

Ignore whitespace Rev 2687 → Rev 2688

/scripts/alcasar-iptables.sh
33,6 → 33,8
dns1=${dns1:=208.67.220.220}
dns2=${dns2:=208.67.222.222}
DNSSERVERS="$dns1,$dns2" # first and second public DNS servers
INT_DNS_IP=`grep INT_DNS_IP $CONF_FILE|cut -d"=" -f2` # Adresse du serveur DNS interne
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
45,6 → 47,12
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # Site Direct (no havp and no filtrage) for user BL
 
# Allow requests to internal DNS if activated
if [ "$INT_DNS_ACTIVE" = "on" ]
then
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
fi
 
# Sauvegarde des SET des utilisateurs connectés si ils existent
# Saving SET of connected users if it exists
ipset list not_filtered 1>/dev/null 2>&1
111,7 → 119,7
# Suppression des ip réhabilitées / Removing of rehabilitated ip
for ip in $(cat $IP_REHABILITEES)
do
ipset del bl_ip_blocked $ip
ipset -q del bl_ip_blocked $ip
done
 
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés
118,11 → 126,11
ipset create site_direct hash:net hashsize 1024
for site in $(cat $SITE_DIRECT)
do
ipset add site_direct $site
ipset add site_direct $site
done
 
###### WL set ###########
# taille fixe, car peupler par dnsmasq / fixe length due to dnsmasq dynamic loading
# taille fixe, car peuplé par dnsmasq / fixe length due to dnsmasq dynamic loading
wl_set_length=65536
# Chargement Loading
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
285,18 → 293,18
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset
 
# autorisation des connexion légitime à DNSMASQ (avec blacklist)
# Allow connections for DNSMASQ (with blacklist)
# autorisation des connexion légitime à Unbound (avec blacklist)
# Allow connections for Unbound (with blacklist)
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
 
# autorisation des connexion légitime à DNSMASQ (avec whitelist)
# Allow connections for DNSMASQ (with whitelist)
# autorisation des connexion légitime à Unbound (avec whitelist)
# Allow connections for Unbound (with whitelist)
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
 
# autorisation des connexion légitime à DNSMASQ (mode blackhole)
# Allow connections for DNSMASQ (blackhole mode)
# autorisation des connexion légitime à Unbound (mode blackhole)
# Allow connections for Unbound (blackhole mode)
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT
 
386,7 → 394,7
do
svc_on=`echo $svc_line|cut -b1`
if [ $svc_on != "#" ]
then
then
svc_name=`echo $svc_line|cut -d" " -f1`
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
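Review bot: The new `INT_DNS_ACTIVE` branch in the 45,6 → 47,12 hunk appends `$INT_DNS_IP` to `DNSSERVERS` without checking that the value read from `$CONF_FILE` is non-empty, so a configuration with `INT_DNS_ACTIVE=on` and a blank or missing `INT_DNS_IP` produces a trailing comma in `DNSSERVERS`; any iptables rule built from that list would presumably fail to parse, and in a firewall script a failed rule can leave the ruleset partially applied. The reads added in the first hunk are also unanchored (`grep INT_DNS_IP $CONF_FILE` matches any key containing that substring, and `$CONF_FILE` is unquoted). I would gate the append on a non-empty value, `if [ "$INT_DNS_ACTIVE" = "on" ] && [ -n "$INT_DNS_IP" ]`, and anchor the reads, `INT_DNS_IP=$(grep '^INT_DNS_IP=' "$CONF_FILE" | cut -d= -f2)`; validating that the value looks like an address before it reaches iptables would be a further step. Whether `DNSSERVERS` is also used in FORWARD rules that would now expose the internal resolver to the client network is outside these hunks and worth confirming.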