| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables.sh 2224 2017-05-14 14:42:05Z tom.houdayer $
|
2 |
# $Id: alcasar-iptables.sh 2234 2017-05-18 21:20:10Z richard $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| Line 56... |
Line 56... |
| 56 |
then
|
56 |
then
|
| 57 |
ipset save not_filtered > $TMP_users_set_save
|
57 |
ipset save not_filtered > $TMP_users_set_save
|
| 58 |
ipset save havp >> $TMP_users_set_save
|
58 |
ipset save havp >> $TMP_users_set_save
|
| 59 |
ipset save havp_bl >> $TMP_users_set_save
|
59 |
ipset save havp_bl >> $TMP_users_set_save
|
| 60 |
ipset save havp_wl >> $TMP_users_set_save
|
60 |
ipset save havp_wl >> $TMP_users_set_save
|
| 61 |
ipset save not_auth_yet >> $TMP_users_set_save
|
- |
|
| 62 |
ipset save users_list >> $TMP_users_set_save
|
- |
|
| 63 |
ipset save proto_0 >> $TMP_users_set_save
|
61 |
ipset save proto_0 >> $TMP_users_set_save
|
| 64 |
ipset save proto_1 >> $TMP_users_set_save
|
62 |
ipset save proto_1 >> $TMP_users_set_save
|
| 65 |
ipset save proto_2 >> $TMP_users_set_save
|
63 |
ipset save proto_2 >> $TMP_users_set_save
|
| 66 |
ipset save proto_3 >> $TMP_users_set_save
|
64 |
ipset save proto_3 >> $TMP_users_set_save
|
| 67 |
fi
|
65 |
fi
|
| Line 141... |
Line 139... |
| 141 |
else
|
139 |
else
|
| 142 |
ipset create not_filtered hash:net hashsize 1024
|
140 |
ipset create not_filtered hash:net hashsize 1024
|
| 143 |
ipset create havp hash:net hashsize 1024
|
141 |
ipset create havp hash:net hashsize 1024
|
| 144 |
ipset create havp_bl hash:net hashsize 1024
|
142 |
ipset create havp_bl hash:net hashsize 1024
|
| 145 |
ipset create havp_wl hash:net hashsize 1024
|
143 |
ipset create havp_wl hash:net hashsize 1024
|
| 146 |
#utilisé pour l'interception des utilisateurs non authentifiés au réseau
|
- |
|
| 147 |
#used for intercepting users not connected to the network
|
- |
|
| 148 |
ipset create not_auth_yet hash:net hashsize 1024
|
- |
|
| 149 |
ipset create users_list list:set
|
- |
|
| 150 |
ipset add users_list havp
|
- |
|
| 151 |
ipset add users_list havp_wl
|
- |
|
| 152 |
ipset add users_list havp_bl
|
- |
|
| 153 |
ipset add users_list not_filtered
|
- |
|
| 154 |
ipset add users_list not_auth_yet
|
- |
|
| 155 |
#pour les filtrages de protocole par utilisateur
|
144 |
#pour les filtrages de protocole par utilisateur
|
| 156 |
ipset create proto_0 hash:net hashsize 1024
|
145 |
ipset create proto_0 hash:net hashsize 1024
|
| 157 |
ipset create proto_1 hash:net hashsize 1024
|
146 |
ipset create proto_1 hash:net hashsize 1024
|
| 158 |
ipset create proto_2 hash:net hashsize 1024
|
147 |
ipset create proto_2 hash:net hashsize 1024
|
| 159 |
ipset create proto_3 hash:net hashsize 1024
|
148 |
ipset create proto_3 hash:net hashsize 1024
|
| Line 161... |
Line 150... |
| 161 |
|
150 |
|
| 162 |
#############################
|
151 |
#############################
|
| 163 |
# PREROUTING #
|
152 |
# PREROUTING #
|
| 164 |
#############################
|
153 |
#############################
|
| 165 |
|
154 |
|
| 166 |
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
|
- |
|
| 167 |
# Redirect users not connected DNS requests in DNS-Blackhole
|
- |
|
| 168 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
|
- |
|
| 169 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
|
- |
|
| 170 |
|
- |
|
| 171 |
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
|
155 |
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
|
| 172 |
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
|
156 |
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
|
| 173 |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
|
157 |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
|
| 174 |
|
158 |
|
| 175 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT
|
159 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT
|