29,7 → 29,7 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off} |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off) |
DNS_FILTERING=${DNS_FILTERING:=off} |
BL_IP_CAT="/usr/local/share/iptables-bl" # categories files of the BlackListed IP |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
QOS=${QOS:=off} |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
73,7 → 73,7 |
$IPTABLES -t nat -P OUTPUT ACCEPT |
|
# destruction de tous les SET |
# destroy all the SET |
# destroy all SET |
ipset destroy |
|
# Création et peuplement du SET alcasar_ip_blocked |
107,19 → 107,27 |
done |
IFS=$OLDIFS |
|
# Création et peuplement du SET blacklist_ip_blocked |
# creation and first populating of blacklist_ip_blocked SET |
# It take a lot of time (try to do this during the blacklist import process) |
#ipset create blacklist_ip_blocked hash:net hashsize 1024 |
#cd $BL_IP_CAT |
#for category in `ls -1 | cut -d"@" -f1` |
#do |
# while read ip_blocked |
# do |
# ipset add blacklist_ip_blocked $ip_blocked |
# done < $BL_IP_CAT/$category |
#done |
# Calcul de la taille du SET blacklist_ip_blocked |
# Computing the length of the blacklist_ip_blocked set |
cd $BL_IP_CAT |
ipset_length=$(wc -l * | awk '{print $1}' | tail -n 1) |
|
# Ajout du delta (ip entrées manuellement) |
# Addition of the delta (ip entered manually) |
((ipset_length=$ipset_length+10)) |
|
# Création du fichier ipset temporaire, remplissage, chargement et suppression |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > ipset_save |
for category in `ls -1 | cut -d '@' -f1` |
do |
cat $BL_IP_CAT/$category >> ipset_save |
done |
ipset -! restore < ipset_save |
rm -f ipset_save |
|
# Sauvegarde de tous les ipset (pour restaurer après redémarrage) |
ipset save > /etc/sysconfig/ipset_save |
|
############################# |
# PREROUTING # |
############################# |
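Review bot: The `cd $BL_IP_CAT` on the new side is unchecked, and the scratch file `ipset_save` is written into that same directory, so the `ls -1` in the loop picks it up as a category and the script ends up appending `ipset_save` to itself; if the cd fails instead, `wc -l *` and the loop run against whatever the previous working directory holds and feed it to `ipset restore`. The exit status of `ipset -! restore` is also not checked, so a partially loaded set (for example a `maxelem` value that turns out too small for the "+10 delta" heuristic) goes unnoticed while the FORWARD rules later in this commit reject against it. I would abort on a failed cd, build the restore script with `mktemp` outside the category tree, and report a failed restore on stderr; whether the category files are already in `add blacklist_ip_blocked …` restore syntax cannot be told from this hunk and is worth confirming, since the old commented loop read bare addresses.
```shell
cd "$BL_IP_CAT" || { echo "blacklist: cannot cd to $BL_IP_CAT" >&2; exit 1; }
# … unchanged: ipset_length computation and +10 delta …
ipset_save=$(mktemp) || exit 1
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > "$ipset_save"
for category in `ls -1 | cut -d '@' -f1`
do
cat "$BL_IP_CAT/$category" >> "$ipset_save"
done
ipset -! restore < "$ipset_save" || echo "blacklist: ipset restore of blacklist_ip_blocked failed" >&2
rm -f "$ipset_save"
```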
155,9 → 163,9 |
|
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window) |
#if [ $DNS_FILTERING = on ]; then |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
#fi |
if [ $DNS_FILTERING = on ]; then |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
fi |
|
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
270,11 → 278,11 |
|
# Blocage des IPs du SET blacklist_ip_blocked |
# Deny IPs of the SET blacklist_ip_blocked |
#if [ $DNS_FILTERING = on ]; then |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
#fi |
if [ $DNS_FILTERING = on ]; then |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
fi |
|
# Autorisation des retours de connexions légitimes |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
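Review bot: The ICMP and TCP REJECT rules in this hunk pass `--match-set blacklist_ip_blocked` without the required direction flag, which iptables refuses with "--match-set requires two args" (the UDP rule in between correctly says `dst`); since the script does not stop on errors, only the UDP rule is installed and TCP traffic to blacklisted addresses that is not already caught by the port-80 REDIRECT in PREROUTING is forwarded normally. The two lines should read `$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable` and `$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset`. The same missing flag appears in the commented-out old lines, so it was not introduced here, but the commit is what activates the rules.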