WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh



#!/bin/bash
# $Id: alcasar-iptables.sh 1157 2013-07-16 10:48:11Z stephane $
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script write the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders

EXTIF="eth0"
INTIF="eth1"
TUNIF="tun0"								# listen device for chilli daemon
IPTABLES="/sbin/iptables"
 
 
 
 
# Effacement des règles existantes
# Flush all existing rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Drop broadcast & multicast on EXTIF to avoid log 
$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
# On autorise les retours de connexions légitimes par INPUT
# Conntrack on INPUT
 
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset

		fi
	done < /usr/local/etc/alcasar-ip-blocked
fi
# Autorisation des connexions légitimes à DansGuardian 
# Allow connections for DansGuardian
 
 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
 
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable

#		done < $BL_IP_CAT/$category
#	done
#fi
 
# Autorisation des retours de connexions légitimes
# Allow conntrack
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
#  If protocols filter is activate 
if [ $PROTOCOLS_FILTERING = on ]; then
	# Compute exception IP (IP addresses that shouldn't be filtered)

	if [ $nb_exceptions != "0" ]
	then
		while read ip_exception 
		do
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
 
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
		done < /usr/local/etc/alcasar-filter-exceptions
	fi
	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) 
	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`

	then
		while read ip_allowed_line 
		do
			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
 
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
		done < /usr/local/etc/alcasar-uamallowed
	fi
	# Autorisation des protocoles non commentés
	# Allow non comment protocols

		then	
			svc_name=`echo $svc_line|cut -d" " -f1`
			svc_port=`echo $svc_line|cut -d" " -f2`
			if [ $svc_name = "icmp" ]
			then
 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
			else
 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
			fi
		fi
	done < /usr/local/etc/alcasar-services
	# Rejet explicite des autres protocoles

fi
 
# Autorisation des connections sortant du LAN  
# Allow forward connections with log
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
 
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 
#############################
#         OUTPUT            #
#############################
 
# On autorise les retours de connexions légitimes par OUTPUT
# Conntrack on OUTPUT
 
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# On laisse tout sortir sur INTIF
# Everything is allowed only on INTIF
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 
# On autorise les requêtes DNS vers les serveurs DNS identifiés 
# Allow DNS requests to identified DNS servers
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
 
# On autorise les requêtes HTTP sortantes
# HTTP requests are allowed
 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
 
# On autorise les requêtes FTP 
# FTP requests are allowed
modprobe ip_conntrack_ftp
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
 
 
# On autorise les requêtes NTP 
# NTP requests are allowed
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
 

	$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
#	$IPTABLES -A INPUT  -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
#	$IPTABLES -A INPUT  -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
fi
 
 
#############################
#       POSTROUTING         #
#############################
# Traduction dynamique d'adresse en sortie
# Dynamic NAT on EXTIF

Rev 1154	Rev 1157
Line 1...	Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-iptables.sh 1154 2013-07-15 14:27:10Z crox53 $`	2	`# $Id: alcasar-iptables.sh 1157 2013-07-16 10:48:11Z stephane $`
3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`	3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`
4	`# This script write the netfilter rules for ALCASAR`	4	`# This script write the netfilter rules for ALCASAR`
5	`# Rexy - 3abtux - CPN`	5	`# Rexy - 3abtux - CPN`
6	`#`	6	`#`
7	`# Reminders`	7	`# Reminders`
Line 43...	Line 43...
43	`EXTIF="eth0"`	43	`EXTIF="eth0"`
44	`INTIF="eth1"`	44	`INTIF="eth1"`
45	`TUNIF="tun0" # listen device for chilli daemon`	45	`TUNIF="tun0" # listen device for chilli daemon`
46	`IPTABLES="/sbin/iptables"`	46	`IPTABLES="/sbin/iptables"`
47		47
48	`#lancement du module kernel ipt_NETFLOW (module iptables)`	-
49	`modprobe ipt_NETFLOW destination=127.0.0.1:2055`	-
50		-
51	`# Effacement des règles existantes`	48	`# Effacement des règles existantes`
52	`# Flush all existing rules`	49	`# Flush all existing rules`
53	`$IPTABLES -F`	50	`$IPTABLES -F`
54	`$IPTABLES -t nat -F`	51	`$IPTABLES -t nat -F`
55	`$IPTABLES -t mangle -F`	52	`$IPTABLES -t mangle -F`
Line 133...	Line 130...
133	`# Drop broadcast & multicast on EXTIF to avoid log`	130	`# Drop broadcast & multicast on EXTIF to avoid log`
134	`$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP`	131	`$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP`
135		132
136	`# On autorise les retours de connexions légitimes par INPUT`	133	`# On autorise les retours de connexions légitimes par INPUT`
137	`# Conntrack on INPUT`	134	`# Conntrack on INPUT`
138	`#$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j NETFLOW`	-
139	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`	135	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
140		136
141	`# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING)`	137	`# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING)`
142	`# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING)`	138	`# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING)`
143	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset`	139	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset`
Line 156...	Line 152...
156	`fi`	152	`fi`
157	`done < /usr/local/etc/alcasar-ip-blocked`	153	`done < /usr/local/etc/alcasar-ip-blocked`
158	`fi`	154	`fi`
159	`# Autorisation des connexions légitimes à DansGuardian`	155	`# Autorisation des connexions légitimes à DansGuardian`
160	`# Allow connections for DansGuardian`	156	`# Allow connections for DansGuardian`
161	`#Flux netflow des requêtes HTTP à destination de DansGuardian`	-
162	`#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -j NETFLOW`	-
163	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT`	157	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT`
164		158
165	`# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)`	159	`# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)`
166	`# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING)`	160	`# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING)`
167	`$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable`	161	`$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable`
Line 253...	Line 247...
253	`# done < $BL_IP_CAT/$category`	247	`# done < $BL_IP_CAT/$category`
254	`# done`	248	`# done`
255	`#fi`	249	`#fi`
256		250
257	`# Autorisation des retours de connexions légitimes`	251	`# Autorisation des retours de connexions légitimes`
-		252	`# Allow conntrack`
258	`$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT`	253	`$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT`
259		254
260	`# If protocols filter is activate`	255	`# If protocols filter is activate`
261	`if [ $PROTOCOLS_FILTERING = on ]; then`	256	`if [ $PROTOCOLS_FILTERING = on ]; then`
262	`# Compute exception IP (IP addresses that shouldn't be filtered)`	257	`# Compute exception IP (IP addresses that shouldn't be filtered)`
Line 264...	Line 259...
264	`if [ $nb_exceptions != "0" ]`	259	`if [ $nb_exceptions != "0" ]`
265	`then`	260	`then`
266	`while read ip_exception`	261	`while read ip_exception`
267	`do`	262	`do`
268	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "`	263	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "`
269	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW`	-
270	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT`	264	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT`
271	`done < /usr/local/etc/alcasar-filter-exceptions`	265	`done < /usr/local/etc/alcasar-filter-exceptions`
272	`fi`	266	`fi`
273	`# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)`	267	`# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)`
274	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed \| cut -d" " -f1`	268	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed \| cut -d" " -f1`
Line 276...	Line 270...
276	`then`	270	`then`
277	`while read ip_allowed_line`	271	`while read ip_allowed_line`
278	`do`	272	`do`
279	ip_allowed=`echo $ip_allowed_line\|cut -d"\"" -f2`	273	ip_allowed=`echo $ip_allowed_line\|cut -d"\"" -f2`
280	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "`	274	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "`
281	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW`	-
282	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT`	275	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT`
283	`done < /usr/local/etc/alcasar-uamallowed`	276	`done < /usr/local/etc/alcasar-uamallowed`
284	`fi`	277	`fi`
285	`# Autorisation des protocoles non commentés`	278	`# Autorisation des protocoles non commentés`
286	`# Allow non comment protocols`	279	`# Allow non comment protocols`
Line 291...	Line 284...
291	`then`	284	`then`
292	svc_name=`echo $svc_line\|cut -d" " -f1`	285	svc_name=`echo $svc_line\|cut -d" " -f1`
293	svc_port=`echo $svc_line\|cut -d" " -f2`	286	svc_port=`echo $svc_line\|cut -d" " -f2`
294	`if [ $svc_name = "icmp" ]`	287	`if [ $svc_name = "icmp" ]`
295	`then`	288	`then`
296	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW`	-
297	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT`	289	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT`
298	`else`	290	`else`
299		-
300	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "`	291	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "`
301	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW`	-
302	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT`	292	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT`
303	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "`	293	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "`
304	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW`	-
305	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT`	294	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT`
306	`fi`	295	`fi`
307	`fi`	296	`fi`
308	`done < /usr/local/etc/alcasar-services`	297	`done < /usr/local/etc/alcasar-services`
309	`# Rejet explicite des autres protocoles`	298	`# Rejet explicite des autres protocoles`
Line 320...	Line 309...
320	`fi`	309	`fi`
321		310
322	`# Autorisation des connections sortant du LAN`	311	`# Autorisation des connections sortant du LAN`
323	`# Allow forward connections with log`	312	`# Allow forward connections with log`
324	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "`	313	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "`
325	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW`	-
326	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT`	314	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT`
327		315
328	`#############################`	316	`#############################`
329	`# OUTPUT #`	317	`# OUTPUT #`
330	`#############################`	318	`#############################`
-		319
331	`# SSHD rules if activate`	320	`# On autorise les retours de connexions légitimes par OUTPUT`
332	`if [ $SSH = on ]`	321	`# Conntrack on OUTPUT`
333	`then`	-
334	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT`	322	`$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`
335	`fi`	323
336	`# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur`	324	`# On laisse tout sortir sur INTIF`
337	`# Everything is allowed but traffic through outside network interface`	325	`# Everything is allowed only on INTIF`
338	`$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT`	326	`$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT`
339		327
340	`# On autorise les requêtes DNS vers les serveurs DNS identifiés`	328	`# On autorise les requêtes DNS vers les serveurs DNS identifiés`
341	`# Allow DNS requests to identified DNS servers`	329	`# Allow DNS requests to identified DNS servers`
342	`$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT`	330	`$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT`
343		331
344	`# On autorise les requêtes HTTP sortantes`	332	`# On autorise les requêtes HTTP sortantes`
345	`# HTTP requests are allowed`	333	`# HTTP requests are allowed`
346	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW`	-
347	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT`	334	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT`
348		335
349	`# On autorise les requêtes FTP`	336	`# On autorise les requêtes FTP`
350	`# FTP requests are allowed`	337	`# FTP requests are allowed`
351	`modprobe ip_conntrack_ftp`	338	`modprobe ip_conntrack_ftp`
352	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT`	339	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT`
353	`$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT`	-
354		340
355	`# On autorise les requêtes NTP`	341	`# On autorise les requêtes NTP`
356	`# NTP requests are allowed`	342	`# NTP requests are allowed`
357	`$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT`	343	`$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT`
358		344
Line 368...	Line 354...
368	`$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT`	354	`$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT`
369	`# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT`	355	`# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT`
370	`# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT`	356	`# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT`
371	`fi`	357	`fi`
372		358
373		-
374	`#############################`	359	`#############################`
375	`# POSTROUTING #`	360	`# POSTROUTING #`
376	`#############################`	361	`#############################`
377	`# Traduction dynamique d'adresse en sortie`	362	`# Traduction dynamique d'adresse en sortie`
378	`# Dynamic NAT on EXTIF`	363	`# Dynamic NAT on EXTIF`

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 1154 → 1157