
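--- a/alcasar-iptables.sh
+++ b/alcasar-iptables.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# $Id: alcasar-iptables.sh 1147 2013-07-02 22:00:21Z richard $
+# $Id: alcasar-iptables.sh 1154 2013-07-15 14:27:10Z crox53 $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script write the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 #
 # Reminders
@@ -43,10 +43,13 @@
 EXTIF="eth0"
 INTIF="eth1"
 TUNIF="tun0"								# listen device for chilli daemon
 IPTABLES="/sbin/iptables"
 
+#lancement du module kernel ipt_NETFLOW (module iptables)
+modprobe ipt_NETFLOW destination=127.0.0.1:2055
+
 # Effacement des règles existantes
 # Flush all existing rules
 $IPTABLES -F
 $IPTABLES -t nat -F
 $IPTABLES -t mangle -F
@@ -130,10 +133,11 @@
 # Drop broadcast & multicast on EXTIF to avoid log 
 $IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
 # On autorise les retours de connexions légitimes par INPUT
 # Conntrack on INPUT
+#$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j NETFLOW
 $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
 # On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
 # Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING)
 $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
@@ -152,10 +156,12 @@
 		fi
 	done < /usr/local/etc/alcasar-ip-blocked
 fi
 # Autorisation des connexions légitimes à DansGuardian 
 # Allow connections for DansGuardian
+#Flux netflow des requêtes HTTP à destination de DansGuardian
+#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -j NETFLOW
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
 
 # On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
 # Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING)
 $IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable
@@ -247,11 +253,10 @@
 #		done < $BL_IP_CAT/$category
 #	done
 #fi
 
 # Autorisation des retours de connexions légitimes
-# Allow conntrack
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 #  If protocols filter is activate 
 if [ $PROTOCOLS_FILTERING = on ]; then
 	# Compute exception IP (IP addresses that shouldn't be filtered)
@@ -259,10 +264,11 @@
 	if [ $nb_exceptions != "0" ]
 	then
 		while read ip_exception 
 		do
 			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
+			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW
 			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
 		done < /usr/local/etc/alcasar-filter-exceptions
 	fi
 	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) 
 	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
@@ -270,10 +276,11 @@
 	then
 		while read ip_allowed_line 
 		do
 			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
 			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
+			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
 			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
 		done < /usr/local/etc/alcasar-uamallowed
 	fi
 	# Autorisation des protocoles non commentés
 	# Allow non comment protocols
@@ -284,15 +291,19 @@
 		then	
 			svc_name=`echo $svc_line|cut -d" " -f1`
 			svc_port=`echo $svc_line|cut -d" " -f2`
 			if [ $svc_name = "icmp" ]
 			then
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
 			else
+
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
 			fi
 		fi
 	done < /usr/local/etc/alcasar-services
 	# Rejet explicite des autres protocoles
@@ -309,36 +320,39 @@
 fi
 
 # Autorisation des connections sortant du LAN  
 # Allow forward connections with log
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
+$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 
 #############################
 #         OUTPUT            #
 #############################
-
-# On autorise les retours de connexions légitimes par OUTPUT
-# Conntrack on OUTPUT
-$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-# On laisse tout sortir sur INTIF
-# Everything is allowed only on INTIF
+# SSHD rules if activate 
+if [ $SSH = on ]
+	then
+	$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
+fi
+# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
+# Everything is allowed but traffic through outside network interface
 $IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 
 # On autorise les requêtes DNS vers les serveurs DNS identifiés 
 # Allow DNS requests to identified DNS servers
 $IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
 
 # On autorise les requêtes HTTP sortantes
 # HTTP requests are allowed
+$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
 $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
 
 # On autorise les requêtes FTP 
 # FTP requests are allowed
 modprobe ip_conntrack_ftp
 $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
+$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # On autorise les requêtes NTP 
 # NTP requests are allowed
 $IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
 
@@ -354,10 +368,11 @@
 	$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
 #	$IPTABLES -A INPUT  -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
 #	$IPTABLES -A INPUT  -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
 fi
 
+
 #############################
 #       POSTROUTING         #
 #############################
 # Traduction dynamique d'adresse en sortie
 # Dynamic NAT on EXTIF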
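Review bot: Every new `-j NETFLOW` rule in FORWARD (new lines 269, 281, 301, 304, 325) carries `-m state --state NEW` and sits below the `$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` at new line 258, so, if ipt_NETFLOW accounts per packet as I understand it, only the opening packet of each flow ever reaches the target and the exported records will show packet/byte counts of one packet — for usable flow accounting a state-less `$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j NETFLOW` just above line 258 (the FORWARD counterpart of the commented INPUT rule at new line 138) seems needed. `modprobe ipt_NETFLOW destination=127.0.0.1:2055` at new line 49 is unchecked and the script does not use `set -e`, so if the module is absent every later NETFLOW rule fails to load while the ACCEPT rules still install and flow export stops silently; `modprobe ipt_NETFLOW destination=127.0.0.1:2055 || echo "ipt_NETFLOW not loaded, flow export disabled" >&2` would at least make that visible. The hunk at old line 252 also drops the English comment `# Allow conntrack` next to the surviving French one, which looks accidental.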