Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 2899 2020-12-14 23:21:01Z rexy $
|
2 |
# $Id: alcasar-iptables.sh 2956 2021-05-24 19:57:17Z rexy $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
Line 37... |
Line 37... |
37 |
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne
|
37 |
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne
|
38 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
38 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
39 |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
|
39 |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
|
40 |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
|
40 |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
|
41 |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
|
41 |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
|
- |
|
42 |
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips
|
42 |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
|
43 |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
|
43 |
SSH=${SSH:=off}
|
44 |
SSH=${SSH:=off}
|
44 |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
|
45 |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
|
45 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
46 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
46 |
IPTABLES="/sbin/iptables"
|
47 |
IPTABLES="/sbin/iptables"
|
47 |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP
|
48 |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP
|
48 |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
|
49 |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
|
- |
|
50 |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
|
- |
|
51 |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
|
- |
|
52 |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
|
- |
|
53 |
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
|
49 |
|
54 |
|
50 |
# Allow requests to internal DNS if activated
|
55 |
# Allow requests to internal DNS if activated
|
51 |
if [ "$INT_DNS_ACTIVE" = "on" ]
|
56 |
if [ "$INT_DNS_ACTIVE" = "on" ]
|
52 |
then
|
57 |
then
|
53 |
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
|
58 |
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
|
54 |
fi
|
59 |
fi
|
55 |
|
60 |
|
- |
|
61 |
#ipset name list for load_balancing
|
- |
|
62 |
gw_list="gw0"
|
- |
|
63 |
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
|
- |
|
64 |
for ((i=1 ; i<=$nb_gw ; i++)); do
|
- |
|
65 |
gw_list="${gw_list} gw$i"
|
- |
|
66 |
done
|
- |
|
67 |
fi
|
- |
|
68 |
|
- |
|
69 |
|
56 |
# Sauvegarde des SET des utilisateurs connectés si ils existent
|
70 |
# Sauvegarde des SET des utilisateurs connectés si ils existent
|
57 |
# Saving SET of connected users if it exists
|
71 |
# Saving SET of connected users if it exists
|
58 |
ipset list not_filtered 1>/dev/null 2>&1
|
72 |
ipset list not_filtered 1>/dev/null 2>&1
|
59 |
if [ $? -eq 0 ];
|
73 |
if [ $? -eq 0 ];
|
60 |
then
|
74 |
then
|
Line 66... |
Line 80... |
66 |
ipset save proto_1 >> $TMP_users_set_save
|
80 |
ipset save proto_1 >> $TMP_users_set_save
|
67 |
ipset save proto_2 >> $TMP_users_set_save
|
81 |
ipset save proto_2 >> $TMP_users_set_save
|
68 |
ipset save proto_3 >> $TMP_users_set_save
|
82 |
ipset save proto_3 >> $TMP_users_set_save
|
69 |
fi
|
83 |
fi
|
70 |
|
84 |
|
- |
|
85 |
# Sauvegarde de la liste de toutes les IP déjà connectées pour les réintégrer dans le load balancing
|
- |
|
86 |
# Saving all of the already connected IP in order to put them back in the load balancing after
|
- |
|
87 |
if [ ! -f $TMP_ip_gw_save ];then
|
- |
|
88 |
# Save only if alcasar-network.sh --save has not been executed before
|
- |
|
89 |
for i in $gw_list;do
|
- |
|
90 |
ipset list $i 1>/dev/null 2>&1
|
- |
|
91 |
if [ $? -eq 0 ]
|
- |
|
92 |
then
|
- |
|
93 |
# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines execpt the members
|
- |
|
94 |
ipset list $i | cut -d":" -f5 | sed '/^[[:space:]]*$/d' >> $TMP_ip_gw_save
|
- |
|
95 |
fi
|
- |
|
96 |
done
|
- |
|
97 |
fi
|
- |
|
98 |
|
71 |
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)
|
99 |
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)
|
72 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
100 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
73 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
101 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
74 |
|
102 |
|
75 |
# Effacement des règles existantes
|
103 |
# Effacement des règles existantes
|
Line 158... |
Line 186... |
158 |
ipset create proto_1 hash:ip hashsize 1024
|
186 |
ipset create proto_1 hash:ip hashsize 1024
|
159 |
ipset create proto_2 hash:ip hashsize 1024
|
187 |
ipset create proto_2 hash:ip hashsize 1024
|
160 |
ipset create proto_3 hash:ip hashsize 1024
|
188 |
ipset create proto_3 hash:ip hashsize 1024
|
161 |
fi
|
189 |
fi
|
162 |
|
190 |
|
- |
|
191 |
#ipsets for load balancing
|
- |
|
192 |
for i in $gw_list; do
|
- |
|
193 |
ipset create $i hash:ip
|
- |
|
194 |
done
|
- |
|
195 |
cat $TMP_ip_gw_save | while read ip; do
|
- |
|
196 |
gw_min="gw0"
|
- |
|
197 |
weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2`
|
- |
|
198 |
already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2`
|
- |
|
199 |
#The *1000 is here to avoid working on floats in bash
|
- |
|
200 |
gw_min_value=$((1000 * $already / $weight))
|
- |
|
201 |
i=1
|
- |
|
202 |
for gw in $gw_list;do
|
- |
|
203 |
if [ "$gw" != "gw0" ]; then
|
- |
|
204 |
weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'`
|
- |
|
205 |
already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2`
|
- |
|
206 |
value=$((1000 * $already / $weight))
|
- |
|
207 |
if [ $value -lt $gw_min_value ]
|
- |
|
208 |
then
|
- |
|
209 |
gw_min_value=$value
|
- |
|
210 |
gw_min=$gw
|
- |
|
211 |
fi
|
- |
|
212 |
i=$(($i+1))
|
- |
|
213 |
fi
|
- |
|
214 |
done
|
- |
|
215 |
ipset add $gw_min $ip
|
- |
|
216 |
done
|
- |
|
217 |
rm -f $TMP_ip_gw_save
|
- |
|
218 |
|
- |
|
219 |
|
- |
|
220 |
|
163 |
#############################
|
221 |
#############################
|
164 |
# PREROUTING #
|
222 |
# PREROUTING #
|
165 |
#############################
|
223 |
#############################
|
166 |
|
224 |
|
- |
|
225 |
|
167 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
|
226 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
|
168 |
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
|
227 |
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
|
169 |
# 8080 = ipset av_bl
|
228 |
# 8080 = ipset av_bl
|
170 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
|
229 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
|
171 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
|
230 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
|
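Review bot: The new load-balancing state file `TMP_ip_gw_save` (declared at new line 42, written at new lines 87–97 and consumed at new lines 195–217 of this hunk) is a fixed name under /tmp that a root-run script reads back as trusted input and feeds to `ipset add`; where /tmp is writable by unprivileged local users, a pre-created file of that name both suppresses the save (the `! -f` guard at new line 87) and lets its contents be added to the gateway sets. Keeping this state in a root-owned directory, or at least checking the file's owner and mode before reading it, would close that; the same pattern already exists for `TMP_users_set_save` and `TMP_set_save`, so it is not introduced by this commit but the new file extends it. Separately, `gw_min_value=$((1000 * $already / $weight))` raises a bash arithmetic error when `PUBLIC_WEIGHT=` is absent from `$CONF_FILE` or set to 0, and since the script does not run under `set -e` the loop continues with `gw_min_value` unset and the later `[ $value -lt $gw_min_value ]` fails too; a guard such as `[ -n "$weight" ] && [ "$weight" -gt 0 ] || weight=1` (or skipping the entry) before the division would keep the loop well-defined, and the same applies to the per-WAN `weight` at new line 204. The `cat $TMP_ip_gw_save | while read ip` loop only tolerates a missing file because cat's error is ignored, so wrapping it in the same `-f` test used at new line 87 would make the intent explicit.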
Line 194... |
Line 253... |
194 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54
|
253 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54
|
195 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54
|
254 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54
|
196 |
# 55 = ipset av_wl
|
255 |
# 55 = ipset av_wl
|
197 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55
|
256 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55
|
198 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55
|
257 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55
|
199 |
# 53 = all other users
|
258 |
# 53 = all other users
|
200 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
|
259 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
|
201 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
|
260 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
|
202 |
|
261 |
|
203 |
# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
|
262 |
# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
|
204 |
# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)
|
263 |
# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)
|
Line 215... |
Line 274... |
215 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
|
274 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
|
216 |
|
275 |
|
217 |
# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian
|
276 |
# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian
|
218 |
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian
|
277 |
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian
|
219 |
# 8080 = ipset av_bl
|
278 |
# 8080 = ipset av_bl
|
- |
|
279 |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200
|
220 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
|
280 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
|
221 |
# 8090 = ipset av_wl & av
|
281 |
# 8090 = ipset av_wl & av
|
222 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
|
282 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
|
223 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
|
283 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
|
224 |
|
284 |
|
Line 230... |
Line 290... |
230 |
|
290 |
|
231 |
# Redirection des requêtes NTP vers le serveur NTP local
|
291 |
# Redirection des requêtes NTP vers le serveur NTP local
|
232 |
# Redirect NTP request in local NTP server
|
292 |
# Redirect NTP request in local NTP server
|
233 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
293 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
234 |
|
294 |
|
- |
|
295 |
#Récupération de la marque associée à une gw pour chaque connection
|
- |
|
296 |
$IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark
|
- |
|
297 |
|
- |
|
298 |
if [ "$PROXY" == "on" ] || [ "$PROXY" == "On" ];then
|
- |
|
299 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp -m multiport --dports http,https -j DNAT --to-destination $PROXY_IP
|
- |
|
300 |
fi
|
- |
|
301 |
|
- |
|
302 |
#Marquage pour le load balancing
|
- |
|
303 |
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
|
- |
|
304 |
temp_index=200
|
- |
|
305 |
for i in $gw_list; do
|
- |
|
306 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index
|
- |
|
307 |
temp_index=$(($temp_index+1))
|
- |
|
308 |
done
|
- |
|
309 |
fi
|
- |
|
310 |
|
- |
|
311 |
|
235 |
#############################
|
312 |
#############################
|
236 |
# INPUT #
|
313 |
# INPUT #
|
237 |
#############################
|
314 |
#############################
|
238 |
|
315 |
|
239 |
# Tout passe sur loopback
|
316 |
# Tout passe sur loopback
|
240 |
# accept all on loopback
|
317 |
# accept all on loopback
|
241 |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
318 |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
242 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
319 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
243 |
|
320 |
|
244 |
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
|
321 |
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
|
245 |
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
|
322 |
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST and NEW not SYN)
|
246 |
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
|
323 |
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
|
247 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
324 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
248 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
325 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
249 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
326 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
250 |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
327 |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
Line 453... |
Line 530... |
453 |
|
530 |
|
454 |
# On autorise les requêtes HTTP et HTTPS avec log Netflow (en provenance de E2guardian)
|
531 |
# On autorise les requêtes HTTP et HTTPS avec log Netflow (en provenance de E2guardian)
|
455 |
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)
|
532 |
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)
|
456 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
|
533 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
|
457 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
|
534 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
|
458 |
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)
|
535 |
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)
|
459 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
|
536 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
|
460 |
|
537 |
|
461 |
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
|
538 |
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
|
462 |
# RSYNC requests are allowed (update of Toulouse BL)
|
539 |
# RSYNC requests are allowed (update of Toulouse BL)
|
463 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
|
540 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
|
Line 487... |
Line 564... |
487 |
#############################
|
564 |
#############################
|
488 |
# Traduction dynamique d'adresse en sortie
|
565 |
# Traduction dynamique d'adresse en sortie
|
489 |
# Dynamic NAT on EXTIF
|
566 |
# Dynamic NAT on EXTIF
|
490 |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
|
567 |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
|
491 |
|
568 |
|
- |
|
569 |
#Sauvegarde de la marque associée à la connexion pour le load balancing
|
- |
|
570 |
$IPTABLES -A POSTROUTING -t mangle -j CONNMARK --save-mark
|
- |
|
571 |
|
492 |
#############################
|
572 |
#############################
|
493 |
# FAIL2BAN #
|
573 |
# FAIL2BAN #
|
494 |
#############################
|
574 |
#############################
|
495 |
# Reload Fail2Ban
|
575 |
# Reload Fail2Ban
|
496 |
if systemctl -q is-active fail2ban; then
|
576 |
if systemctl -q is-active fail2ban; then
|