +l3=192.168.0.0/16 +i0=`dig +short paris.cubedesigners.com | tail -1` +i1=`dig +short montpellier.cubedesigners.com | tail -1` +i2=`dig +short tortuga.enhydra.fr | tail -1` + +local=($l0 $l1 $l2 $l3 $i0 $i1 $i2) + b0=24.104.34.225 b1=62.99.220.220 b2=50.62.177.177 @@ -29,13 +39,7 @@ s6_2=`dig +short mail2.cubedesigners.com | tail -1` s7=`dig +short kingkong.cubedesigners.com | tail -1` s8=`dig +short fastandfurious.cubedesigners.com | tail -1` -i0=127.0.0.0/8 -i1=10.0.0.0/8 -i2=172.16.0.0/12 -i3=192.168.0.0/16 -i4=`dig +short tortuga.enhydra.fr | tail -1` - -auth=($s0 $s0_0 $s1 $s2 $s2_0 $s3 $s4 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8 $i0 $i1 $i2 $i3 $i4) +auth=($s0 $s0_0 $s1 $s2 $s2_0 $s3 $s4 $s6 $s6_0 $s6_1 $s6_2 $s7 $s8) ufw allow 53 ufw allow 80 
@@ -43,16 +47,19 @@ ufw allow 443 for ip in "${blacklist[@]}" do - ufw deny in from $ip - ufw deny in to $ip + ufw deny from $ip + ufw deny to $ip +done + +for ip in "${local[@]}" +do + ufw allow from $ip done for ip in "${auth[@]}" do ufw allow from $ip ufw allow to $ip - ufw allow out from $ip - ufw allow out to $ip done for ip in "${backup[@]}" diff --git a/resources/servers/her2/firewall b/resources/servers/her2/firewall index 25e37694b..e9dcfb27e 100644 --- a/resources/servers/her2/firewall +++ b/resources/servers/her2/firewall @@ -9,6 +9,16 @@ ufw disable ufw default allow outgoing +l0=127.0.0.0/8 +l1=10.0.0.0/8 +l2=172.16.0.0/12 +l3=192.168.0.0/16 +i0=`dig +short paris.cubedesigners.com | tail -1` +i1=`dig +short montpellier.cubedesigners.com | tail -1` +i2=`dig +short tortuga.enhydra.fr | tail -1` + +local=($l0 $l1 $l2 $l3 $i0 $i1 $i2) + b0=24.104.34.225 b1=62.99.220.220 b2=50.62.177.177 @@ -30,13 +40,7 @@ s5_3=`dig +short hosting.fluidbook.com | tail -1` s7=`dig +short kingkong.cubedesigners.com | tail -1` s8=`dig +short fastandfurious.cubedesigners.com | tail -1` -i0=127.0.0.0/8 -i1=10.0.0.0/8 -i2=172.16.0.0/12 -i3=192.168.0.0/16 -i4=`dig +short tortuga.enhydra.fr | tail -1` - -auth=($s0 $s0_0 $s1 $s2 $s2_0 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s7 $s8 $i0 $i1 $i2 $i3 $i4) +auth=($s0 $s0_0 $s1 $s2 $s2_0 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s7 $s8) ufw allow 53 ufw allow 80 @@ -50,16 +54,19 @@ ufw allow 4190 for ip in "${blacklist[@]}" do - ufw deny in from $ip - ufw deny in to $ip + ufw deny from $ip + ufw deny to $ip +done + +for ip in "${local[@]}" +do + ufw allow from $ip done for ip in "${auth[@]}" do ufw allow from $ip ufw allow to $ip - ufw allow out from $ip - ufw allow out to $ip done for ip in "${backup[@]}" diff --git a/resources/servers/kingkong/firewall b/resources/servers/kingkong/firewall index 907ae460a..7f1993cf3 100644 --- a/resources/servers/kingkong/firewall +++ b/resources/servers/kingkong/firewall 
@@ -9,6 +9,16 @@ ufw disable ufw default allow outgoing +l0=127.0.0.0/8 +l1=10.0.0.0/8 +l2=172.16.0.0/12 +l3=192.168.0.0/16 +i0=`dig +short paris.cubedesigners.com | tail -1` +i1=`dig +short montpellier.cubedesigners.com | tail -1` +i2=`dig +short tortuga.enhydra.fr | tail -1` + +local=($l0 $l1 $l2 $l3 $i0 $i1 $i2) + b0=24.104.34.225 b1=62.99.220.220 b2=50.62.177.177 @@ -33,29 +43,26 @@ s6_1=`dig +short mail.cubedesigners.com | tail -1` s6_2=`dig +short mail2.cubedesigners.com | tail -1` s8=`dig +short fastandfurious.cubedesigners.com | tail -1` -i0=127.0.0.0/8 -i1=10.0.0.0/8 -i2=172.16.0.0/12 -i3=192.168.0.0/16 -i4=`dig +short tortuga.enhydra.fr | tail -1` - -auth=($s0 $s0_0 $s1 $s2 $s2_0 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s8 $i0 $i1 $i2 $i3 $i4) +auth=($s0 $s0_0 $s1 $s2 $s2_0 $s3 $s4 $s5 $s5_0 $s5_1 $s5_2 $s5_3 $s6 $s6_0 $s6_1 $s6_2 $s8) ufw allow 80 ufw allow 443 for ip in "${blacklist[@]}" do - ufw deny in from $ip - ufw deny in to $ip + ufw deny from $ip + ufw deny to $ip +done + +for ip in "${local[@]}" +do + ufw allow from $ip done for ip in "${auth[@]}" do ufw allow from $ip ufw allow to $ip - ufw allow out from $ip - ufw allow out to $ip done for ip in "${backup[@]}" -- 2.39.5