45,6 → 45,9 |
TUNIF="tun0" # listen device for chilli daemon |
IPTABLES="/sbin/iptables" |
|
#lancement du module kernel ipt_NETFLOW (module iptables) |
modprobe ipt_NETFLOW destination=127.0.0.1:2055 |
|
# Effacement des règles existantes |
# Flush all existing rules |
$IPTABLES -F |
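Review bot: The exit status of `modprobe ipt_NETFLOW destination=127.0.0.1:2055` is never checked; if the module is absent, every later `-j NETFLOW` append fails while the paired `-j ACCEPT` appends still succeed, so the firewall comes up fully open but with no flow accounting and no message. Guard it, e.g. `modprobe ipt_NETFLOW destination=127.0.0.1:2055 || { echo "ipt_NETFLOW failed to load: flow accounting disabled" >&2; exit 1; }`, or at minimum log the failure before `$IPTABLES -F` runs. The collector address is hard-coded next to `TUNIF=` and `IPTABLES=`; a `NETFLOW_DEST="127.0.0.1:2055"` variable beside them would keep it configurable in the same place. Whether the script runs under `set -e` is not visible in this hunk.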
132,6 → 135,7 |
|
# On autorise les retours de connexions légitimes par INPUT |
# Conntrack on INPUT |
#$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j NETFLOW |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
|
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
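Review bot: The commented-out `#$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j NETFLOW` leaves a dead rule in the script with no record of why it is disabled, and the hunk at 154 does the same with `#$IPTABLES -A INPUT -i $TUNIF ... --dport 8080 -j NETFLOW`. Either delete the line or replace it with a comment stating the decision, e.g. `# INPUT conntrack traffic is intentionally not exported to NETFLOW`, so the next reader does not have to guess whether it was an oversight.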
154,6 → 158,8 |
fi |
# Autorisation des connexions légitimes à DansGuardian |
# Allow connections for DansGuardian |
#Flux netflow des requêtes HTTP à destination de DansGuardian |
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -j NETFLOW |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT |
|
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
249,7 → 255,6 |
#fi |
|
# Autorisation des retours de connexions légitimes |
# Allow conntrack |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
# If protocols filter is activate |
261,6 → 266,7 |
while read ip_exception |
do |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-filter-exceptions |
fi |
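Review bot: The new `-j NETFLOW` rule is restricted to `-m state --state NEW`, so only the first packet of each accepted connection reaches the target; every later packet of the flow is accepted by the ESTABLISHED,RELATED rule at 255 without passing through NETFLOW. If ipt_NETFLOW only accounts packets that hit the target, as its per-packet target semantics suggest, the exported records will carry a single packet per flow rather than the real byte counts; the same applies to the NETFLOW rules in the hunks at 272, 286 and 311. If one-record-per-connection is the intent, say so in the comment above the rule, otherwise the accounting rule should not carry the `--state NEW` match. Separately, `while read ip_exception` and the unquoted `$ip_exception` mean a blank or commented line in /usr/local/etc/alcasar-filter-exceptions yields a malformed `-s` argument; `while IFS= read -r ip_exception; do [ -n "$ip_exception" ] || continue` with `"$ip_exception"` quoted avoids that, and the same holds for `$ip_allowed` and `$svc_port` in the following hunks. The `if` closed by the final `fi` starts outside this hunk.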
272,6 → 278,7 |
do |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2` |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-uamallowed |
fi |
286,11 → 293,15 |
svc_port=`echo $svc_line|cut -d" " -f2` |
if [ $svc_name = "icmp" ] |
then |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT |
else |
|
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT |
fi |
fi |
311,18 → 322,19 |
# Autorisation des connections sortant du LAN |
# Allow forward connections with log |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT |
|
############################# |
# OUTPUT # |
############################# |
|
# On autorise les retours de connexions légitimes par OUTPUT |
# Conntrack on OUTPUT |
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
# On laisse tout sortir sur INTIF |
# Everything is allowed only on INTIF |
# SSHD rules if activate |
if [ $SSH = on ] |
then |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT |
fi |
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur |
# Everything is allowed but traffic through outside network interface |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT |
|
# On autorise les requêtes DNS vers les serveurs DNS identifiés |
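Review bot: The rule `$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT` under `if [ $SSH = on ]` can never match, because the general `-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` appended a few lines earlier already accepts every ESTABLISHED packet leaving the host; which of these lines is new is not visible without side markers. Either drop the SSH branch or move it before the conntrack rule if the intent is separate logging or accounting for SSH replies. The test should also be quoted, `if [ "$SSH" = on ]`, since an unset `SSH` currently makes `[` fail with a unary-operator error and the branch is silently skipped.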
331,6 → 343,7 |
|
# On autorise les requêtes HTTP sortantes |
# HTTP requests are allowed |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT |
|
# On autorise les requêtes FTP |
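Review bot: `$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW` matches every outbound HTTP packet, whereas the FORWARD accounting rules added in the hunks at 261 to 311 match only `--state NEW`; the two styles yield different records (full byte counts here, first packet only there), and the comment `# HTTP requests are allowed` does not say which is intended. If the per-packet form is the deliberate choice for the proxy's own traffic, a one-line comment such as `# all packets exported so flow byte counts are complete` would document it; otherwise align the match with the FORWARD rules.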
337,6 → 350,7 |
# FTP requests are allowed |
modprobe ip_conntrack_ftp |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
# On autorise les requêtes NTP |
# NTP requests are allowed |
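Review bot: `$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT` under the FTP comment is already covered by the general conntrack ACCEPT on OUTPUT earlier in the chain, so it never matches and does not scope anything to FTP data connections. If the intent is to admit only connections tracked by the FTP helper, the rule needs a helper restriction, e.g. `-m helper --helper ftp`; otherwise it can be removed. `modprobe ip_conntrack_ftp` is also unchecked and uses the legacy module name, so on a kernel that exposes only `nf_conntrack_ftp` the helper may be absent without any error from the script; checking the status, as for the ipt_NETFLOW load, would surface that.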
356,6 → 370,7 |
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT |
fi |
|
|
############################# |
# POSTROUTING # |
############################# |