1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
- |
|
2 |
# $Id: alcasar-iptables-filter.sh 64 2010-04-08 20:01:24Z franck $
|
2 |
# by rexy (version 1.9 du 12/2009)
|
3 |
# by rexy (version 1.9 du 12/2009)
|
3 |
|
4 |
|
4 |
# a voir la relation avec nf_nat_ftp
|
5 |
# a voir la relation avec nf_nat_ftp
|
5 |
# modprobe ip_conntrack_irc
|
6 |
# modprobe ip_conntrack_irc
|
6 |
# modprobe ip_conntrack_ftp
|
7 |
# modprobe ip_conntrack_ftp
|
7 |
|
8 |
|
8 |
|
9 |
|
9 |
################# FILTRAGE APPLICATIF ####################
|
10 |
################# FILTRAGE APPLICATIF ####################
|
10 |
## Positionnez la variable "FILTERING" du fichier "alcasar-iptables.sh" à "yes" pour activer le filtrage
|
11 |
## Positionnez la variable "FILTERING" du fichier "alcasar-iptables.sh" à "yes" pour activer le filtrage
|
11 |
## Modifiez le fichier /usr/local/etc/alcasar-services pour l'adapter à vos besoins
|
12 |
## Modifiez le fichier /usr/local/etc/alcasar-services pour l'adapter à vos besoins
|
12 |
if [ $FILTERING = "yes" ]
|
13 |
if [ $FILTERING = "yes" ]
|
13 |
then
|
14 |
then
|
14 |
# si le fichier d'exception est renseigné on le traite
|
15 |
# si le fichier d'exception est renseigné on le traite
|
15 |
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
|
16 |
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
|
16 |
if [ $nb_exceptions != "0" ]
|
17 |
if [ $nb_exceptions != "0" ]
|
17 |
then
|
18 |
then
|
18 |
while read ip_exception
|
19 |
while read ip_exception
|
19 |
do
|
20 |
do
|
20 |
echo $ip_exception
|
21 |
echo $ip_exception
|
21 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
|
22 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
|
22 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW,ESTABLISHED -j ACCEPT
|
23 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW,ESTABLISHED -j ACCEPT
|
23 |
done < /usr/local/etc/alcasar-filter-exceptions
|
24 |
done < /usr/local/etc/alcasar-filter-exceptions
|
24 |
fi
|
25 |
fi
|
25 |
# On autorise les protoles non commentés
|
26 |
# On autorise les protoles non commentés
|
26 |
while read svc_line
|
27 |
while read svc_line
|
27 |
do
|
28 |
do
|
28 |
svc_on=`echo $svc_line|cut -b1`
|
29 |
svc_on=`echo $svc_line|cut -b1`
|
29 |
if [ $svc_on != "#" ]
|
30 |
if [ $svc_on != "#" ]
|
30 |
then
|
31 |
then
|
31 |
svc_name=`echo $svc_line|cut -d" " -f1`
|
32 |
svc_name=`echo $svc_line|cut -d" " -f1`
|
32 |
svc_port=`echo $svc_line|cut -d" " -f2`
|
33 |
svc_port=`echo $svc_line|cut -d" " -f2`
|
33 |
if [ $svc_name = "icmp" ]
|
34 |
if [ $svc_name = "icmp" ]
|
34 |
then
|
35 |
then
|
35 |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT
|
36 |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT
|
36 |
# else if [ $svc_name = "ftp-passif" ]
|
37 |
# else if [ $svc_name = "ftp-passif" ]
|
37 |
# then
|
38 |
# then
|
38 |
# /sbin/modprobe nf_nat_ftp
|
39 |
# /sbin/modprobe nf_nat_ftp
|
39 |
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ULOG --ulog-prefix "RULE F_ftp-passifE -- ACCEPT "
|
40 |
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ULOG --ulog-prefix "RULE F_ftp-passifE -- ACCEPT "
|
40 |
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state RELATED -j ULOG --ulog-prefix "RULE F_ftp-passifR -- ACCEPT "
|
41 |
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state RELATED -j ULOG --ulog-prefix "RULE F_ftp-passifR -- ACCEPT "
|
41 |
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
|
42 |
# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
|
42 |
# fi
|
43 |
# fi
|
43 |
else
|
44 |
else
|
44 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "
|
45 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "
|
45 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW,ESTABLISHED -j ACCEPT
|
46 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW,ESTABLISHED -j ACCEPT
|
46 |
fi
|
47 |
fi
|
47 |
fi
|
48 |
fi
|
48 |
done < /usr/local/etc/alcasar-services
|
49 |
done < /usr/local/etc/alcasar-services
|
49 |
#tout le reste est bloqué
|
50 |
#tout le reste est bloqué
|
50 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
|
51 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
|
51 |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
|
52 |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
|
52 |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
|
53 |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
|
53 |
fi
|
54 |
fi
|
54 |
|
55 |
|
55 |
|
56 |
|