WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh

 #!/bin/bash
-# $Id: alcasar-iptables.sh 2496 2018-02-26 01:47:02Z tom.houdayer $
+# $Id: alcasar-iptables.sh 2517 2018-03-20 23:05:55Z rexy $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
+#
 # Reminders
 # Marquage des paquets qui tentent d'accéder directement au port 56 (DNS-Blackhole) pour pouvoir les rejeter en INPUT
 # Mark the direct attempts to port 56 (DNS-blackhole) in order to REJECT them in INPUT rules
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 56 -j MARK --set-mark 5
-# redirection DNS des usagers 'havp_bl' vers le port 54
+# redirection DNS des usagers 'havp_bl' vers le port local 54 (en évitant le contournement)
-# redirect DNS of 'havp_bl' users to port 54
+# redirect DNS of 'havp_bl' users to the local port 54 (avoiding bypass)
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p udp --dport domain -j REDIRECT --to-port 54
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p tcp --dport domain -j REDIRECT --to-port 54
-# redirection DNS des usagers 'havp_wl' vers le port 55
+# redirection DNS des usagers 'havp_wl' vers le port local 55 (en évitant le contournement)
-# redirect DNS of 'havp_wl' users to port 55
+# redirect DNS of 'havp_wl' users to the local port 55 (avoiding bypass)
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p udp --dport domain -j REDIRECT --to-port 55
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p tcp --dport domain -j REDIRECT --to-port 55
+# redirection des requêtes DNS de contournement vers le port local 53
+# redirect of bypass DNS requests to the local port 53
+$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
+$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
 # Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
 # Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
 # Deny IPs of the SET bl_ip_blocked for the set havp_bl
 $IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
 $IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
 $IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
-# Rejet des requêtes DNS vers Internet
-# Deny forward DNS
-$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
-$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 # Active le suivi de session
 # Allow Conntrack
 $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 # Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 2496 → 2517