| 150,12 → 150,12 |
|---|
| |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT |
| # mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY " |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nfog-prefix "RULE direct-proxy -- DENY " |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
| |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT |
| # Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY " |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY " |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2 |
| |
| # Marquage des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT |
| 180,7 → 180,7 |
|---|
| |
| # Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
| # Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT " |
| |
| # Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit') |
| # Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page) |
| 289,9 → 289,9 |
|---|
| # SSHD rules if activate |
| if [ $SSH = on ] |
| then |
| $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT" |
| $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT" |
| $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
| $IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT" |
| $IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT" |
| $IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT |
| fi |
| |
| 303,18 → 303,18 |
|---|
| |
| # Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN |
| # Deny and log on INPUT from the LAN |
| $IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT " |
| $IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j NFLOG --nflog-prefix "RULE rej-int -- REJECT " |
| $IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
| $IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
| |
| # Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
| # Reject INTIF access (only when chilli is down) |
| $IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT " |
| $IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE Protect1 -- REJECT " |
| $IPTABLES -A INPUT -i $INTIF -j REJECT |
| |
| # Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours) |
| # On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service) |
| $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP" |
| $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j NFLOG --nflog-nlgroup 3 --nflog-qthreshold 10 --nflog-prefix "RULE rej-ext -- DROP" |
| |
| ############################# |
| # FORWARD # |
| 343,7 → 343,7 |
|---|
| while read ip_allowed_line |
| do |
| ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2` |
| $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NFLOG --nflog-prefix "RULE IP-allowed -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW |
| $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT |
| done < /usr/local/etc/alcasar-uamallowed |
| 350,7 → 350,7 |
|---|
| fi |
| # Autorisation du HTTP et des protocoles non commentés |
| # Allow HTTP and non comment protocols |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT |
| while read svc_line |
| 366,10 → 366,10 |
|---|
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT |
| else |
| |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-$svc_name -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT |
| fi |
| 377,7 → 377,7 |
|---|
| done < /usr/local/etc/alcasar-services |
| # Rejet explicite des autres protocoles |
| # reject the others protocols |
| $IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT " |
| $IPTABLES -A FORWARD -i $TUNIF -j NFLOG --nflog-prefix "RULE F_filter -- REJECT " |
| $IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
| $IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT |