| 41,10 → 41,6 |
|---|
| SSH=${SSH:=off} |
| SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2` |
| SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side) |
| LDAP=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2` # LDAP external server active (on/off) |
| LDAP=${LDAP:=off} |
| LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side) |
| LDAP_SERVER=${LDAP_SERVER:="0.0.0.0/0.0.0.0"} |
| IPTABLES="/sbin/iptables" |
| IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP |
| |
| 429,11 → 425,11 |
|---|
| ############################# |
| # OUTPUT # |
| ############################# |
| # On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur |
| # Everything is allowed but traffic through outside network interface |
| # On laisse tout sortir à l'exception de la carte externe (cf ci-dessous) |
| # Everything is allowed apart from outside network interface (see bellow) |
| $IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT |
| |
| # Si configéré, on autorise les requêtes DHCP |
| # Si configuré, on autorise les requêtes DHCP |
| # Allow DHCP requests if configured |
| public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
| if [[ "$public_ip_mask" == "dhcp" ]] |
| 446,8 → 442,8 |
|---|
| # Allow DNS requests to identified DNS servers |
| $IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT |
| |
| # On autorise les requêtes HTTP sortantes |
| # HTTP requests are allowed |
| # On autorise les requêtes HTTP avec log Netflow (en provenance de Dansguardian) |
| # HTTPS requests are allowed with netflow log (from Dansguardian) |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT |
| |
| 456,7 → 452,7 |
|---|
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT |
| |
| # On autorise les requêtes RSYNC sortantes (maj BL de Toulouse) |
| # RSYNC requests are allowed (to update BL of Toulouse) |
| # RSYNC requests are allowed (update of Toulouse BL) |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT |
| |
| # On autorise les requêtes FTP |
| 473,13 → 469,10 |
|---|
| # ICMP (ping) requests are allowed |
| $IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT |
| |
| # On autorise les requêtes LDAP si un serveur externe est configué |
| # LDAP requests are allowed if an external server is declared |
| if [ $LDAP = on ] |
| then |
| $IPTABLES -A OUTPUT -p tcp -d $LDAP_SERVER -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
| $IPTABLES -A OUTPUT -p udp -d $LDAP_SERVER -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
| fi |
| # On autorise les requêtes LDAP |
| # LDAP requests are allowed |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
| $IPTABLES -A OUTPUT -o $EXTIF -p udp -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
| |
| ############################# |
| # POSTROUTING # |