WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh



#!/bin/bash
# $Id: alcasar-iptables.sh 1221 2013-09-22 20:39:20Z richard $
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script write the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders
# There are four channels for log :
#	1 tracability with The 'Netflow' kernel module (iptables target = NETFLOW);
#	2 protection of ALCASAR with the Ulog group 1 (default group) 
#	3 SSH with the ulog group 2;
#	4 extern access attempts with the ulog group 3.
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova 
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address

#############################
#       PREROUTING          #
#############################
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT
# Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules
# Remarque : Ce port n'est ouvert que lorsque le filtrage est activé

	fi
		$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
fi
 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD
## $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
 
# Redirection des requêtes HTTP vers DansGuardian (proxy transparent)
# Redirect HTTP requests in DansGuardian (transparent proxy)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
 
# Redirection des requêtes NTP vers le serveur NTP local

 
# On autorise les retours de connexions légitimes par INPUT
# Conntrack on INPUT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
 
# Insertion des règles de blocage IP
# Here, we add IP block rules 
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then 

	do
		ip_on=`echo $ip_line|cut -b1`
		if [ $ip_on != "#" ]
		then	
			ip_blocked=`echo $ip_line|cut -d" " -f1`
#			$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
			$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j REJECT 
		fi
	done < /usr/local/etc/alcasar-ip-blocked
fi
# Autorisation des connexions légitimes à DansGuardian 

	do
		ip_on=`echo $ip_line|cut -b1`
		if [ $ip_on != "#" ]
		then	
			ip_blocked=`echo $ip_line|cut -d" " -f1`
 
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset
		fi
	done < /usr/local/etc/alcasar-ip-blocked

	nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
	if [ $nb_exceptions != "0" ]
	then
		while read ip_exception 
		do
#			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
		done < /usr/local/etc/alcasar-filter-exceptions
	fi
	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) 

	if [ $nb_uamallowed != "0" ]
	then
		while read ip_allowed_line 
		do
			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
		done < /usr/local/etc/alcasar-uamallowed
	fi
	# Autorisation des protocoles non commentés

			then
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
			else
 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
			fi
		fi
	done < /usr/local/etc/alcasar-services
	# Rejet explicite des autres protocoles
	# reject the others protocols
#	$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT 
fi
 

	. /usr/local/etc/alcasar-iptables-qos.sh 	
fi
 
# Autorisation des connections sortant du LAN  
# Allow forward connections with log
#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 
#############################
#         OUTPUT            #

# LDAP requests are allowed if an external server is declared
if [ $LDAP = on ]
	then
	$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
 
 
fi
 
 
#############################
#       POSTROUTING         #

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 1161 → 1221

Rev 1161		Rev 1221
Line 1...		Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-iptables.sh 1161 2013-07-17 20:16:26Z richard $`	2	`# $Id: alcasar-iptables.sh 1221 2013-09-22 20:39:20Z richard $`
3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`	3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`
4	`# This script write the netfilter rules for ALCASAR`	4	`# This script write the netfilter rules for ALCASAR`
5	`# Rexy - 3abtux - CPN`	5	`# Rexy - 3abtux - CPN`
6	`#`	6	`#`
7	`# Reminders`	7	`# Reminders`
8	`# There are three channels for log :`	8	`# There are four channels for log :`
9	`# 1 (default) for tracability;`	9	`# 1 tracability with The 'Netflow' kernel module (iptables target = NETFLOW);`
10	`# 2 for secure admin (ssh);`	10	`# 2 protection of ALCASAR with the Ulog group 1 (default group)`
11	`# 3 for exterior access attempts.`	11	`# 3 SSH with the ulog group 2;`
12	`# The French Security Agency (ANSSI) rules was applied by 'this script`	12	`# 4 extern access attempts with the ulog group 3.`
13	`# The bootps/dhcp (67) port is always open on tun0/eth1 by coova`	13	`# The bootps/dhcp (67) port is always open on tun0/eth1 by coova`
14	`conf_file="/usr/local/etc/alcasar.conf"`	14	`conf_file="/usr/local/etc/alcasar.conf"`
15	private_ip_mask=`grep PRIVATE_IP= $conf_file\|cut -d"=" -f2`	15	private_ip_mask=`grep PRIVATE_IP= $conf_file\|cut -d"=" -f2`
16	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`	16	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`
17	PRIVATE_IP=`echo $private_ip_mask \| cut -d"/" -f1` # ALCASAR LAN IP address	17	PRIVATE_IP=`echo $private_ip_mask \| cut -d"/" -f1` # ALCASAR LAN IP address
Line 74...		Line 74...
74	`#############################`	74	`#############################`
75	`# PREROUTING #`	75	`# PREROUTING #`
76	`#############################`	76	`#############################`
77	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT`	77	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT`
78	`# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules`	78	`# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules`
79	`# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "`	79	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "`
80	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1`	80	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1`
81		81
82	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT`	82	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT`
83	`# Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules`	83	`# Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules`
84	`# Remarque : Ce port n'est ouvert que lorsque le filtrage est activé`	84	`# Remarque : Ce port n'est ouvert que lorsque le filtrage est activé`
Line 100...		Line 100...
100	`fi`	100	`fi`
101	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54`	101	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54`
102	`fi`	102	`fi`
103		103
104	`# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD`	104	`# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD`
105	`# Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD`	105	`## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD`
106	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "`	106	`## $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "`
-		107
107	`# Redirection des requêtes HTTP vers DansGuardian (proxy transparent)`	108	`# Redirection des requêtes HTTP vers DansGuardian (proxy transparent)`
108	`# Redirect HTTP requests in DansGuardian (transparent proxy)`	109	`# Redirect HTTP requests in DansGuardian (transparent proxy)`
109	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080`	110	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080`
110		111
111	`# Redirection des requêtes NTP vers le serveur NTP local`	112	`# Redirection des requêtes NTP vers le serveur NTP local`
Line 135...		Line 136...
135		136
136	`# On autorise les retours de connexions légitimes par INPUT`	137	`# On autorise les retours de connexions légitimes par INPUT`
137	`# Conntrack on INPUT`	138	`# Conntrack on INPUT`
138	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`	139	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
139		140
140	`# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING)`	141	`# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)`
141	`# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING)`	142	`# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING)`
142	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset`	143	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset`
143		144
144	`# Insertion des règles de blocage IP`	145	`# Insertion des règles de blocage IP`
145	`# Here, we add IP block rules`	146	`# Here, we add IP block rules`
146	`if [ -s /usr/local/etc/alcasar-ip-blocked ]; then`	147	`if [ -s /usr/local/etc/alcasar-ip-blocked ]; then`
Line 148...		Line 149...
148	`do`	149	`do`
149	ip_on=`echo $ip_line\|cut -b1`	150	ip_on=`echo $ip_line\|cut -b1`
150	`if [ $ip_on != "#" ]`	151	`if [ $ip_on != "#" ]`
151	`then`	152	`then`
152	ip_blocked=`echo $ip_line\|cut -d" " -f1`	153	ip_blocked=`echo $ip_line\|cut -d" " -f1`
153	`$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "`	154	`# $IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "`
154	`$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j REJECT`	155	`$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j REJECT`
155	`fi`	156	`fi`
156	`done < /usr/local/etc/alcasar-ip-blocked`	157	`done < /usr/local/etc/alcasar-ip-blocked`
157	`fi`	158	`fi`
158	`# Autorisation des connexions légitimes à DansGuardian`	159	`# Autorisation des connexions légitimes à DansGuardian`
Line 224...		Line 225...
224	`do`	225	`do`
225	ip_on=`echo $ip_line\|cut -b1`	226	ip_on=`echo $ip_line\|cut -b1`
226	`if [ $ip_on != "#" ]`	227	`if [ $ip_on != "#" ]`
227	`then`	228	`then`
228	ip_blocked=`echo $ip_line\|cut -d" " -f1`	229	ip_blocked=`echo $ip_line\|cut -d" " -f1`
229	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "`	-
230	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable`	230	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable`
231	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable`	231	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable`
232	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset`	232	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset`
233	`fi`	233	`fi`
234	`done < /usr/local/etc/alcasar-ip-blocked`	234	`done < /usr/local/etc/alcasar-ip-blocked`
Line 260...		Line 260...
260	nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions \| cut -d" " -f1`	260	nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions \| cut -d" " -f1`
261	`if [ $nb_exceptions != "0" ]`	261	`if [ $nb_exceptions != "0" ]`
262	`then`	262	`then`
263	`while read ip_exception`	263	`while read ip_exception`
264	`do`	264	`do`
265	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "`	265	`# $IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "`
266	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW`	266	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW`
267	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT`	267	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT`
268	`done < /usr/local/etc/alcasar-filter-exceptions`	268	`done < /usr/local/etc/alcasar-filter-exceptions`
269	`fi`	269	`fi`
270	`# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)`	270	`# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)`
Line 272...		Line 272...
272	`if [ $nb_uamallowed != "0" ]`	272	`if [ $nb_uamallowed != "0" ]`
273	`then`	273	`then`
274	`while read ip_allowed_line`	274	`while read ip_allowed_line`
275	`do`	275	`do`
276	ip_allowed=`echo $ip_allowed_line\|cut -d"\"" -f2`	276	ip_allowed=`echo $ip_allowed_line\|cut -d"\"" -f2`
277	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "`	277	`# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "`
278	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW`	278	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW`
279	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT`	279	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT`
280	`done < /usr/local/etc/alcasar-uamallowed`	280	`done < /usr/local/etc/alcasar-uamallowed`
281	`fi`	281	`fi`
282	`# Autorisation des protocoles non commentés`	282	`# Autorisation des protocoles non commentés`
Line 292...		Line 292...
292	`then`	292	`then`
293	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW`	293	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW`
294	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT`	294	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT`
295	`else`	295	`else`
296		296
297	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "`	297	`# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "`
298	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW`	298	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW`
299	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT`	299	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT`
300	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "`	300	`# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "`
301	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW`	301	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW`
302	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT`	302	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT`
303	`fi`	303	`fi`
304	`fi`	304	`fi`
305	`done < /usr/local/etc/alcasar-services`	305	`done < /usr/local/etc/alcasar-services`
306	`# Rejet explicite des autres protocoles`	306	`# Rejet explicite des autres protocoles`
307	`# reject the others protocols`	307	`# reject the others protocols`
308	`$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "`	308	`# $IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "`
309	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`	309	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`
310	`$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`	310	`$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`
311	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT`	311	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT`
312	`fi`	312	`fi`
313		313
Line 316...		Line 316...
316	`. /usr/local/etc/alcasar-iptables-qos.sh`	316	`. /usr/local/etc/alcasar-iptables-qos.sh`
317	`fi`	317	`fi`
318		318
319	`# Autorisation des connections sortant du LAN`	319	`# Autorisation des connections sortant du LAN`
320	`# Allow forward connections with log`	320	`# Allow forward connections with log`
321	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "`	321	`#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "`
322	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW`	322	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW`
323	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT`	323	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT`
324		324
325	`#############################`	325	`#############################`
326	`# OUTPUT #`	326	`# OUTPUT #`
Line 356...		Line 356...
356	`# LDAP requests are allowed if an external server is declared`	356	`# LDAP requests are allowed if an external server is declared`
357	`if [ $LDAP = on ]`	357	`if [ $LDAP = on ]`
358	`then`	358	`then`
359	`$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT`	359	`$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT`
360	`$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT`	360	`$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT`
361	`# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT`	-
362	`# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT`	-
363	`fi`	361	`fi`
364		362
365		363
366	`#############################`	364	`#############################`
367	`# POSTROUTING #`	365	`# POSTROUTING #`