1,7 → 1,7 |
#!/bin/bash |
# $Id$ |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal) |
# This script write the netfilter rules for ALCASAR |
# This script writes the netfilter rules for ALCASAR |
# Rexy - 3abtux - CPN |
# |
# Reminders |
30,6 → 30,7 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off) |
DNS_FILTERING=${DNS_FILTERING:=off} |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
QOS=${QOS:=off} |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
44,8 → 45,8 |
INTIF="eth1" |
TUNIF="tun0" # listen device for chilli daemon |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP |
|
|
# loading of NetFlow probe (ipt_NETFLOW kernel module) |
modprobe ipt_NETFLOW destination=127.0.0.1:2055 |
|
76,21 → 77,6 |
# destroy all SET |
ipset destroy |
|
# Création et peuplement du SET alcasar_ip_blocked |
# creation and first populating of alcasar_ip_blocked SET |
ipset create alcasar_ip_blocked hash:net hashsize 1024 |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
while read ip_line |
do |
ip_on=`echo $ip_line|cut -b1` |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
ipset add alcasar_ip_blocked $ip_blocked |
fi |
done < /usr/local/etc/alcasar-ip-blocked |
fi |
|
# Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown) |
# creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts) |
ipset create authenticated_ip hash:net hashsize 1024 |
107,25 → 93,27 |
done |
IFS=$OLDIFS |
|
# Calcul de la taille du SET blacklist_ip_blocked |
# Computing the length of the blacklist_ip_blocked set |
# Calcul de la taille de l'ipset |
cd $BL_IP_CAT |
ipset_length=$(wc -l * | awk '{print $1}' | tail -n 1) |
ipset_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
|
# Ajout du delta (ip entrées manuellement) |
# Addition of the delta (ip entered manually) |
((ipset_length=$ipset_length+10)) |
|
# Création du fichier ipset temporaire, remplissage, chargement et suppression |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > ipset_save |
# Création du fichier set temporaire, remplissage, chargement et suppression |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > /tmp/ipset_save |
for category in `ls -1 | cut -d '@' -f1` |
do |
cat $BL_IP_CAT/$category >> ipset_save |
cat $BL_IP_CAT/$category >> /tmp/ipset_save |
done |
ipset -! restore < ipset_save |
rm -f ipset_save |
cat $BL_IP_OSSI >> /tmp/ipset_save |
ipset -! restore < /tmp/ipset_save |
rm -f /tmp/ipset_save |
|
# Sauvegarde de tous les ipset (pour restaurer après redémarrage) |
# Extraction des ip réhabilitées |
for ip in $(cat $IP_REHABILITEES) |
do |
ipset del blacklist_ip_blocked $ip |
done |
|
# Sauvegarde de tous les set (pour restaurer après redémarrage) |
ipset save > /etc/sysconfig/ipset_save |
|
############################# |
157,9 → 145,6 |
fi |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
fi |
# Redirection des requêtes HTTP des IP admin bannies vers ALCASAR (page 'accès interdit') |
# Redirect HTTP requests of admin banned ip to ALCASAR (access deny window) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port http |
|
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window) |
270,15 → 255,9 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset |
|
# Blocage des IPs du SET alcasar_ip_blocked |
# Deny IPs of the SET alcasar_ip_blocked |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
|
# Blocage des IPs du SET blacklist_ip_blocked |
# Deny IPs of the SET blacklist_ip_blocked |
if [ $DNS_FILTERING = on ]; then |
# Blocage des IPs du SET blacklist_ip_blocked |
# Deny IPs of the SET blacklist_ip_blocked |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
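Review bot: The icmp and tcp rules at the end of the hunk pass `--match-set blacklist_ip_blocked` with no direction flag, while the udp rule between them uses `dst`; the set match needs that flags argument, so iptables refuses those two rules at load time and blacklisted ICMP and TCP traffic is never rejected even when DNS_FILTERING is on. Both should read like the udp line, e.g. `$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset`. The enclosing `if [ $DNS_FILTERING = on ]` block continues past the end of the hunk. In the earlier ipset hunk (the one ending at `ipset save > /etc/sysconfig/ipset_save`), the restore input is now written as root to the fixed path `/tmp/ipset_save` and fed to `ipset -! restore`; a file created with `mktemp` and removed by an EXIT trap avoids a pre-existing file or symlink at that predictable name being followed, and the unchecked `cd $BL_IP_CAT` there should become `cd "$BL_IP_CAT" || exit 1`, since the following `ls` and `wc -l *` otherwise run in whatever directory the script started in.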