| 1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
| 2 |
#
|
2 |
#
|
| 3 |
# $Id: alcasar-iptables-local.sh 2538 2018-04-30 04:26:41Z tom.houdayer $
|
3 |
# $Id: alcasar-iptables-local.sh 2547 2018-05-06 01:49:28Z tom.houdayer $
|
| 4 |
#
|
4 |
#
|
| 5 |
# Custom rules for ALCASAR firewall
|
5 |
# Custom rules for ALCASAR firewall
|
| 6 |
#
|
6 |
#
|
| 7 |
# Examples:
|
7 |
# Examples:
|
| 8 |
# - Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)
|
8 |
# - Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)
|
| 9 |
# - allow ICMP from an Internet IP address (Admin_from) to EXTIF
|
9 |
# - allow ICMP from an Internet IP address (Admin_from) to EXTIF
|
| 10 |
# - allow SMTP from aLCASAR to an Internet server (SMTP_IP)
|
10 |
# - allow SMTP from aLCASAR to an Internet server (SMTP_IP)
|
| 11 |
# - PAT rules from Internet
|
11 |
# - PAT rules from Internet
|
| 12 |
# - Deny access to protected networks from internal LAN
|
12 |
# - Deny access to protected networks from internal LAN
|
| 13 |
# - Allow managers to access ACC from the external network
|
13 |
# - Allow managers to access ACC from the external network
|
| 14 |
# This script inherit of alcasar-iptables.sh variables : $INTIF, $EXTIF, $IPTABLES, etc
|
14 |
# This script inherit of alcasar-iptables.sh variables : $INTIF, $EXTIF, $IPTABLES, etc
|
| 15 |
|
15 |
|
| 16 |
# Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)
|
16 |
# Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)
|
| 17 |
if [ -s /usr/local/etc/alcasar-iptables-local-mac-filtered ]; then
|
17 |
if [ -s /usr/local/etc/alcasar-iptables-local-mac-filtered ]; then
|
| 18 |
while read mac_line
|
18 |
while read mac_line
|
| 19 |
do
|
19 |
do
|
| 20 |
ip_on=`echo $mac_line|cut -b1`
|
20 |
ip_on=`echo $mac_line|cut -b1`
|
| 21 |
if [ $ip_on != "#" ]
|
21 |
if [ $ip_on != "#" ]
|
| 22 |
then
|
22 |
then
|
| 23 |
mac_filtered=`echo $mac_line|cut -d" " -f1`
|
23 |
mac_filtered=`echo $mac_line|cut -d" " -f1`
|
| 24 |
echo "MAC filtered = $mac_filtered"
|
24 |
echo "MAC filtered = $mac_filtered"
|
| 25 |
$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j NFLOG --nflog-group 1 --nflog-prefix "$mac_filtered -- Filt_DROP"
|
25 |
$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j NFLOG --nflog-group 1 --nflog-prefix "$mac_filtered -- Filt_DROP"
|
| 26 |
$IPTABLES -A FORWARD -i $INTIF -p tcp -m mac --mac-source $mac_filtered -j DROP
|
26 |
$IPTABLES -A FORWARD -i $INTIF -p tcp -m mac --mac-source $mac_filtered -j DROP
|
| 27 |
$IPTABLES -A FORWARD -i $INTIF -p udp -m mac --mac-source $mac_filtered -j DROP
|
27 |
$IPTABLES -A FORWARD -i $INTIF -p udp -m mac --mac-source $mac_filtered -j DROP
|
| 28 |
$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j DROP
|
28 |
$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j DROP
|
| 29 |
fi
|
29 |
fi
|
| 30 |
done < /usr/local/etc/alcasar-iptables-local-mac-filtered
|
30 |
done < /usr/local/etc/alcasar-iptables-local-mac-filtered
|
| 31 |
fi
|
31 |
fi
|
| 32 |
|
32 |
|
| 33 |
# On autorise le ping (echo & request) (ICMP N°0 & 8) en provenance de l'extérieur vers ALCASAR
|
33 |
# On autorise le ping (echo & request) (ICMP N°0 & 8) en provenance de l'extérieur vers ALCASAR
|
| 34 |
# Allow ping (echo & request) (ICMP N°0 & 8) on EXTIF
|
34 |
# Allow ping (echo & request) (ICMP N°0 & 8) on EXTIF
|
| 35 |
#$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT
|
35 |
#$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT
|
| 36 |
#$IPTABLES -A OUTPUT -o $EXTIF -d $Admin_from_IP -p icmp --icmp-type 0 -j ACCEPT
|
36 |
#$IPTABLES -A OUTPUT -o $EXTIF -d $Admin_from_IP -p icmp --icmp-type 0 -j ACCEPT
|
| 37 |
|
37 |
|
| 38 |
# On autorise l'accès à un serveur MAIL (SMTP) pour l'envoie de rapports, alertes (logwatch, etc.)
|
38 |
# On autorise l'accès à un serveur MAIL (SMTP) pour l'envoie de rapports, alertes (logwatch, etc.)
|
| 39 |
# Allow access to a mail server (SMTP)
|
39 |
# Allow access to a mail server (SMTP)
|
| 40 |
#SMTP_IP=0.0.0.0 # renseigner l'@IP du serveur SMTP
|
40 |
#SMTP_IP=0.0.0.0 # renseigner l'@IP du serveur SMTP
|
| 41 |
#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport smtp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
41 |
#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport smtp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
| 42 |
#$IPTABLES -A INPUT -p tcp -s $SMTP_IP --sport smtp -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
42 |
#$IPTABLES -A INPUT -p tcp -s $SMTP_IP --sport smtp -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
| 43 |
|
43 |
|
| 44 |
# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipements du LAN depuis Internet
|
44 |
# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipements du LAN depuis Internet
|
| 45 |
# Allow PAT (Port Adresse Translation)
|
45 |
# Allow PAT (Port Adresse Translation)
|
| 46 |
#m_ports=5000,5001
|
46 |
#m_ports=5000,5001
|
| 47 |
#to_ip=192.168.182.3
|
47 |
#to_ip=192.168.182.3
|
| 48 |
#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP -m multiport --dports $m_ports -j DNAT --to $to_ip
|
48 |
#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP -m multiport --dports $m_ports -j DNAT --to $to_ip
|
| 49 |
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $to_ip -m multiport --dports $m_ports -j ACCEPT
|
49 |
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $to_ip -m multiport --dports $m_ports -j ACCEPT
|
| 50 |
#$IPTABLES -A FORWARD -o $EXTIF -p tcp -s $to_ip -m multiport --sports $m_ports -j ACCEPT
|
50 |
#$IPTABLES -A FORWARD -o $EXTIF -p tcp -s $to_ip -m multiport --sports $m_ports -j ACCEPT
|
| 51 |
|
51 |
|
| 52 |
# Deny access to protected networks from internal LAN
|
52 |
# Deny access to protected networks from internal LAN
|
| 53 |
#protectedNetworks='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' # (RFC 1918)
|
53 |
#protectedNetworks='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' # (RFC 1918)
|
| - |
|
54 |
#[ -n "$TUNIF" ] && consultationIF=$TUNIF || consultationIF=$INTIF
|
| 54 |
#$IPTABLES -A FORWARD -i $TUNIF -d $protectedNetworks -j DROP
|
55 |
#$IPTABLES -A FORWARD -i $consultationIF -d $protectedNetworks -j DROP
|
| - |
|
56 |
#$IPTABLES -A FORWARD -o $consultationIF -s $protectedNetworks -j DROP
|
| 55 |
|
57 |
|
| 56 |
# Allow managers to access ACC from the external network
|
58 |
# Allow managers to access ACC from the external network
|
| 57 |
#managerIPs='192.168.111.10'
|
59 |
#managerIPs='192.168.111.10'
|
| 58 |
#externalPort='34443'
|
60 |
#externalPort='34443'
|
| 59 |
#$IPTABLES -t mangle -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport 443 -j MARK --set-mark 1
|
61 |
#$IPTABLES -t mangle -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport 443 -j MARK --set-mark 1
|
| 60 |
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j DNAT --to $PRIVATE_IP:443
|
62 |
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j DNAT --to $PRIVATE_IP:443
|
| 61 |
#$IPTABLES -A INPUT -i $EXTIF -s $managerIPs -p tcp --dport 443 -m mark --mark 1 -j DROP
|
63 |
#$IPTABLES -A INPUT -i $EXTIF -s $managerIPs -p tcp --dport 443 -m mark --mark 1 -j DROP
|
| 62 |
#$IPTABLES -A INPUT -i $EXTIF -s $managerIPs -p tcp --dport 443 -j ACCEPT
|
64 |
#$IPTABLES -A INPUT -i $EXTIF -s $managerIPs -p tcp --dport 443 -j ACCEPT
|
| 63 |
|
65 |
|
| 64 |
|
66 |
|
| 65 |
Generated by GNU Enscript 1.6.6.
|
67 |
Generated by GNU Enscript 1.6.6.
|
| 66 |
|
68 |
|
| 67 |
|
69 |
|
| 68 |
|
70 |
|