| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables-bypass.sh 2355 2017-07-26 22:11:27Z tom.houdayer $
|
2 |
# $Id: alcasar-iptables-bypass.sh 2454 2017-12-09 18:59:31Z tom.houdayer $
|
| 3 |
|
3 |
|
| 4 |
# alcasar-iptables-bypass.sh
|
4 |
# alcasar-iptables-bypass.sh
|
| 5 |
# by Rexy - 3abtux
|
5 |
# by Rexy - 3abtux
|
| 6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
| 7 |
|
7 |
|
| Line 53... |
Line 53... |
| 53 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
53 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
| 54 |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
54 |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
| 55 |
|
55 |
|
| 56 |
# Insertion de règles de blocage (Devel)
|
56 |
# Insertion de règles de blocage (Devel)
|
| 57 |
# Here, we add block rules (Devel)
|
57 |
# Here, we add block rules (Devel)
|
| 58 |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
|
58 |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
|
| 59 |
while read ip_line
|
59 |
while read ip_line
|
| 60 |
do
|
60 |
do
|
| 61 |
ip_on=`echo $ip_line|cut -b1`
|
61 |
ip_on=`echo $ip_line|cut -b1`
|
| 62 |
if [ $ip_on != "#" ]
|
62 |
if [ $ip_on != "#" ]
|
| 63 |
then
|
63 |
then
|
| Line 66... |
Line 66... |
| 66 |
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
|
66 |
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
|
| 67 |
fi
|
67 |
fi
|
| 68 |
done < /usr/local/etc/alcasar-ip-blocked
|
68 |
done < /usr/local/etc/alcasar-ip-blocked
|
| 69 |
fi
|
69 |
fi
|
| 70 |
|
70 |
|
| 71 |
# SSHD rules if activate
|
71 |
# SSHD rules if activate
|
| 72 |
if [ $SSH = on ]
|
72 |
if [ $SSH = on ]
|
| 73 |
then
|
73 |
then
|
| 74 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
|
74 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
|
| 75 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
|
75 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
|
| 76 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
|
76 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
|
| 77 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
|
77 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
|
| 78 |
fi
|
78 |
fi
|
| 79 |
# Insertion de règles locales
|
79 |
# Insertion de règles locales
|
| 80 |
# Here, we add local rules (i.e. VPN from Internet)
|
80 |
# Here, we add local rules (i.e. VPN from Internet)
|
| 81 |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
|
81 |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
|
| 82 |
. /usr/local/etc/alcasar-iptables-local.sh
|
82 |
. /usr/local/etc/alcasar-iptables-local.sh
|
| 83 |
fi
|
83 |
fi
|
| 84 |
|
84 |
|
| 85 |
# on autorise les requêtes dhcp
|
85 |
# on autorise les requêtes dhcp
|
| 86 |
# accept dhcp
|
86 |
# accept dhcp
|
| 87 |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
|
87 |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
|