Subversion Repositories ALCASAR

Rev

Rev 2674 | Rev 2841 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2674 Rev 2688
Line 1... Line 1...
1 
#!/bin/bash
 1 
#!/bin/bash
2 
# $Id: alcasar-iptables.sh 2674 2018-12-13 18:15:20Z lucas.echard $
 2 
# $Id: alcasar-iptables.sh 2688 2019-01-18 23:15:49Z lucas.echard $
3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4 
# This script writes the netfilter rules for ALCASAR
 4 
# This script writes the netfilter rules for ALCASAR
5 
# Rexy - 3abtux - CPN
 5 
# Rexy - 3abtux - CPN
6 
#
 6 
#
7 
# Reminders
 7 
# Reminders
Line 31... Line 31...
31 
dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
 31 
dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
32 
dns2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2`
 32 
dns2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2`
33 
dns1=${dns1:=208.67.220.220}
 33 
dns1=${dns1:=208.67.220.220}
34 
dns2=${dns2:=208.67.222.222}
 34 
dns2=${dns2:=208.67.222.222}
35 
DNSSERVERS="$dns1,$dns2"						# first and second public DNS servers
 35 
DNSSERVERS="$dns1,$dns2"						# first and second public DNS servers
- 
 
 36 
INT_DNS_IP=`grep INT_DNS_IP $CONF_FILE|cut -d"=" -f2`			# Adresse du serveur DNS interne
- 
 
 37 
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2`	# Activation de la redirection DNS interne
36 
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
 38 
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
37 
WL_IP_CAT="/usr/local/share/iptables-wl-enabled"			# categories files of the WhiteListed IP
 39 
WL_IP_CAT="/usr/local/share/iptables-wl-enabled"			# categories files of the WhiteListed IP
38 
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
 40 
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
39 
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
 41 
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
40 
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
 42 
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
Line 43... Line 45...
43 
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
 45 
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
44 
IPTABLES="/sbin/iptables"
 46 
IPTABLES="/sbin/iptables"
45 
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist"		# Rehabilitated IP
 47 
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist"		# Rehabilitated IP
46 
SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# Site Direct (no havp and no filtrage) for user BL
 48 
SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# Site Direct (no havp and no filtrage) for user BL
47 
 
 49 
 
- 
 
 50 
# Allow requests to internal DNS if activated
- 
 
 51 
if [ "$INT_DNS_ACTIVE" = "on" ]
- 
 
 52 
then
- 
 
 53 
	DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
- 
 
 54 
fi
- 
 
 55 
 
48 
# Sauvegarde des SET des utilisateurs connectés si ils existent
 56 
# Sauvegarde des SET des utilisateurs connectés si ils existent
49 
# Saving SET of connected users if it exists
 57 
# Saving SET of connected users if it exists
50 
ipset list not_filtered 1>/dev/null 2>&1
 58 
ipset list not_filtered 1>/dev/null 2>&1
51 
if [ $? -eq 0 ];
 59 
if [ $? -eq 0 ];
52 
then
 60 
then
Line 109... Line 117...
109 
ipset -! restore < $TMP_set_save
 117 
ipset -! restore < $TMP_set_save
110 
rm -f $TMP_set_save
 118 
rm -f $TMP_set_save
111 
# Suppression des ip réhabilitées / Removing of rehabilitated ip
 119 
# Suppression des ip réhabilitées / Removing of rehabilitated ip
112 
for ip in $(cat $IP_REHABILITEES)
 120 
for ip in $(cat $IP_REHABILITEES)
113 
do
 121 
do
114 
	ipset del bl_ip_blocked $ip
 122 
	ipset -q del bl_ip_blocked $ip
115 
done
 123 
done
116 
 
 124 
 
117 
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés
 125 
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés
118 
ipset create site_direct hash:net hashsize 1024
 126 
ipset create site_direct hash:net hashsize 1024
119 
for site in $(cat $SITE_DIRECT)
 127 
for site in $(cat $SITE_DIRECT)
120 
do
 128 
do
121 
        ipset add site_direct $site
 129 
    ipset add site_direct $site
122 
done
 130 
done
123 
 
 131 
 
124 
###### WL set  ###########
 132 
###### WL set  ###########
125 
# taille fixe, car peupler par dnsmasq / fixe length due to dnsmasq dynamic loading
 133 
# taille fixe, car peuplé par dnsmasq / fixe length due to dnsmasq dynamic loading
126 
wl_set_length=65536
 134 
wl_set_length=65536
127 
# Chargement Loading
 135 
# Chargement Loading
128 
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
 136 
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
129 
#get ip-wl files from ACC
 137 
#get ip-wl files from ACC
130 
for category in `ls -1 $WL_IP_CAT |cut -d '@' -f1`
 138 
for category in `ls -1 $WL_IP_CAT |cut -d '@' -f1`
Line 283... Line 291...
283 
# On interdit les connexions directes au port 56 (DNS-Blackhole). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
 291 
# On interdit les connexions directes au port 56 (DNS-Blackhole). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
284 
# Deny direct connections on port 56 (DNS-blackhole). The concerned paquets are marked in mangle table (PREROUTING)
 292 
# Deny direct connections on port 56 (DNS-blackhole). The concerned paquets are marked in mangle table (PREROUTING)
285 
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
 293 
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
286 
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset
 294 
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset
287 
 
 295 
 
288 
# autorisation des connexion légitime à DNSMASQ (avec blacklist)
 296 
# autorisation des connexion légitime à Unbound (avec blacklist)
289 
# Allow connections for DNSMASQ (with blacklist)
 297 
# Allow connections for Unbound (with blacklist)
290 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
 298 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
291 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
 299 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT
292 
 
 300 
 
293 
# autorisation des connexion légitime à DNSMASQ (avec whitelist)
 301 
# autorisation des connexion légitime à Unbound (avec whitelist)
294 
# Allow connections for DNSMASQ (with whitelist)
 302 
# Allow connections for Unbound (with whitelist)
295 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
 303 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
296 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
 304 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT
297 
 
 305 
 
298 
# autorisation des connexion légitime à DNSMASQ (mode blackhole)
 306 
# autorisation des connexion légitime à Unbound (mode blackhole)
299 
# Allow connections for DNSMASQ (blackhole mode)
 307 
# Allow connections for Unbound (blackhole mode)
300 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT
 308 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT
301 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT
 309 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT
302 
 
 310 
 
303 
# Accès direct aux services internes
 311 
# Accès direct aux services internes
304 
# Internal services access
 312 
# Internal services access
Line 384... Line 392...
384 
custom_tcp_protocols_list='';custom_udp_protocols_list=''
 392 
custom_tcp_protocols_list='';custom_udp_protocols_list=''
385 
while read svc_line
 393 
while read svc_line
386 
do
 394 
do
387 
	svc_on=`echo $svc_line|cut -b1`
 395 
	svc_on=`echo $svc_line|cut -b1`
388 
	if [ $svc_on != "#" ]
 396 
	if [ $svc_on != "#" ]
389 
	then
397 
	then
390 
		svc_name=`echo $svc_line|cut -d" " -f1`
 398 
		svc_name=`echo $svc_line|cut -d" " -f1`
391 
		svc_port=`echo $svc_line|cut -d" " -f2`
 399 
		svc_port=`echo $svc_line|cut -d" " -f2`
392 
		if [ $svc_name = "icmp" ]
 400 
		if [ $svc_name = "icmp" ]
393 
		then
 401 
		then
394 
			svc_icmp="on"
 402 
			svc_icmp="on"