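--- a/alcasar-iptables.sh
+++ b/alcasar-iptables.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# $Id: alcasar-iptables.sh 3170 2024-02-22 17:28:40Z rexy $
+# $Id: alcasar-iptables.sh 3177 2024-03-01 18:32:19Z rexy $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 #
 # Reminders
@@ -422,16 +422,10 @@
 $IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
 
 #############################
 #        FORWARD            #
 #############################
-# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet
-# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router
-if [ "$interlan" != "on" ]
-then
-	$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP
-fi
 
 # Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
 # Deny IPs of the SET bl_ip_blocked for the set av_bl
 $IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
 $IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
@@ -507,10 +501,17 @@
 		fi
 		$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports $custom_tcp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
 		$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 	fi
 
+# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet
+# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router
+if [ "$interlan" != "on" ]
+then
+	$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP
+fi
+
 # Blocage des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL
 # Block 'av_wl' users who want IP not in the WL
 $IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -j DROP
 
 # journalisation et autorisation des connections sortant du LAN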
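Review bot: Moving the interlan DROP (new lines 508-511) below the protocol-filtering blocks changes its precedence in FORWARD: any ACCEPT rule appended between its old position right after the FORWARD banner and its new one now matches first, so members of those sets could reach $public_ip_mask even with interlan off; the rules between old line 437 and new line 501 are outside this view, so this should be checked against the full chain. The rule also drops silently, whereas the INPUT drop at line 422 is logged through NFLOG; a matching log rule placed just before the DROP, for example `$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE interlan -- DROP"`, keeps the chain's logging consistent and makes blocked access to the inter-LAN segment visible in the existing log stream. A one-line comment above the block stating why it must sit after the proto_* rules would record the intent of the move, since the relocated text itself gives no reason.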