| 30,10 → 30,8 |
|---|
| DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off) |
| DNS_FILTERING=${DNS_FILTERING:=off} |
| BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
| WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP |
| BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty |
| WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist |
| WL_IP_OSSI_DOMAIN="/usr/local/share/iptables-wl/ossi" # ip of the domain names whitelist |
| TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
| TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
| QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
| 117,20 → 115,10 |
|---|
| ipset del blacklist_ip_blocked $ip |
| done |
| |
| # Calcul de la taille du set de la whitelist |
| # Compute the whitelist set length |
| cd $WL_IP_CAT |
| set_wl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $WL_IP_OSSI | awk '{print $1}')+$(wc -l $WL_IP_OSSI_DOMAIN | awk '{print $1}'))) |
| |
| # Création du fichier set temporaire, remplissage, chargement et suppression |
| # Creating the temporary set file, filling, loading and deleting |
| echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save |
| for category in `ls -1 | cut -d '@' -f1` |
| do |
| cat $WL_IP_CAT/$category >> $TMP_set_save |
| done |
| echo "create whitelist_ip_allowed hash:net family inet hashsize 1024" > $TMP_set_save |
| cat $WL_IP_OSSI >> $TMP_set_save |
| cat $WL_IP_OSSI_DOMAIN >> $TMP_set_save |
| ipset -! restore < $TMP_set_save |
| rm -f $TMP_set_save |
| |
| 184,9 → 172,6 |
|---|
| # Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
| |
| # Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
| |
| # Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
| ## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |