You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

99 lines
5.1 KiB

  1. /interface bridge
  2. add name=bridge-lan
  3. /interface list
  4. add name=WAN
  5. /ip hotspot profile
  6. set [ find default=yes ] html-directory=hotspot
  7. /queue simple
  8. add max-limit=1G/1G name=bridge queue=pcq-upload-default/pcq-download-default \
  9. target=bridge-lan
  10. /snmp community
  11. set [ find default=yes ] addresses=185.123.84.25/32,10.17.24.18/32 name=\
  12. altinea
  13. /interface bridge port
  14. add bridge=bridge-lan interface=ether2
  15. add bridge=bridge-lan interface=ether3
  16. add bridge=bridge-lan interface=ether4
  17. /interface list member
  18. add interface=ether1 list=WAN
  19. /ip dhcp-client
  20. add comment=defconf interface=ether1
  21. /ip dns
  22. set allow-remote-requests=yes servers=8.8.8.8
  23. /ip firewall address-list
  24. add address=185.123.84.200 comment=vpn.altinea.fr list=altinea.safe
  25. add address=185.123.84.50 comment=oxidized.altinea.fr list=altinea.safe
  26. add address=185.123.84.25 comment=icinga2.altinea.fr list=altinea.safe
  27. add address=10.17.24.18 comment=icinga2.altinea.fr list=altinea.safe
  28. add address=158.69.205.82 comment=ext.nagios.altinea.fr list=altinea.safe
  29. add address=10.17.24.0/24 comment=adminvpn.altinea.fr list=altinea.safe
  30. /ip firewall filter
  31. add action=accept chain=forward connection-state=\
  32. established,related,untracked
  33. add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
  34. altinea.safe
  35. add action=accept chain=input dst-port=8291 protocol=tcp in-interface=bridge-lan
  36. add action=accept chain=input dst-port=161 protocol=udp src-address-list=\
  37. altinea.safe
  38. add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
  39. altinea.safe
  40. add action=accept chain=input dst-port=22 in-interface=bridge-lan protocol=\
  41. tcp
  42. add action=accept chain=input dst-port=8291 in-interface=bridge-lan protocol=\
  43. tcp
  44. add action=accept chain=input protocol=icmp
  45. add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
  46. add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
  47. add action=drop chain=input connection-state="" dst-port=22 protocol=tcp
  48. add action=drop chain=input dst-port=161 protocol=udp
  49. add action=drop chain=input connection-state="" dst-port=8291 protocol=tcp
  50. add action=drop chain=input connection-state=invalid
  51. /ip firewall mangle
  52. add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
  53. protocol=tcp tcp-flags=syn
  54. /ip firewall nat
  55. add action=masquerade chain=srcnat out-interface-list=WAN
  56. add action=masquerade chain=srcnat comment="Ex src-nat by ip" disabled=yes log-prefix=185.123.87.x
  57. add action=dst-nat chain=dstnat comment="Ex dst-nat " disabled=yes dst-address=185.123.87.173 dst-port=8443 protocol=tcp src-address=\
  58. 185.123.84.200 to-addresses=192.168.88.254 to-ports=443
  59. /ip firewall service-port
  60. set sip sip-direct-media=no
  61. /ip service
  62. set telnet disabled=yes
  63. set ftp disabled=yes
  64. set www disabled=yes
  65. set api disabled=yes
  66. set api-ssl disabled=yes
  67. /snmp
  68. set contact=noc@altinea.fr enabled=yes
  69. /system clock
  70. set time-zone-name=Europe/Paris
  71. /system note
  72. set show-at-login=no
  73. /tool romon
  74. set enabled=yes
  75. /system ntp client
  76. set enabled=yes
  77. /system ntp client servers
  78. add address=pool.ntp.org
  79. /
  80. :delay 5s;
  81. :global oxidizedcpepub "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDKVHiQwYh8rdWgwAqs5+aNBp6f1gqbUfh9BO+5XG7QigMEYmmawPy9LHwcSADKLuIwaFdfalMYrx90JpNzrDEmvBCep3YlyS1YLRZlLYntSS3G8q70XFPFf84HD9Uh9MAD6qHkZArvhDZ6t0fP2HhqEN8Ud2Dx1qAvn8cdDgjO5zFGNaevQUpVXEcc2lSUkJkzw6F/nH+xJQEd7/a62f8XdcYnzOafLkZwAWR5xCpCbhCIXQ0KEo8+Z5Edc7AvmSFRdc8EC1Upz/LVsR193vNnvm9yTyu5UzhCVVfhNNzNYMX+4NF0MzvG0QlsetGinqzWW0jR8YW5Kcltef2PtaF152P5Pu+mpg3mvxCE9glxjmwegoXhQu6gcxIdUpmcXar2nS9pxnL9LLoZ5kRyXHPpktRSqte2HD8dcgVBqS7AgY9J1hduko9DWkFWiAIM0C0d6702ZXYwFFmnfJcxAFeSbZbvGyjfv0K87/Y2tZNjghZifpzi8+LRgKseoAhE4+8= oxidized-cpe@altinea.fr";
  82. /file print file=oxidized-cpe.txt;
  83. :delay 10;
  84. /file set oxidized-cpe.txt content=$oxidizedcpepub;
  85. :delay 10;
  86. /user add name=oxidized group=read password=azELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMREwDwYDVQQKDAh0ZWFt;
  87. :delay 10s;
  88. /user ssh-keys import user=oxidized public-key-file=oxidized-cpe.txt
  89. :delay 10;
  90. :global supportpub "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDo7t//wpsOExn87AoUItPWZ/AF1e2UcKTaO6CVtpEh3b+Z4/vZ+LaFaczssGcPLcUpZEGB/UNkIPITAK2gXjT+2GLzQQ9DfLu9fNeE+AaWo7VZFM1Aviua0Zo2prDTCgXJ+z8kRuzvBfxuOKPNsLwxg/y3CYC+YSUb+00ZAi0I51x1VRfCIfoZqvMbEH1CIj7MRRuKu1B7Ue80vvC7XpgIZGvQepxc2j1vDSKHozM+/l3QdZBEbqdkUnO90i8XSRBpLRVadsgotg5uggKYzMQfvnuTYodmQKM3nk057wj7fmGIFNJxhH20bOTXUG8Yf80OLDsOJNqxQQgsrGVAVYL3wuP1UfDCLNXfOz81equ+S5JQuAMDRsnux+D06D/vmdEaqALMRtH2iSmlumYpRYxzYNKsrLa6Wi2oDmedFj7MpTJXRaA5a3AUNoj7S6BmG0jsTCAKOp2/i91O9zYZoedGuusUkurfdnP6qMIxpeX1zaWkWRnl1f6DhshKgOsI/t/6rPP+j0Jar/WMKLS/fmUI6OTbteQzePiQiKvVWJv8QDs4o0Krl9/LazmWhF4exElfbujjBRTk5Xf6x+0qgnAOGy2WKU9tiYIspK/I6T5O4H3L4B1S2nJppl28hHf53PuEFH8B1ezYJrY/8GPskVh35m1uiQJZ7GR7ZQOas8KWUw== support@altinea.fr";
  91. :delay 10s;
  92. /file print file=support-pub.txt;
  93. :delay 10;
  94. /file set support-pub.txt content=$supportpub;
  95. /user set admin password=BQAwazELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMREwDwYDVQQKDAh0;
  96. :delay 10s;
  97. /user ssh-keys import user=admin public-key-file=support-pub.txt;
  98. :delay 10s;