| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables.sh 1459 2014-09-21 23:59:28Z franck $
|
2 |
# $Id: alcasar-iptables.sh 1469 2014-10-30 21:58:47Z richard $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| 8 |
# There are four channels for log :
|
8 |
# There are four channels for log :
|
| 9 |
# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);
|
9 |
# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);
|
| 10 |
# 2 protection of ALCASAR with the Ulog group 1 (default group)
|
10 |
# 2 protection of ALCASAR with the Ulog group 1 (default group)
|
| 11 |
# 3 SSH on ALCASAR with the Ulog group 2;
|
11 |
# 3 SSH on ALCASAR with the Ulog group 2;
|
| 12 |
# 4 extern access attempts on ALCASAR with the Ulog group 3.
|
12 |
# 4 extern access attempts on ALCASAR with the Ulog group 3.
|
| 13 |
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
|
13 |
# The bootps/dhcp (67) port is always open on tun0/INTIF by coova
|
| 14 |
conf_file="/usr/local/etc/alcasar.conf"
|
14 |
CONF_FILE="/usr/local/etc/alcasar.conf"
|
| 15 |
private_ip_mask=`grep ^PRIVATE_IP= $conf_file|cut -d"=" -f2`
|
15 |
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
|
| 16 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
16 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
| 17 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
17 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
| 18 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
18 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
| 19 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
19 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
| 20 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
|
20 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
|
| 21 |
public_ip_mask=`grep ^PUBLIC_IP= $conf_file|cut -d"=" -f2` # ALCASAR WAN IP address
|
21 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
| 22 |
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
|
22 |
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
|
| 23 |
dns1=`grep ^DNS1= $conf_file|cut -d"=" -f2` # first public DNS server
|
23 |
dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2` # first public DNS server
|
| 24 |
dns1=${dns1:=208.67.220.220}
|
24 |
dns1=${dns1:=208.67.220.220}
|
| 25 |
dns2=`grep ^DNS2= $conf_file|cut -d"=" -f2` # second public DNS server
|
25 |
dns2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2` # second public DNS server
|
| 26 |
dns2=${dns2:=208.67.222.222}
|
26 |
dns2=${dns2:=208.67.222.222}
|
| 27 |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
|
27 |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
|
| 28 |
PROTOCOLS_FILTERING=`grep ^PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
28 |
PROTOCOLS_FILTERING=`grep ^PROTOCOLS_FILTERING= $CONF_FILE|cut -d"=" -f2` # Network protocols filter (on/off)
|
| 29 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
29 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
| 30 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
30 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
| 31 |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
|
31 |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
|
| 32 |
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist
|
32 |
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist
|
| 33 |
DNSMASQ_WL_ENABLED="/usr/local/share/dnsmasq-wl-enabled" # enabled domain names for the Whitelist
|
33 |
DNSMASQ_WL_ENABLED="/usr/local/share/dnsmasq-wl-enabled" # enabled domain names for the Whitelist
|
| 34 |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
|
34 |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
|
| 35 |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
|
35 |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
|
| 36 |
QOS=`grep ^QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
|
36 |
QOS=`grep ^QOS= $CONF_FILE|cut -d"=" -f2` # QOS (on/off)
|
| 37 |
QOS=${QOS:=off}
|
37 |
QOS=${QOS:=off}
|
| 38 |
SSH=`grep ^SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
|
38 |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
|
| 39 |
SSH=${SSH:=off}
|
39 |
SSH=${SSH:=off}
|
| 40 |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
|
40 |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
|
| 41 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
41 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
| 42 |
LDAP=`grep ^LDAP= $conf_file|cut -d"=" -f2` # LDAP external server active (on/off)
|
42 |
LDAP=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2` # LDAP external server active (on/off)
|
| 43 |
LDAP=${LDAP:=off}
|
43 |
LDAP=${LDAP:=off}
|
| 44 |
LDAP_IP=`grep ^LDAP_IP= $conf_file|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
|
44 |
LDAP_IP=`grep ^LDAP_IP= $CONF_FILE|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
|
| 45 |
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
|
45 |
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
|
| 46 |
EXTIF="enp1s0"
|
46 |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
|
| 47 |
INTIF="enp2s0"
|
47 |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
|
| 48 |
TUNIF="tun0" # listen device for chilli daemon
|
48 |
TUNIF="tun0" # listen device for chilli daemon
|
| 49 |
IPTABLES="/sbin/iptables"
|
49 |
IPTABLES="/sbin/iptables"
|
| 50 |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
|
50 |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
|
| 51 |
SAVE_DIR="/etc/sysconfig" # Saving path
|
51 |
SAVE_DIR="/etc/sysconfig" # Saving path
|
| 52 |
|
52 |
|