| 1,17 → 1,16 |
|---|
| #!/bin/bash |
| #!/bin/sh |
| # $Id$ |
| |
| # alcasar-iptables.sh |
| # by Rexy - 3abtux - CPN |
| # This script is distributed under the Gnu General Public License (GPL) |
| |
| # Mise en place des regles du parefeu d'Alcasar (mode normal) |
| # Script de mise en place des regles du parefeu d'Alcasar (mode normal) |
| # This script write the netfilter rules for ALCASAR |
| # Rexy - 3abtux - CPN |
| # |
| # Reminders |
| # There are three channels for log : |
| # 1 (default) for tracability; |
| # 2 for secure admin (ssh); |
| # 3 for exterior access attempts. |
| # The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script |
| # The bootps/dhcp (67) port is always open on tun0/eth1 by coova |
| |
| conf_file="/usr/local/etc/alcasar.conf" |
| private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2` |
| 35,7 → 34,7 |
|---|
| PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
| PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
| DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
| EXTIF="eth0" |
| EXTIF="eth0" |
| INTIF="eth1" |
| TUNIF="tun0" # listen card for chilli daemon |
| IPTABLES="/sbin/iptables" |
| 66,20 → 65,12 |
|---|
| # Tout passe sur loopback |
| # accept all on loopback |
| $IPTABLES -A INPUT -i lo -j ACCEPT |
| |
| # On élimine les paquets "NEW not SYN" |
| # Ensure that TCP connections start with syn packets |
| $IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP |
| |
| ############################# |
| # INTIF rules # |
| ############################# |
| # les requètes dhcp entrantes sont acceptées |
| # accept dhcp |
| $IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT |
| |
| # La règle suivante interdit la sortie par INTIF. Elle n'est utile que lorsque chilli est arrêté. |
| # INTIF is closed (all by TUNIF) |
| # interdit l'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
| # Reject INTIF access (only when chilli is down) |
| $IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT " |
| $IPTABLES -A INPUT -i $INTIF -j REJECT |
| |
| 86,14 → 77,15 |
|---|
| ############################# |
| # Local protection rules # |
| ############################# |
| # On stoppe les tentatives de NULLSCAN et XMAS (tous flags à 1) |
| # Drop XMAS & NULLscans |
| # On stoppe les demande de connexions non conformes (NullScan, XMAS (tous flags à 1), NEW not SYN, etc.) |
| # Drop non standard connexions (NULLscans, XMAS, "NEW not SYN", etc.) |
| $IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP |
| $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP |
| $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP |
| $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP |
| $IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP |
| |
| # On stoppe les broadcasts et multicast |
| # On ne traite pas les broadcasts et multicast |
| # Drop broadcast & multicast |
| $IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
| |