Subversion Repositories ALCASAR

Rev

Rev 1339 | Rev 1370 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 1339 Rev 1364
Line 1... Line 1...
1 
#!/bin/bash
 1 
#!/bin/bash
2 
# $Id: alcasar-iptables.sh 1339 2014-05-05 12:55:57Z richard $
 2 
# $Id: alcasar-iptables.sh 1364 2014-05-27 15:56:02Z richard $
3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4 
# This script writes the netfilter rules for ALCASAR
 4 
# This script writes the netfilter rules for ALCASAR
5 
# Rexy - 3abtux - CPN
 5 
# Rexy - 3abtux - CPN
6 
#
 6 
#
7 
# Reminders
 7 
# Reminders
Line 29... Line 29...
29 
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
 29 
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
30 
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2`		# DNS and URLs filter (on/off)
 30 
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2`		# DNS and URLs filter (on/off)
31 
DNS_FILTERING=${DNS_FILTERING:=off}
 31 
DNS_FILTERING=${DNS_FILTERING:=off}
32 
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
 32 
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
33 
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi"				# ossi categoty
 33 
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi"				# ossi categoty
- 
 
 34 
FILE_IP_WL="/usr/local/share/ossi_wl"					# ip of the whitelist
- 
 
 35 
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
- 
 
 36 
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
34 
QOS=`grep QOS= $conf_file|cut -d"=" -f2`				# QOS (on/off)
 37 
QOS=`grep QOS= $conf_file|cut -d"=" -f2`				# QOS (on/off)
35 
QOS=${QOS:=off}
 38 
QOS=${QOS:=off}
36 
SSH=`grep SSH= $conf_file|cut -d"=" -f2`				# sshd active (on/off)
 39 
SSH=`grep SSH= $conf_file|cut -d"=" -f2`				# sshd active (on/off)
37 
SSH=${SSH:=off}
 40 
SSH=${SSH:=off}
38 
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
 41 
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
Line 44... Line 47...
44 
EXTIF="eth0"
 47 
EXTIF="eth0"
45 
INTIF="eth1"
 48 
INTIF="eth1"
46 
TUNIF="tun0"								# listen device for chilli daemon
 49 
TUNIF="tun0"								# listen device for chilli daemon
47 
IPTABLES="/sbin/iptables"
 50 
IPTABLES="/sbin/iptables"
48 
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
 51 
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
- 
 
 52 
SAVE_DIR="/etc/sysconfig"						# Saving path
- 
 
 53 
 
- 
 
 54 
# Sauvegarde des SET des utilisateurs connectés si ils existent
- 
 
 55 
# Saving SET of connected users if it exists
- 
 
 56 
ipset list no_filtering_set 1>/dev/null 2>&1
- 
 
 57 
if [ $? -eq 0 ];
- 
 
 58 
then
- 
 
 59 
	ipset save no_filtering_set > $TMP_users_set_save
- 
 
 60 
	ipset save havp_set >> $TMP_users_set_save
- 
 
 61 
	ipset save havp_bl_set >> $TMP_users_set_save
- 
 
 62 
	ipset save havp_wl_set >> $TMP_users_set_save
- 
 
 63 
fi
49 
 
 64 
 
50 
# loading of NetFlow probe (ipt_NETFLOW kernel module)
 65 
# loading of NetFlow probe (ipt_NETFLOW kernel module)
51 
modprobe ipt_NETFLOW destination=127.0.0.1:2055
 66 
modprobe ipt_NETFLOW destination=127.0.0.1:2055
52 
 
 67 
 
53 
# Effacement des règles existantes
 68 
# Effacement des règles existantes
Line 75... Line 90...
75 
 
 90 
 
76 
# destruction de tous les SET
 91 
# destruction de tous les SET
77 
# destroy all SET
 92 
# destroy all SET
78 
ipset destroy
 93 
ipset destroy
79 
 
 94 
 
80 
# Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown)
 - 
 
81 
# creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts)
 - 
 
82 
ipset create authenticated_ip hash:net hashsize 1024
 - 
 
83 
OLDIFS=$IFS
 - 
 
84 
IFS=$'\n'
 - 
 
85 
for equipment in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
 - 
 
86 
do
 - 
 
87 
	active_ip=`echo $equipment |cut -d" " -f2`
 - 
 
88 
	active_session=`echo $equipment |cut -d" " -f5`
 - 
 
89 
	if [[ $(expr $active_session) -eq 1 ]]
 - 
 
90 
	then
 - 
 
91 
		ipset add authenticated_ip $active_ip
 - 
 
92 
	fi
 - 
 
93 
done
 - 
 
94 
IFS=$OLDIFS
 - 
 
95 
 
 - 
 
96 
# Calcul de la taille de l'ipset
 95 
# Calcul de la taille du set
97 
cd $BL_IP_CAT
 96 
cd $BL_IP_CAT
98 
ipset_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
 97 
set_bl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
99 
 
 98 
 
100 
# Création du fichier set temporaire, remplissage, chargement et suppression
 99 
# Création du fichier set temporaire, remplissage, chargement et suppression
101 
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > /tmp/ipset_save
 100 
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $set_bl_length" > $TMP_set_save
102 
for category in `ls -1 | cut -d '@' -f1`
 101 
for category in `ls -1 | cut -d '@' -f1`
103 
do
 102 
do
104 
	cat $BL_IP_CAT/$category >> /tmp/ipset_save
 103 
	cat $BL_IP_CAT/$category >> $TMP_set_save
105 
done
 104 
done
106 
cat $BL_IP_OSSI >> /tmp/ipset_save
 105 
cat $BL_IP_OSSI >> $TMP_set_save
107 
ipset -! restore < /tmp/ipset_save
 106 
ipset -! restore < $TMP_set_save
108 
rm -f /tmp/ipset_save
 107 
rm -f $TMP_set_save
109 
 
 108 
 
110 
# Extraction des ip réhabilitées
 109 
# Extraction des ip réhabilitées
111 
for ip in $(cat $IP_REHABILITEES)
 110 
for ip in $(cat $IP_REHABILITEES)
112 
do
 111 
do
113 
	ipset del blacklist_ip_blocked $ip
 112 
	ipset del blacklist_ip_blocked $ip
114 
done
 113 
done
115 
 
 114 
 
- 
 
 115 
# Calcul de la taille du set de la whitelist
- 
 
 116 
set_wl_length=$(wc -l $FILE_IP_WL | awk '{print $1}')
- 
 
 117 
 
- 
 
 118 
# Création du fichier set temporaire, remplissage, chargement et suppression
- 
 
 119 
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save
- 
 
 120 
cat $FILE_IP_WL >> $TMP_set_save
- 
 
 121 
ipset -! restore < $TMP_set_save
- 
 
 122 
rm -f $TMP_set_save
- 
 
 123 
 
- 
 
 124 
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET
- 
 
 125 
if [ -e $TMP_users_set_save ];
- 
 
 126 
then
- 
 
 127 
	ipset -! restore < $TMP_users_set_save
- 
 
 128 
	rm -f $TMP_users_set_save
- 
 
 129 
else
- 
 
 130 
	ipset create no_filtering_set hash:net hashsize 1024
- 
 
 131 
	ipset create havp_set hash:net hashsize 1024
- 
 
 132 
	ipset create havp_bl_set hash:net hashsize 1024
- 
 
 133 
	ipset create havp_wl_set hash:net hashsize 1024
- 
 
 134 
fi
- 
 
 135 
 
116 
# Sauvegarde de tous les set (pour restaurer après redémarrage)
 136 
# Sauvegarde de tous les set sauf ceux d'interception (pour restaurer après redémarrage)
- 
 
 137 
ipset save blacklist_ip_blocked > $SAVE_DIR/ipset_save
117 
ipset save > /etc/sysconfig/ipset_save
 138 
ipset save whitelist_ip_allowed >> $SAVE_DIR/ipset_save
- 
 
 139 
echo "create no_filtering_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
- 
 
 140 
echo "create havp_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
- 
 
 141 
echo "create havp_bl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
- 
 
 142 
echo "create havp_wl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
118 
 
 143 
 
119 
#############################
 144 
#############################
120 
#       PREROUTING          #
 145 
#       PREROUTING          #
121 
#############################
 146 
#############################
122 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
 147 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
Line 124... Line 149...
124 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
 149 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
125 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 150 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
126 
 
 151 
 
127 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT
 152 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT
128 
# Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules
 153 
# Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules
129 
# Remarque : Ce port n'est ouvert que lorsque le filtrage est activé
 - 
 
130 
# Remark : this port is only open when filtering is on
 - 
 
131 
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP -m udp --dport 54 -j ULOG --ulog-prefix "RULE DNS-proxy -- DENY "
 154 
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP -m udp --dport 54 -j ULOG --ulog-prefix "RULE DNS-proxy -- DENY "
132 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 2
 155 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 2
133 
 
 156 
 
134 
# Si le filtrage DNS est activé, redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions
157 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 55 pour pouvoir les rejeter en INPUT
135 
# If DNS filter is on, redirect DNS request to udp 54 (dns+blackhole) except for exception IP addresses
 158 
# Mark (and log) the udp 55 direct attempts to REJECT them in INPUT rules
136 
if [ $DNS_FILTERING = on ]; then
 159 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 3
- 
 
 160 
 
- 
 
 161 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 pour pouvoir les rejeter en INPUT
137 
	# Compute exception IP
 162 
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
138 
	nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
 163 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 4
- 
 
 164 
 
139 
	if [ $nb_exceptions != "0" ]
 165 
# Aiguillage des flux DNS
140 
	then
 166 
# Switching DNS streams
- 
 
 167 
# havp_bl_set --> redirection vers le port 54
141 
		while read ip_exception
168 
# havp_bl_set --> redirect to port 54
142 
		do
 - 
 
143 
			$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT
 169 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
144 
		done < /usr/local/etc/alcasar-filter-exceptions
 170 
# havp_wl_set --> redirection vers le port 55
145 
	fi
 - 
 
- 
 
 171 
# havp_wl_set --> redirect to port 55
146 
		$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
 172 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
147 
fi
 - 
 
148 
 
 173 
 
149 
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
 174 
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
150 
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
 - 
 
151 
if [ $DNS_FILTERING = on ]; then
 - 
 
152 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 175 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
153 
fi
 - 
 
154 
 
 176 
 
155 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
 177 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
156 
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
 178 
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
157 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
 179 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
158 
 
 180 
 
- 
 
 181 
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_set
- 
 
 182 
# Redirect outbound HTTP requests to HAVP for the set havp_set
- 
 
 183 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
- 
 
 184 
 
159 
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent)
 185 
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent) pour le set havp_bl_set
160 
# Redirect outbound HTTP requests to DansGuardian (transparent proxy)
 186 
# Redirect outbound HTTP requests to DansGuardian (transparent proxy) for the set havp_bl_set
161 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
 187 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
- 
 
 188 
 
- 
 
 189 
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_wl_set
- 
 
 190 
# Redirect outbound HTTP requests to HAVP for the set havp_wl_set
- 
 
 191 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
162 
 
 192 
 
163 
# Redirection des requêtes NTP vers le serveur NTP local
 193 
# Redirection des requêtes NTP vers le serveur NTP local
164 
# Redirect NTP request in local NTP server
 194 
# Redirect NTP request in local NTP server
165 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
 195 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
166 
 
 196 
 
Line 197... Line 227...
197 
# Allow connections for DansGuardian
 227 
# Allow connections for DansGuardian
198 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
 228 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
199 
 
 229 
 
200 
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
 230 
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
201 
# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING)
 231 
# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING)
202 
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable
 232 
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable
203 
 
 233 
 
- 
 
 234 
# On interdit les connexions directes au port UDP 55. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
- 
 
 235 
# Deny direct connections on UDP 55. The concerned paquets are marked in mangle table (PREROUTING)
- 
 
 236 
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable
- 
 
 237 
 
- 
 
 238 
# On interdit les connexions directes au port 8090. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
- 
 
 239 
# Deny direct connections on 8090. The concerned paquets are marked in mangle table (PREROUTING)
- 
 
 240 
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 4 -j REJECT --reject-with tcp-reset
- 
 
 241 
 
- 
 
 242 
# Autorisation des connexions légitimes à HAVP
- 
 
 243 
# Allow connections for HAVP
- 
 
 244 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m state --state NEW --syn -j ACCEPT
- 
 
 245 
 
204 
# autorisation des connexion légitime à DNSMASQ (avec blackhole)
 246 
# autorisation des connexion légitime à DNSMASQ (avec blacklist)
205 
# Allow connections for DNSMASQ (with blackhole)
 247 
# Allow connections for DNSMASQ (with blacklist)
206 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
 248 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
207 
 
 249 
 
- 
 
 250 
# autorisation des connexion légitime à DNSMASQ (avec whitelist)
- 
 
 251 
# Allow connections for DNSMASQ (with whitelist)
- 
 
 252 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
- 
 
 253 
 
208 
# Accès direct aux services internes
 254 
# Accès direct aux services internes
209 
# Internal services access
 255 
# Internal services access
210 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT	# DNS non filtré # DNS without blackhole
 256 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT	# DNS non filtré # DNS without blacklist
211 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT	# Réponse ping # ping responce
 257 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT	# Réponse ping # ping responce
212 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT	# Requête  ping # ping request
 258 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT	# Requête  ping # ping request
213 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT	# Pages d'authentification et MCC # authentication pages and MCC
 259 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT	# Pages d'authentification et MCC # authentication pages and MCC
214 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT	# Page d'avertissement filtrage # Filtering warning pages
 260 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT	# Page d'avertissement filtrage # Filtering warning pages
215 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT	# Requêtes de deconnexion usagers # Users logout requests
 261 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT	# Requêtes de deconnexion usagers # Users logout requests
Line 243... Line 289...
243 
 
 289 
 
244 
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
 290 
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
245 
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
 291 
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
246 
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
 292 
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
247 
 
 293 
 
248 
 
 - 
 
249 
#############################
 294 
#############################
250 
#        FORWARD            #
 295 
#        FORWARD            #
251 
#############################
 296 
#############################
252 
 
 297 
 
- 
 
 298 
# Blocage des IPs du SET blacklist_ip_blocked pour le SET havp_bl_set
- 
 
 299 
# Deny IPs of the SET blacklist_ip_blocked for the set havp_bl_set
- 
 
 300 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
- 
 
 301 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
- 
 
 302 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
- 
 
 303 
 
253 
# Rejet des requêtes DNS vers Internet
 304 
# Rejet des requêtes DNS vers Internet
254 
# Deny forward DNS
 305 
# Deny forward DNS
255 
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
 306 
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
256 
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 307 
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
257 
 
 308 
 
258 
if [ $DNS_FILTERING = on ]; then
 - 
 
259 
	# Blocage des IPs du SET blacklist_ip_blocked
 - 
 
260 
	# Deny IPs of the SET blacklist_ip_blocked
- 
 
261 
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
 - 
 
262 
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
 - 
 
263 
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
 - 
 
264 
fi
 - 
 
265 
 
 - 
 
266 
# Autorisation des retours de connexions légitimes
 309 
# Autorisation des retours de connexions légitimes
267 
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 310 
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
268 
 
 311 
 
269 
#  If protocols filter is activate
312 
#  If protocols filter is activate
270 
if [ $PROTOCOLS_FILTERING = on ]; then
 313 
#if [ $PROTOCOLS_FILTERING = on ]; then
271 
	# Compute exception IP (IP addresses that shouldn't be filtered)
 - 
 
272 
	nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
 - 
 
273 
	if [ $nb_exceptions != "0" ]
 - 
 
274 
	then
 - 
 
275 
		while read ip_exception
- 
 
276 
		do
 - 
 
277 
#			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
 - 
 
278 
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW
 - 
 
279 
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
 - 
 
280 
		done < /usr/local/etc/alcasar-filter-exceptions
 - 
 
281 
	fi
 - 
 
282 
	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
314 
#	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
283 
	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
 315 
#	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
284 
	if [ $nb_uamallowed != "0" ]
 316 
#	if [ $nb_uamallowed != "0" ]
285 
	then
 317 
#	then
286 
		while read ip_allowed_line
318 
#		while read ip_allowed_line
287 
		do
 319 
#		do
288 
			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
 320 
#			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
289 
#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
 321 
#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
290 
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
 322 
#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
291 
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
 323 
#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
292 
		done < /usr/local/etc/alcasar-uamallowed
 324 
#		done < /usr/local/etc/alcasar-uamallowed
293 
	fi
 325 
#	fi
294 
	# Autorisation des protocoles non commentés
 326 
#	# Autorisation des protocoles non commentés
295 
	# Allow non comment protocols
 327 
#	# Allow non comment protocols
296 
	while read svc_line
 328 
#	while read svc_line
297 
	do
 329 
#	do
298 
		svc_on=`echo $svc_line|cut -b1`
 330 
#		svc_on=`echo $svc_line|cut -b1`
299 
		if [ $svc_on != "#" ]
 331 
#		if [ $svc_on != "#" ]
300 
		then
332 
#		then
301 
			svc_name=`echo $svc_line|cut -d" " -f1`
 333 
#			svc_name=`echo $svc_line|cut -d" " -f1`
302 
			svc_port=`echo $svc_line|cut -d" " -f2`
 334 
#			svc_port=`echo $svc_line|cut -d" " -f2`
303 
			if [ $svc_name = "icmp" ]
 335 
#			if [ $svc_name = "icmp" ]
304 
			then
 336 
#			then
305 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
 337 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
306 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
338 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
307 
			else
 339 
#			else
308 
 
 340 
#
309 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
 341 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
310 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
 342 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
311 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
 343 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
312 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
 344 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
313 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
 345 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
314 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
 346 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
315 
			fi
 347 
#			fi
316 
		fi
 348 
#		fi
317 
	done < /usr/local/etc/alcasar-services
 349 
#	done < /usr/local/etc/alcasar-services
318 
	# Rejet explicite des autres protocoles
 350 
#	# Rejet explicite des autres protocoles
319 
	# reject the others protocols
 351 
#	# reject the others protocols
320 
#	$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
 352 
#	$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
321 
	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
 353 
#	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
322 
	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 354 
#	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
323 
	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
355 
#	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
324 
fi
 356 
#fi
325 
 
 357 
 
326 
#  If QOS is activate  #
 358 
#  If QOS is activate  #
327 
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
 359 
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
328 
	. /usr/local/etc/alcasar-iptables-qos.sh
360 
	. /usr/local/etc/alcasar-iptables-qos.sh
329 
fi
 361 
fi
Line 370... Line 402...
370 
	then
 402 
	then
371 
	$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
 403 
	$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
372 
	$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
 404 
	$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
373 
fi
 405 
fi
374 
 
 406 
 
375 
 
 - 
 
376 
#############################
 407 
#############################
377 
#       POSTROUTING         #
 408 
#       POSTROUTING         #
378 
#############################
 409 
#############################
379 
# Traduction dynamique d'adresse en sortie
 410 
# Traduction dynamique d'adresse en sortie
380 
# Dynamic NAT on EXTIF
 411 
# Dynamic NAT on EXTIF