1,15 → 1,19 |
#!/bin/sh |
# |
# $Id$ |
# script de mise en place des regles personnalisées du parefeu d'Alcasar |
# Rexy - 3abtux - CPN |
# version 2.2 (04/2016) |
# changelog : |
# + example to allow ICMP from an Internet IP address (Admin_from) to EXTIF |
# + exemple to allow SMTP from aLCASAR to an Internet server (SMTP_IP) |
# + exemple of PAT rules from Internet |
# + List of local MAC addresses filtered (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee) |
# this script inherit of alcasar-iptables.sh variables : $INTIF, $EXTIF, $IPTABLES, etc |
# Local MAC addresses filtering |
# |
# Custom rules for ALCASAR firewall |
# |
# Examples: |
# - Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee) |
# - allow ICMP from an Internet IP address (Admin_from) to EXTIF |
# - allow SMTP from aLCASAR to an Internet server (SMTP_IP) |
# - PAT rules from Internet |
# - Deny access to protected networks from internal LAN |
# - Allow managers to access ACC from the external network |
# This script inherit of alcasar-iptables.sh variables : $INTIF, $EXTIF, $IPTABLES, etc |
|
# Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee) |
if [ -s /usr/local/etc/alcasar-iptables-local-mac-filtered ]; then |
while read mac_line |
do |
26,17 → 30,19 |
done < /usr/local/etc/alcasar-iptables-local-mac-filtered |
fi |
|
# On autorise le ping (echo & request) (icmp N°0 & 8) en provenance de l'extérieur vers ALCASAR |
# ping (echo & request) (icmp N°0 & 8) is allowed on EXTIF |
#$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT |
# On autorise le ping (echo & request) (ICMP N°0 & 8) en provenance de l'extérieur vers ALCASAR |
# Allow ping (echo & request) (ICMP N°0 & 8) on EXTIF |
#$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT |
#$IPTABLES -A OUTPUT -o $EXTIF -d $Admin_from_IP -p icmp --icmp-type 0 -j ACCEPT |
|
# On autorise l'accès à un serveur MAIL (SMTP) pour l'envoie de rapports, alertes (logwatch, etc.) |
# Allow access to a mail server (SMTP) |
#SMTP_IP=0.0.0.0 # renseigner l'@IP du serveur SMTP |
#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport smtp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT |
#$IPTABLES -A INPUT -p tcp -s $SMTP_IP --sport smtp -m conntrack --ctstate ESTABLISHED -j ACCEPT |
#$IPTABLES -A INPUT -p tcp -s $SMTP_IP --sport smtp -m conntrack --ctstate ESTABLISHED -j ACCEPT |
|
# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipements du LAN depuis Internet |
# Allow PAT (Port Adresse Translation) |
#m_ports=5000,5001 |
#to_ip=192.168.182.3 |
#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP -m multiport --dports $m_ports -j DNAT --to $to_ip |
43,4 → 49,14 |
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $to_ip -m multiport --dports $m_ports -j ACCEPT |
#$IPTABLES -A FORWARD -o $EXTIF -p tcp -s $to_ip -m multiport --sports $m_ports -j ACCEPT |
|
# Fin du script des règles du parefeu |
# Deny access to protected networks from internal LAN |
#protectedNetworks='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' # (RFC 1918) |
#$IPTABLES -A FORWARD -i $TUNIF -d $protectedNetworks -j DROP |
|
# Allow managers to access ACC from the external network |
#managerIPs='192.168.111.10' |
#externalPort='34443' |
#$IPTABLES -t mangle -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport 443 -j MARK --set-mark 1 |
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j DNAT --to $PRIVATE_IP:443 |
#$IPTABLES -A INPUT -i $EXTIF -s $managerIPs -p tcp --dport 443 -m mark --mark 1 -j DROP |
#$IPTABLES -A INPUT -i $EXTIF -s $managerIPs -p tcp --dport 443 -j ACCEPT |