Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 597 → Rev 604

/scripts/alcasar-iptables-bypass.sh
3,22 → 3,19
 
# script d'initialisation des regles du parefeu en mode ByPass
# Rexy - 3abtux
# version 2.0 - 12/2010
# changelog :
# + Prise en compte de regles locales
# + prise en compte optionnelle d'un fichier iptables 'personnel' permettant de bloquer certains flux/services
# + suppression du broadcast et du multicast sur les interfaces
# + adaptation dnsmasq
 
private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2`
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
 
IPTABLES="/sbin/iptables"
 
EXTIF="eth0"
INTIF="eth1"
PRIVATE_NETWORK_MASK="192.168.182.0/24"
PRIVATE_IP="192.168.182.1"
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
 
# On vide (flush) toutes les règles existantes
# Flush all existing rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -F INPUT
26,6 → 23,7
$IPTABLES -F OUTPUT
 
# On indique les politiques par défaut
# Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
34,25 → 32,24
$IPTABLES -t nat -P OUTPUT ACCEPT
 
# On efface toutes les chaînes qui ne sont pas par défaut dans les tables filter et nat
# Flush non default rules on filter and nat tables
$IPTABLES -X
$IPTABLES -t nat -X
 
# On autorise tout sur loopback
# accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
 
# on autorise les requêtes dhcp
# accept dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
 
# Règles d'antispoofing
$IPTABLES -A INPUT -i $INTIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY "
$IPTABLES -A INPUT -i $INTIF ! -s $PRIVATE_NETWORK_MASK -j DROP
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY "
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP
 
# On drop le broadcast et le multicasat sur les interfaces (sans Log)
# On drop le broadcast et le multicast sur les interfaces (sans Log)
# Drop broadcast & multicast
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
# On autorise le ping dans les deux sens (icmp N°0 & 8) en provenance du LAN
# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN
# Allow ping (icmp N°0 & 8) from LAN
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
 
61,7 → 58,8
. /usr/local/etc/alcasar-iptables-local.sh
fi
 
# On autorise en FORWARD les connexions déjà établies
# On autorise les retours de connexions légitimes par FORWARD
# Conntrack on forward
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On autorise les demandes de connexions sortantes
/scripts/alcasar-iptables.sh
9,16 → 9,22
# 3 for exterior access attempts.
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
 
private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2`
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
dns1=`grep DNS1 /usr/local/etc/alcasar-network|cut -d"=" -f2` # first public DNS server
dns2=`grep DNS2 /usr/local/etc/alcasar-network|cut -d"=" -f2` # second public DNS server
 
IPTABLES="/sbin/iptables"
PROTO_FILTERING="no"
DNS_FILTERING="no"
QOS="no"
EXTIF="eth0"
EXTIF="eth0"
INTIF="eth1"
TUNIF="tun0"
PRIVATE_NETWORK_MASK="192.168.182.0/24"
PRIVATE_IP="192.168.182.1"
DNSSERVERS="208.67.220.220,208.67.222.222"
TUNIF="tun0" # listen card for chilli daemon
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
 
# Effacement des règles existantes
# Flush all existing rules
77,17 → 83,6
# Drop broadcast & multicast
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN
# Allow ping (icmp N°0 & 8) from LAN
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
 
# Insertion de règles locales
# Here, we add local rules (i.e. ssh from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
. /usr/local/etc/alcasar-iptables-local.sh
fi
 
# Rejet des tentatives de création de tunnels DNS (même pour les utilisateurs authentifiés)
# Deny forward DNS (even for authenticated users ...)
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
166,18 → 161,36
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT
 
###########################################################################################
# Direct input from local network (dns, ntp, https, http, ssh and 3990 (user disconnect) #
###########################################################################################
#################################################################################################
# Direct input from local network (icmp, dns, ntp, https, http, ssh and 3990 (user disconnect) #
#################################################################################################
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT # ping reply
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT # ping request
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # dnsmasq without forward
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT # dnsmasq with blackhole
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT
 
# SSHD rules if activate
ssh_active=`grep SSH /usr/local/etc/alcasar-network|cut -d"=" -f2`
if [ $ssh_active = "on" ]
then
Admin_from_IP="0.0.0.0/0.0.0.0" # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! )
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. ssh from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
. /usr/local/etc/alcasar-iptables-local.sh
fi
 
# On autorise les retours de connexions légitimes par INPUT
# Conntrack on INPUT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/scripts/alcasar-conf.sh
38,7 → 38,7
/usr/local/sbin/alcasar-mysql.sh -dump
cp /var/Save/base/`ls /var/Save/base|tail -1` $DIR_UPDATE
# Sauvegarde du nom d'organisme
echo `cat /root/ALCASAR-parameters.txt|grep Organisme|cut -d":" -f2|tr -d " "` > $DIR_UPDATE/organisme
echo `cat /root/ALCASAR-parameters.txt|grep Organism|cut -d":" -f2|tr -d " "` > $DIR_UPDATE/organisme
# Sauvegarde du logo
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE
# Sauvegarde des fichiers exploités par dansguardian
116,6 → 116,8
# On active/désactive le filtrage de protocoles
active_filter=`cat $DIR_UPDATE/alcasar-iptables.sh|grep ^FILTERING|cut -d"=" -f2`
$SED "s/^FILTERING=.*/FILTERING=$active_filter/g" $DIR_BIN/alcasar-iptables.sh
# On applique les paramètres réseau
...
# Effacement du répertoire d'update
rm -rf $DIR_UPDATE
;;
/scripts/etc/alcasar-iptables-local.sh
7,18 → 7,10
# + autorisation de l'ICMP vers eth0
# + autorisation de SSH par eth0
 
Admin_from_IP="0.0.0.0/0.0.0.0" # Une @IP fixe peut-être fournie pour affiner le filtrage : 192.168.1.0/24 { 0.0.0.0/0.0.0.0 } = de n'importe où !
 
# On autorise le ping dans les deux sens (echo & request) (icmp N°0 & 8) en provenance de l'extérieur
#$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
#$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
 
# Règles permettant d'autoriser l'administration à distance ( modifier également /etc/ssh/sshd_config et /etc/hosts.allow )
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
 
 
 
# Fin du script des règles du parefeu
 
/scripts/sbin/alcasar-network.sh
8,7 → 8,9
# Installation des paramètres réseau d'ALCASAR
 
# ******* Global *******
DIR_DEST_ETC="/usr/local/etc" # répertoire des fichiers de conf
DIR_DEST_ETC="/usr/local/etc" # alcasar conf files folder
DIR_DEST_BIN="/usr/local/bin/" # alcasar scripts folder
DIR_WEB="/var/www/html" # alcasar control center
FIC_PARAM="/root/ALCASAR-parameters.txt"
HOSTNAME="alcasar"
DOMAIN="localdomain" # domaine local
17,22 → 19,22
SED="/bin/sed -i"
 
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/[012]?[0-9]\b"
PRIVATE_IP_MASK=`cat $DIR_DEST_ETC/alcasar-network|grep PRIVATE_IP|cut -d"=" -f2`
PRIVATE_IP_MASK=`grep PRIVATE_IP $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2`
check=$(echo $PRIVATE_IP_MASK | egrep $PTN)
if [[ "$?" -ne 0 ]]
then
echo "Syntax error for PRIVATE_IP ($PRIVATE_IP)"
echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)"
exit 0
fi
PUBLIC_IP_MASK=`cat $DIR_DEST_ETC/alcasar-network|grep PUBLIC_IP|cut -d"=" -f2`
PUBLIC_IP_MASK=`grep PUBLIC_IP $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2`
check=$(echo $PUBLIC_IP_MASK | egrep $PTN)
if [[ "$?" -ne 0 ]]
then
echo "Syntax error for PUBLIC_IP ($PUBLIC_IP)"
echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)"
exit 0
fi
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b"
PUBLIC_GATEWAY=`cat $DIR_DEST_ETC/alcasar-network|grep GW|cut -d"=" -f2`
PUBLIC_GATEWAY=`grep GW $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2`
check=$(echo $PUBLIC_GATEWAY | egrep $PTN)
if [[ "$?" -ne 0 ]]
then
39,18 → 41,18
echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)"
exit 0
fi
DNS1=`cat $DIR_DEST_ETC/alcasar-network|grep DNS1|cut -d"=" -f2`
DNS1=`grep DNS1 $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2`
check=$(echo $PUBLIC_GATEWAY | egrep $PTN)
if [[ "$?" -ne 0 ]]
then
echo "Syntax error for the IP address of the first DNS server ($EXT_GATEWAY)"
echo "Syntax error for the IP address of the first DNS server ($DNS1)"
exit 0
fi
DNS2=`cat $DIR_DEST_ETC/alcasar-network|grep DNS2|cut -d"=" -f2`
DNS2=`grep DNS2 $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2`
check=$(echo $PUBLIC_GATEWAY | egrep $PTN)
if [[ "$?" -ne 0 ]]
then
echo "Syntax error for the IP address of the second DNS server ($EXT_GATEWAY)"
echo "Syntax error for the IP address of the second DNS server ($DNS2)"
exit 0
fi
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0)
60,17 → 62,50
classe_sup=`expr $classe + 1`
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # dernier octet de l'@ de réseau
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.)
PRIVATE_MASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # masque réseau de consultation (ex.: 255.255.255.0)
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # masque réseau de consultation (ex.: 255.255.255.0)
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_IP_MASK | cut -d"=" -f2` # @ broadcast réseau de consultation (ex.: 192.168.182.255)
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # dernier octet de l'@ de broadcast
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # @ip du portail (côté réseau de consultation)
PRIVATE_DYN_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 2` # @ip du portail (côté réseau de consultation)
PRIVATE_DYN_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # @ip du portail (côté réseau de consultation)
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1` # @IP du portail (côté Internet)
PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2` # masque réseau côté Internet (ex.: 255.255.255.0)
 
# Change in ALCASAR-parameters
$SED "s?^- WAN IP.*?- WAN IP address ($EXTIF) :\t$PUBLIC_IP_MASK?g" $FIC_PARAM
$SED "s?^- Gateway.*?- Gateway IP addess :\t$PUBLIC_GATEWAY?g" $FIC_PARAM
$SED "s?^- DNS servers.*?- DNS servers :\t$DNS1 and $DNS2?g" $FIC_PARAM
$SED "s?^- Gateway.*?- Gateway IP addess :\t\t$PUBLIC_GATEWAY?g" $FIC_PARAM
$SED "s?^- DNS servers.*?- DNS servers :\t\t\t$DNS1 and $DNS2?g" $FIC_PARAM
$SED "s?^- LAN IP.*?- LAN IP address ($INTIF) :\t$PRIVATE_IP_MASK?g" $FIC_PARAM
$SED "s?^- Dynamic.*?- Dynamic IP addresses (DHCP) :\tfrom $PRIVATE_DYN_FIRST_IP to $PRIVATE_DYN_LAST_IP?g" $FIC_PARAM
# Change in ...
 
# Networt Cards config
$SED "s?^IPADDR=.*?IPADDR=$PUBLIC_IP?" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
$SED "s?^NETMASK=.*?NETMASK=$PUBLIC_NETMASK?" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
$SED "s?^GATEWAY=.*?GATEWAY=$PUBLIC_GATEWAY?" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
$SED "s?^IPADDR=.*?IPADDR=$PRIVATE_IP?" /etc/sysconfig/network-scripts/ifcfg-$INTIF
$SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/ifcfg-$INTIF
 
# NTP server
$SED "s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap\nrestrict 127.0.0.1?" /etc/ntp.conf
$SED "s?^ntpd:.*?ntpd: $PRIVATE_NETWORK_SHORT?" /etc/hosts.allow
 
# Alcasar control center
FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
$SED "s?^\$private_ip =.*?\$private_ip = \"$PRIVATE_IP\";?g" $DIR_WEB/index.php
$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL
#...
 
 
# Start / Stop SSH Daemon
ssh_active=`grep SSH $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2`
if [ $ssh_active = "on" ]
then
/sbin/chkconfig --add sshd
else
/sbin/chkconfig --del sshd
fi
 
 
$DIR_DEST_BIN/alcasar-iptables.sh
 
/scripts/sbin/alcasar-uninstall.sh
114,11 → 114,6
fi
sleep 1
 
#firewall
echo -en "\n- firewall(1) : "
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "1"
sleep 1
 
#param_ulogd
echo -en "\n- ulogd(2) : "
if [ -e /etc/init.d/ulogd.default ]
178,7 → 173,7
sleep 1
 
# network
echo -en "\n- network(7) : "
echo -en "\n- network(8) : "
hostname localhost
/sbin/ifdown eth0
[ -e /etc/sysconfig/network-scripts/default-ifcfg-eth0 ] && mv /etc/sysconfig/network-scripts/default-ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0 && echo -n "1, "
187,7 → 182,8
[ -e /etc/sysconfig/network-scripts/ifcfg-eth1 ] && rm -f /etc/sysconfig/network-scripts/ifcfg-eth1 && echo -n "4, "
[ -e /etc/ntp.conf.default ] && mv /etc/ntp.conf.default /etc/ntp.conf && echo -n "5, "
[ -e /etc/hosts.allow.default ] && mv /etc/hosts.allow.default /etc/hosts.allow && echo -n "6, "
[ -e /etc/hosts.deny.default ] && mv /etc/hosts.deny.default /etc/hosts.deny && echo -n "7"
[ -e /etc/hosts.deny.default ] && mv /etc/hosts.deny.default /etc/hosts.deny && echo -n "7, "
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "8"
echo
/sbin/ifup eth0
sleep 1