1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 2454 2017-12-09 18:59:31Z tom.houdayer $
|
2 |
# $Id: alcasar-iptables.sh 2465 2017-12-17 23:00:14Z richard $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
41 |
SSH=${SSH:=off}
|
41 |
SSH=${SSH:=off}
|
42 |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
|
42 |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
|
43 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
43 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
44 |
LDAP=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2` # LDAP external server active (on/off)
|
44 |
LDAP=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2` # LDAP external server active (on/off)
|
45 |
LDAP=${LDAP:=off}
|
45 |
LDAP=${LDAP:=off}
|
46 |
LDAP_IP=`grep ^LDAP_IP= $CONF_FILE|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
|
46 |
LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
|
47 |
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
|
47 |
LDAP_SERVER=${LDAP_SERVER:="0.0.0.0/0.0.0.0"}
|
48 |
IPTABLES="/sbin/iptables"
|
48 |
IPTABLES="/sbin/iptables"
|
49 |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
|
49 |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
|
50 |
|
50 |
|
51 |
# Sauvegarde des SET des utilisateurs connectés si ils existent
|
51 |
# Sauvegarde des SET des utilisateurs connectés si ils existent
|
52 |
# Saving SET of connected users if it exists
|
52 |
# Saving SET of connected users if it exists
|
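Review bot: The key read from $CONF_FILE on new line 46 changes from LDAP_IP to LDAP_SERVER, so a conf file that still carries LDAP_IP= yields an empty value and the default on line 47 becomes 0.0.0.0/0.0.0.0, which makes the OUTPUT rules on new lines 480-481 accept ldap/ldaps to any destination whenever LDAP=on; presumably an installer or upgrade step rewrites the key, but that is not visible in this commit. If no such migration exists, reading the old key as a fallback keeps the restriction in place: `LDAP_SERVER=${LDAP_SERVER:-$(grep '^LDAP_IP=' "$CONF_FILE" | cut -d= -f2)}` inserted before the default on line 47. The expansions are still unquoted on lines 46-47 and in the iptables calls on lines 480-481; `grep '^LDAP_SERVER=' "$CONF_FILE"` and `-d "$LDAP_SERVER"` prevent a malformed conf value from being word-split into extra iptables arguments.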
475 |
|
475 |
|
476 |
# On autorise les requêtes LDAP si un serveur externe est configué
|
476 |
# On autorise les requêtes LDAP si un serveur externe est configué
|
477 |
# LDAP requests are allowed if an external server is declared
|
477 |
# LDAP requests are allowed if an external server is declared
|
478 |
if [ $LDAP = on ]
|
478 |
if [ $LDAP = on ]
|
479 |
then
|
479 |
then
|
480 |
$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
|
480 |
$IPTABLES -A OUTPUT -p tcp -d $LDAP_SERVER -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
|
481 |
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
|
481 |
$IPTABLES -A OUTPUT -p udp -d $LDAP_SERVER -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
|
482 |
fi
|
482 |
fi
|
483 |
|
483 |
|
484 |
#############################
|
484 |
#############################
|
485 |
# POSTROUTING #
|
485 |
# POSTROUTING #
|
486 |
#############################
|
486 |
#############################
|