WebSVN – ALCASAR – Diff – /conf/etc/alcasar-iptables-local.sh


#!/bin/sh
#
# $Id: alcasar-iptables-local.sh 2740 2019-06-22 10:03:09Z rexy $
#
# Custom rules for ALCASAR firewall
#
# Examples:
# 	- Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)
#	- allow ICMP from an Internet IP address (Admin_from) to EXTIF
#	- allow SMTP from aLCASAR to an Internet server (SMTP_IP)
#	- PAT rules from Internet
#	- Deny access to protected networks from internal LAN
#	- Allow managers to access ACC from the external network
# This script inherit of alcasar-iptables.sh variables : $INTIF, $EXTIF, $IPTABLES, etc
# !!Beware, run the script "alcasar-iptables.sh" after changing this file. 
 
# Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)
if [ -s /usr/local/etc/alcasar-iptables-local-mac-filtered ]; then
	while read mac_line
	do
		ip_on=`echo $mac_line|cut -b1`
		if [ $ip_on != "#" ]
		then
			mac_filtered=`echo $mac_line|cut -d" " -f1`
			echo "MAC filtered = $mac_filtered"
			$IPTABLES -A FORWARD -i $INTIF        -m mac --mac-source $mac_filtered -j NFLOG --nflog-group 1 --nflog-prefix "$mac_filtered -- Filt_DROP"
			$IPTABLES -A FORWARD -i $INTIF -p tcp -m mac --mac-source $mac_filtered -j DROP
			$IPTABLES -A FORWARD -i $INTIF -p udp -m mac --mac-source $mac_filtered -j DROP
			$IPTABLES -A FORWARD -i $INTIF        -m mac --mac-source $mac_filtered -j DROP
		fi
	done < /usr/local/etc/alcasar-iptables-local-mac-filtered
fi
 
# On autorise le ping (echo & request) (ICMP N°0 & 8) en provenance de l'extérieur vers ALCASAR
# Allow ping (echo & request) (ICMP N°0 & 8) on EXTIF
#$IPTABLES -A INPUT  -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXTIF -d $Admin_from_IP -p icmp --icmp-type 0 -j ACCEPT
 
# On autorise l'accès à un serveur MAIL (SMTP) pour l'envoie de rapports, alertes (logwatch, etc.)
# Allow access to a mail server (SMTP)
#SMTP_IP='192.168.111.5'		# IP of mail server
#SMTP_PORT=587			# port of mail server (25 for SMTP ; 587 for STARTTLS ; 465 for SMTPS)
#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport $SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT  -p tcp -s $SMTP_IP --sport $SMTP_PORT -m conntrack --ctstate ESTABLISHED     -j ACCEPT
 
# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipements du LAN depuis Internet
# Allow PAT (Port Adresse Translation)
# example for the external UDP-TCP port 11222 which is redirected to the internal IP 192.168.182.10 on port 22
#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22
#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p udp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22
#$IPTABLES -A FORWARD -p tcp -d 192.168.182.10 --dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -p udp -d 192.168.182.10 --dport 22 -j ACCEPT
 
# Deny access to protected networks from internal LAN
#protectedNetworks='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' # (RFC 1918)
#[ -n "$TUNIF" ] && consultationIF=$TUNIF || consultationIF=$INTIF
#$IPTABLES -A FORWARD -i $consultationIF -d $protectedNetworks -j DROP
#$IPTABLES -A FORWARD -o $consultationIF -s $protectedNetworks -j DROP
 
# Allow managers to access ACC from the external network
#managerIPs='192.168.111.10'
#externalPort='34443'
#$IPTABLES -t mangle -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j MARK --set-mark 100
#$IPTABLES -t nat    -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j DNAT --to $PRIVATE_IP:443
#$IPTABLES           -A INPUT      -i $EXTIF -s $managerIPs -p tcp --dport 443 -m mark --mark 100 -j ACCEPT
 
 
Generated by GNU Enscript 1.6.6.
 
 
 

Subversion Repositories ALCASAR

(root)/conf/etc/alcasar-iptables-local.sh – Rev 2716 → 2740

Rev 2716		Rev 2740
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`#`	2	`#`
3	`# $Id: alcasar-iptables-local.sh 2716 2019-03-11 21:21:45Z tom.houdayer $`	3	`# $Id: alcasar-iptables-local.sh 2740 2019-06-22 10:03:09Z rexy $`
4	`#`	4	`#`
5	`# Custom rules for ALCASAR firewall`	5	`# Custom rules for ALCASAR firewall`
6	`#`	6	`#`
7	`# Examples:`	7	`# Examples:`
8	`# - Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)`	8	`# - Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)`
9	`# - allow ICMP from an Internet IP address (Admin_from) to EXTIF`	9	`# - allow ICMP from an Internet IP address (Admin_from) to EXTIF`
10	`# - allow SMTP from aLCASAR to an Internet server (SMTP_IP)`	10	`# - allow SMTP from aLCASAR to an Internet server (SMTP_IP)`
11	`# - PAT rules from Internet`	11	`# - PAT rules from Internet`
12	`# - Deny access to protected networks from internal LAN`	12	`# - Deny access to protected networks from internal LAN`
13	`# - Allow managers to access ACC from the external network`	13	`# - Allow managers to access ACC from the external network`
14	`# This script inherit of alcasar-iptables.sh variables : $INTIF, $EXTIF, $IPTABLES, etc`	14	`# This script inherit of alcasar-iptables.sh variables : $INTIF, $EXTIF, $IPTABLES, etc`
-		15	`# !!Beware, run the script "alcasar-iptables.sh" after changing this file.`
15		16
16	`# Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)`	17	`# Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)`
17	`if [ -s /usr/local/etc/alcasar-iptables-local-mac-filtered ]; then`	18	`if [ -s /usr/local/etc/alcasar-iptables-local-mac-filtered ]; then`
18	`while read mac_line`	19	`while read mac_line`
19	`do`	20	`do`
20	ip_on=`echo $mac_line\|cut -b1`	21	ip_on=`echo $mac_line\|cut -b1`
21	`if [ $ip_on != "#" ]`	22	`if [ $ip_on != "#" ]`
22	`then`	23	`then`
23	mac_filtered=`echo $mac_line\|cut -d" " -f1`	24	mac_filtered=`echo $mac_line\|cut -d" " -f1`
24	`echo "MAC filtered = $mac_filtered"`	25	`echo "MAC filtered = $mac_filtered"`
25	`$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j NFLOG --nflog-group 1 --nflog-prefix "$mac_filtered -- Filt_DROP"`	26	`$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j NFLOG --nflog-group 1 --nflog-prefix "$mac_filtered -- Filt_DROP"`
26	`$IPTABLES -A FORWARD -i $INTIF -p tcp -m mac --mac-source $mac_filtered -j DROP`	27	`$IPTABLES -A FORWARD -i $INTIF -p tcp -m mac --mac-source $mac_filtered -j DROP`
27	`$IPTABLES -A FORWARD -i $INTIF -p udp -m mac --mac-source $mac_filtered -j DROP`	28	`$IPTABLES -A FORWARD -i $INTIF -p udp -m mac --mac-source $mac_filtered -j DROP`
28	`$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j DROP`	29	`$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j DROP`
29	`fi`	30	`fi`
30	`done < /usr/local/etc/alcasar-iptables-local-mac-filtered`	31	`done < /usr/local/etc/alcasar-iptables-local-mac-filtered`
31	`fi`	32	`fi`
32		33
33	`# On autorise le ping (echo & request) (ICMP N°0 & 8) en provenance de l'extérieur vers ALCASAR`	34	`# On autorise le ping (echo & request) (ICMP N°0 & 8) en provenance de l'extérieur vers ALCASAR`
34	`# Allow ping (echo & request) (ICMP N°0 & 8) on EXTIF`	35	`# Allow ping (echo & request) (ICMP N°0 & 8) on EXTIF`
35	`#$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT`	36	`#$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT`
36	`#$IPTABLES -A OUTPUT -o $EXTIF -d $Admin_from_IP -p icmp --icmp-type 0 -j ACCEPT`	37	`#$IPTABLES -A OUTPUT -o $EXTIF -d $Admin_from_IP -p icmp --icmp-type 0 -j ACCEPT`
37		38
38	`# On autorise l'accès à un serveur MAIL (SMTP) pour l'envoie de rapports, alertes (logwatch, etc.)`	39	`# On autorise l'accès à un serveur MAIL (SMTP) pour l'envoie de rapports, alertes (logwatch, etc.)`
39	`# Allow access to a mail server (SMTP)`	40	`# Allow access to a mail server (SMTP)`
40	`#SMTP_IP='192.168.111.5' # IP of mail server`	41	`#SMTP_IP='192.168.111.5' # IP of mail server`
41	`#SMTP_PORT=587 # port of mail server (25 for SMTP ; 587 for STARTTLS ; 465 for SMTPS)`	42	`#SMTP_PORT=587 # port of mail server (25 for SMTP ; 587 for STARTTLS ; 465 for SMTPS)`
42	`#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport $SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT`	43	`#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport $SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT`
43	`#$IPTABLES -A INPUT -p tcp -s $SMTP_IP --sport $SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT`	44	`#$IPTABLES -A INPUT -p tcp -s $SMTP_IP --sport $SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT`
44		45
45	`# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipements du LAN depuis Internet`	46	`# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipements du LAN depuis Internet`
46	`# Allow PAT (Port Adresse Translation)`	47	`# Allow PAT (Port Adresse Translation)`
47	`# example for the external UDP-TCP port 11222 which is redirected to the internal IP 192.168.182.10 on port 22`	48	`# example for the external UDP-TCP port 11222 which is redirected to the internal IP 192.168.182.10 on port 22`
48	`#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22`	49	`#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22`
49	`#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p udp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22`	50	`#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p udp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22`
50	`#$IPTABLES -A FORWARD -p tcp -d 192.168.182.10 --dport 22 -j ACCEPT`	51	`#$IPTABLES -A FORWARD -p tcp -d 192.168.182.10 --dport 22 -j ACCEPT`
51	`#$IPTABLES -A FORWARD -p udp -d 192.168.182.10 --dport 22 -j ACCEPT`	52	`#$IPTABLES -A FORWARD -p udp -d 192.168.182.10 --dport 22 -j ACCEPT`
52		53
53	`# Deny access to protected networks from internal LAN`	54	`# Deny access to protected networks from internal LAN`
54	`#protectedNetworks='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' # (RFC 1918)`	55	`#protectedNetworks='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' # (RFC 1918)`
55	`#[ -n "$TUNIF" ] && consultationIF=$TUNIF \|\| consultationIF=$INTIF`	56	`#[ -n "$TUNIF" ] && consultationIF=$TUNIF \|\| consultationIF=$INTIF`
56	`#$IPTABLES -A FORWARD -i $consultationIF -d $protectedNetworks -j DROP`	57	`#$IPTABLES -A FORWARD -i $consultationIF -d $protectedNetworks -j DROP`
57	`#$IPTABLES -A FORWARD -o $consultationIF -s $protectedNetworks -j DROP`	58	`#$IPTABLES -A FORWARD -o $consultationIF -s $protectedNetworks -j DROP`
58		59
59	`# Allow managers to access ACC from the external network`	60	`# Allow managers to access ACC from the external network`
60	`#managerIPs='192.168.111.10'`	61	`#managerIPs='192.168.111.10'`
61	`#externalPort='34443'`	62	`#externalPort='34443'`
62	`#$IPTABLES -t mangle -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j MARK --set-mark 100`	63	`#$IPTABLES -t mangle -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j MARK --set-mark 100`
63	`#$IPTABLES -t nat -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j DNAT --to $PRIVATE_IP:443`	64	`#$IPTABLES -t nat -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j DNAT --to $PRIVATE_IP:443`
64	`#$IPTABLES -A INPUT -i $EXTIF -s $managerIPs -p tcp --dport 443 -m mark --mark 100 -j ACCEPT`	65	`#$IPTABLES -A INPUT -i $EXTIF -s $managerIPs -p tcp --dport 443 -m mark --mark 100 -j ACCEPT`
65		66
66		67
67	`Generated by GNU Enscript 1.6.6.`	68	`Generated by GNU Enscript 1.6.6.`
68		69
69		70
70		71