Subversion Repositories ALCASAR

Rev

Rev 2465 | Rev 2485 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2465 Rev 2468
Line 1... Line 1...
1 
#!/bin/bash
 1 
#!/bin/bash
2 
# $Id: alcasar-iptables.sh 2465 2017-12-17 23:00:14Z richard $
 2 
# $Id: alcasar-iptables.sh 2468 2017-12-27 17:22:39Z richard $
3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4 
# This script writes the netfilter rules for ALCASAR
 4 
# This script writes the netfilter rules for ALCASAR
5 
# Rexy - 3abtux - CPN
 5 
# Rexy - 3abtux - CPN
6 
#
 6 
#
7 
# Reminders
 7 
# Reminders
Line 39... Line 39...
39 
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
 39 
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
40 
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
 40 
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
41 
SSH=${SSH:=off}
 41 
SSH=${SSH:=off}
42 
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
 42 
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
43 
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
 43 
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
44 
LDAP=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2`				# LDAP external server active (on/off)
 - 
 
45 
LDAP=${LDAP:=off}
 - 
 
46 
LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2`			# WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
 - 
 
47 
LDAP_SERVER=${LDAP_SERVER:="0.0.0.0/0.0.0.0"}
 - 
 
48 
IPTABLES="/sbin/iptables"
 44 
IPTABLES="/sbin/iptables"
49 
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
 45 
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
50 
 
 46 
 
51 
# Sauvegarde des SET des utilisateurs connectés si ils existent
 47 
# Sauvegarde des SET des utilisateurs connectés si ils existent
52 
# Saving SET of connected users if it exists
 48 
# Saving SET of connected users if it exists
Line 427... Line 423...
427 
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 423 
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
428 
 
 424 
 
429 
#############################
 425 
#############################
430 
#         OUTPUT            #
 426 
#         OUTPUT            #
431 
#############################
 427 
#############################
432 
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
 428 
# On laisse tout sortir à l'exception de la carte externe (cf ci-dessous)
433 
# Everything is allowed but traffic through outside network interface
 429 
# Everything is allowed apart from outside network interface (see bellow)
434 
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 430 
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
435 
 
 431 
 
436 
# Si configéré, on autorise les requêtes DHCP
 432 
# Si configuré, on autorise les requêtes DHCP
437 
# Allow DHCP requests if configured
 433 
# Allow DHCP requests if configured
438 
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`		# ALCASAR WAN IP address
 434 
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`		# ALCASAR WAN IP address
439 
if [[ "$public_ip_mask" == "dhcp" ]]
 435 
if [[ "$public_ip_mask" == "dhcp" ]]
440 
then
 436 
then
441 
	$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
 437 
	$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
Line 444... Line 440...
444 
 
 440 
 
445 
# On autorise les requêtes DNS vers les serveurs DNS identifiés
 441 
# On autorise les requêtes DNS vers les serveurs DNS identifiés
446 
# Allow DNS requests to identified DNS servers
 442 
# Allow DNS requests to identified DNS servers
447 
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
 443 
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
448 
 
 444 
 
449 
# On autorise les requêtes HTTP sortantes
 445 
# On autorise les requêtes HTTP avec log Netflow (en provenance de Dansguardian)
450 
# HTTP requests are allowed
 446 
# HTTPS requests are allowed with netflow log (from Dansguardian)
451 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
 447 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
452 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
 448 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
453 
 
 449 
 
454 
# On autorise les requêtes HTTPS sortantes
 450 
# On autorise les requêtes HTTPS sortantes
455 
# HTTPS requests are allowed
 451 
# HTTPS requests are allowed
456 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
 452 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
457 
 
 453 
 
458 
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
 454 
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
459 
# RSYNC requests are allowed (to update BL of Toulouse)
 455 
# RSYNC requests are allowed (update of Toulouse BL)
460 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
 456 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
461 
 
 457 
 
462 
# On autorise les requêtes FTP
 458 
# On autorise les requêtes FTP
463 
# FTP requests are allowed
 459 
# FTP requests are allowed
464 
modprobe nf_conntrack_ftp
 460 
modprobe nf_conntrack_ftp
Line 471... Line 467...
471 
 
 467 
 
472 
# On autorise les requêtes ICMP (ping)
 468 
# On autorise les requêtes ICMP (ping)
473 
# ICMP (ping) requests are allowed
 469 
# ICMP (ping) requests are allowed
474 
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
 470 
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
475 
 
 471 
 
476 
# On autorise les requêtes LDAP si un serveur externe est configué
 472 
# On autorise les requêtes LDAP
477 
# LDAP requests are allowed if an external server is declared
 473 
# LDAP requests are allowed
478 
if [ $LDAP = on ]
 - 
 
479 
	then
 - 
 
480 
	$IPTABLES -A OUTPUT -p tcp -d $LDAP_SERVER -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
 474 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
481 
	$IPTABLES -A OUTPUT -p udp -d $LDAP_SERVER -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
 475 
$IPTABLES -A OUTPUT -o $EXTIF -p udp -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
482 
fi
 - 
 
483 
 
 476 
 
484 
#############################
 477 
#############################
485 
#       POSTROUTING         #
 478 
#       POSTROUTING         #
486 
#############################
 479 
#############################
487 
# Traduction dynamique d'adresse en sortie
 480 
# Traduction dynamique d'adresse en sortie