WebSVN – ALCASAR – Blame – /scripts/alcasar-iptables.sh

Rev	Author	Line No.	Line
872	richard	1	`#!/bin/bash`
64	franck	2	`# $Id: alcasar-iptables.sh 1854 2016-05-02 08:15:14Z raphael.pion $`
675	richard	3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`
1339	richard	4	`# This script writes the netfilter rules for ALCASAR`
675	richard	5	`# Rexy - 3abtux - CPN`
		6	`#`
		7	`# Reminders`
1221	richard	8	`# There are four channels for log :`
1294	richard	9	`# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);`
1221	richard	10	`# 2 protection of ALCASAR with the Ulog group 1 (default group)`
1294	richard	11	`# 3 SSH on ALCASAR with the Ulog group 2;`
		12	`# 4 extern access attempts on ALCASAR with the Ulog group 3.`
1469	richard	13	`# The bootps/dhcp (67) port is always open on tun0/INTIF by coova`
		14	`CONF_FILE="/usr/local/etc/alcasar.conf"`
1587	richard	15	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace
		16	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace
		17	`TUNIF="tun0" # listen device for chilli daemon`
1469	richard	18	private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`
615	richard	19	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`
783	richard	20	PRIVATE_IP=`echo $private_ip_mask \| cut -d"/" -f1` # ALCASAR LAN IP address
604	richard	21	private_network=`/bin/ipcalc -n $private_ip_mask\|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
		22	private_prefix=`/bin/ipcalc -p $private_ip_mask\|cut -d"=" -f2` # LAN prefix (ie. 24)
783	richard	23	`PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)`
1469	richard	24	public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE\|cut -d"=" -f2` # ALCASAR WAN IP address
1585	richard	25	`if [[ "$public_ip_mask" == "dhcp" ]]`
		26	`then`
		27	`PTN="\b(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\/([012]?[0-9]\|3[0-2])\b"`
1587	richard	28	public_ip_mask=`ip addr show $EXTIF \| egrep -o $PTN`
1585	richard	29	`fi`
783	richard	30	PUBLIC_IP=`echo $public_ip_mask \| cut -d"/" -f1`
1588	richard	31	dns1=`grep ^DNS1= $CONF_FILE\|cut -d"=" -f2`
		32	dns2=`grep ^DNS2= $CONF_FILE\|cut -d"=" -f2`
615	richard	33	`dns1=${dns1:=208.67.220.220}`
		34	`dns2=${dns2:=208.67.222.222}`
1585	richard	35	`DNSSERVERS="$dns1,$dns2" # first and second public DNS servers`
1469	richard	36	PROTOCOLS_FILTERING=`grep ^PROTOCOLS_FILTERING= $CONF_FILE\|cut -d"=" -f2` # Network protocols filter (on/off)
615	richard	37	`PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}`
1332	richard	38	`BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP`
1339	richard	39	`BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty`
1852	raphael.pi	40	`DIR_WL_IP_ENABLED="/usr/local/share/iptables-wl-enabled/" # ip files repository of the WL (feature : imported wl file from ACC)`
1364	richard	41	`TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set`
		42	`TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation`
1469	richard	43	SSH=`grep ^SSH= $CONF_FILE\|cut -d"=" -f2` # sshd active (on/off)
615	richard	44	`SSH=${SSH:=off}`
1469	richard	45	SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE\|cut -d"=" -f2`
1063	richard	46	`SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)`
1469	richard	47	LDAP=`grep ^LDAP= $CONF_FILE\|cut -d"=" -f2` # LDAP external server active (on/off)
615	richard	48	`LDAP=${LDAP:=off}`
1469	richard	49	LDAP_IP=`grep ^LDAP_IP= $CONF_FILE\|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
768	richard	50	`LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}`
612	richard	51	`IPTABLES="/sbin/iptables"`
1339	richard	52	`IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP`
1364	richard	53	`SAVE_DIR="/etc/sysconfig" # Saving path`
1	root	54
1364	richard	55	`# Sauvegarde des SET des utilisateurs connectés si ils existent`
		56	`# Saving SET of connected users if it exists`
		57	`ipset list no_filtering_set 1>/dev/null 2>&1`
		58	`if [ $? -eq 0 ];`
		59	`then`
		60	`ipset save no_filtering_set > $TMP_users_set_save`
		61	`ipset save havp_set >> $TMP_users_set_save`
		62	`ipset save havp_bl_set >> $TMP_users_set_save`
		63	`ipset save havp_wl_set >> $TMP_users_set_save`
1818	raphael.pi	64	`ipset save user_not_connected_yet >> $TMP_users_set_save`
1822	raphael.pi	65	`ipset save ipset_users_list >> $TMP_users_set_save`
1364	richard	66	`fi`
		67
1291	richard	68	`# loading of NetFlow probe (ipt_NETFLOW kernel module)`
1159	crox53	69	`modprobe ipt_NETFLOW destination=127.0.0.1:2055`
		70
498	richard	71	`# Effacement des règles existantes`
476	richard	72	`# Flush all existing rules`
1	root	73	`$IPTABLES -F`
		74	`$IPTABLES -t nat -F`
		75	`$IPTABLES -t mangle -F`
		76	`$IPTABLES -F INPUT`
		77	`$IPTABLES -F FORWARD`
		78	`$IPTABLES -F OUTPUT`
		79
498	richard	80	`# Suppression des chaines utilisateurs sur les tables filter et nat`
		81	`# Flush non default rules on filter and nat tables`
		82	`$IPTABLES -X`
		83	`$IPTABLES -t nat -X`
		84
		85	`# Stratégies par défaut`
476	richard	86	`# Default policies`
1	root	87	`$IPTABLES -P INPUT DROP`
		88	`$IPTABLES -P FORWARD DROP`
498	richard	89	`$IPTABLES -P OUTPUT DROP`
1	root	90	`$IPTABLES -t nat -P PREROUTING ACCEPT`
		91	`$IPTABLES -t nat -P POSTROUTING ACCEPT`
		92	`$IPTABLES -t nat -P OUTPUT ACCEPT`
		93
1484	richard	94
		95	`#############################`
		96	`# IPSET #`
		97	`#############################`
		98
1291	richard	99	`# destruction de tous les SET`
1332	richard	100	`# destroy all SET`
1291	richard	101	`ipset destroy`
1854	raphael.pi	102	`ipset flush blacklist_ip_blocked`
		103	`ipset destroy blacklist_ip_blocked`
		104	`ipset flush whitelist_ip_allowed`
		105	`ipset destroy whitelist_ip_allowed`
1291	richard	106
1854	raphael.pi	107
1484	richard	108	`###### BL set ###########`
		109	`# Calcul de la taille / Compute the length`
1393	richard	110	`bl_set_length=$(($(wc -l $BL_IP_CAT/* \| awk '{print $1}' \| tail -n 1)+$(wc -l $BL_IP_OSSI \| awk '{print $1}')))`
1854	raphael.pi	111
		112
1484	richard	113	`# Chargement / loading`
1393	richard	114	`echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save`
		115	for category in `ls -1 $BL_IP_CAT \| cut -d '@' -f1`
1332	richard	116	`do`
1364	richard	117	`cat $BL_IP_CAT/$category >> $TMP_set_save`
1332	richard	118	`done`
1364	richard	119	`cat $BL_IP_OSSI >> $TMP_set_save`
		120	`ipset -! restore < $TMP_set_save`
		121	`rm -f $TMP_set_save`
1484	richard	122	`# Suppression des ip réhabilitées / Removing of rehabilitated ip`
1339	richard	123	`for ip in $(cat $IP_REHABILITEES)`
		124	`do`
		125	`ipset del blacklist_ip_blocked $ip`
		126	`done`
		127
1484	richard	128	`###### WL set ###########`
		129	`# Calcul de la taille / Compute the length`
1852	raphael.pi	130	`wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* \| awk '{print $1}' \| tail -n 1)*3))`
1484	richard	131	`# Chargement Loading`
1393	richard	132	`echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save`
1852	raphael.pi	133	`#get ip-wl files from ACC`
		134	for ossi in `ls -1 $DIR_WL_IP_ENABLED`
		135	`do`
		136	`echo $ossi`
		137	`cat $DIR_WL_IP_ENABLED/$ossi >> $TMP_set_save`
		138	`done`
1364	richard	139	`ipset -! restore < $TMP_set_save`
		140	`rm -f $TMP_set_save`
		141
		142	`# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET`
1377	richard	143	`# Restoring the connected users SETs if available, otherwise creating SETs`
1364	richard	144	`if [ -e $TMP_users_set_save ];`
		145	`then`
		146	`ipset -! restore < $TMP_users_set_save`
		147	`rm -f $TMP_users_set_save`
		148	`else`
		149	`ipset create no_filtering_set hash:net hashsize 1024`
		150	`ipset create havp_set hash:net hashsize 1024`
		151	`ipset create havp_bl_set hash:net hashsize 1024`
		152	`ipset create havp_wl_set hash:net hashsize 1024`
1818	raphael.pi	153	`#utilisé pour l'interception des utilisateurs non authentifiés au réseau`
		154	`#used for intercepting users not connected to the network`
		155	`ipset create user_not_connected_yet hash:net hashsize 1024`
		156	`ipset create ipset_users_list list:set`
		157	`ipset add ipset_users_list havp_set`
		158	`ipset add ipset_users_list havp_wl_set`
		159	`ipset add ipset_users_list havp_bl_set`
		160	`ipset add ipset_users_list no_filtering_set`
		161	`ipset add ipset_users_list user_not_connected_yet`
1364	richard	162	`fi`
		163
472	richard	164	`#############################`
783	richard	165	`# PREROUTING #`
472	richard	166	`#############################`
1827	raphael.pi	167
		168	`# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole`
		169	`# Redirect users not connected DNS requests in DNS-Blackhole`
		170	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56`
		171	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56`
		172
		173
1453	franck	174	`# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT`
		175	`# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules`
1459	franck	176	`#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10`
1453	franck	177
1486	richard	178	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT`
783	richard	179	`# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules`
1731	richard	180	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY "`
783	richard	181	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1`
1	root	182
1486	richard	183	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT`
		184	`# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules`
1704	richard	185	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY "`
1486	richard	186	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2`
		187
1484	richard	188	`# Marquage des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT`
		189	`# Mark the udp 54 direct attempts (DNS-blacklist) to REJECT them in INPUT rules`
1486	richard	190	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3`
783	richard	191
1484	richard	192	`# Marquage des paquets qui tentent d'accéder directement au port udp 55 (DNS-Whitelist) pour pouvoir les rejeter en INPUT`
		193	`# Mark the udp 55 direct attempts (DNS-whitelist) to REJECT them in INPUT rules`
1486	richard	194	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4`
783	richard	195
1484	richard	196	`# Marquage des paquets qui tentent d'accéder directement au port udp 56 (DNS-Blackhole) pour pouvoir les rejeter en INPUT`
		197	`# Mark the udp 56 direct attempts (DNS-blackhole) to REJECT them in INPUT rules`
1486	richard	198	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5`
1472	richard	199
1544	richard	200	`# redirection DNS des usagers 'havp_bl' vers le port 54`
		201	`# redirect DNS of 'havp_bl' users to port 54`
1364	richard	202	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54`
1393	richard	203
1544	richard	204	`# redirection DNS des usagers 'havp_wl' vers le port 55`
		205	`# redirect DNS of 'havp_bl' users to port 55`
1364	richard	206	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55`
		207
1544	richard	208	`# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.`
		209	`# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow`
1704	richard	210	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "`
1544	richard	211
		212	`# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')`
		213	`# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)`
1364	richard	214	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80`
		215
1544	richard	216	`# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')`
		217	`# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)`
1393	richard	218	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80`
		219
1544	richard	220	`# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian`
1484	richard	221	`# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)`
		222	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080`
		223
1544	richard	224	`# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy`
1486	richard	225	`# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy`
1484	richard	226	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090`
1544	richard	227	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090`
1364	richard	228
783	richard	229	`# Redirection des requêtes NTP vers le serveur NTP local`
		230	`# Redirect NTP request in local NTP server`
		231	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123`
		232
472	richard	233	`#############################`
783	richard	234	`# INPUT #`
472	richard	235	`#############################`
871	richard	236
783	richard	237	`# Tout passe sur loopback`
		238	`# accept all on loopback`
		239	`$IPTABLES -A INPUT -i lo -j ACCEPT`
990	franck	240	`$IPTABLES -A OUTPUT -o lo -j ACCEPT`
783	richard	241
		242	`# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)`
		243	`# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)`
472	richard	244	`$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP`
		245	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP`
		246	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP`
		247	`$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP`
675	richard	248	`$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP`
498	richard	249
1587	richard	250	`# Si configéré, on autorise les réponses DHCP`
		251	`# Allow DHCP answers if configured`
		252	public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE\|cut -d"=" -f2` # ALCASAR WAN IP address
		253	`if [[ "$public_ip_mask" == "dhcp" ]]`
		254	`then`
		255	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 68 -j ACCEPT`
		256	`$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 68 -j ACCEPT`
		257	`fi`
871	richard	258	`# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)`
		259	`# Drop broadcast & multicast on EXTIF to avoid log`
1629	richard	260	`$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP`
498	richard	261
783	richard	262	`# On autorise les retours de connexions légitimes par INPUT`
		263	`# Conntrack on INPUT`
		264	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
373	richard	265
1221	richard	266	`# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)`
1486	richard	267	`# Deny direct connections on DansGuardian port (8080). The concerned paquets have been marked and logged in mangle table (PREROUTING)`
783	richard	268	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset`
791	richard	269
783	richard	270	`# Autorisation des connexions légitimes à DansGuardian`
		271	`# Allow connections for DansGuardian`
		272	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT`
373	richard	273
1486	richard	274	`# On interdit les connexions directes au port utilisé par tinyproxy (8090). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)`
		275	`# Deny direct connections on tinyproxy port (8090). The concerned paquets have been marked in mangle table (PREROUTING)`
		276	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset`
		277
		278	`# Autorisation des connexions légitimes vers tinyproxy`
		279	`# Allow connections to tinyproxy`
		280	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m state --state NEW --syn -j ACCEPT`
		281
1472	richard	282	`# On interdit les connexions directes au port UDP 54 (DNS-blacklist). Les packets concernés ont été marqués dans la table mangle (PREROUTING)`
		283	`# Deny direct connections on UDP 54 (DNS-blacklist). The concerned paquets are marked in mangle table (PREROUTING)`
1486	richard	284	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable`
791	richard	285
1472	richard	286	`# On interdit les connexions directes au port UDP 55 (DNS-whitelist). Les packets concernés ont été marqués dans la table mangle (PREROUTING)`
		287	`# Deny direct connections on UDP 55 (DNS-whitelist). The concerned paquets are marked in mangle table (PREROUTING)`
1486	richard	288	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable`
1364	richard	289
1472	richard	290	`# On interdit les connexions directes au port UDP 56 (DNS-Blackhole). Les packets concernés ont été marqués dans la table mangle (PREROUTING)`
		291	`# Deny direct connections on UDP 56 (DNS-blackhole). The concerned paquets are marked in mangle table (PREROUTING)`
1486	richard	292	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable`
1472	richard	293
1364	richard	294	`# autorisation des connexion légitime à DNSMASQ (avec blacklist)`
		295	`# Allow connections for DNSMASQ (with blacklist)`
783	richard	296	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT`
		297
1364	richard	298	`# autorisation des connexion légitime à DNSMASQ (avec whitelist)`
		299	`# Allow connections for DNSMASQ (with whitelist)`
		300	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT`
		301
1472	richard	302	`# autorisation des connexion légitime à DNSMASQ (mode blackhole)`
		303	`# Allow connections for DNSMASQ (blackhole mode)`
		304	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT`
		305
783	richard	306	`# Accès direct aux services internes`
		307	`# Internal services access`
1364	richard	308	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blacklist`
786	richard	309	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce`
		310	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request`
		311	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC`
		312	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages`
		313	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests`
		314	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server`
783	richard	315
		316	`# SSHD rules if activate`
		317	`if [ $SSH = on ]`
520	richard	318	`then`
1731	richard	319	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"`
783	richard	320	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`
1731	richard	321	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"`
1161	richard	322	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT`
520	richard	323	`fi`
783	richard	324
		325	`# Insertion de règles locales`
		326	`# Here, we add local rules (i.e. VPN from Internet)`
		327	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`
		328	`. /usr/local/etc/alcasar-iptables-local.sh`
		329	`fi`
		330
		331	`# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN`
		332	`# Deny and log on INPUT from the LAN`
1704	richard	333	`$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j NFLOG --nflog-prefix "RULE rej-int -- REJECT "`
783	richard	334	`$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`
		335	`$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`
		336
1393	richard	337	`# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).`
783	richard	338	`# Reject INTIF access (only when chilli is down)`
1704	richard	339	`$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE Protect1 -- REJECT "`
783	richard	340	`$IPTABLES -A INPUT -i $INTIF -j REJECT`
		341
		342	`# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)`
		343	`# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)`
1731	richard	344	`$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"`
783	richard	345
		346	`#############################`
		347	`# FORWARD #`
		348	`#############################`
		349
1364	richard	350	`# Blocage des IPs du SET blacklist_ip_blocked pour le SET havp_bl_set`
		351	`# Deny IPs of the SET blacklist_ip_blocked for the set havp_bl_set`
		352	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable`
		353	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable`
		354	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset`
		355
783	richard	356	`# Rejet des requêtes DNS vers Internet`
		357	`# Deny forward DNS`
		358	`$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable`
		359	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset`
		360
815	richard	361	`# Autorisation des retours de connexions légitimes`
		362	`$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT`
790	richard	363
1364	richard	364	`# If protocols filter is activate`
1488	richard	365	`if [ $PROTOCOLS_FILTERING = on ]; then`
		366	`# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)`
		367	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed \| cut -d" " -f1`
		368	`if [ $nb_uamallowed != "0" ]`
		369	`then`
		370	`while read ip_allowed_line`
		371	`do`
		372	ip_allowed=`echo $ip_allowed_line\|cut -d"\"" -f2`
1704	richard	373	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NFLOG --nflog-prefix "RULE IP-allowed -- ACCEPT "`
1488	richard	374	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW`
		375	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT`
		376	`done < /usr/local/etc/alcasar-uamallowed`
		377	`fi`
		378	`# Autorisation du HTTP et des protocoles non commentés`
		379	`# Allow HTTP and non comment protocols`
1704	richard	380	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "`
1488	richard	381	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW`
		382	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT`
		383	`while read svc_line`
		384	`do`
		385	svc_on=`echo $svc_line\|cut -b1`
		386	`if [ $svc_on != "#" ]`
		387	`then`
		388	svc_name=`echo $svc_line\|cut -d" " -f1`
		389	svc_port=`echo $svc_line\|cut -d" " -f2`
		390	`if [ $svc_name = "icmp" ]`
		391	`then`
		392	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW`
		393	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT`
		394	`else`
492	franck	395
1704	richard	396	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "`
1488	richard	397	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW`
		398	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT`
1704	richard	399	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-$svc_name -- ACCEPT "`
1488	richard	400	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW`
		401	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT`
		402	`fi`
		403	`fi`
		404	`done < /usr/local/etc/alcasar-services`
		405	`# Rejet explicite des autres protocoles`
		406	`# reject the others protocols`
1704	richard	407	`$IPTABLES -A FORWARD -i $TUNIF -j NFLOG --nflog-prefix "RULE F_filter -- REJECT "`
1488	richard	408	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`
		409	`$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`
		410	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT`
		411	`fi`
		412
498	richard	413	`# Autorisation des connections sortant du LAN`
476	richard	414	`# Allow forward connections with log`
1221	richard	415	`#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "`
1159	crox53	416	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW`
859	richard	417	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT`
1	root	418
783	richard	419	`#############################`
		420	`# OUTPUT #`
		421	`#############################`
1159	crox53	422	`# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur`
		423	`# Everything is allowed but traffic through outside network interface`
498	richard	424	`$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT`
520	richard	425
1587	richard	426	`# Si configéré, on autorise les requêtes DHCP`
		427	`# Allow DHCP requests if configured`
		428	public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE\|cut -d"=" -f2` # ALCASAR WAN IP address
		429	`if [[ "$public_ip_mask" == "dhcp" ]]`
		430	`then`
		431	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT`
		432	`$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT`
		433	`fi`
		434
503	richard	435	`# On autorise les requêtes DNS vers les serveurs DNS identifiés`
498	richard	436	`# Allow DNS requests to identified DNS servers`
		437	`$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT`
783	richard	438
615	richard	439	`# On autorise les requêtes HTTP sortantes`
498	richard	440	`# HTTP requests are allowed`
1159	crox53	441	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW`
498	richard	442	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT`
783	richard	443
784	richard	444	`# On autorise les requêtes FTP`
		445	`# FTP requests are allowed`
1705	richard	446	`modprobe nf_conntrack_ftp`
784	richard	447	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT`
1159	crox53	448	`$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT`
784	richard	449
615	richard	450	`# On autorise les requêtes NTP`
498	richard	451	`# NTP requests are allowed`
		452	`$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT`
783	richard	453
503	richard	454	`# On autorise les requêtes ICMP (ping)`
		455	`# ICMP (ping) requests are allowed`
		456	`$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT`
783	richard	457
615	richard	458	`# On autorise les requêtes LDAP si un serveur externe est configué`
		459	`# LDAP requests are allowed if an external server is declared`
		460	`if [ $LDAP = on ]`
		461	`then`
694	franck	462	`$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT`
		463	`$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT`
615	richard	464	`fi`
783	richard	465
		466	`#############################`
		467	`# POSTROUTING #`
		468	`#############################`
498	richard	469	`# Traduction dynamique d'adresse en sortie`
476	richard	470	`# Dynamic NAT on EXTIF`
1	root	471	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`
		472
476	richard	473	`# End of script`
1	root	474

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh @ 2976 – Rev 1854