WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh



#!/bin/bash
# $Id: alcasar-iptables.sh 2187 2017-04-27 22:18:45Z richard $
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script writes the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders

#        FORWARD            #
#############################
 
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl
# Deny IPs of the SET bl_ip_blocked for the set havp_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 
# Rejet des requêtes DNS vers Internet
# Deny forward DNS
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable

Rev 2184	Rev 2187
Line 1...	Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-iptables.sh 2184 2017-04-26 17:15:13Z richard $`	2	`# $Id: alcasar-iptables.sh 2187 2017-04-27 22:18:45Z richard $`
3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`	3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`
4	`# This script writes the netfilter rules for ALCASAR`	4	`# This script writes the netfilter rules for ALCASAR`
5	`# Rexy - 3abtux - CPN`	5	`# Rexy - 3abtux - CPN`
6	`#`	6	`#`
7	`# Reminders`	7	`# Reminders`
Line 354...	Line 354...
354	`# FORWARD #`	354	`# FORWARD #`
355	`#############################`	355	`#############################`
356		356
357	`# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl`	357	`# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl`
358	`# Deny IPs of the SET bl_ip_blocked for the set havp_bl`	358	`# Deny IPs of the SET bl_ip_blocked for the set havp_bl`
359	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-proto-unreachable`	359	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited`
360	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable`	360	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited`
361	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset`	361	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset`
362		362
363	`# Rejet des requêtes DNS vers Internet`	363	`# Rejet des requêtes DNS vers Internet`
364	`# Deny forward DNS`	364	`# Deny forward DNS`
365	`$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable`	365	`$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable`

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh @ 2213 – Rev 2184 → 2187