Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1363 → Rev 1364

/scripts/alcasar-condown.sh
11,8 → 11,27
#echo "parse coova variables" > /tmp/debug-conup.txt
#for i in LAYER3 DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN WISPR-SESSION_TERMINATE_TIME CHILLISPOT_MAX_INPUT_OCTETS CHILLISPOT_MAX_OUTPUT_OCTETS CHILLISPOT_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
#do
# echo "$i : ${!i}" >> /tmp/debug-conup.txt
# echo "$i : ${!i}" >> /tmp/debug-condown.txt
#done
 
# Exemple : Remove user IP from the set
# ipset del authenticated_ip $FRAMED_IP_ADDRESS
# Remove user from the SET (function of his filtering level)
 
case $FILTER_ID in
# HAVP
"00000001")
set="havp_set"
;;
# HAVP + Blacklist
"00000011")
set="havp_bl_set"
;;
# HAVP + Whitelist
"00000101")
set="havp_wl_set"
;;
# No filtering
*)
set="no_filtering_set"
;;
esac
ipset del $set $FRAMED_IP_ADDRESS
/scripts/alcasar-conup.sh
14,5 → 14,23
# echo "$i : ${!i}" >> /tmp/debug-conup.txt
#done
 
# Exemple add user to the SET
# ipset add authenticated_ip $FRAMED_IP_ADDRESS
# Add user to the SET (function of his filtering level)
case $FILTER_ID in
# HAVP
"00000001")
set="havp_set"
;;
# HAVP + Blacklist
"00000011")
set="havp_bl_set"
;;
# HAVP + Whitelist
"00000101")
set="havp_wl_set"
;;
# No filtering
*)
set="no_filtering_set"
;;
esac
ipset add $set $FRAMED_IP_ADDRESS
/scripts/alcasar-iptables.sh
31,6 → 31,9
DNS_FILTERING=${DNS_FILTERING:=off}
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
FILE_IP_WL="/usr/local/share/ossi_wl" # ip of the whitelist
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
QOS=${QOS:=off}
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
46,7 → 49,19
TUNIF="tun0" # listen device for chilli daemon
IPTABLES="/sbin/iptables"
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
SAVE_DIR="/etc/sysconfig" # Saving path
 
# Sauvegarde des SET des utilisateurs connectés si ils existent
# Saving SET of connected users if it exists
ipset list no_filtering_set 1>/dev/null 2>&1
if [ $? -eq 0 ];
then
ipset save no_filtering_set > $TMP_users_set_save
ipset save havp_set >> $TMP_users_set_save
ipset save havp_bl_set >> $TMP_users_set_save
ipset save havp_wl_set >> $TMP_users_set_save
fi
 
# loading of NetFlow probe (ipt_NETFLOW kernel module)
modprobe ipt_NETFLOW destination=127.0.0.1:2055
 
77,35 → 92,19
# destroy all SET
ipset destroy
 
# Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown)
# creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts)
ipset create authenticated_ip hash:net hashsize 1024
OLDIFS=$IFS
IFS=$'\n'
for equipment in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
do
active_ip=`echo $equipment |cut -d" " -f2`
active_session=`echo $equipment |cut -d" " -f5`
if [[ $(expr $active_session) -eq 1 ]]
then
ipset add authenticated_ip $active_ip
fi
done
IFS=$OLDIFS
 
# Calcul de la taille de l'ipset
# Calcul de la taille du set
cd $BL_IP_CAT
ipset_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
set_bl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
 
# Création du fichier set temporaire, remplissage, chargement et suppression
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > /tmp/ipset_save
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $set_bl_length" > $TMP_set_save
for category in `ls -1 | cut -d '@' -f1`
do
cat $BL_IP_CAT/$category >> /tmp/ipset_save
cat $BL_IP_CAT/$category >> $TMP_set_save
done
cat $BL_IP_OSSI >> /tmp/ipset_save
ipset -! restore < /tmp/ipset_save
rm -f /tmp/ipset_save
cat $BL_IP_OSSI >> $TMP_set_save
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
 
# Extraction des ip réhabilitées
for ip in $(cat $IP_REHABILITEES)
113,9 → 112,35
ipset del blacklist_ip_blocked $ip
done
 
# Sauvegarde de tous les set (pour restaurer après redémarrage)
ipset save > /etc/sysconfig/ipset_save
# Calcul de la taille du set de la whitelist
set_wl_length=$(wc -l $FILE_IP_WL | awk '{print $1}')
 
# Création du fichier set temporaire, remplissage, chargement et suppression
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save
cat $FILE_IP_WL >> $TMP_set_save
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
 
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET
if [ -e $TMP_users_set_save ];
then
ipset -! restore < $TMP_users_set_save
rm -f $TMP_users_set_save
else
ipset create no_filtering_set hash:net hashsize 1024
ipset create havp_set hash:net hashsize 1024
ipset create havp_bl_set hash:net hashsize 1024
ipset create havp_wl_set hash:net hashsize 1024
fi
 
# Sauvegarde de tous les set sauf ceux d'interception (pour restaurer après redémarrage)
ipset save blacklist_ip_blocked > $SAVE_DIR/ipset_save
ipset save whitelist_ip_allowed >> $SAVE_DIR/ipset_save
echo "create no_filtering_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
echo "create havp_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
echo "create havp_bl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
echo "create havp_wl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
 
#############################
# PREROUTING #
#############################
126,40 → 151,45
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT
# Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules
# Remarque : Ce port n'est ouvert que lorsque le filtrage est activé
# Remark : this port is only open when filtering is on
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP -m udp --dport 54 -j ULOG --ulog-prefix "RULE DNS-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 2
 
# Si le filtrage DNS est activé, redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions
# If DNS filter is on, redirect DNS request to udp 54 (dns+blackhole) except for exception IP addresses
if [ $DNS_FILTERING = on ]; then
# Compute exception IP
nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
if [ $nb_exceptions != "0" ]
then
while read ip_exception
do
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT
done < /usr/local/etc/alcasar-filter-exceptions
fi
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
fi
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 55 pour pouvoir les rejeter en INPUT
# Mark (and log) the udp 55 direct attempts to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 3
 
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
if [ $DNS_FILTERING = on ]; then
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
fi
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 pour pouvoir les rejeter en INPUT
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 4
 
# Aiguillage des flux DNS
# Switching DNS streams
# havp_bl_set --> redirection vers le port 54
# havp_bl_set --> redirect to port 54
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
# havp_wl_set --> redirection vers le port 55
# havp_wl_set --> redirect to port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
 
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
 
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent)
# Redirect outbound HTTP requests to DansGuardian (transparent proxy)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_set
# Redirect outbound HTTP requests to HAVP for the set havp_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
 
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent) pour le set havp_bl_set
# Redirect outbound HTTP requests to DansGuardian (transparent proxy) for the set havp_bl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
 
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_wl_set
# Redirect outbound HTTP requests to HAVP for the set havp_wl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
 
# Redirection des requêtes NTP vers le serveur NTP local
# Redirect NTP request in local NTP server
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
199,15 → 229,31
 
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable
 
# autorisation des connexion légitime à DNSMASQ (avec blackhole)
# Allow connections for DNSMASQ (with blackhole)
# On interdit les connexions directes au port UDP 55. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on UDP 55. The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable
 
# On interdit les connexions directes au port 8090. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on 8090. The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 4 -j REJECT --reject-with tcp-reset
 
# Autorisation des connexions légitimes à HAVP
# Allow connections for HAVP
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m state --state NEW --syn -j ACCEPT
 
# autorisation des connexion légitime à DNSMASQ (avec blacklist)
# Allow connections for DNSMASQ (with blacklist)
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
 
# autorisation des connexion légitime à DNSMASQ (avec whitelist)
# Allow connections for DNSMASQ (with whitelist)
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
 
# Accès direct aux services internes
# Internal services access
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blackhole
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blacklist
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC
245,83 → 291,69
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
 
 
#############################
# FORWARD #
#############################
 
# Blocage des IPs du SET blacklist_ip_blocked pour le SET havp_bl_set
# Deny IPs of the SET blacklist_ip_blocked for the set havp_bl_set
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 
# Rejet des requêtes DNS vers Internet
# Deny forward DNS
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 
if [ $DNS_FILTERING = on ]; then
# Blocage des IPs du SET blacklist_ip_blocked
# Deny IPs of the SET blacklist_ip_blocked
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
fi
 
# Autorisation des retours de connexions légitimes
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# If protocols filter is activate
if [ $PROTOCOLS_FILTERING = on ]; then
# Compute exception IP (IP addresses that shouldn't be filtered)
nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
if [ $nb_exceptions != "0" ]
then
while read ip_exception
do
# $IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
done < /usr/local/etc/alcasar-filter-exceptions
fi
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
if [ $nb_uamallowed != "0" ]
then
while read ip_allowed_line
do
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
# If protocols filter is activate
#if [ $PROTOCOLS_FILTERING = on ]; then
# # Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
# nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
# if [ $nb_uamallowed != "0" ]
# then
# while read ip_allowed_line
# do
# ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
done < /usr/local/etc/alcasar-uamallowed
fi
# Autorisation des protocoles non commentés
# Allow non comment protocols
while read svc_line
do
svc_on=`echo $svc_line|cut -b1`
if [ $svc_on != "#" ]
then
svc_name=`echo $svc_line|cut -d" " -f1`
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
then
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
else
 
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
# done < /usr/local/etc/alcasar-uamallowed
# fi
# # Autorisation des protocoles non commentés
# # Allow non comment protocols
# while read svc_line
# do
# svc_on=`echo $svc_line|cut -b1`
# if [ $svc_on != "#" ]
# then
# svc_name=`echo $svc_line|cut -d" " -f1`
# svc_port=`echo $svc_line|cut -d" " -f2`
# if [ $svc_name = "icmp" ]
# then
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
# else
#
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
fi
fi
done < /usr/local/etc/alcasar-services
# Rejet explicite des autres protocoles
# reject the others protocols
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
# fi
# fi
# done < /usr/local/etc/alcasar-services
# # Rejet explicite des autres protocoles
# # reject the others protocols
# $IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
fi
# $IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
# $IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
# $IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
#fi
 
# If QOS is activate #
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
372,7 → 404,6
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
fi
 
 
#############################
# POSTROUTING #
#############################