#!/bin/bash

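# AICFWRC: interactive helper that registers a new asset on the Intracto
# Clavister firewall: address objects (public / private / IPv6), an ARP/ND
# entry and the SAT, NAT, hairpin and allow rules that reference them.
#
# Every value is typed in by the operator and is interpolated into a remote
# shell command (duplicate check on the backup host) and into a Clavister CLI
# session. Both would treat stray characters as additional commands or
# parameters, so each value is validated against a strict character set first.
set -euo pipefail

GRN=$'\e[32m'
CYN=$'\e[36m'
RED=$'\e[31m'
YLW=$'\e[33m'
END=$'\e[0m'
readonly GRN CYN RED YLW END

# Host that keeps the last config backup (grepped for duplicate addresses)
# and the firewall whose CLI receives the new objects and rules.
readonly BACKUP_HOST='root@192.168.3.30'
readonly BACKUP_FILE='/usr/local/clavbackup/var/git/intracto-fw001.fw.combell-ops.net.bak.txt'
readonly FW_HOST='admin@intracto-fw001'

#######################################
# Print a message to stderr and exit 1.
# Arguments: $* - message (colour codes are added by the caller)
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Asset names become part of CLI object names; only word characters and '-'
# are accepted so the value can never add a parameter or break quoting.
# Arguments: $1 - asset name as typed
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_asset_name() {
  [[ $1 =~ ^[A-Za-z0-9_-]+$ ]]
}

#######################################
# Loose dotted-quad check (four decimal groups). Octet ranges are not
# enforced; the duplicate and ping checks below catch most typos.
# Arguments: $1 - address as typed
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_ipv4() {
  [[ $1 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
}

#######################################
# Loose IPv6 check: hex digits, ':' and '.' only, with at least one ':'.
# A value is required because the allow rule below references the IPv6 object.
# Arguments: $1 - address as typed
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_ipv6() {
  [[ $1 =~ ^[0-9A-Fa-f:.]+$ && $1 == *:* ]]
}

#######################################
# Ask the backup host whether an address already appears in the last backup.
# The pattern is shell-quoted with %q before it is sent over ssh, and grep
# runs with -F so the address is matched literally (a '.' is not "any char").
# Arguments: $1 - address
# Returns:   0 found, 1 not found. Dies when the check itself failed:
#            grep exits 2 on error and ssh exits 255 when it cannot connect,
#            so a connection problem is never mistaken for "not present".
#######################################
address_in_backup() {
  local pattern=$1 remote_cmd rv=0
  printf -v remote_cmd 'grep -qwF -- %q %q' "$pattern" "$BACKUP_FILE"
  ssh -q "$BACKUP_HOST" "$remote_cmd" || rv=$?
  case "$rv" in
    0) return 0 ;;
    1) return 1 ;;
    *) die "${RED}Kon ${BACKUP_HOST} niet raadplegen (exit ${rv}). Pls doublecheck${END}" ;;
  esac
}

#######################################
# Reduce a private IPv4 to its VLAN prefix: the first three octets, printed
# with %d so leading zeros are dropped (same result as the former awk call).
# Arguments: $1 - dotted quad
# Outputs:   a.b.c on stdout
#######################################
vlan_prefix() {
  local o1 o2 o3
  IFS=. read -r o1 o2 o3 _ <<<"$1"
  printf '%d.%d.%d\n' "$((10#$o1))" "$((10#$o2))" "$((10#$o3))"
}

#######################################
# Map a VLAN prefix to the Clavister inside-interface name.
# Arguments: $1 - a.b.c
# Outputs:   interface name on stdout
# Returns:   1 when the VLAN is unknown
#######################################
vlan_interface() {
  case "$1" in
    10.50.1)   printf '%s\n' uu_prod ;;
    10.50.2)   printf '%s\n' shared ;;
    10.50.3)   printf '%s\n' dvg ;;
    10.50.4)   printf '%s\n' roularta ;;
    10.50.5)   printf '%s\n' natuurmonumenten ;;
    10.50.6)   printf '%s\n' peytz ;;
    192.168.2) printf '%s\n' foreach ;;
    10.50.7)   printf '%s\n' kanker ;;
    10.50.8)   printf '%s\n' jlr ;;
    *)         return 1 ;;
  esac
}

#######################################
# Interactive flow: prompt, validate, check for duplicates, confirm, push.
# Globals:   GRN CYN RED YLW END FW_HOST (read)
# Arguments: none (all input is read from the terminal)
# Returns:   0 on success; exits 1 on any refused or failed step
#######################################
main() {
  local asset pubip privip ipv6 yn asset_renamed vlan interface rv
  local add_asset_to_webserver_grp=""

  printf '%s\n' "${GRN}---------------------------------------------------------------------------${END}"
  printf '%s\n' "           ${CYN}AICFWRC: Automatic Intracto Clavister FW Rule Creator${END}           "
  printf '%s\n' "${GRN}---------------------------------------------------------------------------${END}"

  # Parameters — each value is validated before it is reused anywhere.

  read -rp "Geef de naam van de nieuwe asset, ex. web420, db069 : " asset
  valid_asset_name "$asset" || die "${RED}Ongeldige asset naam: ${asset}${END}"

  read -rp "Public IP: " pubip
  valid_ipv4 "$pubip" || die "${RED}Ongeldig publiek IP: ${pubip}${END}"
  if address_in_backup "$pubip"; then
    die "${RED}Publiek IP lijkt al aanwezig op de clavister. Pls doublecheck${END}"
  fi

  read -rp "Private IP: " privip
  valid_ipv4 "$privip" || die "${RED}Ongeldig private IP: ${privip}${END}"
  if address_in_backup "$privip"; then
    die "${RED}Private IP lijkt al aanwezig op de clavister. Pls doublecheck${END}"
  fi

  read -rp "IPV6: " ipv6
  valid_ipv6 "$ipv6" || die "${RED}Ongeldig IPv6 adres: ${ipv6}${END}"
  if address_in_backup "$ipv6"; then
    die "${RED}IPv6 lijkt al aanwezig op de clavister. Pls doublecheck${END}"
  fi

  # Confirm

  while true; do
    read -rp "Kloppen bovenstaande gegevens? [Y/n]" yn
    case "$yn" in
      [Yy]*) break ;;
      [Nn]*) printf '%s\n' "Bye bye......"; exit 1 ;;
      *) printf '%s\n' "yes or no." ;;
    esac
  done

  # Verwijder intracto prefix indien ingetypt (the object names below add it back).
  asset_renamed=${asset//intracto-/}

  # Webservers are additionally added to the shared public address group.
  if [[ $asset_renamed == *web* ]]; then
    add_asset_to_webserver_grp="set Address IP4Group Public/webservers_grp Members+=Public/intracto-${asset_renamed}_pub"
  fi

  # Check VLAN: the private /24 decides the inside interface used in the rules.
  vlan=$(vlan_prefix "$privip")
  interface=$(vlan_interface "$vlan") || { printf '%s' "Onbekend VLAN, bye bye." >&2; exit 1; }

  # Check IP: an address that already answers is in use somewhere.
  printf '%s\n' "${YLW}Secondje geduld, even kijken of het pub IP al pingt${END}"
  if ping -c 1 "$pubip" >/dev/null 2>&1; then
    die "${RED}Public IP pingt al, please check${END}"
  fi

  # Push objects and rules in one CLI session. The CLI echo on stdout is still
  # discarded, but stderr and the exit status are kept so a failed session is
  # no longer reported as success. NOTE(review): whether the Clavister CLI
  # reflects per-command errors in the ssh exit status is not confirmed here —
  # verify; until then also eyeball the session output when in doubt.
  rv=0
  ssh "$FW_HOST" >/dev/null <<EOF || rv=$?
        cc Address AddressFolder Public
        add IP4Address intracto-${asset_renamed}_pub Address=${pubip}
        cc
        cc Address AddressFolder Private
        add IP4Address intracto-${asset_renamed}_priv Address=${privip}
        cc
        cc Address AddressFolder IPV6
        add IP6Address intracto-${asset_renamed}_ipv6 Address=${ipv6}
        cc
        add ARPND Interface=Public IP=Public/intracto-${asset_renamed}_pub
        cc IPRuleFolder 3(SAT-incoming)
        add IPRule Action=SAT SourceInterface=Public SourceNetwork=all-nets DestinationInterface=Public DestinationNetwork=Public/intracto-${asset_renamed}_pub Service=all_tcpudpicmp SATTranslateToIP=Private/intracto-${asset_renamed}_priv Name=s_${asset_renamed}
        cc
        cc IPRuleFolder 4(NAT-Outgoing)
        add IPPolicy SourceInterface=${interface} SourceNetwork=HA/fw_${interface}_net DestinationInterface=Public DestinationNetwork=Public/intracto-${asset_renamed}_pub Service=http-all Name=hairpin_${asset_renamed} DestAddressTranslation=SAT DestAddressAction=SingleIP DestNewIP=Private/intracto-${asset_renamed}_priv
        add IPRule Action=NAT SourceInterface=${interface} SourceNetwork=Private/intracto-${asset_renamed}_priv DestinationInterface=Public DestinationNetwork=all-nets Service=all_tcpudpicmp NATAction=SpecifySenderAddress NATSenderAddress=Public/intracto-${asset_renamed}_pub Name=n_${asset_renamed}
        cc
        cc IPRuleFolder 5(Allow-incoming)
        add IPRule Action=Allow SourceInterface=Public SourceNetwork=all-nets6 DestinationInterface=${interface} DestinationNetwork=IPV6/intracto-${asset_renamed}_ipv6 Service=http-all Name=allow_${asset_renamed}_http_ipv6
        cc
        ${add_asset_to_webserver_grp}
EOF
  (( rv == 0 )) || die "${RED}CLI sessie naar ${FW_HOST} is mislukt (exit ${rv}). Pls doublecheck de firewall${END}"

  printf '%s\n' "${YLW}Plaats rules nog onder juiste groep per zone:${END}"
  printf '%s\n' "${YLW}---------------------------------------------${END}"
  printf '%s\n' "${YLW} ===     Address Book - Private           ===${END}"
  printf '%s\n' "${YLW} ===     Address Book - IPV6              ===${END}"
  printf '%s\n' "${YLW} ===     NAT-Outgoing - NAT hairpinning   ===${END}"
  printf '%s\n' "${YLW} ===     NAT-Outgoing - *vlan*            ===${END}"
  printf '%s\n' "${YLW} ===     Allow-incoming - *vlan*          ===${END}"
  printf '\n%s\n' "${YLW}https://185.135.13.2/${END}"
}

main "$@"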
