
Rev 2899 Rev 2956
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
# $Id: alcasar-iptables.sh 2899 2020-12-14 23:21:01Z rexy $
2
# $Id: alcasar-iptables.sh 2956 2021-05-24 19:57:17Z rexy $
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4
# This script writes the netfilter rules for ALCASAR
4
# This script writes the netfilter rules for ALCASAR
5
# Rexy - 3abtux - CPN
5
# Rexy - 3abtux - CPN
6
#
6
#
7
# Reminders
7
# Reminders
Line 37... Line 37...
37
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2`	# Activation de la redirection DNS interne
37
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2`	# Activation de la redirection DNS interne
38
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
38
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
39
WL_IP_CAT="/usr/local/share/iptables-wl-enabled"			# categories files of the WhiteListed IP
39
WL_IP_CAT="/usr/local/share/iptables-wl-enabled"			# categories files of the WhiteListed IP
40
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
40
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
41
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
41
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
-
 
42
TMP_ip_gw_save="/tmp/ipset_ip_gw_save"				# tmp file for already connected ips
42
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
43
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
43
SSH=${SSH:=off}
44
SSH=${SSH:=off}
44
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
45
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
45
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
46
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
46
IPTABLES="/sbin/iptables"
47
IPTABLES="/sbin/iptables"
47
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist"		# Rehabilitated IP
48
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist"		# Rehabilitated IP
48
SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# WEB Sites allowed for all (no av and no filtering for av_bl users)
49
SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# WEB Sites allowed for all (no av and no filtering for av_bl users)
-
 
50
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
-
 
51
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
-
 
52
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
-
 
53
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
49
 
54
 
50
# Allow requests to internal DNS if activated
55
# Allow requests to internal DNS if activated
51
if [ "$INT_DNS_ACTIVE" = "on" ]
56
if [ "$INT_DNS_ACTIVE" = "on" ]
52
then
57
then
53
	DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
58
	DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
54
fi
59
fi
55
 
60
 
-
 
61
#ipset name list for load_balancing
-
 
62
gw_list="gw0"
-
 
63
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
-
 
64
	for ((i=1 ; i<=$nb_gw ; i++)); do
-
 
65
		gw_list="${gw_list} gw$i"
-
 
66
	done
-
 
67
fi
-
 
68
 
-
 
69
 
56
# Sauvegarde des SET des utilisateurs connectés si ils existent
70
# Sauvegarde des SET des utilisateurs connectés si ils existent
57
# Saving SET of connected users if it exists
71
# Saving SET of connected users if it exists
58
ipset list not_filtered 1>/dev/null 2>&1
72
ipset list not_filtered 1>/dev/null 2>&1
59
if [ $? -eq 0 ];
73
if [ $? -eq 0 ];
60
then
74
then
Line 66... Line 80...
66
	ipset save proto_1 >> $TMP_users_set_save
80
	ipset save proto_1 >> $TMP_users_set_save
67
	ipset save proto_2 >> $TMP_users_set_save
81
	ipset save proto_2 >> $TMP_users_set_save
68
	ipset save proto_3 >> $TMP_users_set_save
82
	ipset save proto_3 >> $TMP_users_set_save
69
fi
83
fi
70
 
84
 
-
 
85
# Sauvegarde de la liste de toutes les IP déjà connectées pour les réintégrer dans le load balancing
-
 
86
# Saving all of the already connected IP in order to put them back in the load balancing after
-
 
87
if [ ! -f $TMP_ip_gw_save ];then
-
 
88
	# Save only if alcasar-network.sh --save has not been executed before
-
 
89
	for i in $gw_list;do
-
 
90
		ipset list $i 1>/dev/null 2>&1
-
 
91
		if [ $? -eq 0 ]
-
 
92
		then
-
 
93
			# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines execpt the members
-
 
94
			ipset list $i | cut -d":" -f5 | sed '/^[[:space:]]*$/d' >> $TMP_ip_gw_save
-
 
95
		fi
-
 
96
	done
-
 
97
fi
-
 
98
 
71
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)
99
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)
72
# loading of NetFlow probe (ipt_NETFLOW kernel module)
100
# loading of NetFlow probe (ipt_NETFLOW kernel module)
73
modprobe ipt_NETFLOW destination=127.0.0.1:2055
101
modprobe ipt_NETFLOW destination=127.0.0.1:2055
74
 
102
 
75
# Effacement des règles existantes
103
# Effacement des règles existantes
Line 158... Line 186...
158
	ipset create proto_1 hash:ip hashsize 1024
186
	ipset create proto_1 hash:ip hashsize 1024
159
	ipset create proto_2 hash:ip hashsize 1024
187
	ipset create proto_2 hash:ip hashsize 1024
160
	ipset create proto_3 hash:ip hashsize 1024
188
	ipset create proto_3 hash:ip hashsize 1024
161
fi
189
fi
162
 
190
 
-
 
191
#ipsets for load balancing
-
 
192
for i in $gw_list; do
-
 
193
	ipset create $i hash:ip
-
 
194
done
-
 
195
cat $TMP_ip_gw_save | while read ip; do
-
 
196
	gw_min="gw0"
-
 
197
	weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2`
-
 
198
	already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2`
-
 
199
	#The *1000 is here to avoid working on floats in bash
-
 
200
	gw_min_value=$((1000 * $already / $weight))
-
 
201
	i=1
-
 
202
	for gw in $gw_list;do
-
 
203
		if [ "$gw" != "gw0" ]; then
-
 
204
			weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'`
-
 
205
			already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2`
-
 
206
			value=$((1000 * $already / $weight))
-
 
207
			if [ $value -lt $gw_min_value ]
-
 
208
			then
-
 
209
				gw_min_value=$value
-
 
210
				gw_min=$gw
-
 
211
			fi
-
 
212
			i=$(($i+1))
-
 
213
		fi
-
 
214
	done
-
 
215
	ipset add $gw_min $ip
-
 
216
done
-
 
217
rm -f $TMP_ip_gw_save
-
 
218
 
-
 
219
 
-
 
220
 
163
#############################
221
#############################
164
#       PREROUTING          #
222
#       PREROUTING          #
165
#############################
223
#############################
166
 
224
 
-
 
225
 
167
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
226
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
168
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
227
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
169
# 8080 = ipset av_bl
228
# 8080 = ipset av_bl
170
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
229
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
171
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
230
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
Line 194... Line 253...
194
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54
253
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54
195
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54
254
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54
196
# 55 = ipset av_wl
255
# 55 = ipset av_wl
197
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55
256
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55
198
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55
257
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55
199
# 53 = all other users 
258
# 53 = all other users
200
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
259
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
201
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
260
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
202
 
261
 
203
# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
262
# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
204
# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)
263
# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)
Line 215... Line 274...
215
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
274
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
216
 
275
 
217
# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian
276
# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian
218
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian
277
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian
219
# 8080 = ipset av_bl
278
# 8080 = ipset av_bl
-
 
279
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport http -j MARK --set-mark 200
220
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport http -j REDIRECT --to-port 8080
280
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport http -j REDIRECT --to-port 8080
221
# 8090 = ipset av_wl & av
281
# 8090 = ipset av_wl & av
222
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
282
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
223
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
283
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
224
 
284
 
Line 230... Line 290...
230
 
290
 
231
# Redirection des requêtes NTP vers le serveur NTP local
291
# Redirection des requêtes NTP vers le serveur NTP local
232
# Redirect NTP request in local NTP server
292
# Redirect NTP request in local NTP server
233
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
293
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
234
 
294
 
-
 
295
#Récupération de la marque associée à une gw pour chaque connection
-
 
296
$IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark
-
 
297
 
-
 
298
if [ "$PROXY" == "on" ] || [ "$PROXY" == "On" ];then
-
 
299
	$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp -m multiport --dports http,https -j DNAT --to-destination $PROXY_IP
-
 
300
fi
-
 
301
 
-
 
302
#Marquage pour le load balancing
-
 
303
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
-
 
304
	temp_index=200
-
 
305
	for i in $gw_list; do
-
 
306
		$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index
-
 
307
		temp_index=$(($temp_index+1))
-
 
308
	done
-
 
309
fi
-
 
310
 
-
 
311
 
235
#############################
312
#############################
236
#         INPUT             #
313
#         INPUT             #
237
#############################
314
#############################
238
 
315
 
239
# Tout passe sur loopback
316
# Tout passe sur loopback
240
# accept all on loopback
317
# accept all on loopback
241
$IPTABLES -A INPUT -i lo -j ACCEPT
318
$IPTABLES -A INPUT -i lo -j ACCEPT
242
$IPTABLES -A OUTPUT -o lo -j ACCEPT
319
$IPTABLES -A OUTPUT -o lo -j ACCEPT
243
 
320
 
244
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
321
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
245
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
322
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST and NEW not SYN)
246
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
323
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
247
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
324
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
248
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
325
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
249
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
326
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
250
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
327
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
Line 453... Line 530...
453
 
530
 
454
# On autorise les requêtes HTTP et HTTPS avec log Netflow (en provenance de E2guardian)
531
# On autorise les requêtes HTTP et HTTPS avec log Netflow (en provenance de E2guardian)
455
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)
532
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)
456
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
533
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
457
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
534
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
458
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)  
535
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)
459
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
536
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
460
 
537
 
461
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
538
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
462
# RSYNC requests are allowed (update of Toulouse BL)
539
# RSYNC requests are allowed (update of Toulouse BL)
463
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
540
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
Line 487... Line 564...
487
#############################
564
#############################
488
# Traduction dynamique d'adresse en sortie
565
# Traduction dynamique d'adresse en sortie
489
# Dynamic NAT on EXTIF
566
# Dynamic NAT on EXTIF
490
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
567
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
491
 
568
 
-
 
569
#Sauvegarde de la marque associée à la connexion pour le load balancing
-
 
570
$IPTABLES -A POSTROUTING -t mangle -j CONNMARK --save-mark
-
 
571
 
492
#############################
572
#############################
493
#          FAIL2BAN         #
573
#          FAIL2BAN         #
494
#############################
574
#############################
495
# Reload Fail2Ban
575
# Reload Fail2Ban
496
if systemctl -q is-active fail2ban; then
576
if systemctl -q is-active fail2ban; then
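Review bot: The new TMP_ip_gw_save file is a fixed path under /tmp that root appends to with `>>` (hunk at old line 66 / new line 80) and whose lines are later handed straight to `ipset add $gw_min $ip` (hunk at old line 158 / new line 186). In a world-writable directory a predictable name can be pre-created or replaced by a local user, and because the `if [ ! -f $TMP_ip_gw_save ]` guard then skips the save, planted content would stand in for the real member list and be loaded into the load-balancing sets without validation. The existing TMP_users_set_save follows the same pattern, so this extends a pre-existing convention, but a root-owned runtime directory outside /tmp, or at least a sanity check on each line before the `ipset add` (e.g. `[[ "$ip" =~ ^[0-9.]+$ ]] || continue`), would narrow it. Separately, `gw_min_value=$((1000 * $already / $weight))` and the matching `value=` line in the inner loop raise a bash arithmetic error when PUBLIC_WEIGHT or the parsed WAN weight is empty or 0, after which the unquoted `[ $value -lt $gw_min_value ]` fails and every IP silently ends up in gw0; a guard such as `[ "${weight:-0}" -gt 0 ] || continue` on the inner-loop weight (and an equivalent check before the first division) would make that failure visible instead.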