Subversion Repositories ALCASAR

Rev

Rev 2674 | Rev 2841 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2674 Rev 2688
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
# $Id: alcasar-iptables.sh 2674 2018-12-13 18:15:20Z lucas.echard $
2
# $Id: alcasar-iptables.sh 2688 2019-01-18 23:15:49Z lucas.echard $
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4
# This script writes the netfilter rules for ALCASAR
4
# This script writes the netfilter rules for ALCASAR
5
# Rexy - 3abtux - CPN
5
# Rexy - 3abtux - CPN
6
#
6
#
7
# Reminders
7
# Reminders
Line 31... Line 31...
31
dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
31
dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
32
dns2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2`
32
dns2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2`
33
dns1=${dns1:=208.67.220.220}
33
dns1=${dns1:=208.67.220.220}
34
dns2=${dns2:=208.67.222.222}
34
dns2=${dns2:=208.67.222.222}
35
DNSSERVERS="$dns1,$dns2"						# first and second public DNS servers
35
DNSSERVERS="$dns1,$dns2"						# first and second public DNS servers
-
 
36
INT_DNS_IP=`grep INT_DNS_IP $CONF_FILE|cut -d"=" -f2`			# Adresse du serveur DNS interne
-
 
37
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2`	# Activation de la redirection DNS interne
36
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
38
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
37
WL_IP_CAT="/usr/local/share/iptables-wl-enabled"			# categories files of the WhiteListed IP
39
WL_IP_CAT="/usr/local/share/iptables-wl-enabled"			# categories files of the WhiteListed IP
38
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
40
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
39
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
41
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
40
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
42
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
Line 43... Line 45...
43
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
45
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
44
IPTABLES="/sbin/iptables"
46
IPTABLES="/sbin/iptables"
45
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist"		# Rehabilitated IP
47
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist"		# Rehabilitated IP
46
SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# Site Direct (no havp and no filtrage) for user BL
48
SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# Site Direct (no havp and no filtrage) for user BL
47
 
49
 
-
 
50
# Allow requests to internal DNS if activated
-
 
51
if [ "$INT_DNS_ACTIVE" = "on" ]
-
 
52
then
-
 
53
	DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
-
 
54
fi
-
 
55
 
48
# Sauvegarde des SET des utilisateurs connectés si ils existent
56
# Sauvegarde des SET des utilisateurs connectés si ils existent
49
# Saving SET of connected users if it exists
57
# Saving SET of connected users if it exists
50
ipset list not_filtered 1>/dev/null 2>&1
58
ipset list not_filtered 1>/dev/null 2>&1
51
if [ $? -eq 0 ];
59
if [ $? -eq 0 ];
52
then
60
then
Line 109... Line 117...
109
ipset -! restore < $TMP_set_save
117
ipset -! restore < $TMP_set_save
110
rm -f $TMP_set_save
118
rm -f $TMP_set_save
111
# Suppression des ip réhabilitées / Removing of rehabilitated ip
119
# Suppression des ip réhabilitées / Removing of rehabilitated ip
112
for ip in $(cat $IP_REHABILITEES)
120
for ip in $(cat $IP_REHABILITEES)
113
do
121
do
114
	ipset del bl_ip_blocked $ip
122
	ipset -q del bl_ip_blocked $ip
115
done
123
done
116
 
124
 
117
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés
125
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés
118
ipset create site_direct hash:net hashsize 1024
126
ipset create site_direct hash:net hashsize 1024
119
for site in $(cat $SITE_DIRECT)
127
for site in $(cat $SITE_DIRECT)
120
do
128
do
121
        ipset add site_direct $site
129
    ipset add site_direct $site
122
done
130
done
123
 
131
 
124
###### WL set  ###########
132
###### WL set  ###########
125
# taille fixe, car peupler par dnsmasq / fixe length due to dnsmasq dynamic loading
133
# taille fixe, car peuplé par dnsmasq / fixe length due to dnsmasq dynamic loading
126
wl_set_length=65536
134
wl_set_length=65536
127
# Chargement Loading
135
# Chargement Loading
128
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
136
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
129
#get ip-wl files from ACC
137
#get ip-wl files from ACC
130
for category in `ls -1 $WL_IP_CAT |cut -d '@' -f1`
138
for category in `ls -1 $WL_IP_CAT |cut -d '@' -f1`
Line 283... Line 291...
283
# On interdit les connexions directes au port 56 (DNS-Blackhole). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
291
# On interdit les connexions directes au port 56 (DNS-Blackhole). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
284
# Deny direct connections on port 56 (DNS-blackhole). The concerned paquets are marked in mangle table (PREROUTING)
292
# Deny direct connections on port 56 (DNS-blackhole). The concerned paquets are marked in mangle table (PREROUTING)
285
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
293
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
286
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset
294
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset
287
 
295
 
288
# autorisation des connexion légitime à DNSMASQ (avec blacklist)
296
# autorisation des connexion légitime à Unbound (avec blacklist)
289
# Allow connections for DNSMASQ (with blacklist)
297
# Allow connections for Unbound (with blacklist)
290
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
298
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
291
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
299
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
292
 
300
 
293
# autorisation des connexion légitime à DNSMASQ (avec whitelist)
301
# autorisation des connexion légitime à Unbound (avec whitelist)
294
# Allow connections for DNSMASQ (with whitelist)
302
# Allow connections for Unbound (with whitelist)
295
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
303
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
296
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
304
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
297
 
305
 
298
# autorisation des connexion légitime à DNSMASQ (mode blackhole)
306
# autorisation des connexion légitime à Unbound (mode blackhole)
299
# Allow connections for DNSMASQ (blackhole mode)
307
# Allow connections for Unbound (blackhole mode)
300
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT
308
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT
301
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT
309
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT
302
 
310
 
303
# Accès direct aux services internes
311
# Accès direct aux services internes
304
# Internal services access
312
# Internal services access
Line 384... Line 392...
384
custom_tcp_protocols_list='';custom_udp_protocols_list=''
392
custom_tcp_protocols_list='';custom_udp_protocols_list=''
385
while read svc_line
393
while read svc_line
386
do
394
do
387
	svc_on=`echo $svc_line|cut -b1`
395
	svc_on=`echo $svc_line|cut -b1`
388
	if [ $svc_on != "#" ]
396
	if [ $svc_on != "#" ]
389
	then	
397
	then
390
		svc_name=`echo $svc_line|cut -d" " -f1`
398
		svc_name=`echo $svc_line|cut -d" " -f1`
391
		svc_port=`echo $svc_line|cut -d" " -f2`
399
		svc_port=`echo $svc_line|cut -d" " -f2`
392
		if [ $svc_name = "icmp" ]
400
		if [ $svc_name = "icmp" ]
393
		then
401
		then
394
			svc_icmp="on"
402
			svc_icmp="on"