BlueGreycalmElegant

Català-Valencià – Catalan中文 – Chinese (Simplified)中文 – Chinese (Traditional)Česky – CzechDansk – DanishNederlands – DutchEnglish – EnglishSuomi – FinnishFrançais – FrenchDeutsch – Germanעברית – Hebrewहिंदी – HindiMagyar – HungarianBahasa Indonesia – IndonesianItaliano – Italian日本語 – Japanese한국어 – KoreanМакедонски – Macedonianमराठी – MarathiNorsk – NorwegianPolski – PolishPortuguês – PortuguesePortuguês – Portuguese (Brazil)Русский – RussianSlovenčina – SlovakSlovenščina – SlovenianEspañol – SpanishSvenska – SwedishTürkçe – TurkishУкраїнська – UkrainianOëzbekcha – Uzbek

Compare Revisions

• This comparison shows the changes necessary to convert path

  → /scripts/alcasar-iptables-filter.sh @ 39

  → /scripts/alcasar-iptables-filter.sh @ 40

  ↔ Reverse comparison

• Compare Path:	Rev

  With Path:	Rev

No changes between revisions

Ignore whitespace Rev 39 → Rev 40

/scripts/alcasar-iptables-filter.sh
0,0 → 1,62
#!/bin/sh
# by rexy (version 1.9 du 12/2009)
# a voir la relation avec nf_nat_ftp
# modprobe ip_conntrack_irc
# modprobe ip_conntrack_ftp
################## FILTRAGE PARTICULIER ##################
# Administration à distance par exemple :
## Autoriser SSH depuis l'extérieur sur le port 12222 ####
## Ne pas oublier la règle de PAT sur le modem/routeur (box ADSL) ! ainsi que l'adresse IP de votre machine distante dans /etc/hosts.allow
# $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 12222 -m state --state NEW -j ULOG --ulog-prefix "RULE Admin2 -- ACCEPT
# $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 12222 -j REDIRECT --to-port 22
# $IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -j ACCEPT
##########################################################
################# FILTRAGE APPLICATIF ####################
## Positionnez la variable "FILTERING" du fichier "alcasar-iptables.sh" à "yes" pour activer le filtrage
## Modifiez le fichier /usr/local/etc/alcasar-services pour l'adapter à vos besoins
if [ $FILTERING = "yes" ]
then
# si le fichier d'exception est renseigné on le traite
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
if [ $nb_exceptions != "0" ]
then
while read ip_exception
do
echo $ip_exception
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW,ESTABLISHED -j ACCEPT
done < /usr/local/etc/alcasar-filter-exceptions
fi
# On autorise les protoles non commentés
while read svc_line
do
svc_on=`echo $svc_line|cut -b1`
if [ $svc_on != "#" ]
then
svc_name=`echo $svc_line|cut -d" " -f1`
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
then
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT
# else if [ $svc_name = "ftp-passif" ]
# then
# /sbin/modprobe nf_nat_ftp
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ULOG --ulog-prefix "RULE F_ftp-passifE -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state RELATED -j ULOG --ulog-prefix "RULE F_ftp-passifR -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# fi
else
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW,ESTABLISHED -j ACCEPT
fi
fi
done < /usr/local/etc/alcasar-services
#tout le reste est bloqué
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
fi
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable