WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh

 #!/bin/bash
-# $Id: alcasar-iptables.sh 2840 2020-06-27 22:35:40Z rexy $
+# $Id: alcasar-iptables.sh 2841 2020-06-28 21:49:00Z rexy $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
+#
 # Reminders
 SSH=${SSH:=off}
 SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
 SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
 IPTABLES="/sbin/iptables"
 IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist"		# Rehabilitated IP
-SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# Site Direct (no havp and no filtrage) for user BL
+SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# WEB Sites allowed for all (no av and no filtering for av_bl users)
 # Allow requests to internal DNS if activated
 if [ "$INT_DNS_ACTIVE" = "on" ]
 then
 	DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
 # Saving SET of connected users if it exists
 ipset list not_filtered 1>/dev/null 2>&1
 if [ $? -eq 0 ];
 then
 	ipset save not_filtered > $TMP_users_set_save
-	ipset save havp >> $TMP_users_set_save
+	ipset save av >> $TMP_users_set_save
-	ipset save havp_bl >> $TMP_users_set_save
+	ipset save av_bl >> $TMP_users_set_save
-	ipset save havp_wl >> $TMP_users_set_save
+	ipset save av_wl >> $TMP_users_set_save
 	ipset save proto_0 >> $TMP_users_set_save
 	ipset save proto_1 >> $TMP_users_set_save
 	ipset save proto_2 >> $TMP_users_set_save
 	ipset save proto_3 >> $TMP_users_set_save
 fi
 for ip in $(cat $IP_REHABILITEES)
 do
 	ipset -q del bl_ip_blocked $ip
 done
-# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés
+# ipset for exception web sites (usefull for filtered users = av_bl)
 ipset create site_direct hash:net hashsize 1024
 for site in $(cat $SITE_DIRECT)
 do
     ipset add site_direct $site
 done
 then
 	ipset -! restore < $TMP_users_set_save
 	rm -f $TMP_users_set_save
 else
 	ipset create not_filtered hash:ip hashsize 1024
-	ipset create havp hash:ip hashsize 1024
+	ipset create av hash:ip hashsize 1024
-	ipset create havp_bl hash:ip hashsize 1024
+	ipset create av_bl hash:ip hashsize 1024
-	ipset create havp_wl hash:ip hashsize 1024
+	ipset create av_wl hash:ip hashsize 1024
 	# pour les filtrages de protocole par utilisateur / For network protocols filtering by user
 	ipset create proto_0 hash:ip hashsize 1024
 	ipset create proto_1 hash:ip hashsize 1024
 	ipset create proto_2 hash:ip hashsize 1024
 	ipset create proto_3 hash:ip hashsize 1024
 #       PREROUTING          #
 #############################
 # Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
 # Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
-# 8080 = ipset havp_bl
+# 8080 = ipset av_bl
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
-# 8090 = ipset havp_wl + havp
+# 8090 = ipset av_wl + av
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
-# 8443 = tranparent HTTPS for ipsets havp_bl + havp_wl + havp
+# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6
 # Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT
 # Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules
-# 54 = ipset havp_bl
+# 54 = ipset av_bl
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j MARK --set-mark 3
-# 55 = ipset havp_wl
+# 55 = ipset av_wl
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 55 -j MARK --set-mark 4
 # 56 = blackall
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 56 -j MARK --set-mark 5
 # redirection DNS des usagers
 # users DNS redirection
-# 54 = ipset havp_bl
+# 54 = ipset av_bl
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p udp --dport domain -j REDIRECT --to-port 54
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p tcp --dport domain -j REDIRECT --to-port 54
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54
-# 55 = ipset havp_wl
+# 55 = ipset av_wl
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p udp --dport domain -j REDIRECT --to-port 55
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p tcp --dport domain -j REDIRECT --to-port 55
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55
 # 53 = all other users
 $IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
 $IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
 # Redirection des requêtes HTTP des usagers vers E2guardian
 # Redirect outbound users HTTP requests to E2guardian
-# 8080 = ipset havp_bl
+# 8080 = ipset av_bl
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport http -j REDIRECT --to-port 8080
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport http -j REDIRECT --to-port 8080
-# 8090 = ipset havp_wl & havp
+# 8090 = ipset av_wl & av
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
-# Redirection des requêtes HTTPS sortantes des usagers havp_bl + havp_wl + havp vers E2Guardian
+# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian
-# Redirect outbound HTTPS requests of havp_bl + havp_wl + havp users to E2Guardian
+# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
-# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
+# Journalisation HTTP_Internet des usagers 'av_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
-# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
+# Log Internet HTTP of 'av_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
-# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
+# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
-# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
+# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
-# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
+# Redirection HTTP des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
-# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
+# Redirect HTTP of 'av_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 # Redirection des requêtes NTP vers le serveur NTP local
 # Redirect NTP request in local NTP server
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
 # Conntrack on INPUT
 $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
 # Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING)
-$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # havp_bl
+$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl
-$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # havp_wl+havp
+$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av
-$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # havp_bl+havp_wl+havp
+$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av
 # On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian
 # Allow HTTP connections to E2Guardian
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m conntrack --ctstate NEW --syn -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
 $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 5 -j REJECT --reject-with tcp-reset
 # On autorise les connexion DNS légitime
 # Allow DNS connections
-# ipset = havp_bl
+# ipset = av_bl
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
-# ipset = havp_wl
+# ipset = av_wl
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
 # blackall
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT
 #############################
 #        FORWARD            #
 #############################
-# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl
+# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
-# Deny IPs of the SET bl_ip_blocked for the set havp_bl
+# Deny IPs of the SET bl_ip_blocked for the set av_bl
-$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
+$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
-$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
+$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
-$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
+$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 # Active le suivi de session
 # Allow Conntrack
 $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 		fi
 		$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports $custom_tcp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
 		$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 	fi
-# Blocage des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL
+# Blocage des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL
-# Block 'havp_wl' users who want IP not in the WL
+# Block 'av_wl' users who want IP not in the WL
-$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -j DROP
+$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -j DROP
 # journalisation et autorisation des connections sortant du LAN
 # Allow forward connections with log
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j NETFLOW
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j ACCEPT

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 2840 → 2841