| /CHANGELOG |
|---|
| 16,6 → 16,7 |
| - Fix ACC user/group editor where attributes were not changed. |
| - Fix PHP errors in ACC user/groupe attributes editor. |
| - Fix traceability log due to an omission during the migration from ulog to nflog (Fail2Ban, alcasar-iptables-local-mac-filtered & alcasar-ip-blocked). |
| Fix all traceability NFLOG rules by specifying the nfgroup to 1 (since the default group of NFLOG is 1 instead of 0 for ULOG1). |
| -------------------- 3.1.3 -------------------- |
| NEWS |
| /conf/etc/alcasar-iptables-local.sh |
|---|
| 18,7 → 18,7 |
| then |
| mac_filtered=`echo $mac_line|cut -d" " -f1` |
| echo "MAC filtered = $mac_filtered" |
| $IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j NFLOG --nflog-prefix "$mac_filtered -- Filt_DROP" |
| $IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j NFLOG --nflog-group 1 --nflog-prefix "$mac_filtered -- Filt_DROP" |
| $IPTABLES -A FORWARD -i $INTIF -p tcp -m mac --mac-source $mac_filtered -j DROP |
| $IPTABLES -A FORWARD -i $INTIF -p udp -m mac --mac-source $mac_filtered -j DROP |
| $IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j DROP |
| /conf/fail2ban.sh |
|---|
| 318,8 → 318,8 |
| # <time> unix timestamp of the ban time |
| # Values: CMD |
| actionban = iptables -I fail2ban-<name> 1 -s <ip> -j NFLOG --nflog-prefix "Fail2Ban -- DROP" |
| iptables -I fail2ban-<name> 1 -s <ip> -j DROP |
| actionban = iptables -I fail2ban-<name> 1 -s <ip> -j NFLOG --nflog-group 1 --nflog-prefix "RULE Fail2Ban -- DROP" |
| iptables -I fail2ban-<name> 1 -s <ip> -j DROP |
| # Option: actionunban |
| # Notes.: command executed when unbanning an IP. Take care that the |
| 329,8 → 329,8 |
| # <time> unix timestamp of the ban time |
| # Values: CMD |
| # |
| actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP |
| iptables -D fail2ban-<name> -s <ip> -j NFLOG --nflog-prefix "Fail2Ban -- DROP" |
| actionunban = iptables -D fail2ban-<name> -s <ip> -j NFLOG --nflog-group 1 --nflog-prefix "RULE Fail2Ban -- DROP" |
| iptables -D fail2ban-<name> -s <ip> -j DROP |
| [Init] |
| /scripts/alcasar-iptables-bypass.sh |
|---|
| 62,7 → 62,7 |
| if [ $ip_on != "#" ] |
| then |
| ip_blocked=`echo $ip_line|cut -d" " -f1` |
| $IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-prefix "RULE IP-blocked -- REJECT " |
| $IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-group 1 --nflog-prefix "RULE IP-blocked -- REJECT " |
| $IPTABLES -A FORWARD -d $ip_blocked -j REJECT |
| fi |
| done < /usr/local/etc/alcasar-ip-blocked |
| 100,7 → 100,7 |
| $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT |
| # On autorise les demandes de connexions sortantes |
| $IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-prefix "RULE Transfert -- ACCEPT " |
| $IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE Transfert -- ACCEPT " |
| $IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT |
| # On autorise les flux entrant ntp et dns via INTIF |
| 111,8 → 111,8 |
| $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
| # On interdit et on log le reste sur les 2 interfaces d'accès |
| $IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE rej-int -- REJECT " |
| $IPTABLES -A INPUT -i $EXTIF -j NFLOG --nflog-prefix "RULE rej-ext -- REJECT " |
| $IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-int -- REJECT " |
| $IPTABLES -A INPUT -i $EXTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-ext -- REJECT " |
| $IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset |
| $IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
| /scripts/alcasar-iptables.sh |
|---|
| 158,12 → 158,12 |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT |
| # Mark (and log) the direct attempts to TCP port 8090 (dansguardian) in order to REJECT them in INPUT rules |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY " |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT |
| # Mark (and log) the direct attempts to TCP port 8090 (tinyproxy) in order to REJECT them in INPUT rules |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY " |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2 |
| # Marquage des paquets qui tentent d'accéder directement au port 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT |
| 191,7 → 191,7 |
| # Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
| # Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT " |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT " |
| # Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit') |
| # Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page) |
| 321,13 → 321,13 |
| # Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN |
| # Deny and log on INPUT from the LAN |
| $IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j NFLOG --nflog-prefix "RULE rej-int -- REJECT " |
| $IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-int -- REJECT " |
| $IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
| $IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
| # Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
| # Reject INTIF access (only when chilli is down) |
| $IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE Protect1 -- REJECT " |
| $IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE Protect1 -- REJECT " |
| $IPTABLES -A INPUT -i $INTIF -j REJECT |
| # Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours) |