Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1487 → Rev 1488

/scripts/alcasar-iptables.sh
320,51 → 320,54
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# If protocols filter is activate
#if [ $PROTOCOLS_FILTERING = on ]; then
# # Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
# nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
# if [ $nb_uamallowed != "0" ]
# then
# while read ip_allowed_line
# do
# ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
# done < /usr/local/etc/alcasar-uamallowed
# fi
# # Autorisation des protocoles non commentés
# # Allow non comment protocols
# while read svc_line
# do
# svc_on=`echo $svc_line|cut -b1`
# if [ $svc_on != "#" ]
# then
# svc_name=`echo $svc_line|cut -d" " -f1`
# svc_port=`echo $svc_line|cut -d" " -f2`
# if [ $svc_name = "icmp" ]
# then
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
# else
#
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
# fi
# fi
# done < /usr/local/etc/alcasar-services
# # Rejet explicite des autres protocoles
# # reject the others protocols
# $IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
# $IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
# $IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
# $IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
#fi
if [ $PROTOCOLS_FILTERING = on ]; then
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
if [ $nb_uamallowed != "0" ]
then
while read ip_allowed_line
do
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
done < /usr/local/etc/alcasar-uamallowed
fi
# Autorisation du HTTP et des protocoles non commentés
# Allow HTTP and non comment protocols
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT
while read svc_line
do
svc_on=`echo $svc_line|cut -b1`
if [ $svc_on != "#" ]
then
svc_name=`echo $svc_line|cut -d" " -f1`
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
then
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
else
 
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
fi
fi
done < /usr/local/etc/alcasar-services
# Rejet explicite des autres protocoles
# reject the others protocols
$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
fi
 
# If QOS is activate #
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
. /usr/local/etc/alcasar-iptables-qos.sh
/scripts/sbin/alcasar-bl.sh
105,9 → 105,6
exit 0
;;
# Retrieve Toulouse BL
-cat_choice | --cat_choice)
cat_choice
;;
-download | --download)
rm -rf /tmp/con_ok.html
`/usr/bin/curl $BL_SERVER -# -o /tmp/con_ok.html`
122,6 → 119,10
chown -R apache:apache $DIR_tmp
fi
;;
# enable/disable categories (used only during the alcasar install process)
-cat_choice | --cat_choice)
cat_choice
;;
# Adapt Toulouse BL to ALCASAR architecture (dnsmasq + DG + iptables)
-adapt | --adapt)
echo -n "Toulouse BlackList migration process. Please wait : "
224,7 → 225,9
cp -f $DIR_DG_BL/ossi/domains $DIR_DNS_BL/ossi.conf
$SED "s?.*?address=/&/$PRIVATE_IP?g" $DIR_DNS_BL/ossi.conf
cp -f $DIR_DG_BL/ossi/domains_wl $DIR_DNS_WL/ossi.conf
bl_enable
systemctl restart dnsmasq-blacklist
systemctl restart dnsmasq-whitelist
/usr/local/bin/alcasar-iptables.sh
;;
*)
echo "Argument inconnu :$1";
/scripts/sbin/alcasar-uninstall.sh
129,8 → 129,6
fi
sleep 1
 
 
 
#param_ulogd
echo -en "\n- ulogd(6) : "
i=0
154,7 → 152,7
then
[ -e /etc/sysconfig/dnsmasq.default ] && mv /etc/sysconfig/dnsmasq.default /etc/sysconfig/dnsmasq && echo -n "1, "
[ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "2, "
i=0
i=2
for list in blacklist whitelist blackhole
do
i=`expr $i + 1`
213,11 → 211,11
sleep 1
 
#network
echo -en "\n- network(9) : "
echo -en "\n- network(8) : "
hostname localhost
CONF_FILE="/usr/local/etc/alcasar.conf"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
i=0
for nic in $EXTIF $INTIF
do
230,8 → 228,7
[ -e /etc/ntp.conf.default ] && mv /etc/ntp.conf.default /etc/ntp.conf && echo -n "5, "
[ -e /etc/hosts.allow.default ] && mv /etc/hosts.allow.default /etc/hosts.allow && echo -n "6, "
[ -e /etc/hosts.deny.default ] && mv /etc/hosts.deny.default /etc/hosts.deny && echo -n "7, "
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "8, "
[ -e /etc/modprobe.preload.default ] && mv /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "9"
[ -e /etc/modprobe.preload.default ] && mv /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "8"
 
/sbin/ifup $EXTIF
sleep 1
262,5 → 259,3
done
echo
 
#suppression des exceptions de mises à jours ( coova-chilli et freeradius)
sed -i '/coova.*/d' /etc/urpmi/skip.list