Ignore whitespace Rev 2840 → Rev 2841

/scripts/alcasar-iptables.sh
45,7 → 45,7
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
IPTABLES="/sbin/iptables"
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # Site Direct (no havp and no filtrage) for user BL
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
 
# Allow requests to internal DNS if activated
if [ "$INT_DNS_ACTIVE" = "on" ]
59,9 → 59,9
if [ $? -eq 0 ];
then
ipset save not_filtered > $TMP_users_set_save
ipset save havp >> $TMP_users_set_save
ipset save havp_bl >> $TMP_users_set_save
ipset save havp_wl >> $TMP_users_set_save
ipset save av >> $TMP_users_set_save
ipset save av_bl >> $TMP_users_set_save
ipset save av_wl >> $TMP_users_set_save
ipset save proto_0 >> $TMP_users_set_save
ipset save proto_1 >> $TMP_users_set_save
ipset save proto_2 >> $TMP_users_set_save
122,7 → 122,7
ipset -q del bl_ip_blocked $ip
done
 
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés
# ipset for exception web sites (usefull for filtered users = av_bl)
ipset create site_direct hash:net hashsize 1024
for site in $(cat $SITE_DIRECT)
do
150,9 → 150,9
rm -f $TMP_users_set_save
else
ipset create not_filtered hash:ip hashsize 1024
ipset create havp hash:ip hashsize 1024
ipset create havp_bl hash:ip hashsize 1024
ipset create havp_wl hash:ip hashsize 1024
ipset create av hash:ip hashsize 1024
ipset create av_bl hash:ip hashsize 1024
ipset create av_wl hash:ip hashsize 1024
# pour les filtrages de protocole par utilisateur / For network protocols filtering by user
ipset create proto_0 hash:ip hashsize 1024
ipset create proto_1 hash:ip hashsize 1024
166,22 → 166,22
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
# 8080 = ipset havp_bl
# 8080 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
# 8090 = ipset havp_wl + havp
# 8090 = ipset av_wl + av
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
# 8443 = tranparent HTTPS for ipsets havp_bl + havp_wl + havp
# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6
 
# Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT
# Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules
# 54 = ipset havp_bl
# 54 = ipset av_bl
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j MARK --set-mark 3
# 55 = ipset havp_wl
# 55 = ipset av_wl
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 55 -j MARK --set-mark 4
# 56 = blackall
190,12 → 190,12
 
# redirection DNS des usagers
# users DNS redirection
# 54 = ipset havp_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p udp --dport domain -j REDIRECT --to-port 54
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p tcp --dport domain -j REDIRECT --to-port 54
# 55 = ipset havp_wl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p udp --dport domain -j REDIRECT --to-port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p tcp --dport domain -j REDIRECT --to-port 55
# 54 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54
# 55 = ipset av_wl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55
# 53 = all other users
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
202,29 → 202,29
 
# Redirection des requêtes HTTP des usagers vers E2guardian
# Redirect outbound users HTTP requests to E2guardian
# 8080 = ipset havp_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# 8090 = ipset havp_wl & havp
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
# 8080 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# 8090 = ipset av_wl & av
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
 
# Redirection des requêtes HTTPS sortantes des usagers havp_bl + havp_wl + havp vers E2Guardian
# Redirect outbound HTTPS requests of havp_bl + havp_wl + havp users to E2Guardian
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
 
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
# Journalisation HTTP_Internet des usagers 'av_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
# Log Internet HTTP of 'av_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
 
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
# Redirection HTTP des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'av_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection des requêtes NTP vers le serveur NTP local
# Redirect NTP request in local NTP server
265,9 → 265,9
 
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # havp_bl
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # havp_wl+havp
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # havp_bl+havp_wl+havp
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av
 
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian
# Allow HTTP connections to E2Guardian
286,10 → 286,10
 
# On autorise les connexion DNS légitime
# Allow DNS connections
# ipset = havp_bl
# ipset = av_bl
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
# ipset = havp_wl
# ipset = av_wl
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
# blackall
342,11 → 342,11
# FORWARD #
#############################
 
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl
# Deny IPs of the SET bl_ip_blocked for the set havp_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
# Deny IPs of the SET bl_ip_blocked for the set av_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 
# Active le suivi de session
# Allow Conntrack
420,9 → 420,9
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
fi
 
# Blocage des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL
# Block 'havp_wl' users who want IP not in the WL
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -j DROP
# Blocage des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL
# Block 'av_wl' users who want IP not in the WL
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -j DROP
 
# journalisation et autorisation des connections sortant du LAN
# Allow forward connections with log
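Review bot: The renamed `av_bl` rules in the 202,29 hunk keep an ordering that, as far as I can tell from the visible lines, makes the later rules for the same set mostly unreachable: the REDIRECT to 8080 (`-m set --match-set av_bl src -m set ! --match-set site_direct dst ... --dport http -j REDIRECT --to-port 8080`) comes first in nat PREROUTING, and REDIRECT is a terminating target, so the `F_http -- ACCEPT` NFLOG rule and the `bl_ip_blocked dst ... --to-port 80` 'access denied' redirect for `av_bl` further down would only ever see HTTP traffic whose destination is in `site_direct`. The same holds for the `av_wl` `wl_ip_allowed` redirect relative to its 8090 rule. If the log and the denied page are meant to cover all `av_bl`/`av_wl` HTTP, the NFLOG and port-80 redirects should be inserted before the 8080/8090 redirects; if E2Guardian is intended to handle blacklisted destinations itself, a comment stating that, e.g. `# NOTE: blacklisted dst are handled by E2Guardian; the port-80 redirect below only applies to site_direct destinations`, would save the next reader from the same question. The rule run is part of the top-level script body, which starts and ends outside this hunk.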