5,11 → 5,11 |
# Rexy - 3abtux - CPN |
# |
# Reminders |
# There are three channels for log : |
# 1 (default) for tracability; |
# 2 for secure admin (ssh); |
# 3 for exterior access attempts. |
# The French Security Agency (ANSSI) rules was applied by 'this script |
# There are four channels for log : |
# 1 tracability with The 'Netflow' kernel module (iptables target = NETFLOW); |
# 2 protection of ALCASAR with the Ulog group 1 (default group) |
# 3 SSH with the ulog group 2; |
# 4 extern access attempts with the ulog group 3. |
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova |
conf_file="/usr/local/etc/alcasar.conf" |
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2` |
76,7 → 76,7 |
############################# |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT |
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules |
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
|
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT |
102,8 → 102,9 |
fi |
|
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD |
# Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD |
## $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
|
# Redirection des requêtes HTTP vers DansGuardian (proxy transparent) |
# Redirect HTTP requests in DansGuardian (transparent proxy) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
137,8 → 138,8 |
# Conntrack on INPUT |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
|
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING) |
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset |
|
# Insertion des règles de blocage IP |
150,7 → 151,7 |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
# $IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j REJECT |
fi |
done < /usr/local/etc/alcasar-ip-blocked |
226,7 → 227,6 |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
262,7 → 262,7 |
then |
while read ip_exception |
do |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT " |
# $IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-filter-exceptions |
274,7 → 274,7 |
while read ip_allowed_line |
do |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2` |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT " |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-uamallowed |
294,10 → 294,10 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT |
else |
|
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT " |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT |
fi |
305,7 → 305,7 |
done < /usr/local/etc/alcasar-services |
# Rejet explicite des autres protocoles |
# reject the others protocols |
$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT " |
# $IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT " |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT |
318,7 → 318,7 |
|
# Autorisation des connections sortant du LAN |
# Allow forward connections with log |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT " |
#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT |
|
358,8 → 358,6 |
then |
$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT |
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT |
fi |
|
|