45,7 → 45,7 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side) |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # Site Direct (no havp and no filtrage) for user BL |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
|
# Allow requests to internal DNS if activated |
if [ "$INT_DNS_ACTIVE" = "on" ] |
59,9 → 59,9 |
if [ $? -eq 0 ]; |
then |
ipset save not_filtered > $TMP_users_set_save |
ipset save havp >> $TMP_users_set_save |
ipset save havp_bl >> $TMP_users_set_save |
ipset save havp_wl >> $TMP_users_set_save |
ipset save av >> $TMP_users_set_save |
ipset save av_bl >> $TMP_users_set_save |
ipset save av_wl >> $TMP_users_set_save |
ipset save proto_0 >> $TMP_users_set_save |
ipset save proto_1 >> $TMP_users_set_save |
ipset save proto_2 >> $TMP_users_set_save |
122,7 → 122,7 |
ipset -q del bl_ip_blocked $ip |
done |
|
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés |
# ipset for exception web sites (usefull for filtered users = av_bl) |
ipset create site_direct hash:net hashsize 1024 |
for site in $(cat $SITE_DIRECT) |
do |
150,9 → 150,9 |
rm -f $TMP_users_set_save |
else |
ipset create not_filtered hash:ip hashsize 1024 |
ipset create havp hash:ip hashsize 1024 |
ipset create havp_bl hash:ip hashsize 1024 |
ipset create havp_wl hash:ip hashsize 1024 |
ipset create av hash:ip hashsize 1024 |
ipset create av_bl hash:ip hashsize 1024 |
ipset create av_wl hash:ip hashsize 1024 |
# pour les filtrages de protocole par utilisateur / For network protocols filtering by user |
ipset create proto_0 hash:ip hashsize 1024 |
ipset create proto_1 hash:ip hashsize 1024 |
166,22 → 166,22 |
|
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules |
# 8080 = ipset havp_bl |
# 8080 = ipset av_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
# 8090 = ipset havp_wl + havp |
# 8090 = ipset av_wl + av |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2 |
# 8443 = tranparent HTTPS for ipsets havp_bl + havp_wl + havp |
# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6 |
|
# Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT |
# Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules |
# 54 = ipset havp_bl |
# 54 = ipset av_bl |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j MARK --set-mark 3 |
# 55 = ipset havp_wl |
# 55 = ipset av_wl |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 55 -j MARK --set-mark 4 |
# 56 = blackall |
190,12 → 190,12 |
|
# redirection DNS des usagers |
# users DNS redirection |
# 54 = ipset havp_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p udp --dport domain -j REDIRECT --to-port 54 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p tcp --dport domain -j REDIRECT --to-port 54 |
# 55 = ipset havp_wl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p udp --dport domain -j REDIRECT --to-port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p tcp --dport domain -j REDIRECT --to-port 55 |
# 54 = ipset av_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54 |
# 55 = ipset av_wl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55 |
# 53 = all other users |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53 |
202,29 → 202,29 |
|
# Redirection des requêtes HTTP des usagers vers E2guardian |
# Redirect outbound users HTTP requests to E2guardian |
# 8080 = ipset havp_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# 8090 = ipset havp_wl & havp |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
# 8080 = ipset av_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# 8090 = ipset av_wl & av |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
|
# Redirection des requêtes HTTPS sortantes des usagers havp_bl + havp_wl + havp vers E2Guardian |
# Redirect outbound HTTPS requests of havp_bl + havp_wl + havp users to E2Guardian |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian |
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
|
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT " |
# Journalisation HTTP_Internet des usagers 'av_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
# Log Internet HTTP of 'av_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT " |
|
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
|
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection HTTP des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'av_wl' users who want IP not in the WL to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
|
# Redirection des requêtes NTP vers le serveur NTP local |
# Redirect NTP request in local NTP server |
265,9 → 265,9 |
|
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # havp_bl |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # havp_wl+havp |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # havp_bl+havp_wl+havp |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av |
|
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian |
# Allow HTTP connections to E2Guardian |
286,10 → 286,10 |
|
# On autorise les connexion DNS légitime |
# Allow DNS connections |
# ipset = havp_bl |
# ipset = av_bl |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT |
# ipset = havp_wl |
# ipset = av_wl |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT |
# blackall |
342,11 → 342,11 |
# FORWARD # |
############################# |
|
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl |
# Deny IPs of the SET bl_ip_blocked for the set havp_bl |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl |
# Deny IPs of the SET bl_ip_blocked for the set av_bl |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
|
# Active le suivi de session |
# Allow Conntrack |
420,9 → 420,9 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable |
fi |
|
# Blocage des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL |
# Block 'havp_wl' users who want IP not in the WL |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -j DROP |
# Blocage des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL |
# Block 'av_wl' users who want IP not in the WL |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -j DROP |
|
# journalisation et autorisation des connections sortant du LAN |
# Allow forward connections with log |