Subversion Repositories ALCASAR

Rev

Rev 1469 | Rev 1551 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 1469 Rev 1523
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
# $Id: alcasar-iptables-bypass.sh 1469 2014-10-30 21:58:47Z richard $
2
# $Id: alcasar-iptables-bypass.sh 1523 2014-12-20 18:30:19Z franck $
3
 
3
 
4
# alcasar-iptables-bypass.sh
4
# alcasar-iptables-bypass.sh
5
# by Rexy - 3abtux
5
# by Rexy - 3abtux
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
 
7
 
Line 22... Line 22...
22
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
22
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
23
SSH=`grep SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
23
SSH=`grep SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
24
SSH=${SSH:=off}
24
SSH=${SSH:=off}
25
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
25
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
26
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}				# WAN IP address to reduce ssh access (all ip allowed on LAN side)
26
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}				# WAN IP address to reduce ssh access (all ip allowed on LAN side)
-
 
27
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2`        # Network protocols filter (on/off)
-
 
28
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
27
 
29
 
28
 
30
 
29
# On vide (flush) toutes les règles existantes
31
# On vide (flush) toutes les règles existantes
30
# Flush all existing rules
32
# Flush all existing rules
31
$IPTABLES -F
33
$IPTABLES -F
Line 71... Line 73...
71
# SSHD rules if activate 
73
# SSHD rules if activate 
72
if [ $SSH = on ]
74
if [ $SSH = on ]
73
	then
75
	then
74
	$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
76
	$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
75
	$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
77
	$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
76
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
78
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
77
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
79
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
78
fi
80
fi
79
 
81
 
80
# Insertion de règles locales
82
# Insertion de règles locales
81
# Here, we add local rules (i.e. VPN from Internet)
83
# Here, we add local rules (i.e. VPN from Internet)
82
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
84
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
83
        . /usr/local/etc/alcasar-iptables-local.sh
85
        . /usr/local/etc/alcasar-iptables-local.sh
84
fi
86
fi
85
 
87
 
-
 
88
#  If protocols filter is activate 
-
 
89
if [ $PROTOCOLS_FILTERING = on ]; then
-
 
90
        echo "PROTOCOL FILTERING = On"
-
 
91
        # Compute exception IP (IP addresses that shouldn't be filtered)
-
 
92
       nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
-
 
93
       if [ $nb_exceptions != "0" ]
-
 
94
       then
-
 
95
               while read ip_exception 
-
 
96
               do
-
 
97
                       $IPTABLES -A FORWARD -i $INTIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
-
 
98
#                       $IPTABLES -A FORWARD -i $INTIF -s $ip_exception -m state --state NEW -j NETFLOW
-
 
99
                       $IPTABLES -A FORWARD -i $INTIF -s $ip_exception -m state --state NEW -j ACCEPT
-
 
100
               done < /usr/local/etc/alcasar-filter-exceptions
-
 
101
       fi
-
 
102
#       # Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) 
-
 
103
#       nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
-
 
104
#       if [ $nb_uamallowed != "0" ]
-
 
105
#       then
-
 
106
#               while read ip_allowed_line 
-
 
107
#               do
-
 
108
#                       ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
-
 
109
#                       $IPTABLES -A FORWARD -i $INTIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
-
 
110
##                       $IPTABLES -A FORWARD -i $INTIF -d $ip_allowed -m state --state NEW -j NETFLOW
-
 
111
#                       $IPTABLES -A FORWARD -i $INTIF -d $ip_allowed -m state --state NEW -j ACCEPT
-
 
112
#               done < /usr/local/etc/alcasar-uamallowed
-
 
113
#       fi
-
 
114
        # Autorisation des protocoles non commentés
-
 
115
        # Allow non comment protocols
-
 
116
        while read svc_line
-
 
117
        do
-
 
118
                svc_on=`echo $svc_line|cut -b1`
-
 
119
                if [ $svc_on != "#" ]
-
 
120
                then
-
 
121
                        svc_name=`echo $svc_line|cut -d" " -f1`
-
 
122
                        svc_port=`echo $svc_line|cut -d" " -f2`
-
 
123
                        if [ $svc_name = "icmp" ]
-
 
124
                        then
-
 
125
#                               $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
-
 
126
                                $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
-
 
127
                        else
-
 
128
                                echo "Service = $svc_port  pour $svc_name"
-
 
129
                                $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
-
 
130
#                               $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
-
 
131
                                $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
-
 
132
#                               $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
-
 
133
##                              $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
-
 
134
#                               $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
-
 
135
                        fi
-
 
136
                fi
-
 
137
        done < /usr/local/etc/alcasar-services
-
 
138
        # Don't forget the HTTP port
-
 
139
	$IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 80 -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-http -- ACCEPT "
-
 
140
#       $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 80 -m state --state NEW -j NETFLOW
-
 
141
        $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 80 -m state --state NEW -j ACCEPT
-
 
142
 
-
 
143
        # Rejet explicite des autres protocoles
-
 
144
        # reject the others protocols
-
 
145
        $IPTABLES -A FORWARD -i $INTIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
-
 
146
        $IPTABLES -A FORWARD -i $INTIF -p tcp -j REJECT --reject-with tcp-reset
-
 
147
        $IPTABLES -A FORWARD -i $INTIF -p udp -j REJECT --reject-with icmp-port-unreachable
-
 
148
        $IPTABLES -A FORWARD -i $INTIF -p icmp -j REJECT
-
 
149
 
-
 
150
else
-
 
151
        ## On autorise les demandes de connexions sortantes
-
 
152
        echo "PROTOCOL FILTERING = Off"
-
 
153
        $IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT "
-
 
154
        $IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
-
 
155
fi
-
 
156
 
86
# on autorise les requêtes dhcp
157
# on autorise les requêtes dhcp
87
# accept dhcp
158
# accept dhcp
88
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
159
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
89
 
160
 
90
# On drop le broadcast et le multicast sur les interfaces (sans Log)
161
# On drop le broadcast et le multicast sur les interfaces (sans Log)
Line 94... Line 165...
94
# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN
165
# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN
95
# Allow ping (icmp N°0 & 8) from LAN
166
# Allow ping (icmp N°0 & 8) from LAN
96
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
167
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
97
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
168
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
98
 
169
 
99
#  On ajoute ici les règles spécifiques de filtrage réseau (accès exterieur ...)
-
 
100
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
-
 
101
        . /usr/local/etc/alcasar-iptables-local.sh
-
 
102
fi
-
 
103
 
-
 
104
# On autorise les retours de connexions légitimes par FORWARD
170
# On autorise les retours de connexions légitimes par FORWARD
105
# Conntrack on forward
171
# Conntrack on forward
106
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
172
$IPTABLES -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
107
 
-
 
108
# On autorise les demandes de connexions sortantes
-
 
109
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT "
-
 
110
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
173
$IPTABLES -A FORWARD -p udp -j DROP
111
 
174
 
112
# On autorise les flux entrant ntp et dns via INTIF
175
# On autorise les flux entrant ntp et dns via INTIF
113
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
176
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
114
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
177
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
115
 
178