WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables-bypass.sh



#!/bin/bash
# $Id: alcasar-iptables-bypass.sh 2355 2017-07-26 22:11:27Z tom.houdayer $
 
# alcasar-iptables-bypass.sh
# by Rexy - 3abtux
# This script is distributed under the Gnu General Public License (GPL)
 

	do
		ip_on=`echo $ip_line|cut -b1`
		if [ $ip_on != "#" ]
		then	
			ip_blocked=`echo $ip_line|cut -d" " -f1`
			$IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-group 1 --nflog-prefix "RULE IP-blocked -- REJECT "
			$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
		fi
	done < /usr/local/etc/alcasar-ip-blocked
fi
 

# On autorise les retours de connexions légitimes par FORWARD
# Conntrack on forward
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On autorise les demandes de connexions sortantes
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE Transfert -- ACCEPT "
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
 
# On autorise les flux entrant ntp et dns via INTIF
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
 
# On autorise le retour des connexions entrante déjà acceptées
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On interdit et on log le reste sur les 2 interfaces d'accès
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $EXTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-ext -- REJECT "
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 
# On active le masquage d'adresse par translation (NAT)
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables-bypass.sh – Rev 2353 → 2355

Rev 2353		Rev 2355
Line 1...		Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-iptables-bypass.sh 2353 2017-07-25 21:39:16Z tom.houdayer $`	2	`# $Id: alcasar-iptables-bypass.sh 2355 2017-07-26 22:11:27Z tom.houdayer $`
3		3
4	`# alcasar-iptables-bypass.sh`	4	`# alcasar-iptables-bypass.sh`
5	`# by Rexy - 3abtux`	5	`# by Rexy - 3abtux`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7		7
Line 60...		Line 60...
60	`do`	60	`do`
61	ip_on=`echo $ip_line\|cut -b1`	61	ip_on=`echo $ip_line\|cut -b1`
62	`if [ $ip_on != "#" ]`	62	`if [ $ip_on != "#" ]`
63	`then`	63	`then`
64	ip_blocked=`echo $ip_line\|cut -d" " -f1`	64	ip_blocked=`echo $ip_line\|cut -d" " -f1`
65	`$IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-prefix "RULE IP-blocked -- REJECT "`	65	`$IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-group 1 --nflog-prefix "RULE IP-blocked -- REJECT "`
66	`$IPTABLES -A FORWARD -d $ip_blocked -j REJECT`	66	`$IPTABLES -A FORWARD -d $ip_blocked -j REJECT`
67	`fi`	67	`fi`
68	`done < /usr/local/etc/alcasar-ip-blocked`	68	`done < /usr/local/etc/alcasar-ip-blocked`
69	`fi`	69	`fi`
70		70
Line 98...		Line 98...
98	`# On autorise les retours de connexions légitimes par FORWARD`	98	`# On autorise les retours de connexions légitimes par FORWARD`
99	`# Conntrack on forward`	99	`# Conntrack on forward`
100	`$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT`	100	`$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT`
101		101
102	`# On autorise les demandes de connexions sortantes`	102	`# On autorise les demandes de connexions sortantes`
103	`$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-prefix "RULE Transfert -- ACCEPT "`	103	`$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE Transfert -- ACCEPT "`
104	`$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT`	104	`$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT`
105		105
106	`# On autorise les flux entrant ntp et dns via INTIF`	106	`# On autorise les flux entrant ntp et dns via INTIF`
107	`$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT`	107	`$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT`
108	`$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT`	108	`$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT`
109		109
110	`# On autorise le retour des connexions entrante déjà acceptées`	110	`# On autorise le retour des connexions entrante déjà acceptées`
111	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`	111	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
112		112
113	`# On interdit et on log le reste sur les 2 interfaces d'accès`	113	`# On interdit et on log le reste sur les 2 interfaces d'accès`
114	`$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE rej-int -- REJECT "`	114	`$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-int -- REJECT "`
115	`$IPTABLES -A INPUT -i $EXTIF -j NFLOG --nflog-prefix "RULE rej-ext -- REJECT "`	115	`$IPTABLES -A INPUT -i $EXTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-ext -- REJECT "`
116	`$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset`	116	`$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset`
117	`$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable`	117	`$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable`
118		118
119	`# On active le masquage d'adresse par translation (NAT)`	119	`# On active le masquage d'adresse par translation (NAT)`
120	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`	120	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`