| 45,7 → 45,8 |
|---|
| TUNIF="tun0" # listen device for chilli daemon |
| IPTABLES="/sbin/iptables" |
| |
| #lancement du module kernel ipt_NETFLOW (module iptables) |
| |
| # loading of NetFlow probe (ipt_NETFLOW kernel module) |
| modprobe ipt_NETFLOW destination=127.0.0.1:2055 |
| |
| # Effacement des règles existantes |
| 71,6 → 72,26 |
|---|
| $IPTABLES -t nat -P POSTROUTING ACCEPT |
| $IPTABLES -t nat -P OUTPUT ACCEPT |
| |
| # destruction de tous les SET |
| # destroy all the SET |
| ipset destroy |
| |
| # Création du SET alcasar_ip_blocked et premier peuplement |
| # creation of alcasar_ip_blocked SET and first populating |
| ipset create alcasar_ip_blocked hash:net hashsize 1024 |
| if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
| while read ip_line |
| do |
| ip_on=`echo $ip_line|cut -b1` |
| if [ $ip_on != "#" ] |
| then |
| ip_blocked=`echo $ip_line|cut -d" " -f1` |
| echo $ip_blocked |
| ipset add alcasar_ip_blocked $ip_blocked |
| fi |
| done < /usr/local/etc/alcasar-ip-blocked |
| fi |
| |
| ############################# |
| # PREROUTING # |
| ############################# |
| 100,13 → 121,16 |
|---|
| fi |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
| fi |
| # Redirection des requêtes HTTP des IP bloquées vers ALCASAR (page 'accès interdit') |
| # Redirect HTTP requests of banned ip to ALCASAR (access deny window) |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
| |
| # Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD |
| ## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD |
| # Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
| ## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
| |
| # Redirection des requêtes HTTP vers DansGuardian (proxy transparent) |
| # Redirect HTTP requests in DansGuardian (transparent proxy) |
| # Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent) |
| # Redirect outbound HTTP requests to DansGuardian (transparent proxy) |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
| |
| # Redirection des requêtes NTP vers le serveur NTP local |
| 142,20 → 166,6 |
|---|
| # Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING) |
| $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset |
| |
| # Insertion des règles de blocage IP |
| # Here, we add IP block rules |
| if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
| while read ip_line |
| do |
| ip_on=`echo $ip_line|cut -b1` |
| if [ $ip_on != "#" ] |
| then |
| ip_blocked=`echo $ip_line|cut -d" " -f1` |
| # $IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
| $IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j REJECT |
| fi |
| done < /usr/local/etc/alcasar-ip-blocked |
| fi |
| # Autorisation des connexions légitimes à DansGuardian |
| # Allow connections for DansGuardian |
| $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT |
| 218,21 → 228,12 |
|---|
| $IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset |
| |
| # Insertion des règles de blocage IP |
| # Here, we add local IP block rules |
| if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
| while read ip_line |
| do |
| ip_on=`echo $ip_line|cut -b1` |
| if [ $ip_on != "#" ] |
| then |
| ip_blocked=`echo $ip_line|cut -d" " -f1` |
| $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
| fi |
| done < /usr/local/etc/alcasar-ip-blocked |
| fi |
| # Blocage des IPs du SET alcasar_ip_blocked |
| # Deny IPs of the SET alcasar_ip_blocked |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
| |
| # Si le filtrage de domain est activé, blocage des IP de la BL |
| # If DNS filter is on, reject IP of BL |