WebSVN – ALCASAR – Blame – /scripts/alcasar-iptables.sh

Rev	Author	Line No.	Line
872	richard	1	`#!/bin/bash`
64	franck	2	`# $Id: alcasar-iptables.sh 3040 2022-07-17 22:31:53Z rexy $`
675	richard	3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`
1339	richard	4	`# This script writes the netfilter rules for ALCASAR`
675	richard	5	`# Rexy - 3abtux - CPN`
		6	`#`
		7	`# Reminders`
1221	richard	8	`# There are four channels for log :`
1294	richard	9	`# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);`
2454	tom.houday	10	`# 2 protection of ALCASAR with the Ulog group 1 (default group)`
1294	richard	11	`# 3 SSH on ALCASAR with the Ulog group 2;`
		12	`# 4 extern access attempts on ALCASAR with the Ulog group 3.`
2454	tom.houday	13	`# The bootps/dhcp (67) port is always open on tun0/INTIF by coova`
1469	richard	14	`CONF_FILE="/usr/local/etc/alcasar.conf"`
1587	richard	15	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace
		16	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace
		17	`TUNIF="tun0" # listen device for chilli daemon`
1469	richard	18	private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`
615	richard	19	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`
783	richard	20	PRIVATE_IP=`echo $private_ip_mask \| cut -d"/" -f1` # ALCASAR LAN IP address
604	richard	21	private_network=`/bin/ipcalc -n $private_ip_mask\|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
		22	private_prefix=`/bin/ipcalc -p $private_ip_mask\|cut -d"=" -f2` # LAN prefix (ie. 24)
783	richard	23	`PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)`
1469	richard	24	public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE\|cut -d"=" -f2` # ALCASAR WAN IP address
1585	richard	25	`if [[ "$public_ip_mask" == "dhcp" ]]`
		26	`then`
		27	`PTN="\b(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\/([012]?[0-9]\|3[0-2])\b"`
1587	richard	28	public_ip_mask=`ip addr show $EXTIF \| egrep -o $PTN`
1585	richard	29	`fi`
783	richard	30	PUBLIC_IP=`echo $public_ip_mask \| cut -d"/" -f1`
1588	richard	31	dns1=`grep ^DNS1= $CONF_FILE\|cut -d"=" -f2`
		32	dns2=`grep ^DNS2= $CONF_FILE\|cut -d"=" -f2`
615	richard	33	`dns1=${dns1:=208.67.220.220}`
		34	`dns2=${dns2:=208.67.222.222}`
1585	richard	35	`DNSSERVERS="$dns1,$dns2" # first and second public DNS servers`
2688	lucas.echa	36	INT_DNS_IP=`grep INT_DNS_IP $CONF_FILE\|cut -d"=" -f2` # Adresse du serveur DNS interne
		37	INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE\|cut -d"=" -f2` # Activation de la redirection DNS interne
1332	richard	38	`BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP`
1932	richard	39	`WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP`
2454	tom.houday	40	`TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set`
1364	richard	41	`TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation`
2956	rexy	42	`TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips`
1469	richard	43	SSH=`grep ^SSH= $CONF_FILE\|cut -d"=" -f2` # sshd active (on/off)
615	richard	44	`SSH=${SSH:=off}`
3040	rexy	45	SSH_PORT=`grep ^SSH_WAN= $CONF_FILE\|cut -d"=" -f2` #ssh WAN port
		46	`SSH_PORT=${SSH_PORT:=0}`
1469	richard	47	SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE\|cut -d"=" -f2`
1063	richard	48	`SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)`
612	richard	49	`IPTABLES="/sbin/iptables"`
2521	armand.ito	50	`IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP`
2841	rexy	51	`SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)`
2956	rexy	52	MULTIWAN=`grep ^MULTIWAN $CONF_FILE\|cut -d"=" -f2`
		53	PROXY=`grep ^PROXY= $CONF_FILE\|cut -d"=" -f2`
		54	PROXY_IP=`grep ^PROXY_IP= $CONF_FILE\|cut -d"=" -f2`
		55	nb_gw=`grep ^WAN $CONF_FILE\|wc -l`
3040	rexy	56	HOST=`grep ^HOSTNAME= $CONF_FILE\|cut -d"=" -f2`
		57	DOM=`grep ^DOMAIN= $CONF_FILE\|cut -d"=" -f2`
		58	`DOMAIN="$HOST.$DOM"`
1	root	59
2688	lucas.echa	60	`# Allow requests to internal DNS if activated`
		61	`if [ "$INT_DNS_ACTIVE" = "on" ]`
		62	`then`
		63	`DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"`
		64	`fi`
		65
2956	rexy	66	`#ipset name list for load_balancing`
		67	`gw_list="gw0"`
		68	`if [ "$MULTIWAN" == "on" ] \|\| [ "$MULTIWAN" == "On" ]; then`
		69	`for ((i=1 ; i<=$nb_gw ; i++)); do`
		70	`gw_list="${gw_list} gw$i"`
		71	`done`
		72	`fi`
		73
		74
1364	richard	75	`# Sauvegarde des SET des utilisateurs connectés si ils existent`
		76	`# Saving SET of connected users if it exists`
1867	raphael.pi	77	`ipset list not_filtered 1>/dev/null 2>&1`
1364	richard	78	`if [ $? -eq 0 ];`
		79	`then`
1867	raphael.pi	80	`ipset save not_filtered > $TMP_users_set_save`
2841	rexy	81	`ipset save av >> $TMP_users_set_save`
		82	`ipset save av_bl >> $TMP_users_set_save`
		83	`ipset save av_wl >> $TMP_users_set_save`
2006	raphael.pi	84	`ipset save proto_0 >> $TMP_users_set_save`
		85	`ipset save proto_1 >> $TMP_users_set_save`
		86	`ipset save proto_2 >> $TMP_users_set_save`
		87	`ipset save proto_3 >> $TMP_users_set_save`
1364	richard	88	`fi`
		89
2956	rexy	90	`# Sauvegarde de la liste de toutes les IP déjà connectées pour les réintégrer dans le load balancing`
		91	`# Saving all of the already connected IP in order to put them back in the load balancing after`
		92	`if [ ! -f $TMP_ip_gw_save ];then`
		93	`# Save only if alcasar-network.sh --save has not been executed before`
		94	`for i in $gw_list;do`
		95	`ipset list $i 1>/dev/null 2>&1`
		96	`if [ $? -eq 0 ]`
		97	`then`
		98	`# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines execpt the members`
		99	`ipset list $i \| cut -d":" -f5 \| sed '/^[[:space:]]*$/d' >> $TMP_ip_gw_save`
		100	`fi`
		101	`done`
		102	`fi`
		103
2668	rexy	104	`# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)`
1291	richard	105	`# loading of NetFlow probe (ipt_NETFLOW kernel module)`
1159	crox53	106	`modprobe ipt_NETFLOW destination=127.0.0.1:2055`
		107
498	richard	108	`# Effacement des règles existantes`
476	richard	109	`# Flush all existing rules`
1	root	110	`$IPTABLES -F`
		111	`$IPTABLES -t nat -F`
		112	`$IPTABLES -t mangle -F`
		113	`$IPTABLES -F INPUT`
		114	`$IPTABLES -F FORWARD`
		115	`$IPTABLES -F OUTPUT`
		116
498	richard	117	`# Suppression des chaines utilisateurs sur les tables filter et nat`
		118	`# Flush non default rules on filter and nat tables`
		119	`$IPTABLES -X`
		120	`$IPTABLES -t nat -X`
		121
		122	`# Stratégies par défaut`
476	richard	123	`# Default policies`
1	root	124	`$IPTABLES -P INPUT DROP`
		125	`$IPTABLES -P FORWARD DROP`
498	richard	126	`$IPTABLES -P OUTPUT DROP`
1	root	127	`$IPTABLES -t nat -P PREROUTING ACCEPT`
		128	`$IPTABLES -t nat -P POSTROUTING ACCEPT`
		129	`$IPTABLES -t nat -P OUTPUT ACCEPT`
		130
1484	richard	131
		132	`#############################`
		133	`# IPSET #`
		134	`#############################`
		135
1291	richard	136	`# destruction de tous les SET`
1332	richard	137	`# destroy all SET`
1876	raphael.pi	138	`ipset flush`
1291	richard	139	`ipset destroy`
1855	raphael.pi	140
1484	richard	141	`###### BL set ###########`
		142	`# Calcul de la taille / Compute the length`
1932	richard	143	`bl_set_length=$(wc -l $BL_IP_CAT/* \| awk '{print $1}' \| tail -n 1)`
1484	richard	144	`# Chargement / loading`
1867	raphael.pi	145	`echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save`
1393	richard	146	for category in `ls -1 $BL_IP_CAT \| cut -d '@' -f1`
1332	richard	147	`do`
1364	richard	148	`cat $BL_IP_CAT/$category >> $TMP_set_save`
1332	richard	149	`done`
1364	richard	150	`ipset -! restore < $TMP_set_save`
		151	`rm -f $TMP_set_save`
1484	richard	152	`# Suppression des ip réhabilitées / Removing of rehabilitated ip`
1339	richard	153	`for ip in $(cat $IP_REHABILITEES)`
		154	`do`
2688	lucas.echa	155	`ipset -q del bl_ip_blocked $ip`
1339	richard	156	`done`
		157
2841	rexy	158	`# ipset for exception web sites (usefull for filtered users = av_bl)`
2485	franck	159	`ipset create site_direct hash:net hashsize 1024`
		160	`for site in $(cat $SITE_DIRECT)`
		161	`do`
2688	lucas.echa	162	`ipset add site_direct $site`
2485	franck	163	`done`
		164
1484	richard	165	`###### WL set ###########`
2688	lucas.echa	166	`# taille fixe, car peuplé par dnsmasq / fixe length due to dnsmasq dynamic loading`
1896	raphael.pi	167	`wl_set_length=65536`
1484	richard	168	`# Chargement Loading`
1867	raphael.pi	169	`echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save`
1852	raphael.pi	170	`#get ip-wl files from ACC`
1932	richard	171	for category in `ls -1 $WL_IP_CAT \|cut -d '@' -f1`
1852	raphael.pi	172	`do`
1932	richard	173	`cat $WL_IP_CAT/$category >> $TMP_set_save`
1852	raphael.pi	174	`done`
1364	richard	175	`ipset -! restore < $TMP_set_save`
		176	`rm -f $TMP_set_save`
		177
2454	tom.houday	178	`# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET`
1377	richard	179	`# Restoring the connected users SETs if available, otherwise creating SETs`
1364	richard	180	`if [ -e $TMP_users_set_save ];`
		181	`then`
		182	`ipset -! restore < $TMP_users_set_save`
		183	`rm -f $TMP_users_set_save`
		184	`else`
2386	tom.houday	185	`ipset create not_filtered hash:ip hashsize 1024`
2841	rexy	186	`ipset create av hash:ip hashsize 1024`
		187	`ipset create av_bl hash:ip hashsize 1024`
		188	`ipset create av_wl hash:ip hashsize 1024`
2668	rexy	189	`# pour les filtrages de protocole par utilisateur / For network protocols filtering by user`
2386	tom.houday	190	`ipset create proto_0 hash:ip hashsize 1024`
		191	`ipset create proto_1 hash:ip hashsize 1024`
		192	`ipset create proto_2 hash:ip hashsize 1024`
		193	`ipset create proto_3 hash:ip hashsize 1024`
1364	richard	194	`fi`
		195
2956	rexy	196	`#ipsets for load balancing`
		197	`for i in $gw_list; do`
		198	`ipset create $i hash:ip`
		199	`done`
		200	`cat $TMP_ip_gw_save \| while read ip; do`
		201	`gw_min="gw0"`
		202	weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE \| cut -d"=" -f2`
		203	already=`ipset list $gw_min \| grep Number\ of\ entries: \| cut -d":" -f2`
		204	`#The *1000 is here to avoid working on floats in bash`
		205	`gw_min_value=$((1000 * $already / $weight))`
		206	`i=1`
		207	`for gw in $gw_list;do`
		208	`if [ "$gw" != "gw0" ]; then`
		209	weight=`grep ^WAN$i= $CONF_FILE \| awk -F'"' '{ print $2 }' \| awk -F ',' '{ print $2 }'`
		210	already=`ipset list $gw \| grep Number\ of\ entries: \| cut -d":" -f2`
		211	`value=$((1000 * $already / $weight))`
		212	`if [ $value -lt $gw_min_value ]`
		213	`then`
		214	`gw_min_value=$value`
		215	`gw_min=$gw`
		216	`fi`
		217	`i=$(($i+1))`
		218	`fi`
		219	`done`
		220	`ipset add $gw_min $ip`
		221	`done`
		222	`rm -f $TMP_ip_gw_save`
		223
		224
		225
472	richard	226	`#############################`
783	richard	227	`# PREROUTING #`
472	richard	228	`#############################`
1827	raphael.pi	229
2956	rexy	230
2840	rexy	231	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT`
		232	`# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules`
2841	rexy	233	`# 8080 = ipset av_bl`
2355	tom.houday	234	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "`
783	richard	235	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1`
2841	rexy	236	`# 8090 = ipset av_wl + av`
2355	tom.houday	237	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "`
1486	richard	238	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2`
2844	rexy	239	`# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av (future version)`
		240	`#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "`
		241	`#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6`
1486	richard	242
2840	rexy	243	`# Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT`
		244	`# Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules`
2841	rexy	245	`# 54 = ipset av_bl`
1486	richard	246	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3`
1962	richard	247	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j MARK --set-mark 3`
2841	rexy	248	`# 55 = ipset av_wl`
1486	richard	249	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4`
1962	richard	250	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 55 -j MARK --set-mark 4`
2840	rexy	251	`# 56 = blackall`
1486	richard	252	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5`
1962	richard	253	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 56 -j MARK --set-mark 5`
1472	richard	254
2840	rexy	255	`# redirection DNS des usagers`
		256	`# users DNS redirection`
2841	rexy	257	`# 54 = ipset av_bl`
		258	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54`
		259	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p tcp --dport domain -j REDIRECT --to-port 54`
		260	`# 55 = ipset av_wl`
		261	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55`
		262	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55`
2956	rexy	263	`# 53 = all other users`
2517	rexy	264	`$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53`
		265	`$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53`
		266
2844	rexy	267	`# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')`
		268	`# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)`
		269	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80`
		270
		271	`# Redirection HTTP des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')`
		272	`# Redirect HTTP of 'av_wl' users who want IP not in the WL to ALCASAR ('access denied' page)`
		273	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80`
		274
		275	`# Journalisation des usagers "av_bl + av_wl + av" (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.`
		276	`# accounting of "av_bl + av_wl + av" users (only syn packets). Other protocols are logged in FORWARD by netflow`
		277	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "`
		278	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "`
		279	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "`
		280
		281	`# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian`
		282	`# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian`
2841	rexy	283	`# 8080 = ipset av_bl`
2956	rexy	284	`#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200`
2841	rexy	285	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080`
		286	`# 8090 = ipset av_wl & av`
		287	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090`
		288	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090`
2840	rexy	289
2844	rexy	290	`# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian (in a future version - don't forget to set E2guardian as a tranparent HTTPS proxy)`
2841	rexy	291	`# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian`
2844	rexy	292	`#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443`
		293	`#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443`
		294	`#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443`
2840	rexy	295
783	richard	296	`# Redirection des requêtes NTP vers le serveur NTP local`
		297	`# Redirect NTP request in local NTP server`
		298	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123`
		299
2956	rexy	300	`#Récupération de la marque associée à une gw pour chaque connection`
		301	`$IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark`
		302
		303	`if [ "$PROXY" == "on" ] \|\| [ "$PROXY" == "On" ];then`
		304	`$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp -m multiport --dports http,https -j DNAT --to-destination $PROXY_IP`
		305	`fi`
		306
		307	`#Marquage pour le load balancing`
		308	`if [ "$MULTIWAN" == "on" ] \|\| [ "$MULTIWAN" == "On" ]; then`
		309	`temp_index=200`
		310	`for i in $gw_list; do`
		311	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index`
		312	`temp_index=$(($temp_index+1))`
		313	`done`
		314	`fi`
		315
		316
472	richard	317	`#############################`
783	richard	318	`# INPUT #`
472	richard	319	`#############################`
871	richard	320
783	richard	321	`# Tout passe sur loopback`
		322	`# accept all on loopback`
		323	`$IPTABLES -A INPUT -i lo -j ACCEPT`
990	franck	324	`$IPTABLES -A OUTPUT -o lo -j ACCEPT`
783	richard	325
		326	`# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)`
2956	rexy	327	`# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST and NEW not SYN)`
472	richard	328	`$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP`
		329	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP`
		330	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP`
		331	`$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP`
2496	tom.houday	332	`$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP`
498	richard	333
2454	tom.houday	334	`# Si configéré, on autorise les réponses DHCP`
1587	richard	335	`# Allow DHCP answers if configured`
		336	public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE\|cut -d"=" -f2` # ALCASAR WAN IP address
		337	`if [[ "$public_ip_mask" == "dhcp" ]]`
		338	`then`
		339	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 68 -j ACCEPT`
		340	`$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 68 -j ACCEPT`
		341	`fi`
871	richard	342	`# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)`
2454	tom.houday	343	`# Drop broadcast & multicast on EXTIF to avoid log`
1629	richard	344	`$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP`
498	richard	345
783	richard	346	`# On autorise les retours de connexions légitimes par INPUT`
		347	`# Conntrack on INPUT`
2496	tom.houday	348	`$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`
373	richard	349
2840	rexy	350	`# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)`
		351	`# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING)`
2841	rexy	352	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl`
		353	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av`
2844	rexy	354	`#$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av (future version)`
791	richard	355
2840	rexy	356	`# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian`
		357	`# Allow HTTP connections to E2Guardian`
2496	tom.houday	358	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT`
		359	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m conntrack --ctstate NEW --syn -j ACCEPT`
2844	rexy	360	`#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT # (future version)`
1486	richard	361
2840	rexy	362	`# On interdit les connexions directes aux ports d'écoupe DNS (UNBOUND). Les packets concernés ont été marqués dans la table mangle (PREROUTING)`
		363	`# Deny direct connections to DNS ports (UNBOUND). The concerned paquets are marked in mangle table (PREROUTING)`
1962	richard	364	`$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable`
		365	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 3 -j REJECT --reject-with tcp-reset`
		366	`$IPTABLES -A INPUT -i $TUNIF -p udp --dport 55 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable`
2840	rexy	367	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 4 -j REJECT --reject-with tcp-reset`
1962	richard	368	`$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable`
2840	rexy	369	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 5 -j REJECT --reject-with tcp-reset`
1472	richard	370
2840	rexy	371	`# On autorise les connexion DNS légitime`
		372	`# Allow DNS connections`
2841	rexy	373	`# ipset = av_bl`
783	richard	374	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT`
1962	richard	375	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT`
2841	rexy	376	`# ipset = av_wl`
1364	richard	377	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT`
1962	richard	378	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT`
2840	rexy	379	`# blackall`
1472	richard	380	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT`
1962	richard	381	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT`
1472	richard	382
2840	rexy	383	`# On accepte l'accès aux services internes`
783	richard	384	`# Internal services access`
2454	tom.houday	385	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS`
1962	richard	386	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS`
786	richard	387	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce`
		388	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request`
		389	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC`
		390	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages`
2370	tom.houday	391	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests`
786	richard	392	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server`
783	richard	393
2668	rexy	394	`# Accès au serveur SSHD si activé`
		395	`# SSHD server access if enabled`
783	richard	396	`if [ $SSH = on ]`
520	richard	397	`then`
2496	tom.houday	398	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"`
783	richard	399	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`
3040	rexy	400	`if [ $SSH_PORT -gt 0 ]`
		401	`then`
		402	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"`
		403	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT`
		404	`fi`
520	richard	405	`fi`
783	richard	406
		407	`# Insertion de règles locales`
		408	`# Here, we add local rules (i.e. VPN from Internet)`
		409	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`
2454	tom.houday	410	`. /usr/local/etc/alcasar-iptables-local.sh`
783	richard	411	`fi`
		412
		413	`# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN`
		414	`# Deny and log on INPUT from the LAN`
2844	rexy	415	`$IPTABLES -A INPUT -i $TUNIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-prefix "RULE rej-int -- REJECT "`
783	richard	416	`$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`
		417	`$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`
		418
1393	richard	419	`# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).`
783	richard	420	`# Reject INTIF access (only when chilli is down)`
2844	rexy	421	`$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 3 --nflog-prefix "RULE Protect1 -- REJECT "`
783	richard	422	`$IPTABLES -A INPUT -i $INTIF -j REJECT`
		423
		424	`# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)`
		425	`# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)`
2496	tom.houday	426	`$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"`
783	richard	427
		428	`#############################`
		429	`# FORWARD #`
		430	`#############################`
		431
2841	rexy	432	`# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl`
		433	`# Deny IPs of the SET bl_ip_blocked for the set av_bl`
		434	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited`
		435	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited`
		436	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset`
1364	richard	437
2184	richard	438	`# Active le suivi de session`
		439	`# Allow Conntrack`
2496	tom.houday	440	`$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`
790	richard	441
2668	rexy	442	`# Compute uamallowed IP (ie : IP address of equipments connected between ALCASAR and router like DMZ, own servers, etc.)`
2006	raphael.pi	443	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed \| cut -d" " -f1`
		444	`if [ $nb_uamallowed != "0" ]`
		445	`then`
2454	tom.houday	446	`while read ip_allowed_line`
1488	richard	447	`do`
2006	raphael.pi	448	ip_allowed=`echo $ip_allowed_line\|cut -d"\"" -f2`
2496	tom.houday	449	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m conntrack --ctstate NEW -j NETFLOW`
		450	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m conntrack --ctstate NEW -j ACCEPT`
2006	raphael.pi	451	`done < /usr/local/etc/alcasar-uamallowed`
		452	`fi`
492	franck	453
2184	richard	454	`# filtrage protocole par utilisateur (profile 1 : http, https)`
		455	`# protocols filtering for users (profil 1 : http, https)`
2496	tom.houday	456	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset`
		457	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable`
2006	raphael.pi	458
2998	rexy	459	`# filtrage protocole par utilisateur (profile 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh)`
		460	`# protocols filtering for users (profil 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh)`
2006	raphael.pi	461
2998	rexy	462	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset`
		463	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable`
2006	raphael.pi	464
2184	richard	465	`# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)`
		466	`# protocols filtering for users (profil 3 : customized with ACC)`
		467	`custom_tcp_protocols_list='';custom_udp_protocols_list=''`
2006	raphael.pi	468	`while read svc_line`
		469	`do`
		470	svc_on=`echo $svc_line\|cut -b1`
		471	`if [ $svc_on != "#" ]`
2688	lucas.echa	472	`then`
2006	raphael.pi	473	svc_name=`echo $svc_line\|cut -d" " -f1`
		474	svc_port=`echo $svc_line\|cut -d" " -f2`
		475	`if [ $svc_name = "icmp" ]`
		476	`then`
2184	richard	477	`svc_icmp="on"`
2006	raphael.pi	478	`else`
2184	richard	479	`if [ "$custom_tcp_protocols_list" == "" ]`
		480	`then`
		481	`custom_tcp_protocols_list=$svc_port`
		482	`else`
		483	custom_tcp_protocols_list=`echo $custom_tcp_protocols_list","$svc_port`
		484	`fi`
		485	udp_svc=`egrep "[[:space:]]$svc_port/udp" /etc/services\|wc -l`
		486	`if [ $udp_svc = "1" ] # udp service exist`
		487	`then`
		488	`if [ "$custom_udp_protocols_list" == "" ]`
		489	`then`
		490	`custom_udp_protocols_list=$svc_port`
		491	`else`
		492	custom_udp_protocols_list=`echo $custom_udp_protocols_list","$svc_port`
		493	`fi`
		494	`fi`
1488	richard	495	`fi`
2006	raphael.pi	496	`fi`
		497	`done < /usr/local/etc/alcasar-services`
2184	richard	498	`if [ "$custom_tcp_protocols_list" == "" ]`
		499	`then`
		500	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -j REJECT`
		501	`else`
		502	`if [ "$svc_icmp" != "on" ]`
		503	`then`
		504	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j REJECT --reject-with icmp-proto-unreachable`
		505	`fi`
2496	tom.houday	506	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports $custom_tcp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset`
		507	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable`
2184	richard	508	`fi`
1488	richard	509
2841	rexy	510	`# Blocage des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL`
		511	`# Block 'av_wl' users who want IP not in the WL`
		512	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -j DROP`
2674	lucas.echa	513
2454	tom.houday	514	`# journalisation et autorisation des connections sortant du LAN`
476	richard	515	`# Allow forward connections with log`
2496	tom.houday	516	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j NETFLOW`
		517	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j ACCEPT`
1	root	518
783	richard	519	`#############################`
		520	`# OUTPUT #`
		521	`#############################`
2844	rexy	522	`# On laisse tout sortir sur la carte interne (voir les règles suivantes pour la carte externe)`
		523	`# We let everything out on INTIF (see following rules for the EXTIF)`
2213	richard	524	`$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT`
520	richard	525
2468	richard	526	`# Si configuré, on autorise les requêtes DHCP`
1587	richard	527	`# Allow DHCP requests if configured`
		528	public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE\|cut -d"=" -f2` # ALCASAR WAN IP address
		529	`if [[ "$public_ip_mask" == "dhcp" ]]`
		530	`then`
		531	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT`
		532	`$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT`
		533	`fi`
		534
2454	tom.houday	535	`# On autorise les requêtes DNS vers les serveurs DNS identifiés`
498	richard	536	`# Allow DNS requests to identified DNS servers`
2496	tom.houday	537	`$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT`
783	richard	538
2844	rexy	539	`# On autorise les requêtes HTTP et HTTPS avec log Netflow (en provenance de E2guardian)`
		540	`# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)`
1159	crox53	541	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW`
498	richard	542	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT`
2956	rexy	543	`#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)`
2259	tom.houday	544	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT`
		545
1862	raphael.pi	546	`# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)`
2468	richard	547	`# RSYNC requests are allowed (update of Toulouse BL)`
1862	raphael.pi	548	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT`
		549
2454	tom.houday	550	`# On autorise les requêtes FTP`
784	richard	551	`# FTP requests are allowed`
1705	richard	552	`modprobe nf_conntrack_ftp`
2642	rexy	553	`$IPTABLES -t raw -A OUTPUT -p tcp --dport ftp -j CT --helper ftp`
784	richard	554	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT`
2496	tom.houday	555	`$IPTABLES -A OUTPUT -o $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`
784	richard	556
2454	tom.houday	557	`# On autorise les requêtes NTP`
498	richard	558	`# NTP requests are allowed`
		559	`$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT`
783	richard	560
2454	tom.houday	561	`# On autorise les requêtes ICMP (ping)`
503	richard	562	`# ICMP (ping) requests are allowed`
		563	`$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT`
783	richard	564
2468	richard	565	`# On autorise les requêtes LDAP`
		566	`# LDAP requests are allowed`
2496	tom.houday	567	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT`
		568	`$IPTABLES -A OUTPUT -o $EXTIF -p udp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT`
783	richard	569
		570	`#############################`
		571	`# POSTROUTING #`
		572	`#############################`
498	richard	573	`# Traduction dynamique d'adresse en sortie`
476	richard	574	`# Dynamic NAT on EXTIF`
1	root	575	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`
		576
2956	rexy	577	`#Sauvegarde de la marque associée à la connexion pour le load balancing`
		578	`$IPTABLES -A POSTROUTING -t mangle -j CONNMARK --save-mark`
		579
2495	tom.houday	580	`#############################`
		581	`# FAIL2BAN #`
		582	`#############################`
		583	`# Reload Fail2Ban`
2530	lucas.echa	584	`if systemctl -q is-active fail2ban; then`
2899	rexy	585	`/usr/bin/fail2ban-client ping &>/dev/null && /usr/bin/fail2ban-client -q reload &>/dev/null`
2530	lucas.echa	586	`fi`

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 3040