1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 2956 2021-05-24 19:57:17Z rexy $
|
2 |
# $Id: alcasar-iptables.sh 2998 2022-03-15 16:44:20Z rexy $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
446 |
# filtrage protocole par utilisateur (profile 1 : http, https)
|
446 |
# filtrage protocole par utilisateur (profile 1 : http, https)
|
447 |
# protocols filtering for users (profil 1 : http, https)
|
447 |
# protocols filtering for users (profil 1 : http, https)
|
448 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
448 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
449 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
449 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
450 |
|
450 |
|
451 |
# filtrage protocole par utilisateur (profile 2 : http https pop3 pop3s imap imaps ftp sftp ssh)
|
451 |
# filtrage protocole par utilisateur (profile 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh)
|
452 |
# protocols filtering for users (profil 2 : http https pop3 pop3s imap imaps ftp sftp ssh)
|
452 |
# protocols filtering for users (profil 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh)
|
453 |
|
453 |
|
454 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
454 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
455 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ssh -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
455 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
456 |
|
456 |
|
457 |
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
|
457 |
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
|
458 |
# protocols filtering for users (profil 3 : customized with ACC)
|
458 |
# protocols filtering for users (profil 3 : customized with ACC)
|
459 |
custom_tcp_protocols_list='';custom_udp_protocols_list=''
|
459 |
custom_tcp_protocols_list='';custom_udp_protocols_list=''
|
460 |
while read svc_line
|
460 |
while read svc_line
|