| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables-bypass.sh 1469 2014-10-30 21:58:47Z richard $
|
2 |
# $Id: alcasar-iptables-bypass.sh 1523 2014-12-20 18:30:19Z franck $
|
| 3 |
|
3 |
|
| 4 |
# alcasar-iptables-bypass.sh
|
4 |
# alcasar-iptables-bypass.sh
|
| 5 |
# by Rexy - 3abtux
|
5 |
# by Rexy - 3abtux
|
| 6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
| 7 |
|
7 |
|
| 8 |
# applique les regles du parefeu en mode ByPass
|
8 |
# applique les regles du parefeu en mode ByPass
|
| 9 |
# put the firewall rules in 'ByPass' mode
|
9 |
# put the firewall rules in 'ByPass' mode
|
| 10 |
|
10 |
|
| 11 |
CONF_FILE="/usr/local/etc/alcasar.conf"
|
11 |
CONF_FILE="/usr/local/etc/alcasar.conf"
|
| 12 |
private_ip_mask=`grep PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
|
12 |
private_ip_mask=`grep PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
|
| 13 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
13 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
| 14 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
14 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
| 15 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
15 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
| 16 |
IPTABLES="/sbin/iptables"
|
16 |
IPTABLES="/sbin/iptables"
|
| 17 |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
|
17 |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
|
| 18 |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
|
18 |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
|
| 19 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
|
19 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
|
| 20 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
20 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
| 21 |
public_ip_mask=`grep PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
21 |
public_ip_mask=`grep PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
| 22 |
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
|
22 |
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
|
| 23 |
SSH=`grep SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
|
23 |
SSH=`grep SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
|
| 24 |
SSH=${SSH:=off}
|
24 |
SSH=${SSH:=off}
|
| 25 |
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
|
25 |
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
|
| 26 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
26 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
| - |
|
27 |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
| - |
|
28 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
| 27 |
|
29 |
|
| 28 |
|
30 |
|
| 29 |
# On vide (flush) toutes les règles existantes
|
31 |
# On vide (flush) toutes les règles existantes
|
| 30 |
# Flush all existing rules
|
32 |
# Flush all existing rules
|
| 31 |
$IPTABLES -F
|
33 |
$IPTABLES -F
|
| 32 |
$IPTABLES -t nat -F
|
34 |
$IPTABLES -t nat -F
|
| 33 |
$IPTABLES -F INPUT
|
35 |
$IPTABLES -F INPUT
|
| 34 |
$IPTABLES -F FORWARD
|
36 |
$IPTABLES -F FORWARD
|
| 35 |
$IPTABLES -F OUTPUT
|
37 |
$IPTABLES -F OUTPUT
|
| 36 |
|
38 |
|
| 37 |
# On indique les politiques par défaut
|
39 |
# On indique les politiques par défaut
|
| 38 |
# Default policies
|
40 |
# Default policies
|
| 39 |
$IPTABLES -P INPUT DROP
|
41 |
$IPTABLES -P INPUT DROP
|
| 40 |
$IPTABLES -P FORWARD DROP
|
42 |
$IPTABLES -P FORWARD DROP
|
| 41 |
$IPTABLES -P OUTPUT ACCEPT
|
43 |
$IPTABLES -P OUTPUT ACCEPT
|
| 42 |
$IPTABLES -t nat -P PREROUTING ACCEPT
|
44 |
$IPTABLES -t nat -P PREROUTING ACCEPT
|
| 43 |
$IPTABLES -t nat -P POSTROUTING ACCEPT
|
45 |
$IPTABLES -t nat -P POSTROUTING ACCEPT
|
| 44 |
$IPTABLES -t nat -P OUTPUT ACCEPT
|
46 |
$IPTABLES -t nat -P OUTPUT ACCEPT
|
| 45 |
|
47 |
|
| 46 |
# On efface toutes les chaînes qui ne sont pas par défaut dans les tables filter et nat
|
48 |
# On efface toutes les chaînes qui ne sont pas par défaut dans les tables filter et nat
|
| 47 |
# Flush non default rules on filter and nat tables
|
49 |
# Flush non default rules on filter and nat tables
|
| 48 |
$IPTABLES -X
|
50 |
$IPTABLES -X
|
| 49 |
$IPTABLES -t nat -X
|
51 |
$IPTABLES -t nat -X
|
| 50 |
|
52 |
|
| 51 |
# On autorise tout sur loopback
|
53 |
# On autorise tout sur loopback
|
| 52 |
# accept all on loopback
|
54 |
# accept all on loopback
|
| 53 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
55 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
| 54 |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
56 |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
| 55 |
|
57 |
|
| 56 |
# Insertion de règles de blocage (Devel)
|
58 |
# Insertion de règles de blocage (Devel)
|
| 57 |
# Here, we add block rules (Devel)
|
59 |
# Here, we add block rules (Devel)
|
| 58 |
if [ -s /usr/local/etc/alcasar-iptables-block ]; then
|
60 |
if [ -s /usr/local/etc/alcasar-iptables-block ]; then
|
| 59 |
while read ip_line
|
61 |
while read ip_line
|
| 60 |
do
|
62 |
do
|
| 61 |
ip_on=`echo $ip_line|cut -b1`
|
63 |
ip_on=`echo $ip_line|cut -b1`
|
| 62 |
if [ $ip_on != "#" ]
|
64 |
if [ $ip_on != "#" ]
|
| 63 |
then
|
65 |
then
|
| 64 |
ip_blocked=`echo $ip_line|cut -d" " -f1`
|
66 |
ip_blocked=`echo $ip_line|cut -d" " -f1`
|
| 65 |
$IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
|
67 |
$IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
|
| 66 |
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
|
68 |
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
|
| 67 |
fi
|
69 |
fi
|
| 68 |
done < /usr/local/etc/alcasar-iptables-block
|
70 |
done < /usr/local/etc/alcasar-iptables-block
|
| 69 |
fi
|
71 |
fi
|
| 70 |
|
72 |
|
| 71 |
# SSHD rules if activate
|
73 |
# SSHD rules if activate
|
| 72 |
if [ $SSH = on ]
|
74 |
if [ $SSH = on ]
|
| 73 |
then
|
75 |
then
|
| 74 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
|
76 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
|
| 75 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
|
77 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
|
| 76 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
|
78 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
|
| 77 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
|
79 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
|
| 78 |
fi
|
80 |
fi
|
| 79 |
|
81 |
|
| 80 |
# Insertion de règles locales
|
82 |
# Insertion de règles locales
|
| 81 |
# Here, we add local rules (i.e. VPN from Internet)
|
83 |
# Here, we add local rules (i.e. VPN from Internet)
|
| 82 |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
|
84 |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
|
| 83 |
. /usr/local/etc/alcasar-iptables-local.sh
|
85 |
. /usr/local/etc/alcasar-iptables-local.sh
|
| 84 |
fi
|
86 |
fi
|
| 85 |
|
87 |
|
| - |
|
88 |
# If protocols filter is activate
|
| - |
|
89 |
if [ $PROTOCOLS_FILTERING = on ]; then
|
| - |
|
90 |
echo "PROTOCOL FILTERING = On"
|
| - |
|
91 |
# Compute exception IP (IP addresses that shouldn't be filtered)
|
| - |
|
92 |
nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
|
| - |
|
93 |
if [ $nb_exceptions != "0" ]
|
| - |
|
94 |
then
|
| - |
|
95 |
while read ip_exception
|
| - |
|
96 |
do
|
| - |
|
97 |
$IPTABLES -A FORWARD -i $INTIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
|
| - |
|
98 |
# $IPTABLES -A FORWARD -i $INTIF -s $ip_exception -m state --state NEW -j NETFLOW
|
| - |
|
99 |
$IPTABLES -A FORWARD -i $INTIF -s $ip_exception -m state --state NEW -j ACCEPT
|
| - |
|
100 |
done < /usr/local/etc/alcasar-filter-exceptions
|
| - |
|
101 |
fi
|
| - |
|
102 |
# # Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
|
| - |
|
103 |
# nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
|
| - |
|
104 |
# if [ $nb_uamallowed != "0" ]
|
| - |
|
105 |
# then
|
| - |
|
106 |
# while read ip_allowed_line
|
| - |
|
107 |
# do
|
| - |
|
108 |
# ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
|
| - |
|
109 |
# $IPTABLES -A FORWARD -i $INTIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
|
| - |
|
110 |
## $IPTABLES -A FORWARD -i $INTIF -d $ip_allowed -m state --state NEW -j NETFLOW
|
| - |
|
111 |
# $IPTABLES -A FORWARD -i $INTIF -d $ip_allowed -m state --state NEW -j ACCEPT
|
| - |
|
112 |
# done < /usr/local/etc/alcasar-uamallowed
|
| - |
|
113 |
# fi
|
| - |
|
114 |
# Autorisation des protocoles non commentés
|
| - |
|
115 |
# Allow non comment protocols
|
| - |
|
116 |
while read svc_line
|
| - |
|
117 |
do
|
| - |
|
118 |
svc_on=`echo $svc_line|cut -b1`
|
| - |
|
119 |
if [ $svc_on != "#" ]
|
| - |
|
120 |
then
|
| - |
|
121 |
svc_name=`echo $svc_line|cut -d" " -f1`
|
| - |
|
122 |
svc_port=`echo $svc_line|cut -d" " -f2`
|
| - |
|
123 |
if [ $svc_name = "icmp" ]
|
| - |
|
124 |
then
|
| - |
|
125 |
# $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
|
| - |
|
126 |
$IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
|
| - |
|
127 |
else
|
| - |
|
128 |
echo "Service = $svc_port pour $svc_name"
|
| - |
|
129 |
$IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
|
| - |
|
130 |
# $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
|
| - |
|
131 |
$IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
|
| - |
|
132 |
# $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
|
| - |
|
133 |
## $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
|
| - |
|
134 |
# $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
|
| - |
|
135 |
fi
|
| - |
|
136 |
fi
|
| - |
|
137 |
done < /usr/local/etc/alcasar-services
|
| - |
|
138 |
# Don't forget the HTTP port
|
| - |
|
139 |
$IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 80 -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-http -- ACCEPT "
|
| - |
|
140 |
# $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 80 -m state --state NEW -j NETFLOW
|
| - |
|
141 |
$IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 80 -m state --state NEW -j ACCEPT
|
| - |
|
142 |
|
| - |
|
143 |
# Rejet explicite des autres protocoles
|
| - |
|
144 |
# reject the others protocols
|
| - |
|
145 |
$IPTABLES -A FORWARD -i $INTIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
|
| - |
|
146 |
$IPTABLES -A FORWARD -i $INTIF -p tcp -j REJECT --reject-with tcp-reset
|
| - |
|
147 |
$IPTABLES -A FORWARD -i $INTIF -p udp -j REJECT --reject-with icmp-port-unreachable
|
| - |
|
148 |
$IPTABLES -A FORWARD -i $INTIF -p icmp -j REJECT
|
| - |
|
149 |
|
| - |
|
150 |
else
|
| - |
|
151 |
## On autorise les demandes de connexions sortantes
|
| - |
|
152 |
echo "PROTOCOL FILTERING = Off"
|
| - |
|
153 |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT "
|
| - |
|
154 |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
|
| - |
|
155 |
fi
|
| - |
|
156 |
|
| 86 |
# on autorise les requêtes dhcp
|
157 |
# on autorise les requêtes dhcp
|
| 87 |
# accept dhcp
|
158 |
# accept dhcp
|
| 88 |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
|
159 |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
|
| 89 |
|
160 |
|
| 90 |
# On drop le broadcast et le multicast sur les interfaces (sans Log)
|
161 |
# On drop le broadcast et le multicast sur les interfaces (sans Log)
|
| 91 |
# Drop broadcast & multicast
|
162 |
# Drop broadcast & multicast
|
| 92 |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
|
163 |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
|
| 93 |
|
164 |
|
| 94 |
# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN
|
165 |
# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN
|
| 95 |
# Allow ping (icmp N°0 & 8) from LAN
|
166 |
# Allow ping (icmp N°0 & 8) from LAN
|
| 96 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
|
167 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
|
| 97 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
|
168 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
|
| 98 |
|
169 |
|
| 99 |
# On ajoute ici les règles spécifiques de filtrage réseau (accès exterieur ...)
|
- |
|
| 100 |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
|
- |
|
| 101 |
. /usr/local/etc/alcasar-iptables-local.sh
|
- |
|
| 102 |
fi
|
- |
|
| 103 |
|
- |
|
| 104 |
# On autorise les retours de connexions légitimes par FORWARD
|
170 |
# On autorise les retours de connexions légitimes par FORWARD
|
| 105 |
# Conntrack on forward
|
171 |
# Conntrack on forward
|
| 106 |
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
172 |
$IPTABLES -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
|
| 107 |
|
- |
|
| 108 |
# On autorise les demandes de connexions sortantes
|
- |
|
| 109 |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT "
|
- |
|
| 110 |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
|
173 |
$IPTABLES -A FORWARD -p udp -j DROP
|
| 111 |
|
174 |
|
| 112 |
# On autorise les flux entrant ntp et dns via INTIF
|
175 |
# On autorise les flux entrant ntp et dns via INTIF
|
| 113 |
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
|
176 |
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
|
| 114 |
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
|
177 |
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
|
| 115 |
|
178 |
|
| 116 |
# On autorise le retour des connexions entrante déjà acceptées
|
179 |
# On autorise le retour des connexions entrante déjà acceptées
|
| 117 |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
180 |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
| 118 |
|
181 |
|
| 119 |
# On interdit et on log le reste sur les 2 interfaces d'accès
|
182 |
# On interdit et on log le reste sur les 2 interfaces d'accès
|
| 120 |
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
|
183 |
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
|
| 121 |
$IPTABLES -A INPUT -i $EXTIF -j ULOG --ulog-prefix "RULE rej-ext -- REJECT "
|
184 |
$IPTABLES -A INPUT -i $EXTIF -j ULOG --ulog-prefix "RULE rej-ext -- REJECT "
|
| 122 |
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
|
185 |
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
|
| 123 |
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
|
186 |
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
|
| 124 |
|
187 |
|
| 125 |
# On active le masquage d'adresse par translation (NAT)
|
188 |
# On active le masquage d'adresse par translation (NAT)
|
| 126 |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
|
189 |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
|
| 127 |
|
190 |
|
| 128 |
# on ne sauvegarde pas les règles. En cas de reboot, on repasse ainsi automatiquement en mode normal (bypass -off)
|
191 |
# on ne sauvegarde pas les règles. En cas de reboot, on repasse ainsi automatiquement en mode normal (bypass -off)
|
| 129 |
# Fin du script des regles du parefeu
|
192 |
# Fin du script des regles du parefeu
|
| 130 |
|
193 |
|
| 131 |
|
194 |
|
| 132 |
Generated by GNU Enscript 1.6.6.
|
195 |
Generated by GNU Enscript 1.6.6.
|
| 133 |
|
196 |
|
| 134 |
|
197 |
|
| 135 |
|
198 |
|