WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables-filter.sh


#!/bin/sh
# $Id: alcasar-iptables-filter.sh 64 2010-04-08 20:01:24Z franck $
# by rexy (version 1.9 du 12/2009)
 
# a voir la relation avec nf_nat_ftp
# modprobe ip_conntrack_irc
# modprobe ip_conntrack_ftp
 
 
################# FILTRAGE APPLICATIF ####################
## Positionnez la variable "FILTERING" du fichier "alcasar-iptables.sh" à "yes" pour activer le filtrage
## Modifiez le fichier /usr/local/etc/alcasar-services pour l'adapter à vos besoins
if [ $FILTERING = "yes" ]
	then
# si le fichier d'exception est renseigné on le traite 
	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
	if [ $nb_exceptions != "0" ]
		then
		while read ip_exception 
			do
			echo $ip_exception
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW,ESTABLISHED -j ACCEPT
			done < /usr/local/etc/alcasar-filter-exceptions
		fi
# On autorise les protoles non commentés
	while read svc_line
		do
		svc_on=`echo $svc_line|cut -b1`
		if [ $svc_on != "#" ]
			then	
			svc_name=`echo $svc_line|cut -d" " -f1`
			svc_port=`echo $svc_line|cut -d" " -f2`
			if [ $svc_name = "icmp" ]
				then
				$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT 
#			else if [ $svc_name = "ftp-passif" ]
#				then
#					/sbin/modprobe nf_nat_ftp
#					$IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ULOG --ulog-prefix "RULE F_ftp-passifE -- ACCEPT "
#					$IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state RELATED -j ULOG --ulog-prefix "RULE F_ftp-passifR -- ACCEPT "
#					$IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
#				fi
			else
				$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "
				$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW,ESTABLISHED -j ACCEPT
			fi
		fi
	done < /usr/local/etc/alcasar-services
#tout le reste est bloqué
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT 
fi
 
 

Rev 49	Rev 64
1	`#!/bin/sh`	1	`#!/bin/sh`
-		2	`# $Id: alcasar-iptables-filter.sh 64 2010-04-08 20:01:24Z franck $`
2	`# by rexy (version 1.9 du 12/2009)`	3	`# by rexy (version 1.9 du 12/2009)`
3		4
4	`# a voir la relation avec nf_nat_ftp`	5	`# a voir la relation avec nf_nat_ftp`
5	`# modprobe ip_conntrack_irc`	6	`# modprobe ip_conntrack_irc`
6	`# modprobe ip_conntrack_ftp`	7	`# modprobe ip_conntrack_ftp`
7		8
8		9
9	`################# FILTRAGE APPLICATIF ####################`	10	`################# FILTRAGE APPLICATIF ####################`
10	`## Positionnez la variable "FILTERING" du fichier "alcasar-iptables.sh" à "yes" pour activer le filtrage`	11	`## Positionnez la variable "FILTERING" du fichier "alcasar-iptables.sh" à "yes" pour activer le filtrage`
11	`## Modifiez le fichier /usr/local/etc/alcasar-services pour l'adapter à vos besoins`	12	`## Modifiez le fichier /usr/local/etc/alcasar-services pour l'adapter à vos besoins`
12	`if [ $FILTERING = "yes" ]`	13	`if [ $FILTERING = "yes" ]`
13	`then`	14	`then`
14	`# si le fichier d'exception est renseigné on le traite`	15	`# si le fichier d'exception est renseigné on le traite`
15	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions \| cut -d" " -f1`	16	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions \| cut -d" " -f1`
16	`if [ $nb_exceptions != "0" ]`	17	`if [ $nb_exceptions != "0" ]`
17	`then`	18	`then`
18	`while read ip_exception`	19	`while read ip_exception`
19	`do`	20	`do`
20	`echo $ip_exception`	21	`echo $ip_exception`
21	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "`	22	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "`
22	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW,ESTABLISHED -j ACCEPT`	23	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW,ESTABLISHED -j ACCEPT`
23	`done < /usr/local/etc/alcasar-filter-exceptions`	24	`done < /usr/local/etc/alcasar-filter-exceptions`
24	`fi`	25	`fi`
25	`# On autorise les protoles non commentés`	26	`# On autorise les protoles non commentés`
26	`while read svc_line`	27	`while read svc_line`
27	`do`	28	`do`
28	svc_on=`echo $svc_line\|cut -b1`	29	svc_on=`echo $svc_line\|cut -b1`
29	`if [ $svc_on != "#" ]`	30	`if [ $svc_on != "#" ]`
30	`then`	31	`then`
31	svc_name=`echo $svc_line\|cut -d" " -f1`	32	svc_name=`echo $svc_line\|cut -d" " -f1`
32	svc_port=`echo $svc_line\|cut -d" " -f2`	33	svc_port=`echo $svc_line\|cut -d" " -f2`
33	`if [ $svc_name = "icmp" ]`	34	`if [ $svc_name = "icmp" ]`
34	`then`	35	`then`
35	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT`	36	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT`
36	`# else if [ $svc_name = "ftp-passif" ]`	37	`# else if [ $svc_name = "ftp-passif" ]`
37	`# then`	38	`# then`
38	`# /sbin/modprobe nf_nat_ftp`	39	`# /sbin/modprobe nf_nat_ftp`
39	`# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ULOG --ulog-prefix "RULE F_ftp-passifE -- ACCEPT "`	40	`# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ULOG --ulog-prefix "RULE F_ftp-passifE -- ACCEPT "`
40	`# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state RELATED -j ULOG --ulog-prefix "RULE F_ftp-passifR -- ACCEPT "`	41	`# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state RELATED -j ULOG --ulog-prefix "RULE F_ftp-passifR -- ACCEPT "`
41	`# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT`	42	`# $IPTABLES -A FORWARD -i $TUNIF -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT`
42	`# fi`	43	`# fi`
43	`else`	44	`else`
44	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "`	45	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "`
45	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW,ESTABLISHED -j ACCEPT`	46	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW,ESTABLISHED -j ACCEPT`
46	`fi`	47	`fi`
47	`fi`	48	`fi`
48	`done < /usr/local/etc/alcasar-services`	49	`done < /usr/local/etc/alcasar-services`
49	`#tout le reste est bloqué`	50	`#tout le reste est bloqué`
50	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`	51	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`
51	`$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`	52	`$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`
52	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT`	53	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT`
53	`fi`	54	`fi`
54		55
55		56

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables-filter.sh – Rev 49 → 64