

Ignore whitespace Rev 1298 → Rev 1299

/scripts/alcasar-iptables.sh
109,7 → 109,7
 
# Création et peuplement du SET blacklist_ip_blocked
# creation and first populating of blacklist_ip_blocked SET
# wait for a better blacklist adapt process
# It take a lot of time (try to do this during the blacklist import process)
#ipset create blacklist_ip_blocked hash:net hashsize 1024
#cd $BL_IP_CAT
#for category in `ls -1 | cut -d"@" -f1`
159,10 → 159,6
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
#fi
 
# Redirection des requêtes HTTPS des IP sans utilisateurs authentifiés vers ALCASAR (page d'interception)
# Redirect HTTPS requests of IP that don't have authenticate user to ALCASAR (intercept page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set ! --match-set authenticated_ip src ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port https
 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
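Review bot: The new HTTPS intercept rule and the ULOG rule in this hunk expand `$TUNIF`, `$PRIVATE_NETWORK_MASK` and `$PRIVATE_IP` unquoted and unchecked, so an empty value either makes iptables reject the rule or lets the following token be parsed as the option's argument, and the script continues without the intercept. Assert them once before the first rule, `: "${TUNIF:?}" "${PRIVATE_NETWORK_MASK:?}" "${PRIVATE_IP:?}"`, and quote the expansions in both rules. The rule also presumes the `authenticated_ip` set already exists; its `ipset create` is outside this hunk, so confirm it precedes this point and that a failed `$IPTABLES` call is reported, since a silently missing rule means unauthenticated HTTPS is simply not redirected to the intercept page.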
/scripts/alcasar-conup.sh
14,5 → 14,5
# echo "$i : ${!i}" >> /tmp/debug-conup.txt
#done
 
# user https flows are no more redirected to be intercepted (see alcasar-iptables.sh in 'prerouting')
ipset add authenticated_ip $FRAMED_IP_ADDRESS
# Exemple add user to the SET
# ipset add authenticated_ip $FRAMED_IP_ADDRESS
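Review bot: `ipset add authenticated_ip $FRAMED_IP_ADDRESS` returns non-zero when the entry is already present (a repeated accounting start for the same client), and its argument is unquoted and unchecked, so an empty `FRAMED_IP_ADDRESS` runs `ipset add authenticated_ip` with no entry at all. Suggest `: "${FRAMED_IP_ADDRESS:?}"` before the call and `ipset -exist add authenticated_ip "$FRAMED_IP_ADDRESS"` so a duplicate add is idempotent; the mirror `ipset del` in alcasar-condown.sh has the same shape and `-exist` likewise makes deleting a missing entry harmless. The comment above the call should name what the set controls, e.g. `# add the client to authenticated_ip: members are exempt from the HTTPS intercept redirect (alcasar-iptables.sh, nat PREROUTING)`. The commented example on the last two lines now duplicates the live call and can be dropped.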
/scripts/alcasar-condown.sh
14,5 → 14,5
# echo "$i : ${!i}" >> /tmp/debug-conup.txt
#done
 
# user https flows are now redirected to be intercepted (see alcasar-iptables.sh in prerouting)
ipset del authenticated_ip $FRAMED_IP_ADDRESS
# Exemple : Remove user IP from the set
# ipset del authenticated_ip $FRAMED_IP_ADDRESS
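Review bot: If the `ipset del` on the third-to-last line fails, the client's address stays in `authenticated_ip` and remains exempt from the HTTPS intercept after its session has ended, and nothing in the hunk surfaces that. Suggest `ipset del authenticated_ip "$FRAMED_IP_ADDRESS" || logger -t alcasar-condown "failed to remove $FRAMED_IP_ADDRESS from authenticated_ip"` so a stale authorization is at least visible in syslog. The script's surrounding error-handling is outside the hunk, so adapt the reporting to whatever it already uses.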