/CHANGELOG |
---|
16,6 → 16,7 |
- Fix ACC user/group editor where attributes were not changed. |
- Fix PHP errors in ACC user/groupe attributes editor. |
- Fix traceability log due to an omission during the migration from ulog to nflog (Fail2Ban, alcasar-iptables-local-mac-filtered & alcasar-ip-blocked). |
Fix all traceability NFLOG rules by specifying the nfgroup to 1 (since the default group of NFLOG is 1 instead of 0 for ULOG1). |
-------------------- 3.1.3 -------------------- |
NEWS |
/conf/etc/alcasar-iptables-local.sh |
---|
18,7 → 18,7 |
then |
mac_filtered=`echo $mac_line|cut -d" " -f1` |
echo "MAC filtered = $mac_filtered" |
$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j NFLOG --nflog-prefix "$mac_filtered -- Filt_DROP" |
$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j NFLOG --nflog-group 1 --nflog-prefix "$mac_filtered -- Filt_DROP" |
$IPTABLES -A FORWARD -i $INTIF -p tcp -m mac --mac-source $mac_filtered -j DROP |
$IPTABLES -A FORWARD -i $INTIF -p udp -m mac --mac-source $mac_filtered -j DROP |
$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j DROP |
/conf/fail2ban.sh |
---|
318,8 → 318,8 |
# <time> unix timestamp of the ban time |
# Values: CMD |
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j NFLOG --nflog-prefix "Fail2Ban -- DROP" |
iptables -I fail2ban-<name> 1 -s <ip> -j DROP |
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j NFLOG --nflog-group 1 --nflog-prefix "RULE Fail2Ban -- DROP" |
iptables -I fail2ban-<name> 1 -s <ip> -j DROP |
# Option: actionunban |
# Notes.: command executed when unbanning an IP. Take care that the |
329,8 → 329,8 |
# <time> unix timestamp of the ban time |
# Values: CMD |
# |
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP |
iptables -D fail2ban-<name> -s <ip> -j NFLOG --nflog-prefix "Fail2Ban -- DROP" |
actionunban = iptables -D fail2ban-<name> -s <ip> -j NFLOG --nflog-group 1 --nflog-prefix "RULE Fail2Ban -- DROP" |
iptables -D fail2ban-<name> -s <ip> -j DROP |
[Init] |
/scripts/alcasar-iptables-bypass.sh |
---|
62,7 → 62,7 |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
$IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-group 1 --nflog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT |
fi |
done < /usr/local/etc/alcasar-ip-blocked |
100,7 → 100,7 |
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT |
# On autorise les demandes de connexions sortantes |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-prefix "RULE Transfert -- ACCEPT " |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE Transfert -- ACCEPT " |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT |
# On autorise les flux entrant ntp et dns via INTIF |
111,8 → 111,8 |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
# On interdit et on log le reste sur les 2 interfaces d'accès |
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE rej-int -- REJECT " |
$IPTABLES -A INPUT -i $EXTIF -j NFLOG --nflog-prefix "RULE rej-ext -- REJECT " |
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-int -- REJECT " |
$IPTABLES -A INPUT -i $EXTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-ext -- REJECT " |
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
/scripts/alcasar-iptables.sh |
---|
158,12 → 158,12 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to TCP port 8090 (dansguardian) in order to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to TCP port 8090 (tinyproxy) in order to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2 |
# Marquage des paquets qui tentent d'accéder directement au port 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT |
191,7 → 191,7 |
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT " |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT " |
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page) |
321,13 → 321,13 |
# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN |
# Deny and log on INPUT from the LAN |
$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j NFLOG --nflog-prefix "RULE rej-int -- REJECT " |
$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-int -- REJECT " |
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
# Reject INTIF access (only when chilli is down) |
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE Protect1 -- REJECT " |
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE Protect1 -- REJECT " |
$IPTABLES -A INPUT -i $INTIF -j REJECT |
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours) |