| 1,7 → 1,7 |
|---|
| #!/bin/bash |
| # $Id$ |
| # Script de mise en place des regles du parefeu d'Alcasar (mode normal) |
| # This script write the netfilter rules for ALCASAR |
| # This script writes the netfilter rules for ALCASAR |
| # Rexy - 3abtux - CPN |
| # |
| # Reminders |
| 30,6 → 30,7 |
|---|
| DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off) |
| DNS_FILTERING=${DNS_FILTERING:=off} |
| BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
| BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty |
| QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
| QOS=${QOS:=off} |
| SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
| 44,8 → 45,8 |
|---|
| INTIF="eth1" |
| TUNIF="tun0" # listen device for chilli daemon |
| IPTABLES="/sbin/iptables" |
| IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP |
| |
| |
| # loading of NetFlow probe (ipt_NETFLOW kernel module) |
| modprobe ipt_NETFLOW destination=127.0.0.1:2055 |
| |
| 76,21 → 77,6 |
|---|
| # destroy all SET |
| ipset destroy |
| |
| # Création et peuplement du SET alcasar_ip_blocked |
| # creation and first populating of alcasar_ip_blocked SET |
| ipset create alcasar_ip_blocked hash:net hashsize 1024 |
| if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
| while read ip_line |
| do |
| ip_on=`echo $ip_line|cut -b1` |
| if [ $ip_on != "#" ] |
| then |
| ip_blocked=`echo $ip_line|cut -d" " -f1` |
| ipset add alcasar_ip_blocked $ip_blocked |
| fi |
| done < /usr/local/etc/alcasar-ip-blocked |
| fi |
| |
| # Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown) |
| # creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts) |
| ipset create authenticated_ip hash:net hashsize 1024 |
| 107,25 → 93,27 |
|---|
| done |
| IFS=$OLDIFS |
| |
| # Calcul de la taille du SET blacklist_ip_blocked |
| # Computing the length of the blacklist_ip_blocked set |
| # Calcul de la taille de l'ipset |
| cd $BL_IP_CAT |
| ipset_length=$(wc -l * | awk '{print $1}' | tail -n 1) |
| ipset_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
| |
| # Ajout du delta (ip entrées manuellement) |
| # Addition of the delta (ip entered manually) |
| ((ipset_length=$ipset_length+10)) |
| |
| # Création du fichier ipset temporaire, remplissage, chargement et suppression |
| echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > ipset_save |
| # Création du fichier set temporaire, remplissage, chargement et suppression |
| echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > /tmp/ipset_save |
| for category in `ls -1 | cut -d '@' -f1` |
| do |
| cat $BL_IP_CAT/$category >> ipset_save |
| cat $BL_IP_CAT/$category >> /tmp/ipset_save |
| done |
| ipset -! restore < ipset_save |
| rm -f ipset_save |
| cat $BL_IP_OSSI >> /tmp/ipset_save |
| ipset -! restore < /tmp/ipset_save |
| rm -f /tmp/ipset_save |
| |
| # Sauvegarde de tous les ipset (pour restaurer après redémarrage) |
| # Extraction des ip réhabilitées |
| for ip in $(cat $IP_REHABILITEES) |
| do |
| ipset del blacklist_ip_blocked $ip |
| done |
| |
| # Sauvegarde de tous les set (pour restaurer après redémarrage) |
| ipset save > /etc/sysconfig/ipset_save |
| |
| ############################# |
| 157,9 → 145,6 |
|---|
| fi |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
| fi |
| # Redirection des requêtes HTTP des IP admin bannies vers ALCASAR (page 'accès interdit') |
| # Redirect HTTP requests of admin banned ip to ALCASAR (access deny window) |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port http |
| |
| # Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') |
| # Redirect HTTP requests of blacklist ip to ALCASAR (access deny window) |
| 270,15 → 255,9 |
|---|
| $IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset |
| |
| # Blocage des IPs du SET alcasar_ip_blocked |
| # Deny IPs of the SET alcasar_ip_blocked |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
| |
| # Blocage des IPs du SET blacklist_ip_blocked |
| # Deny IPs of the SET blacklist_ip_blocked |
| if [ $DNS_FILTERING = on ]; then |
| # Blocage des IPs du SET blacklist_ip_blocked |
| # Deny IPs of the SET blacklist_ip_blocked |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset |