45,7 → 45,8 |
TUNIF="tun0" # listen device for chilli daemon |
IPTABLES="/sbin/iptables" |
|
#lancement du module kernel ipt_NETFLOW (module iptables) |
|
# loading of NetFlow probe (ipt_NETFLOW kernel module) |
modprobe ipt_NETFLOW destination=127.0.0.1:2055 |
|
# Effacement des règles existantes |
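Review bot: The `modprobe ipt_NETFLOW destination=127.0.0.1:2055` line is not checked, so if the module fails to load the script carries on and the NetFlow logging that later comments say covers the non-HTTP protocols is silently absent; from this hunk alone it is not clear whether the modprobe line is new or context. At minimum make the failure visible: `modprobe ipt_NETFLOW destination=127.0.0.1:2055 || echo "ipt_NETFLOW not loaded: flow logging disabled" >&2`. Whether the script should abort instead depends on how the rest of the file treats other failed setup steps.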
71,6 → 72,26 |
$IPTABLES -t nat -P POSTROUTING ACCEPT |
$IPTABLES -t nat -P OUTPUT ACCEPT |
|
# destruction de tous les SET |
# destroy all the SET |
ipset destroy |
|
# Création du SET alcasar_ip_blocked et premier peuplement |
# creation of alcasar_ip_blocked SET and first populating |
ipset create alcasar_ip_blocked hash:net hashsize 1024 |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
while read ip_line |
do |
ip_on=`echo $ip_line|cut -b1` |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
echo $ip_blocked |
ipset add alcasar_ip_blocked $ip_blocked |
fi |
done < /usr/local/etc/alcasar-ip-blocked |
fi |
|
############################# |
# PREROUTING # |
############################# |
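Review bot: The loop that populates `alcasar_ip_blocked` misbehaves on an empty line in `/usr/local/etc/alcasar-ip-blocked`: `ip_on` is then empty and the unquoted `[ $ip_on != "#" ]` collapses to a malformed test, and a line starting with spaces before `#` is not treated as a comment. `read` without `-r` also interprets backslashes, the `echo $ip_blocked` looks like leftover debug output on stdout, and a failed `ipset add` (bad entry, duplicate) is silent, which for a block list means the address is simply not blocked with no trace. The rewrite below uses `read -r` to split the first field, skips blank and comment lines with a `case`, and reports each entry the set refused.
```shell
ipset create alcasar_ip_blocked hash:net hashsize 1024
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
  # first field is the address/network, anything after the first space is ignored (as before)
  while read -r ip_blocked _rest || [ -n "$ip_blocked" ]; do
    case "$ip_blocked" in
      ''|\#*) continue ;;   # blank line or comment
    esac
    ipset add alcasar_ip_blocked "$ip_blocked" \
      || echo "alcasar-ip-blocked: cannot add '$ip_blocked' to set" >&2
  done < /usr/local/etc/alcasar-ip-blocked
fi
```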
100,13 → 121,16 |
fi |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
fi |
# Redirection des requêtes HTTP des IP bloquées vers ALCASAR (page 'accès interdit') |
# Redirect HTTP requests of banned ip to ALCASAR (access deny window) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
|
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
|
# Redirection des requêtes HTTP vers DansGuardian (proxy transparent) |
# Redirect HTTP requests in DansGuardian (transparent proxy) |
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent) |
# Redirect outbound HTTP requests to DansGuardian (transparent proxy) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
|
# Redirection des requêtes NTP vers le serveur NTP local |
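Review bot: The new `--match-set alcasar_ip_blocked dst ... -j REDIRECT --to-port 80` rule is a terminating nat target placed before the `ULOG` rule of this chain, so HTTP attempts towards a blocked address are no longer seen by that log rule, and the per-IP INPUT rules this change removes had their own ULOG line commented out too; unless netflow or something outside this hunk records them, such attempts leave no trace. For incident review it is worth logging the hit before redirecting, with a line inserted just above the REDIRECT rule: `$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE IP-blocked -- REDIRECT "`. The doubled French/English comment pairs for the ULOG and DansGuardian rules read as old and new text kept together; only the updated pair should remain.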
142,20 → 166,6 |
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset |
|
# Insertion des règles de blocage IP |
# Here, we add IP block rules |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
while read ip_line |
do |
ip_on=`echo $ip_line|cut -b1` |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
# $IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j REJECT |
fi |
done < /usr/local/etc/alcasar-ip-blocked |
fi |
# Autorisation des connexions légitimes à DansGuardian |
# Allow connections for DansGuardian |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT |
218,21 → 228,12 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset |
|
# Insertion des règles de blocage IP |
# Here, we add local IP block rules |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
while read ip_line |
do |
ip_on=`echo $ip_line|cut -b1` |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
fi |
done < /usr/local/etc/alcasar-ip-blocked |
fi |
# Blocage des IPs du SET alcasar_ip_blocked |
# Deny IPs of the SET alcasar_ip_blocked |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
|
# Si le filtrage de domain est activé, blocage des IP de la BL |
# If DNS filter is on, reject IP of BL |
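Review bot: The `$IPTABLES -A PREROUTING -t nat ... --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80` line added in this FORWARD section is an exact copy of the rule this same change appends in the PREROUTING section, and because it is appended after the catch-all `! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080` rule it can only match packets that rule did not, i.e. it is effectively dead unless the portal's own address is in the set; drop this copy and keep the PREROUTING one. The three FORWARD rejects cover only udp, icmp and tcp, so any other protocol towards a blocked address is still forwarded — the per-IP rules being removed had the same gap, but with a set it now costs one line to close: keep the tcp rule for its tcp-reset and replace the udp and icmp rules with `$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -j REJECT --reject-with icmp-port-unreachable`. Whether these rules are reached for a given flow depends on the earlier FORWARD rules above this hunk.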