Différences
Ci-dessous, les différences entre deux révisions de la page.
Les deux révisions précédentesRévision précédenteProchaine révision | Révision précédente | ||
tech:hypervisor-01 [29/09/2023 17:40] – [Adressage IP] LibertAdmin | tech:hypervisor-01 [09/01/2025 22:50] (Version actuelle) – [Topologie] LibertAdmin | ||
---|---|---|---|
Ligne 21: | Ligne 21: | ||
* [[tech: | * [[tech: | ||
* [[tech: | * [[tech: | ||
- | * < | + | * < |
- | * [[tech: | + | * [[tech: |
- | * [[tech: | + | |
- | * < | + | * < |
- | * [[tech: | + | * [[tech: |
- | Toutes les requêtes venant d' | + | Toutes les requêtes venant d' |
===== Configuration ===== | ===== Configuration ===== | ||
==== Système d' | ==== Système d' | ||
- | Debian stable (Debian | + | * Debian stable (Debian |
==== Adressage IP ==== | ==== Adressage IP ==== | ||
Hetzner offre une IP publique. Nous avons modifié l' | Hetzner offre une IP publique. Nous avons modifié l' | ||
- | L' | + | L' |
- | L' | + | L' |
< | < | ||
Ligne 64: | Ligne 64: | ||
iface br0 inet6 static | iface br0 inet6 static | ||
bridge_ports enp0s31f6 | bridge_ports enp0s31f6 | ||
- | bridge_hz | + | bridge_hw |
bridge_fd 0 | bridge_fd 0 | ||
bridge_stp off | bridge_stp off | ||
Ligne 78: | Ligne 78: | ||
bridge_fd 0 | bridge_fd 0 | ||
bridge_stp off | bridge_stp off | ||
- | address | + | address |
- | netmask 255.X.Y.Z | + | netmask 255.255.255.0 |
iface br1 inet6 static | iface br1 inet6 static | ||
Ligne 85: | Ligne 85: | ||
bridge_fd 0 | bridge_fd 0 | ||
bridge_stp off | bridge_stp off | ||
- | address | + | address |
netmask 120 | netmask 120 | ||
Ligne 101: | Ligne 101: | ||
bridge_fd 0 | bridge_fd 0 | ||
bridge_stp off | bridge_stp off | ||
- | address ::ffff:c0a8:a01 | + | address |
netmask 120 | netmask 120 | ||
</ | </ | ||
+ | ==== Paramètres réseau et swap dans sysctl ==== | ||
+ | Dans ''/ | ||
+ | |||
+ | < | ||
+ | net.ipv4.conf.all.accept_redirects = 0 | ||
+ | net.ipv4.conf.all.rp_filter=1 | ||
+ | net.ipv4.conf.default.rp_filter=1 | ||
+ | net.ipv4.icmp_echo_ignore_broadcasts=1 | ||
+ | net.ipv4.ip_forward=1 | ||
+ | net.ipv6.conf.all.accept_dad=0 | ||
+ | net.ipv6.conf.all.accept_ra=0 | ||
+ | net.ipv6.conf.all.accept_ra_defrtr=0 | ||
+ | net.ipv6.conf.all.accept_ra_pinfo=0 | ||
+ | net.ipv6.conf.all.accept_ra_rtr_pref=0 | ||
+ | net.ipv6.conf.all.accept_redirects = 0 | ||
+ | net.ipv6.conf.all.accept_redirects=0 | ||
+ | net.ipv6.conf.all.accept_source_route=0 | ||
+ | net.ipv6.conf.all.autoconf=0 | ||
+ | net.ipv6.conf.all.forwarding=1 | ||
+ | net.ipv6.conf.default.accept_dad=0 | ||
+ | net.ipv6.conf.default.accept_ra=0 | ||
+ | net.ipv6.conf.default.accept_ra_defrtr=0 | ||
+ | net.ipv6.conf.default.accept_ra_pinfo=0 | ||
+ | net.ipv6.conf.default.accept_ra_rtr_pref=0 | ||
+ | net.ipv6.conf.default.accept_redirects=0 | ||
+ | net.ipv6.conf.default.accept_source_route=0 | ||
+ | net.ipv6.conf.default.autoconf=0 | ||
+ | vm.swappiness=0 | ||
+ | </ | ||
==== Routage et filtrage avec iptables ==== | ==== Routage et filtrage avec iptables ==== | ||
Ligne 112: | Ligne 141: | ||
Le paquet '' | Le paquet '' | ||
- | Le port SSH a été masqué. | ||
Il est bien sûr extrêmement important de sécuriser SSH : interdire le login root avec mot de passe, utiliser de bons algorithmes de chiffrement, | Il est bien sûr extrêmement important de sécuriser SSH : interdire le login root avec mot de passe, utiliser de bons algorithmes de chiffrement, | ||
- | Les règles concernant le réseau d' | + | Cela dit, pour information une configuration similaire à la suivante est en place : |
- | + | ||
- | Pour IPv4, dans ''/ | + | |
<code bash> | <code bash> | ||
+ | # / | ||
- | *nat | + | # Common parameters: |
+ | Port < | ||
+ | Port < | ||
+ | AcceptEnv LANG LC_* | ||
+ | ChallengeResponseAuthentication no | ||
+ | KbdInteractiveAuthentication no | ||
+ | PrintMotd no | ||
+ | PasswordAuthentication no | ||
+ | Subsystem sftp / | ||
+ | UsePAM yes | ||
+ | X11Forwarding no | ||
- | # Router le trafic Web vers le serveur web : | + | # Port < |
- | -A PREROUTING -d 159.69.59.13/32 -p tcp -m tcp --syn -m multiport --dports 80,443 -j DNAT --to-destination 192.168.10.5 | + | Match Address="< |
+ | AllowUsers root < | ||
- | # Router le mail envoi/réception vers le serveur mail : | + | # Port < |
- | -A PREROUTING -d 159.69.59.13/32 -p tcp -m tcp --syn -m multiport --dports 587,993,25 -j DNAT --to-destination 192.168.10.7 | + | Match LocalPort=< |
+ | AllowUsers < | ||
+ | </code> | ||
- | # Tests | + | Les règles concernant |
- | ## Router les ports des applications vers le serveur web : | + | |
- | #-A PREROUTING -d 159.69.59.13/32 -p tcp -m tcp --syn -m multiport --dports 1935, | + | |
- | # | + | |
- | ## Router le port 5868 vers le serveur audio pour Funkwhale : | + | |
- | #-A PREROUTING -d 159.69.59.13/ | + | |
- | # Router le 8484 pour Zabbix vers le serveur monitoring : | + | Pour IPv4, dans '' |
- | -A PREROUTING -d 159.69.59.13/ | + | |
- | + | ||
- | # Ne pas appliquer le masquerading sur le broadcast/ | + | |
- | -A POSTROUTING -s 192.168.10.0/ | + | |
- | -A POSTROUTING -s 192.168.10.0/ | + | |
- | + | ||
- | # Masquerading sur tous les ports dans le sens sortant (VM -> Internet) | + | |
- | -A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 | + | |
- | -A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 | + | |
- | -A POSTROUTING -s 192.168.10.0/ | + | |
+ | <code bash> | ||
+ | *nat | ||
+ | -A PREROUTING -d 159.69.59.13/ | ||
+ | -A PREROUTING -d 159.69.59.13/ | ||
+ | -A PREROUTING -d 159.69.59.13/ | ||
+ | -A POSTROUTING -s 192.168.10.0/ | ||
+ | -A POSTROUTING -s 192.168.10.0/ | ||
+ | -A POSTROUTING -s 192.168.10.0/ | ||
+ | -A POSTROUTING -s 192.168.10.0/ | ||
+ | -A POSTROUTING -s 192.168.10.0/ | ||
COMMIT | COMMIT | ||
- | |||
*filter | *filter | ||
- | + | -A INPUT -m conntrack --ctstate RELATED, | |
- | # Accepter le trafic basique : ICMP, boucle locale et connexions établies, en entrée : | + | -A INPUT -i lo -m comment --comment " |
- | -A INPUT -m conntrack --ctstate RELATED, | + | -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -m comment --comment "Accepter le trafic basique ICMP, en entrée" |
- | -A INPUT -i lo -j ACCEPT | + | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 22 -m comment --comment " |
- | -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT | + | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 1984 -m comment --comment "Accepter le SSH" -j ACCEPT |
- | + | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW -m multiport --dports 587, | |
- | # Accepter le SSH : | + | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 52365 -m comment --comment "Accepter le tunnel SSH vers le serveur web-01 sur le port 52365" -j ACCEPT |
- | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT | + | -A INPUT -i br2 -p udp -m udp -m multiport |
- | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 1984 -j ACCEPT | + | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 53 -m comment --comment " |
- | + | -A INPUT -i br2 -p tcp -m multiport --dport 2049 -m comment --comment "Bloquer les requêtes rpcbind/ | |
- | # Accepter | + | -A INPUT -i br2 -p tcp -m multiport --dport 111 -m comment --comment " |
- | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW -m multiport --dports 587,993,25 -j ACCEPT | + | -A INPUT -p tcp -s 127.0.0.1 --dport 111 -m comment --comment " |
- | + | -A INPUT -p udp --dport 111 -m comment --comment " | |
- | # Accepter le tunnel SSH vers le serveur web-01 sur le port 52365 : | + | -A INPUT -p tcp --dport 111 -m comment --comment " |
- | -A INPUT -p tcp -m tcp -m conntrack | + | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 10050 -m comment --comment " |
- | + | -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -m comment --comment "On refuse les trop nombreux ping" | |
- | # Accepter les requêtes DNS (port 53) depuis les VM : | + | -A INPUT -p icmp -m comment --comment "On refuse les trop nombreux ping" |
- | -A INPUT -i br2 -p udp -m udp -m multiport --dports 53 -j ACCEPT | + | -A INPUT -m conntrack --ctstate INVALID |
- | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 53 -j ACCEPT | + | -A INPUT -p tcp -m tcp -m comment --comment "On refuse tout le reste" |
- | + | -A INPUT -m comment --comment "On refuse tout le reste" | |
- | # Bloquer les requêtes rpcbind/ | + | -A FORWARD -d 192.168.10.0/ |
- | -A INPUT -i br2 -p tcp -m multiport --dport 2049 -j ACCEPT | + | -A FORWARD -s 192.168.10.0/ |
- | -A INPUT -i br2 -p tcp -m multiport --dport 111 -j ACCEPT | + | -A FORWARD -i br2 -o br2 -m comment --comment " |
- | -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT | + | -A FORWARD -d 192.168.10.5/ |
- | -A INPUT -p udp --dport 111 -j DROP | + | -A FORWARD -d 192.168.10.7/ |
- | -A INPUT -p tcp --dport 111 -j DROP | + | -A FORWARD -d 192.168.10.250/ |
- | + | -A INPUT -s 102.132.96.0/20 -m comment | |
- | # Accepter | + | -A INPUT -s 103.4.96.0/ |
- | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 10050 -j ACCEPT | + | -A INPUT -s 129.134.0.0/ |
- | + | -A INPUT -s 129.134.160.0/ | |
- | # On refuse les trop nombreux ping : | + | -A INPUT -s 129.134.25.0/ |
- | -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT | + | -A INPUT -s 129.134.26.0/ |
- | -A INPUT -p icmp -j DROP | + | -A INPUT -s 129.134.27.0/ |
- | + | -A INPUT -s 129.134.28.0/ | |
- | # On refuse tout le reste : | + | -A INPUT -s 129.134.29.0/ |
- | -A INPUT -m conntrack --ctstate INVALID -j DROP | + | -A INPUT -s 129.134.30.0/ |
- | -A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset | + | -A INPUT -s 129.134.31.0/ |
- | -A INPUT -j REJECT --reject-with icmp-port-unreachable | + | -A INPUT -s 139.223.200.130/ |
- | + | -A INPUT -s 157.240.0.0/ | |
- | # Accepter les connexions établies sur le LAN : | + | -A INPUT -s 157.240.192.0/ |
- | -A FORWARD -d 192.168.10.0/ | + | -A INPUT -s 157.240.195.0/ |
- | + | -A INPUT -s 157.240.196.0/ | |
- | # Accepter | + | -A INPUT -s 157.240.197.0/ |
- | -A FORWARD -s 192.168.10.0/ | + | -A INPUT -s 157.240.198.0/ |
- | + | -A INPUT -s 157.240.199.0/ | |
- | # Accepter le trafic | + | -A INPUT -s 157.240.200.0/ |
- | -A FORWARD -i br2 -o br2 -j ACCEPT | + | -A INPUT -s 157.240.201.0/ |
- | + | -A INPUT -s 157.240.202.0/ | |
- | # Accepter les paquets redirigés vers des ports particuliers pour le Web vers le serveur web : | + | -A INPUT -s 157.240.203.0/ |
- | -A FORWARD -d 192.168.10.5/ | + | -A INPUT -s 157.240.204.0/ |
- | + | -A INPUT -s 157.240.205.0/ | |
- | # Accepter les paquets redirigés vers des ports particuliers pour le mail vers le serveur | + | -A INPUT -s 157.240.207.0/ |
- | -A FORWARD -d 192.168.10.7/ | + | -A INPUT -s 157.240.208.0/ |
- | + | -A INPUT -s 157.240.209.0/ | |
- | # Accepter les paquets redirigés vers des ports particuliers pour le monitoring | + | -A INPUT -s 157.240.210.0/ |
- | -A FORWARD -d 192.168.10.250/ | + | -A INPUT -s 157.240.211.0/ |
- | + | -A INPUT -s 157.240.212.0/ | |
- | # Tests | + | -A INPUT -s 157.240.214.0/ |
- | ## Accepter les paquets redirigés vers des ports particuliers vers le serveur web : | + | -A INPUT -s 157.240.215.0/ |
- | #-A FORWARD -d 192.168.10.5/ | + | -A INPUT -s 157.240.216.0/ |
- | # | + | -A INPUT -s 157.240.217.0/ |
- | ## Accepter les paquets redirigés vers des ports particuliers pour funkwhale service 5868 vers le serveur | + | -A INPUT -s 157.240.218.0/ |
- | #-A FORWARD | + | -A INPUT -s 157.240.22.0/ |
- | + | -A INPUT -s 157.240.221.0/ | |
- | # On bloque TOUT le trafic en provenance de Meta/ | + | -A INPUT -s 157.240.222.0/ |
- | -A INPUT -s 102.132.96.0/ | + | -A INPUT -s 157.240.223.0/ |
- | -A INPUT -s 103.4.96.0/ | + | -A INPUT -s 157.240.224.0/ |
- | -A INPUT -s 129.134.0.0/ | + | -A INPUT -s 157.240.225.0/ |
- | -A INPUT -s 129.134.160.0/ | + | -A INPUT -s 157.240.226.0/ |
- | -A INPUT -s 129.134.25.0/ | + | -A INPUT -s 157.240.227.0/ |
- | -A INPUT -s 129.134.26.0/ | + | -A INPUT -s 157.240.228.0/ |
- | -A INPUT -s 129.134.27.0/ | + | -A INPUT -s 157.240.229.0/ |
- | -A INPUT -s 129.134.28.0/ | + | -A INPUT -s 157.240.23.0/ |
- | -A INPUT -s 129.134.29.0/ | + | -A INPUT -s 157.240.231.0/ |
- | -A INPUT -s 129.134.30.0/ | + | -A INPUT -s 157.240.232.0/ |
- | -A INPUT -s 129.134.31.0/ | + | -A INPUT -s 157.240.233.0/ |
- | -A INPUT -s 139.223.200.130/ | + | -A INPUT -s 157.240.234.0/ |
- | -A INPUT -s 157.240.0.0/ | + | -A INPUT -s 157.240.235.0/ |
- | -A INPUT -s 157.240.192.0/ | + | -A INPUT -s 157.240.236.0/ |
- | -A INPUT -s 157.240.195.0/ | + | -A INPUT -s 157.240.237.0/ |
- | -A INPUT -s 157.240.196.0/ | + | -A INPUT -s 157.240.238.0/ |
- | -A INPUT -s 157.240.197.0/ | + | -A INPUT -s 157.240.239.0/ |
- | -A INPUT -s 157.240.198.0/ | + | -A INPUT -s 157.240.240.0/ |
- | -A INPUT -s 157.240.199.0/ | + | -A INPUT -s 157.240.24.0/ |
- | -A INPUT -s 157.240.200.0/ | + | -A INPUT -s 157.240.241.0/ |
- | -A INPUT -s 157.240.201.0/ | + | -A INPUT -s 157.240.242.0/ |
- | -A INPUT -s 157.240.202.0/ | + | -A INPUT -s 157.240.243.0/ |
- | -A INPUT -s 157.240.203.0/ | + | -A INPUT -s 157.240.244.0/ |
- | -A INPUT -s 157.240.204.0/ | + | -A INPUT -s 157.240.245.0/ |
- | -A INPUT -s 157.240.205.0/ | + | -A INPUT -s 157.240.247.0/ |
- | -A INPUT -s 157.240.207.0/ | + | -A INPUT -s 157.240.249.0/ |
- | -A INPUT -s 157.240.208.0/ | + | -A INPUT -s 157.240.250.0/ |
- | -A INPUT -s 157.240.209.0/ | + | -A INPUT -s 157.240.25.0/ |
- | -A INPUT -s 157.240.210.0/ | + | -A INPUT -s 157.240.251.0/ |
- | -A INPUT -s 157.240.211.0/ | + | -A INPUT -s 157.240.252.0/ |
- | -A INPUT -s 157.240.212.0/ | + | -A INPUT -s 157.240.253.0/ |
- | -A INPUT -s 157.240.214.0/ | + | -A INPUT -s 157.240.254.0/ |
- | -A INPUT -s 157.240.215.0/ | + | -A INPUT -s 157.240.26.0/ |
- | -A INPUT -s 157.240.216.0/ | + | -A INPUT -s 157.240.27.0/ |
- | -A INPUT -s 157.240.217.0/ | + | -A INPUT -s 157.240.28.0/ |
- | -A INPUT -s 157.240.218.0/ | + | -A INPUT -s 157.240.29.0/ |
- | -A INPUT -s 157.240.22.0/ | + | -A INPUT -s 157.240.30.0/ |
- | -A INPUT -s 157.240.221.0/ | + | -A INPUT -s 157.240.3.0/ |
- | -A INPUT -s 157.240.222.0/ | + | -A INPUT -s 157.240.31.0/ |
- | -A INPUT -s 157.240.223.0/ | + | -A INPUT -s 157.240.5.0/ |
- | -A INPUT -s 157.240.224.0/ | + | -A INPUT -s 157.240.6.0/ |
- | -A INPUT -s 157.240.225.0/ | + | -A INPUT -s 157.240.7.0/ |
- | -A INPUT -s 157.240.226.0/ | + | -A INPUT -s 157.240.8.0/ |
- | -A INPUT -s 157.240.227.0/ | + | -A INPUT -s 157.240.9.0/ |
- | -A INPUT -s 157.240.228.0/ | + | -A INPUT -s 162.254.207.51/ |
- | -A INPUT -s 157.240.229.0/ | + | -A INPUT -s 162.255.119.207/ |
- | -A INPUT -s 157.240.23.0/ | + | -A INPUT -s 172.67.135.213/ |
- | -A INPUT -s 157.240.231.0/ | + | -A INPUT -s 173.252.64.0/ |
- | -A INPUT -s 157.240.232.0/ | + | -A INPUT -s 179.60.192.0/ |
- | -A INPUT -s 157.240.233.0/ | + | -A INPUT -s 185.199.108.153/ |
- | -A INPUT -s 157.240.234.0/ | + | -A INPUT -s 185.199.111.153/ |
- | -A INPUT -s 157.240.235.0/ | + | -A INPUT -s 185.60.216.0/ |
- | -A INPUT -s 157.240.236.0/ | + | -A INPUT -s 198.54.117.211/ |
- | -A INPUT -s 157.240.237.0/ | + | -A INPUT -s 204.15.20.0/ |
- | -A INPUT -s 157.240.238.0/ | + | -A INPUT -s 27.124.125.189/ |
- | -A INPUT -s 157.240.239.0/ | + | -A INPUT -s 31.13.24.0/ |
- | -A INPUT -s 157.240.240.0/ | + | -A INPUT -s 31.13.64.0/ |
- | -A INPUT -s 157.240.24.0/ | + | -A INPUT -s 34.117.168.233/ |
- | -A INPUT -s 157.240.241.0/ | + | -A INPUT -s 37.9.175.187/ |
- | -A INPUT -s 157.240.242.0/ | + | -A INPUT -s 45.130.41.7/ |
- | -A INPUT -s 157.240.243.0/ | + | -A INPUT -s 45.64.40.0/ |
- | -A INPUT -s 157.240.244.0/ | + | -A INPUT -s 45.91.92.164/ |
- | -A INPUT -s 157.240.245.0/ | + | -A INPUT -s 54.81.116.232/ |
- | -A INPUT -s 157.240.247.0/ | + | -A INPUT -s 61.9.242.43/ |
- | -A INPUT -s 157.240.249.0/ | + | -A INPUT -s 64.225.91.73/ |
- | -A INPUT -s 157.240.250.0/ | + | -A INPUT -s 66.220.144.0/ |
- | -A INPUT -s 157.240.25.0/ | + | -A INPUT -s 69.171.224.0/ |
- | -A INPUT -s 157.240.251.0/ | + | -A INPUT -s 74.119.76.0/ |
- | -A INPUT -s 157.240.252.0/ | + | -A INPUT -s 89.223.68.248/ |
- | -A INPUT -s 157.240.253.0/ | + | -A FORWARD -i br2 -m comment --comment " |
- | -A INPUT -s 157.240.254.0/ | + | -A FORWARD -o br2 -m comment --comment " |
- | -A INPUT -s 157.240.26.0/ | + | |
- | -A INPUT -s 157.240.27.0/ | + | |
- | -A INPUT -s 157.240.28.0/ | + | |
- | -A INPUT -s 157.240.29.0/ | + | |
- | -A INPUT -s 157.240.30.0/ | + | |
- | -A INPUT -s 157.240.3.0/ | + | |
- | -A INPUT -s 157.240.31.0/ | + | |
- | -A INPUT -s 157.240.5.0/ | + | |
- | -A INPUT -s 157.240.6.0/ | + | |
- | -A INPUT -s 157.240.7.0/ | + | |
- | -A INPUT -s 157.240.8.0/ | + | |
- | -A INPUT -s 157.240.9.0/ | + | |
- | -A INPUT -s 162.254.207.51/ | + | |
- | -A INPUT -s 162.255.119.207/ | + | |
- | -A INPUT -s 172.67.135.213/ | + | |
- | -A INPUT -s 173.252.64.0/ | + | |
- | -A INPUT -s 179.60.192.0/ | + | |
- | -A INPUT -s 185.199.108.153/ | + | |
- | -A INPUT -s 185.199.111.153/ | + | |
- | -A INPUT -s 185.60.216.0/ | + | |
- | -A INPUT -s 198.54.117.211/ | + | |
- | -A INPUT -s 204.15.20.0/ | + | |
- | -A INPUT -s 27.124.125.189/ | + | |
- | -A INPUT -s 31.13.24.0/ | + | |
- | -A INPUT -s 31.13.64.0/ | + | |
- | -A INPUT -s 34.117.168.233/ | + | |
- | -A INPUT -s 37.9.175.187/ | + | |
- | -A INPUT -s 45.130.41.7/ | + | |
- | -A INPUT -s 45.64.40.0/ | + | |
- | -A INPUT -s 45.91.92.164/ | + | |
- | -A INPUT -s 54.81.116.232/ | + | |
- | -A INPUT -s 61.9.242.43/ | + | |
- | -A INPUT -s 64.225.91.73/ | + | |
- | -A INPUT -s 66.220.144.0/ | + | |
- | -A INPUT -s 69.171.224.0/ | + | |
- | -A INPUT -s 74.119.76.0/ | + | |
- | -A INPUT -s 89.223.68.248/ | + | |
- | + | ||
- | # Rejeter tout le reste : | + | |
- | -A FORWARD -i br2 -j REJECT --reject-with icmp-port-unreachable | + | |
- | -A FORWARD -o br2 -j REJECT --reject-with icmp-port-unreachable | + | |
COMMIT | COMMIT | ||
- | |||
</ | </ | ||
Ligne 337: | Ligne 328: | ||
<code bash> | <code bash> | ||
- | |||
- | *nat | ||
- | |||
- | # Router le Web vers le serveur web : | ||
- | -A PREROUTING -d 2a01: | ||
- | |||
- | # Router le mail envoi/ | ||
- | -A PREROUTING -d 2a01: | ||
- | |||
- | # Tests | ||
- | ## Router les ports des applications vers le serveur web : | ||
- | #-A PREROUTING -d 2a01: | ||
- | # | ||
- | ## Router le port 5868 pour Funkwhale vers le serveur audio : | ||
- | #-A PREROUTING -d 2a01: | ||
- | |||
- | ## Router le 8484 pour Zabbix vers le serveur monitoring (inactif, pas d'IPv6 pour l' | ||
- | #-A PREROUTING -d 2a01: | ||
- | |||
- | # Masquerading sur tous les ports dans le sens sortant (VM -> Internet) | ||
- | -A POSTROUTING -s :: | ||
- | -A POSTROUTING -s :: | ||
- | -A POSTROUTING -s :: | ||
- | |||
- | COMMIT | ||
- | |||
*filter | *filter | ||
- | + | -A INPUT -m conntrack --ctstate RELATED, | |
- | # Accepter le trafic basique : ICMP, boucle locale et connexionx | + | -A INPUT -i lo -m comment --comment " |
- | -A INPUT -m conntrack --ctstate RELATED, | + | -A INPUT ! -i lo -d :: |
- | -A INPUT -i lo -j ACCEPT | + | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 22 -m comment --comment " |
- | -A INPUT ! -i lo -d ::1/128 -j REJECT | + | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 1984 -m comment --comment "Accepter le SSH" |
- | + | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 52365 -m comment --comment " | |
- | # Accepter le SSH : | + | -A INPUT -i br2 -p udp -m udp -m multiport --dports 53 -m comment --comment " |
- | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 22 -j ACCEPT | + | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 53 -m comment --comment " |
- | -A INPUT -p tcp -m tcp --syn -m conntrack --ctstate NEW --dport 1984 -j ACCEPT | + | -A INPUT -i br2 -p tcp -m multiport --dport 2049 -m comment --comment " |
- | + | -A INPUT -i br2 -p tcp -m multiport --dport 111 -m comment --comment " | |
- | # Accepter le tunnel | + | -A INPUT -p tcp -s :: |
- | -A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 52365 -j ACCEPT | + | -A INPUT -p udp --dport 111 -m comment --comment " |
- | + | -A INPUT -p tcp --dport 111 -m comment --comment " | |
- | # Accepter les requêtes DNS (port 53) depuis les VM : | + | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 10050 -m comment --comment " |
- | -A INPUT -i br2 -p udp -m udp -m multiport --dports 53 -j ACCEPT | + | -A INPUT -p icmpv6 --icmpv6-type parameter-problem |
- | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 53 -j ACCEPT | + | -A INPUT -p icmpv6 --icmpv6-type echo-request |
- | + | -A INPUT -p icmpv6 --icmpv6-type echo-reply | |
- | # Bloquer | + | -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -m comment --comment "On accepte l' |
- | -A INPUT -i br2 -p tcp -m multiport --dport 2049 -j ACCEPT | + | -A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -m comment --comment "On accepte l' |
- | -A INPUT -i br2 -p tcp -m multiport --dport 111 -j ACCEPT | + | -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -m comment --comment "On accepte l' |
- | -A INPUT -p tcp -s :: | + | -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -m comment --comment "On accepte l' |
- | -A INPUT -p udp --dport 111 -j DROP | + | -A INPUT -p icmpv6 --icmpv6-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -m comment --comment "On refuse les trop nombreux ping" |
- | -A INPUT -p tcp --dport 111 -j DROP | + | -A INPUT -p icmpv6 --icmpv6-type echo-request -m comment --comment "On refuse |
- | + | -A INPUT -m conntrack --ctstate INVALID | |
- | # Accepter | + | -A INPUT -m comment --comment "On refuse tout le reste en entrée" |
- | -A INPUT -i br2 -p tcp -m tcp -m multiport --dports 10050 -j ACCEPT | + | -A FORWARD -d 2a01:4f8:231:aa6::/64 -o br2 -m conntrack --ctstate RELATED, |
- | + | -A FORWARD -s 2a01:4f8:231:aa6::/64 -i br2 -m comment --comment "Accepter le trafic | |
- | # On accepte l' | + | -A FORWARD -i br2 -o br2 -m comment --comment " |
- | -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT | + | -A FORWARD -d 2a01:4f8:231:aa6:: |
- | -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT | + | -A FORWARD -d 2a01:4f8:231:aa6:: |
- | -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT | + | -A FORWARD -d 2a01:4f8:231:aa6:: |
- | -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT | + | -A INPUT -s 2620:0:1c00::/40 -m comment |
- | -A INPUT -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT | + | -A INPUT -s 2620: |
- | -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT | + | -A INPUT -s 2a03: |
- | -A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT | + | -A INPUT -s 2a03: |
- | + | -A INPUT -s 2a03: | |
- | # On refuse les trop nombreux ping : | + | -A INPUT -s 2a03: |
- | -A INPUT -p icmpv6 --icmpv6-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT | + | -A INPUT -s 2a03: |
- | -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP | + | -A INPUT -s 2a03: |
- | + | -A INPUT -s 2a03: | |
- | # On refuse | + | -A INPUT -s 2a03: |
- | -A INPUT -m conntrack --ctstate INVALID -j DROP | + | -A INPUT -s 2a03: |
- | -A INPUT -j REJECT | + | -A INPUT -s 2a03: |
- | + | -A INPUT -s 2a03: | |
- | # Accepter les connexions établies sur le LAN : | + | -A INPUT -s 2a03: |
- | -A FORWARD -d ::ffff:c0a8:a00/64 -o br2 -m conntrack --ctstate RELATED, | + | -A INPUT -s 2a03: |
- | + | -A INPUT -s 2a03: | |
- | # Accepter | + | -A INPUT -s 2a03: |
- | -A FORWARD -s ::ffff:c0a8:a00/64 -i br2 -j ACCEPT | + | -A INPUT -s 2a03: |
- | + | -A INPUT -s 2a03: | |
- | # Accepter le trafic | + | -A INPUT -s 2a03: |
- | -A FORWARD -i br2 -o br2 -j ACCEPT | + | -A INPUT -s 2a03: |
- | + | -A INPUT -s 2a03: | |
- | # Accepter les paquets redirigés vers des ports particuliers pour le Web vers le serveur web : | + | -A INPUT -s 2a03: |
- | -A FORWARD -d ::ffff:c0a8:a05 -o br2 -p tcp -m tcp --syn -m conntrack --ctstate NEW -m multiport --dports 80,443 -j ACCEPT | + | -A INPUT -s 2a03: |
- | + | -A INPUT -s 2a03: | |
- | # Accepter les paquets redirigés vers des ports particuliers pour le mail vers le serveur | + | -A INPUT -s 2a03: |
- | -A FORWARD -d ::ffff:c0a8:a05 -o br2 -p tcp -m tcp --syn -m conntrack --ctstate NEW -m multiport --dports 587,993,25 -j ACCEPT | + | -A INPUT -s 2c0f: |
- | + | -A INPUT -s 2c0f: | |
- | # Tests | + | -A INPUT -s 2c0f: |
- | ## Accepter les paquets redirigés vers des ports particuliers vers le serveur | + | -A INPUT -s 2c0f: |
- | #-A FORWARD -d :: | + | -A INPUT -s 2c0f: |
- | # | + | -A INPUT -s 2c0f: |
- | ## Accepter les paquets redirigés vers des ports particuliers pour funkwhale service 5868 vers le serveur audio : | + | -A INPUT -s 2c0f: |
- | #-A FORWARD -d ::ffff:c0a8:a09 -o br2 -p tcp -m tcp --syn -m conntrack --ctstate NEW -m multiport --dports | + | -A INPUT -s 2c0f: |
- | + | -A FORWARD -i br2 -m comment --comment " | |
- | # Pas d'IPv6 pour le moment, inactif : | + | -A FORWARD -o br2 -m comment --comment " |
- | ## Accepter les paquets redirigés vers des ports particuliers pour Zabbix tcp 8484 vers le serveur monitoring | + | |
- | #-A FORWARD | + | |
- | + | ||
- | # On bloque TOUT le trafic en provenance de Meta/ | + | |
- | -A INPUT -s 2620: | + | |
- | -A INPUT -s 2620: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2a03: | + | |
- | -A INPUT -s 2c0f: | + | |
- | -A INPUT -s 2c0f: | + | |
- | -A INPUT -s 2c0f: | + | |
- | -A INPUT -s 2c0f: | + | |
- | -A INPUT -s 2c0f: | + | |
- | -A INPUT -s 2c0f: | + | |
- | -A INPUT -s 2c0f: | + | |
- | -A INPUT -s 2c0f: | + | |
- | + | ||
- | # Rejeter tout le reste : | + | |
- | -A FORWARD -i br2 -j REJECT | + | |
- | -A FORWARD -o br2 -j REJECT | + | |
COMMIT | COMMIT | ||
- | |||
</ | </ | ||
==== Paquets installés ==== | ==== Paquets installés ==== | ||
Ligne 494: | Ligne 415: | ||
apt-utils | apt-utils | ||
at | at | ||
- | augeas-lenses | + | at-spi2-common |
base-files | base-files | ||
base-passwd | base-passwd | ||
Ligne 518: | Ligne 439: | ||
cpp | cpp | ||
cpp-10 | cpp-10 | ||
+ | cpp-12 | ||
cron | cron | ||
+ | cron-daemon-common | ||
cryptsetup | cryptsetup | ||
cryptsetup-bin | cryptsetup-bin | ||
Ligne 525: | Ligne 448: | ||
dash | dash | ||
dbus | dbus | ||
+ | dbus-bin | ||
+ | dbus-daemon | ||
+ | dbus-session-bus-common | ||
+ | dbus-system-bus-common | ||
dbus-user-session | dbus-user-session | ||
dconf-gsettings-backend: | dconf-gsettings-backend: | ||
dconf-service | dconf-service | ||
- | dctrl-tools | ||
debconf | debconf | ||
debconf-i18n | debconf-i18n | ||
Ligne 561: | Ligne 487: | ||
gcc-10 | gcc-10 | ||
gcc-10-base: | gcc-10-base: | ||
+ | gcc-11-base: | ||
+ | gcc-12 | ||
+ | gcc-12-base: | ||
gcc-9-base: | gcc-9-base: | ||
gdisk | gdisk | ||
gettext-base | gettext-base | ||
- | glib-networking: | ||
- | glib-networking-common | ||
- | glib-networking-services | ||
gpgv | gpgv | ||
grep | grep | ||
Ligne 575: | Ligne 501: | ||
grub-efi-amd64-bin | grub-efi-amd64-bin | ||
grub-pc-bin | grub-pc-bin | ||
- | gsettings-desktop-schemas | ||
gtk-update-icon-cache | gtk-update-icon-cache | ||
gzip | gzip | ||
Ligne 583: | Ligne 508: | ||
iftop | iftop | ||
ifupdown | ifupdown | ||
+ | inetutils-telnet | ||
init | init | ||
initramfs-tools | initramfs-tools | ||
Ligne 589: | Ligne 515: | ||
intel-microcode | intel-microcode | ||
iotop | iotop | ||
+ | ipcalc-ng | ||
iproute2 | iproute2 | ||
iptables | iptables | ||
Ligne 611: | Ligne 538: | ||
libargon2-1: | libargon2-1: | ||
libasan6: | libasan6: | ||
+ | libasan8: | ||
libasound2: | libasound2: | ||
libasound2-data | libasound2-data | ||
libasyncns0: | libasyncns0: | ||
libatk1.0-0: | libatk1.0-0: | ||
- | libatk1.0-data | ||
libatk-bridge2.0-0: | libatk-bridge2.0-0: | ||
libatomic1: | libatomic1: | ||
Ligne 622: | Ligne 549: | ||
libaudit1: | libaudit1: | ||
libaudit-common | libaudit-common | ||
- | libaugeas0: | ||
libavahi-client3: | libavahi-client3: | ||
libavahi-common3: | libavahi-common3: | ||
Ligne 630: | Ligne 556: | ||
libboost-iostreams1.74.0: | libboost-iostreams1.74.0: | ||
libbpf0: | libbpf0: | ||
+ | libbpf1: | ||
libbrlapi0.8: | libbrlapi0.8: | ||
libbrotli1: | libbrotli1: | ||
Ligne 644: | Ligne 571: | ||
libcapstone4: | libcapstone4: | ||
libc-bin | libc-bin | ||
- | libcbor0: | + | libcbor0.8:amd64 |
libcc1-0: | libcc1-0: | ||
libc-dev-bin | libc-dev-bin | ||
Ligne 665: | Ligne 592: | ||
libdconf1: | libdconf1: | ||
libdebconfclient0: | libdebconfclient0: | ||
+ | libdecor-0-0: | ||
libdeflate0: | libdeflate0: | ||
libdevmapper1.02.1: | libdevmapper1.02.1: | ||
Ligne 672: | Ligne 600: | ||
libdpkg-perl | libdpkg-perl | ||
libdrm2: | libdrm2: | ||
+ | libdrm-amdgpu1: | ||
libdrm-common | libdrm-common | ||
+ | libdrm-intel1: | ||
+ | libdrm-nouveau2: | ||
+ | libdrm-radeon1: | ||
+ | libduktape207: | ||
libdw1: | libdw1: | ||
libedit2: | libedit2: | ||
Ligne 680: | Ligne 613: | ||
libepoxy0: | libepoxy0: | ||
libestr0: | libestr0: | ||
- | libevent-2.1-7: | + | libevent-core-2.1-7: |
libexecs0: | libexecs0: | ||
libexpat1: | libexpat1: | ||
Ligne 688: | Ligne 621: | ||
libfdt1: | libfdt1: | ||
libffi7: | libffi7: | ||
+ | libffi8: | ||
libfido2-1: | libfido2-1: | ||
- | libfl2: | + | libfile-find-rule-perl |
- | libflac8:amd64 | + | libflac12:amd64 |
libfontconfig1: | libfontconfig1: | ||
libfreetype6: | libfreetype6: | ||
Ligne 696: | Ligne 630: | ||
libfstrm0: | libfstrm0: | ||
libfuse2: | libfuse2: | ||
+ | libfuse3-3: | ||
libgbm1: | libgbm1: | ||
libgcc-10-dev: | libgcc-10-dev: | ||
+ | libgcc-12-dev: | ||
libgcc-s1: | libgcc-s1: | ||
libgcrypt20: | libgcrypt20: | ||
Ligne 704: | Ligne 640: | ||
libgdk-pixbuf-2.0-0: | libgdk-pixbuf-2.0-0: | ||
libgdk-pixbuf2.0-common | libgdk-pixbuf2.0-common | ||
+ | libgl1: | ||
+ | libgl1-mesa-dri: | ||
+ | libglapi-mesa: | ||
libglib2.0-0: | libglib2.0-0: | ||
+ | libglvnd0: | ||
+ | libglx0: | ||
+ | libglx-mesa0: | ||
libgmp10: | libgmp10: | ||
libgnutls30: | libgnutls30: | ||
Ligne 710: | Ligne 652: | ||
libgpg-error0: | libgpg-error0: | ||
libgpm2: | libgpm2: | ||
+ | libgprofng0: | ||
libgraphite2-3: | libgraphite2-3: | ||
libgssapi-krb5-2: | libgssapi-krb5-2: | ||
Ligne 719: | Ligne 662: | ||
libhogweed6: | libhogweed6: | ||
libibverbs1: | libibverbs1: | ||
- | libicu67:amd64 | + | libicu72:amd64 |
libidn2-0: | libidn2-0: | ||
libinih1: | libinih1: | ||
Ligne 727: | Ligne 670: | ||
libisl23: | libisl23: | ||
libitm1: | libitm1: | ||
+ | libjack-jackd2-0: | ||
libjansson4: | libjansson4: | ||
libjbig0: | libjbig0: | ||
+ | libjemalloc2: | ||
libjpeg62-turbo: | libjpeg62-turbo: | ||
libjson-c5: | libjson-c5: | ||
- | libjson-glib-1.0-0: | ||
- | libjson-glib-1.0-common | ||
libk5crypto3: | libk5crypto3: | ||
libkeyutils1: | libkeyutils1: | ||
Ligne 740: | Ligne 683: | ||
libkrb5support0: | libkrb5support0: | ||
liblcms2-2: | liblcms2-2: | ||
- | libldap-2.4-2:amd64 | + | libldap-2.5-0:amd64 |
libldap-common | libldap-common | ||
+ | liblerc4: | ||
+ | libllvm15: | ||
liblmdb0: | liblmdb0: | ||
liblocale-gettext-perl | liblocale-gettext-perl | ||
Ligne 757: | Ligne 702: | ||
libmnl0: | libmnl0: | ||
libmount1: | libmount1: | ||
+ | libmp3lame0: | ||
libmpc3: | libmpc3: | ||
- | libmpdec3: | ||
libmpfr6: | libmpfr6: | ||
+ | libmpg123-0: | ||
libncurses6: | libncurses6: | ||
libncursesw6: | libncursesw6: | ||
libndctl6: | libndctl6: | ||
- | libnetcf1: | ||
libnetfilter-conntrack3: | libnetfilter-conntrack3: | ||
libnettle8: | libnettle8: | ||
libnewt0.52: | libnewt0.52: | ||
libnfnetlink0: | libnfnetlink0: | ||
- | libnfsidmap2:amd64 | + | libnfsidmap1:amd64 |
libnftables1: | libnftables1: | ||
libnftnl11: | libnftnl11: | ||
Ligne 781: | Ligne 726: | ||
libnss-systemd: | libnss-systemd: | ||
libnuma1: | libnuma1: | ||
+ | libnumber-compare-perl | ||
libnvpair3linux | libnvpair3linux | ||
libogg0: | libogg0: | ||
Ligne 801: | Ligne 747: | ||
libpcre3: | libpcre3: | ||
libpcsclite1: | libpcsclite1: | ||
- | libperl5.32:amd64 | + | libperl5.36:amd64 |
libpipeline1: | libpipeline1: | ||
libpixman-1-0: | libpixman-1-0: | ||
Ligne 809: | Ligne 755: | ||
libpolkit-gobject-1-0: | libpolkit-gobject-1-0: | ||
libpopt0: | libpopt0: | ||
+ | libproc2-0: | ||
libprocps8: | libprocps8: | ||
libprotobuf-c1: | libprotobuf-c1: | ||
- | libproxy1v5: | ||
libpsl5: | libpsl5: | ||
libpulse0: | libpulse0: | ||
- | libpython3.9-minimal: | + | libpython3.11-minimal: |
- | libpython3.9-stdlib: | + | libpython3.11-stdlib: |
libpython3-stdlib: | libpython3-stdlib: | ||
libquadmath0: | libquadmath0: | ||
librdmacm1: | librdmacm1: | ||
libreadline8: | libreadline8: | ||
- | librest-0.7-0: | ||
librtmp1: | librtmp1: | ||
+ | libsamplerate0: | ||
libsasl2-2: | libsasl2-2: | ||
libsasl2-modules: | libsasl2-modules: | ||
libsasl2-modules-db: | libsasl2-modules-db: | ||
+ | libsdl2-2.0-0: | ||
libseccomp2: | libseccomp2: | ||
libselinux1: | libselinux1: | ||
- | libsemanage1:amd64 | + | libsemanage2:amd64 |
libsemanage-common | libsemanage-common | ||
libsensors5: | libsensors5: | ||
libsensors-config | libsensors-config | ||
libsepol1: | libsepol1: | ||
+ | libsepol2: | ||
libsigc++-2.0-0v5: | libsigc++-2.0-0v5: | ||
libslang2: | libslang2: | ||
Ligne 837: | Ligne 785: | ||
libsmartcols1: | libsmartcols1: | ||
libsndfile1: | libsndfile1: | ||
- | libsoup2.4-1:amd64 | + | libsndio7.0:amd64 |
- | libsoup-gnome2.4-1:amd64 | + | libsodium23:amd64 |
libspice-server1: | libspice-server1: | ||
libsqlite3-0: | libsqlite3-0: | ||
libss2: | libss2: | ||
libssh2-1: | libssh2-1: | ||
+ | libssh-4: | ||
libssl1.1: | libssl1.1: | ||
+ | libssl3: | ||
libstdc++6: | libstdc++6: | ||
libsystemd0: | libsystemd0: | ||
+ | libsystemd-shared: | ||
libtasn1-6: | libtasn1-6: | ||
- | libtext-charwidth-perl | + | libtext-charwidth-perl: |
- | libtext-iconv-perl | + | libtext-glob-perl |
+ | libtext-iconv-perl:amd64 | ||
libtext-wrapi18n-perl | libtext-wrapi18n-perl | ||
libthai0: | libthai0: | ||
libthai-data | libthai-data | ||
- | libtiff5:amd64 | + | libtiff6:amd64 |
libtinfo6: | libtinfo6: | ||
libtirpc3: | libtirpc3: | ||
Ligne 858: | Ligne 810: | ||
libtirpc-dev: | libtirpc-dev: | ||
libtsan0: | libtsan0: | ||
+ | libtsan2: | ||
libubsan1: | libubsan1: | ||
libuchardet0: | libuchardet0: | ||
Ligne 863: | Ligne 816: | ||
libunistring2: | libunistring2: | ||
libunwind8: | libunwind8: | ||
- | liburing1:amd64 | + | liburcu8:amd64 |
- | libusb-0.1-4:amd64 | + | liburing2:amd64 |
libusb-1.0-0: | libusb-1.0-0: | ||
libusbredirparser1: | libusbredirparser1: | ||
Ligne 870: | Ligne 823: | ||
libuutil3linux | libuutil3linux | ||
libuv1: | libuv1: | ||
- | libvdeplug2 | + | libva2: |
+ | libva-drm2: | ||
+ | libvdeplug2:amd64 | ||
libvirglrenderer1: | libvirglrenderer1: | ||
libvirt0: | libvirt0: | ||
Ligne 884: | Ligne 839: | ||
libvte-2.91-0: | libvte-2.91-0: | ||
libvte-2.91-common | libvte-2.91-common | ||
+ | libvulkan1: | ||
libwayland-client0: | libwayland-client0: | ||
libwayland-cursor0: | libwayland-cursor0: | ||
libwayland-egl1: | libwayland-egl1: | ||
libwayland-server0: | libwayland-server0: | ||
- | libwebp6:amd64 | + | libwebp7:amd64 |
libwrap0: | libwrap0: | ||
libx11-6: | libx11-6: | ||
libx11-data | libx11-data | ||
+ | libx11-xcb1: | ||
libxapian30: | libxapian30: | ||
libxau6: | libxau6: | ||
libxcb1: | libxcb1: | ||
+ | libxcb-dri2-0: | ||
+ | libxcb-dri3-0: | ||
+ | libxcb-glx0: | ||
+ | libxcb-present0: | ||
+ | libxcb-randr0: | ||
libxcb-render0: | libxcb-render0: | ||
libxcb-shm0: | libxcb-shm0: | ||
+ | libxcb-sync1: | ||
+ | libxcb-xfixes0: | ||
libxcomposite1: | libxcomposite1: | ||
libxcursor1: | libxcursor1: | ||
libxdamage1: | libxdamage1: | ||
libxdmcp6: | libxdmcp6: | ||
- | libxencall1: | ||
- | libxendevicemodel1: | ||
- | libxenevtchn1: | ||
- | libxenforeignmemory1: | ||
- | libxengnttab1: | ||
- | libxenhypfs1: | ||
- | libxenmisc4.14: | ||
- | libxenstore3.0: | ||
- | libxentoolcore1: | ||
- | libxentoollog1: | ||
libxext6: | libxext6: | ||
libxfixes3: | libxfixes3: | ||
Ligne 919: | Ligne 873: | ||
libxrandr2: | libxrandr2: | ||
libxrender1: | libxrender1: | ||
- | libxslt1.1:amd64 | + | libxshmfence1: |
+ | libxss1:amd64 | ||
libxtables12: | libxtables12: | ||
+ | libxxf86vm1: | ||
libxxhash0: | libxxhash0: | ||
libyajl2: | libyajl2: | ||
+ | libz3-4: | ||
libzfs4linux | libzfs4linux | ||
- | libzpool4linux | + | libzpool5linux |
libzstd1: | libzstd1: | ||
linux-base | linux-base | ||
linux-compiler-gcc-10-x86 | linux-compiler-gcc-10-x86 | ||
+ | linux-compiler-gcc-12-x86 | ||
linux-headers-5.10.0-15-amd64 | linux-headers-5.10.0-15-amd64 | ||
linux-headers-5.10.0-15-common | linux-headers-5.10.0-15-common | ||
linux-headers-5.10.0-16-amd64 | linux-headers-5.10.0-16-amd64 | ||
linux-headers-5.10.0-16-common | linux-headers-5.10.0-16-common | ||
- | linux-image-5.10.0-15-amd64 | + | linux-headers-5.10.0-17-amd64 |
- | linux-image-5.10.0-16-amd64 | + | linux-headers-5.10.0-17-common |
- | linux-image-5.10.0-9-amd64 | + | linux-headers-5.10.0-18-amd64 |
+ | linux-headers-5.10.0-18-common | ||
+ | linux-headers-5.10.0-19-amd64 | ||
+ | linux-headers-5.10.0-19-common | ||
+ | linux-headers-5.10.0-25-amd64 | ||
+ | linux-headers-5.10.0-25-common | ||
+ | linux-headers-6.1.0-12-amd64 | ||
+ | linux-headers-6.1.0-12-common | ||
+ | linux-headers-amd64 | ||
+ | linux-image-5.10.0-25-amd64 | ||
+ | linux-image-6.1.0-12-amd64 | ||
linux-image-amd64 | linux-image-amd64 | ||
linux-kbuild-5.10 | linux-kbuild-5.10 | ||
+ | linux-kbuild-6.1 | ||
linux-libc-dev: | linux-libc-dev: | ||
lm-sensors | lm-sensors | ||
Ligne 980: | Ligne 949: | ||
perl | perl | ||
perl-base | perl-base | ||
- | perl-modules-5.32 | + | perl-modules-5.36 |
+ | pkexec | ||
policykit-1 | policykit-1 | ||
+ | polkitd | ||
procps | procps | ||
publicsuffix | publicsuffix | ||
python3 | python3 | ||
- | python3.9 | + | python3.11 |
- | python3.9-minimal | + | python3.11-minimal |
python3-apt | python3-apt | ||
python3-certifi | python3-certifi | ||
python3-chardet | python3-chardet | ||
+ | python3-charset-normalizer | ||
python3-debian | python3-debian | ||
python3-debianbts | python3-debianbts | ||
Ligne 999: | Ligne 971: | ||
python3-pkg-resources | python3-pkg-resources | ||
python3-pycurl | python3-pycurl | ||
+ | python3-pyparsing | ||
python3-pysimplesoap | python3-pysimplesoap | ||
python3-reportbug | python3-reportbug | ||
Ligne 1005: | Ligne 978: | ||
python3-urllib3 | python3-urllib3 | ||
python-apt-common | python-apt-common | ||
+ | python-is-python3 | ||
qemu-system-common | qemu-system-common | ||
qemu-system-data | qemu-system-data | ||
- | qemu-system-gui:amd64 | + | qemu-system-gui |
qemu-system-x86 | qemu-system-x86 | ||
qemu-utils | qemu-utils | ||
Ligne 1013: | Ligne 987: | ||
reportbug | reportbug | ||
rpcbind | rpcbind | ||
+ | rpcsvc-proto | ||
rsync | rsync | ||
rsyslog | rsyslog | ||
Ligne 1019: | Ligne 994: | ||
sed | sed | ||
sensible-utils | sensible-utils | ||
+ | sgml-base | ||
shared-mime-info | shared-mime-info | ||
shim-helpers-amd64-signed | shim-helpers-amd64-signed | ||
Ligne 1039: | Ligne 1015: | ||
task-ssh-server | task-ssh-server | ||
tcpdump | tcpdump | ||
- | telnet | ||
traceroute | traceroute | ||
+ | tree | ||
tzdata | tzdata | ||
ucf | ucf | ||
udev | udev | ||
+ | usrmerge | ||
util-linux | util-linux | ||
+ | util-linux-extra | ||
util-linux-locales | util-linux-locales | ||
vim | vim | ||
Ligne 1052: | Ligne 1030: | ||
wget | wget | ||
whiptail | whiptail | ||
+ | x11-common | ||
xfsprogs | xfsprogs | ||
xkb-data | xkb-data | ||
+ | xml-core | ||
xxd | xxd | ||
xz-utils | xz-utils | ||
+ | zabbix-agent2 | ||
zfs-dkms | zfs-dkms | ||
zfsutils-linux | zfsutils-linux | ||
zlib1g: | zlib1g: | ||
znapzend | znapzend | ||
+ | zstd | ||
</ | </ | ||
==== Stockage ZFS ==== | ==== Stockage ZFS ==== |