Subversion Repositories ALCASAR

Rev

Rev 2998 | Rev 3041 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2998 Rev 3040
Line 1... Line 1...
1 
#!/bin/bash
 1 
#!/bin/bash
2 
# $Id: alcasar-iptables.sh 2998 2022-03-15 16:44:20Z rexy $
 2 
# $Id: alcasar-iptables.sh 3040 2022-07-17 22:31:53Z rexy $
3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4 
# This script writes the netfilter rules for ALCASAR
 4 
# This script writes the netfilter rules for ALCASAR
5 
# Rexy - 3abtux - CPN
 5 
# Rexy - 3abtux - CPN
6 
#
 6 
#
7 
# Reminders
 7 
# Reminders
Line 40... Line 40...
40 
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
 40 
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
41 
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
 41 
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
42 
TMP_ip_gw_save="/tmp/ipset_ip_gw_save"				# tmp file for already connected ips
 42 
TMP_ip_gw_save="/tmp/ipset_ip_gw_save"				# tmp file for already connected ips
43 
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
 43 
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
44 
SSH=${SSH:=off}
 44 
SSH=${SSH:=off}
- 
 
 45 
SSH_PORT=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2`		#ssh WAN port
- 
 
 46 
SSH_PORT=${SSH_PORT:=0}
45 
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
 47 
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
46 
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
 48 
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
47 
IPTABLES="/sbin/iptables"
 49 
IPTABLES="/sbin/iptables"
48 
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist"		# Rehabilitated IP
 50 
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist"		# Rehabilitated IP
49 
SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# WEB Sites allowed for all (no av and no filtering for av_bl users)
 51 
SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# WEB Sites allowed for all (no av and no filtering for av_bl users)
50 
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
 52 
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
51 
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
 53 
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
52 
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
 54 
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
53 
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
 55 
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
- 
 
 56 
HOST=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
- 
 
 57 
DOM=`grep ^DOMAIN= $CONF_FILE|cut -d"=" -f2`
- 
 
 58 
DOMAIN="$HOST.$DOM"
54 
 
 59 
 
55 
# Allow requests to internal DNS if activated
 60 
# Allow requests to internal DNS if activated
56 
if [ "$INT_DNS_ACTIVE" = "on" ]
 61 
if [ "$INT_DNS_ACTIVE" = "on" ]
57 
then
 62 
then
58 
	DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
 63 
	DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
Line 390... Line 395...
390 
# SSHD server access if enabled
 395 
# SSHD server access if enabled
391 
if [ $SSH = on ]
 396 
if [ $SSH = on ]
392 
	then
 397 
	then
393 
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
 398 
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
394 
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
 399 
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
- 
 
 400 
	if [ $SSH_PORT -gt 0 ]
- 
 
 401 
		then
395 
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
 402 
		$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
396 
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT
 403 
		$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
- 
 
 404 
	fi
397 
fi
 405 
fi
398 
 
 406 
 
399 
# Insertion de règles locales
 407 
# Insertion de règles locales
400 
# Here, we add local rules (i.e. VPN from Internet)
 408 
# Here, we add local rules (i.e. VPN from Internet)
401 
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
 409 
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then