Subversion Repositories ALCASAR

Rev

Rev 1629 | Rev 1705 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 1629 Rev 1704
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
# $Id: alcasar-iptables.sh 1629 2015-05-22 22:34:19Z richard $
2
# $Id: alcasar-iptables.sh 1704 2015-10-19 12:50:17Z richard $
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4
# This script writes the netfilter rules for ALCASAR
4
# This script writes the netfilter rules for ALCASAR
5
# Rexy - 3abtux - CPN
5
# Rexy - 3abtux - CPN
6
#
6
#
7
# Reminders
7
# Reminders
Line 148... Line 148...
148
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
148
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
149
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
149
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
150
 
150
 
151
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT
151
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT
152
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
152
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
153
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
153
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nfog-prefix "RULE direct-proxy -- DENY "
154
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
154
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
155
 
155
 
156
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT
156
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT
157
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
157
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
158
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
158
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY "
159
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
159
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
160
 
160
 
161
# Marquage des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT
161
# Marquage des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT
162
# Mark the udp 54 direct attempts (DNS-blacklist) to REJECT them in INPUT rules
162
# Mark the udp 54 direct attempts (DNS-blacklist) to REJECT them in INPUT rules
163
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3
163
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3
Line 178... Line 178...
178
# redirect DNS of 'havp_bl' users to port 55
178
# redirect DNS of 'havp_bl' users to port 55
179
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
179
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
180
 
180
 
181
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. 
181
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. 
182
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
182
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
183
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
183
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "
184
 
184
 
185
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
185
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
186
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
186
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
187
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
187
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
188
 
188
 
Line 287... Line 287...
287
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT	# Serveur local de temps # local time server
287
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT	# Serveur local de temps # local time server
288
 
288
 
289
# SSHD rules if activate 
289
# SSHD rules if activate 
290
if [ $SSH = on ]
290
if [ $SSH = on ]
291
	then
291
	then
292
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
292
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
293
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
293
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
294
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
294
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
295
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
295
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
296
fi
296
fi
297
 
297
 
298
# Insertion de règles locales
298
# Insertion de règles locales
299
# Here, we add local rules (i.e. VPN from Internet)
299
# Here, we add local rules (i.e. VPN from Internet)
Line 301... Line 301...
301
        . /usr/local/etc/alcasar-iptables-local.sh
301
        . /usr/local/etc/alcasar-iptables-local.sh
302
fi
302
fi
303
 
303
 
304
# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN
304
# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN
305
# Deny and log on INPUT from the LAN
305
# Deny and log on INPUT from the LAN
306
$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
306
$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j NFLOG --nflog-prefix "RULE rej-int -- REJECT "
307
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
307
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
308
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
308
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
309
 
309
 
310
# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
310
# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
311
# Reject INTIF access (only when chilli is down)
311
# Reject INTIF access (only when chilli is down)
312
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
312
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE Protect1 -- REJECT "
313
$IPTABLES -A INPUT -i $INTIF -j REJECT
313
$IPTABLES -A INPUT -i $INTIF -j REJECT
314
 
314
 
315
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
315
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
316
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
316
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
317
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
317
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j NFLOG --nflog-nlgroup 3 --nflog-qthreshold 10 --nflog-prefix "RULE rej-ext -- DROP"
318
 
318
 
319
#############################
319
#############################
320
#        FORWARD            #
320
#        FORWARD            #
321
#############################
321
#############################
322
 
322
 
Line 341... Line 341...
341
	if [ $nb_uamallowed != "0" ]
341
	if [ $nb_uamallowed != "0" ]
342
	then
342
	then
343
		while read ip_allowed_line 
343
		while read ip_allowed_line 
344
		do
344
		do
345
			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
345
			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
346
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
346
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NFLOG --nflog-prefix "RULE IP-allowed -- ACCEPT "
347
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
347
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
348
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
348
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
349
		done < /usr/local/etc/alcasar-uamallowed
349
		done < /usr/local/etc/alcasar-uamallowed
350
	fi
350
	fi
351
	# Autorisation du HTTP et des protocoles non commentés
351
	# Autorisation du HTTP et des protocoles non commentés
352
	# Allow HTTP and non comment protocols
352
	# Allow HTTP and non comment protocols
353
	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
353
	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
354
	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW
354
	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW
355
	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT
355
	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT
356
	while read svc_line
356
	while read svc_line
357
	do
357
	do
358
		svc_on=`echo $svc_line|cut -b1`
358
		svc_on=`echo $svc_line|cut -b1`
Line 364... Line 364...
364
			then
364
			then
365
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
365
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
366
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
366
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
367
			else
367
			else
368
 
368
 
369
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
369
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
370
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
370
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
371
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
371
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
372
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
372
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
373
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
373
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
374
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
374
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
375
			fi
375
			fi
376
		fi
376
		fi
377
	done < /usr/local/etc/alcasar-services
377
	done < /usr/local/etc/alcasar-services
378
	# Rejet explicite des autres protocoles
378
	# Rejet explicite des autres protocoles
379
	# reject the others protocols
379
	# reject the others protocols
380
	$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
380
	$IPTABLES -A FORWARD -i $TUNIF -j NFLOG --nflog-prefix "RULE F_filter -- REJECT "
381
	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
381
	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
382
	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
382
	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
383
	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT 
383
	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT 
384
fi
384
fi
385
 
385