WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh

 #!/bin/bash
-# $Id: alcasar-iptables.sh 2841 2020-06-28 21:49:00Z rexy $
+# $Id: alcasar-iptables.sh 2844 2020-07-04 15:21:55Z rexy $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
+#
 # Reminders
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 # 8090 = ipset av_wl + av
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
-# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av
+# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av (future version)
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
+#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
-$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6
+#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6
 # Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT
 # Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules
 # 54 = ipset av_bl
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55
 # 53 = all other users
 $IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
 $IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
-# Redirection des requêtes HTTP des usagers vers E2guardian
-# Redirect outbound users HTTP requests to E2guardian
-# 8080 = ipset av_bl
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport http -j REDIRECT --to-port 8080
-# 8090 = ipset av_wl & av
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
-# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian
-# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
-# Journalisation HTTP_Internet des usagers 'av_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
-# Log Internet HTTP of 'av_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
 # Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
 # Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 # Redirection HTTP des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
 # Redirect HTTP of 'av_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
+# Journalisation des usagers "av_bl + av_wl + av" (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
+# accounting of "av_bl + av_wl + av"  users (only syn packets). Other protocols are logged in FORWARD by netflow
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
+# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian
+# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian
+# 8080 = ipset av_bl
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport http -j REDIRECT --to-port 8080
+# 8090 = ipset av_wl & av
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
+# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian (in a future version - don't forget to set E2guardian as a tranparent HTTPS proxy)
+# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian
+#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
+#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
+#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport https -j REDIRECT --to-port 8443
 # Redirection des requêtes NTP vers le serveur NTP local
 # Redirect NTP request in local NTP server
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
 #############################
 # On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
 # Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING)
 $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl
 $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av
-$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av
+#$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av (future version)
 # On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian
 # Allow HTTP connections to E2Guardian
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m conntrack --ctstate NEW --syn -j ACCEPT
-$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT
+#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT # (future version)
 # On interdit les connexions directes aux ports d'écoupe DNS (UNBOUND). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
 # Deny direct connections to DNS ports (UNBOUND). The concerned paquets are marked in mangle table (PREROUTING)
 $IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable
 $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 3 -j REJECT --reject-with tcp-reset
 	. /usr/local/etc/alcasar-iptables-local.sh
 fi
 # Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN
 # Deny and log on INPUT from the LAN
-$IPTABLES -A INPUT -i $TUNIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE rej-int -- REJECT "
+$IPTABLES -A INPUT -i $TUNIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-prefix "RULE rej-int -- REJECT "
 $IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
 $IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 # Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
 # Reject INTIF access (only when chilli is down)
-$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 1 --nflog-prefix "RULE Protect1 -- REJECT "
+$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 3 --nflog-prefix "RULE Protect1 -- REJECT "
 $IPTABLES -A INPUT -i $INTIF -j REJECT
 # Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
 # On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
 $IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j ACCEPT
 #############################
 #         OUTPUT            #
 #############################
-# On laisse tout sortir à l'exception de la carte externe (cf ci-dessous)
+# On laisse tout sortir sur la carte interne (voir les règles suivantes pour la carte externe)
-# Everything is allowed apart from outside network interface (see bellow)
+# We let everything out on INTIF (see following rules for the EXTIF)
 $IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 # Si configuré, on autorise les requêtes DHCP
 # Allow DHCP requests if configured
 public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`		# ALCASAR WAN IP address
 # On autorise les requêtes DNS vers les serveurs DNS identifiés
 # Allow DNS requests to identified DNS servers
 $IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT
-# On autorise les requêtes HTTP avec log Netflow (en provenance de E2guardian)
+# On autorise les requêtes HTTP et HTTPS avec log Netflow (en provenance de E2guardian)
-# HTTP requests are allowed with netflow log (from E2guardian)
+# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)
 $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
 $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
-# On autorise les requêtes HTTPS sortantes
+#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)
-# HTTPS requests are allowed
 $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
 # On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
 # RSYNC requests are allowed (update of Toulouse BL)
 $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 2841 → 2844