

Ignore whitespace Rev 1338 → Rev 1339

/scripts/alcasar-iptables.sh
1,7 → 1,7
#!/bin/bash
# $Id$
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script write the netfilter rules for ALCASAR
# This script writes the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders
30,6 → 30,7
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
DNS_FILTERING=${DNS_FILTERING:=off}
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
QOS=${QOS:=off}
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
44,8 → 45,8
INTIF="eth1"
TUNIF="tun0" # listen device for chilli daemon
IPTABLES="/sbin/iptables"
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
 
 
# loading of NetFlow probe (ipt_NETFLOW kernel module)
modprobe ipt_NETFLOW destination=127.0.0.1:2055
 
76,21 → 77,6
# destroy all SET
ipset destroy
 
# Création et peuplement du SET alcasar_ip_blocked
# creation and first populating of alcasar_ip_blocked SET
ipset create alcasar_ip_blocked hash:net hashsize 1024
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
while read ip_line
do
ip_on=`echo $ip_line|cut -b1`
if [ $ip_on != "#" ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
ipset add alcasar_ip_blocked $ip_blocked
fi
done < /usr/local/etc/alcasar-ip-blocked
fi
 
# Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown)
# creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts)
ipset create authenticated_ip hash:net hashsize 1024
107,25 → 93,27
done
IFS=$OLDIFS
 
# Calcul de la taille du SET blacklist_ip_blocked
# Computing the length of the blacklist_ip_blocked set
# Calcul de la taille de l'ipset
cd $BL_IP_CAT
ipset_length=$(wc -l * | awk '{print $1}' | tail -n 1)
ipset_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
 
# Ajout du delta (ip entrées manuellement)
# Addition of the delta (ip entered manually)
((ipset_length=$ipset_length+10))
 
# Création du fichier ipset temporaire, remplissage, chargement et suppression
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > ipset_save
# Création du fichier set temporaire, remplissage, chargement et suppression
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > /tmp/ipset_save
for category in `ls -1 | cut -d '@' -f1`
do
cat $BL_IP_CAT/$category >> ipset_save
cat $BL_IP_CAT/$category >> /tmp/ipset_save
done
ipset -! restore < ipset_save
rm -f ipset_save
cat $BL_IP_OSSI >> /tmp/ipset_save
ipset -! restore < /tmp/ipset_save
rm -f /tmp/ipset_save
 
# Sauvegarde de tous les ipset (pour restaurer après redémarrage)
# Extraction des ip réhabilitées
for ip in $(cat $IP_REHABILITEES)
do
ipset del blacklist_ip_blocked $ip
done
 
# Sauvegarde de tous les set (pour restaurer après redémarrage)
ipset save > /etc/sysconfig/ipset_save
 
#############################
157,9 → 145,6
fi
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
fi
# Redirection des requêtes HTTP des IP admin bannies vers ALCASAR (page 'accès interdit')
# Redirect HTTP requests of admin banned ip to ALCASAR (access deny window)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port http
 
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
270,15 → 255,9
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 
# Blocage des IPs du SET alcasar_ip_blocked
# Deny IPs of the SET alcasar_ip_blocked
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 
# Blocage des IPs du SET blacklist_ip_blocked
# Deny IPs of the SET blacklist_ip_blocked
if [ $DNS_FILTERING = on ]; then
# Blocage des IPs du SET blacklist_ip_blocked
# Deny IPs of the SET blacklist_ip_blocked
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
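Review bot: The temporary restore file now lives at the fixed path `/tmp/ipset_save` (hunk 107,25 → 93,27), which a local user can pre-create or symlink in world-writable /tmp before this script — which runs as root, since it calls modprobe and ipset — truncates it and then feeds it to `ipset -! restore`; the earlier relative `ipset_save` under $BL_IP_CAT did not have that exposure. Create it with `ipset_tmp=$(mktemp) || exit 1` just before the `echo "create blacklist_ip_blocked ..."` line and use `"$ipset_tmp"` in that echo, in the two `cat … >>` lines, in `ipset -! restore <` and in the `rm -f`. Separately, the category files and `$BL_IP_OSSI` are concatenated verbatim into the restore stream, so any line in them is executed as an ipset command; since alcasar-bl.sh only ever generates `add blacklist_ip_blocked <ipv4>` lines, filtering with `grep -E '^add blacklist_ip_blocked ([0-9]{1,3}\.){3}[0-9]{1,3}$'` in place of `cat` would keep both the command and the set name fixed. In hunk 270,15 → 255,9 the icmp and tcp rules for blacklist_ip_blocked pass `--match-set blacklist_ip_blocked` without the `dst` flag that the udp rule and the alcasar_ip_blocked rules carry; if those two lines are on the new side iptables will reject them, so add `dst` as on the udp line (the enclosing `if [ $DNS_FILTERING = on ]` block closes outside the hunk).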
/scripts/sbin/alcasar-bl.sh
36,10 → 36,15
 
# enable/disable the BL & WL categories
function cat_choice (){
# saving ip files and ossi category
mkdir $DIR_tmp
cp $DIR_IP_BL_ENABLED/ossi-* $DIR_tmp
cp $DIR_IP_BL/ossi $DIR_tmp
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED # cleaning for dnsmasq and iptables
$SED "/\.Include/d" $DIR_DG/bannedsitelist $DIR_DG/bannedurllist # cleaning for DG
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines)
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED
chown apache $DIR_IP_BL_ENABLED
# process the file $BL_CATEGORIES with the choice of categories
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED`
do
61,6 → 66,11
done
sort +0.0 -0.2 $WL_CATEGORIES -o $FILE_tmp
mv $FILE_tmp $WL_CATEGORIES
# restoring ip files and ossi category
mv $DIR_tmp/ossi $DIR_IP_BL
chown apache $DIR_IP_BL/ossi
mv $DIR_tmp/ossi-* $DIR_IP_BL_ENABLED
rm -rf $DIR_tmp
}
function bl_enable (){
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" /etc/dansguardian/dansguardian.conf
134,6 → 144,8
# Adapt Toulouse BL to ALCASAR architecture (dnsmasq + DG + iptables)
-adapt | --adapt)
echo -n "Toulouse BlackList migration process. Please wait : "
# Saving ossi category
cp $DIR_IP_BL/ossi $DIR_tmp
if [ -f $DIR_tmp/blacklists.tar.gz ]
then
[ -d $DIR_DG_BL/ossi ] && mv -f $DIR_DG_BL/ossi $DIR_tmp
141,7 → 153,6
mkdir $DIR_DG_BL
tar zxf $DIR_tmp/blacklists.tar.gz --directory=$DIR_DG/
[ -d $DIR_tmp/ossi ] && mv -f $DIR_tmp/ossi $DIR_DG_BL/
rm -rf $DIR_tmp
fi
rm -f $BL_CATEGORIES $WL_CATEGORIES $WL_CATEGORIES_ENABLED
rm -rf $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL
188,7 → 199,7
$SED "s/\.\{2,10\}/\./g" $PATH_FILE/domains $PATH_FILE/urls # correct some syntax errors
# retrieve the ip addresses for iptables
# create an ipset save for the selected category
# create an set save for the selected category
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add blacklist_ip_blocked " $0}' $PATH_FILE/domains > $FILE_ip_tmp
 
# for dnsmask, remove IP addesses, accented characters and commented lines.
207,6 → 218,9
done
done
rm -f $FILE_tmp $FILE_ip_tmp
# Restoring ossi category
mv $DIR_tmp/ossi $DIR_IP_BL
rm -rf $DIR_tmp
echo
;;
# reload when categories are changed
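Review bot: `chown apache $DIR_IP_BL_ENABLED` in cat_choice (hunk 36,10 → 36,15) and `chown apache $DIR_IP_BL/ossi` (hunk 61,6 → 66,11) hand the web server write access to the directory and file that alcasar-iptables.sh later concatenates straight into `ipset -! restore`, so a compromised web process could append arbitrary ipset commands rather than only blacklist entries, and as directory owner it could also replace the other category files. A comment above the first chown should state the reason and the resulting contract, e.g. `# apache writes the ossi-* files here; the consumer (alcasar-iptables.sh) must accept only 'add blacklist_ip_blocked <ip>' lines from this directory`, and giving apache ownership of just the `ossi-*` files instead of the whole directory would narrow that boundary. The new `rm -rf $DIR_tmp` at the end of cat_choice and at the end of the -adapt branch runs with no guard on the variable, whose definition is outside this diff; `rm -rf -- "${DIR_tmp:?}"` would abort early rather than let the preceding `mv $DIR_tmp/ossi $DIR_IP_BL` operate on `/ossi` if DIR_tmp is ever empty. In the -adapt branch `cp $DIR_IP_BL/ossi $DIR_tmp` also runs before anything in the hunk guarantees that directory exists, so if it is missing the copy creates a plain file named $DIR_tmp and the later `[ -f $DIR_tmp/blacklists.tar.gz ]` and restore steps silently fail; `mkdir -p -- "$DIR_tmp"` before the cp would avoid that.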