41,10 → 41,6 |
SSH=${SSH:=off} |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2` |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side) |
LDAP=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2` # LDAP external server active (on/off) |
LDAP=${LDAP:=off} |
LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side) |
LDAP_SERVER=${LDAP_SERVER:="0.0.0.0/0.0.0.0"} |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP |
|
429,11 → 425,11 |
############################# |
# OUTPUT # |
############################# |
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur |
# Everything is allowed but traffic through outside network interface |
# On laisse tout sortir à l'exception de la carte externe (cf ci-dessous) |
# Everything is allowed apart from outside network interface (see bellow) |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT |
|
# Si configéré, on autorise les requêtes DHCP |
# Si configuré, on autorise les requêtes DHCP |
# Allow DHCP requests if configured |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
if [[ "$public_ip_mask" == "dhcp" ]] |
446,8 → 442,8 |
# Allow DNS requests to identified DNS servers |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT |
|
# On autorise les requêtes HTTP sortantes |
# HTTP requests are allowed |
# On autorise les requêtes HTTP avec log Netflow (en provenance de Dansguardian) |
# HTTPS requests are allowed with netflow log (from Dansguardian) |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT |
|
456,7 → 452,7 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT |
|
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse) |
# RSYNC requests are allowed (to update BL of Toulouse) |
# RSYNC requests are allowed (update of Toulouse BL) |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT |
|
# On autorise les requêtes FTP |
473,13 → 469,10 |
# ICMP (ping) requests are allowed |
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT |
|
# On autorise les requêtes LDAP si un serveur externe est configué |
# LDAP requests are allowed if an external server is declared |
if [ $LDAP = on ] |
then |
$IPTABLES -A OUTPUT -p tcp -d $LDAP_SERVER -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
$IPTABLES -A OUTPUT -p udp -d $LDAP_SERVER -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
fi |
# On autorise les requêtes LDAP |
# LDAP requests are allowed |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p udp -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
|
############################# |
# POSTROUTING # |