| 45,9 → 45,6 |
|---|
| TUNIF="tun0" # listen device for chilli daemon |
| IPTABLES="/sbin/iptables" |
| |
| #lancement du module kernel ipt_NETFLOW (module iptables) |
| modprobe ipt_NETFLOW destination=127.0.0.1:2055 |
| |
| # Effacement des règles existantes |
| # Flush all existing rules |
| $IPTABLES -F |
| 135,7 → 132,6 |
|---|
| |
| # On autorise les retours de connexions légitimes par INPUT |
| # Conntrack on INPUT |
| #$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j NETFLOW |
| $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
| |
| # On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
| 158,8 → 154,6 |
|---|
| fi |
| # Autorisation des connexions légitimes à DansGuardian |
| # Allow connections for DansGuardian |
| #Flux netflow des requêtes HTTP à destination de DansGuardian |
| #$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -j NETFLOW |
| $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT |
| |
| # On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
| 255,6 → 249,7 |
|---|
| #fi |
| |
| # Autorisation des retours de connexions légitimes |
| # Allow conntrack |
| $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
| |
| # If protocols filter is activate |
| 266,7 → 261,6 |
|---|
| while read ip_exception |
| do |
| $IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW |
| $IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT |
| done < /usr/local/etc/alcasar-filter-exceptions |
| fi |
| 278,7 → 272,6 |
|---|
| do |
| ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2` |
| $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW |
| $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT |
| done < /usr/local/etc/alcasar-uamallowed |
| fi |
| 293,15 → 286,11 |
|---|
| svc_port=`echo $svc_line|cut -d" " -f2` |
| if [ $svc_name = "icmp" ] |
| then |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT |
| else |
| |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT |
| fi |
| fi |
| 322,19 → 311,18 |
|---|
| # Autorisation des connections sortant du LAN |
| # Allow forward connections with log |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT " |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW |
| $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT |
| |
| ############################# |
| # OUTPUT # |
| ############################# |
| # SSHD rules if activate |
| if [ $SSH = on ] |
| then |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT |
| fi |
| # On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur |
| # Everything is allowed but traffic through outside network interface |
| |
| # On autorise les retours de connexions légitimes par OUTPUT |
| # Conntrack on OUTPUT |
| $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| |
| # On laisse tout sortir sur INTIF |
| # Everything is allowed only on INTIF |
| $IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT |
| |
| # On autorise les requêtes DNS vers les serveurs DNS identifiés |
| 343,7 → 331,6 |
|---|
| |
| # On autorise les requêtes HTTP sortantes |
| # HTTP requests are allowed |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT |
| |
| # On autorise les requêtes FTP |
| 350,7 → 337,6 |
|---|
| # FTP requests are allowed |
| modprobe ip_conntrack_ftp |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT |
| $IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT |
| |
| # On autorise les requêtes NTP |
| # NTP requests are allowed |
| 370,7 → 356,6 |
|---|
| # $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT |
| fi |
| |
| |
| ############################# |
| # POSTROUTING # |
| ############################# |