9,16 → 9,22 |
# 3 for exterior access attempts. |
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script |
|
private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2` |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0) |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24) |
dns1=`grep DNS1 /usr/local/etc/alcasar-network|cut -d"=" -f2` # first public DNS server |
dns2=`grep DNS2 /usr/local/etc/alcasar-network|cut -d"=" -f2` # second public DNS server |
|
IPTABLES="/sbin/iptables" |
PROTO_FILTERING="no" |
DNS_FILTERING="no" |
QOS="no" |
EXTIF="eth0" |
EXTIF="eth0" |
INTIF="eth1" |
TUNIF="tun0" |
PRIVATE_NETWORK_MASK="192.168.182.0/24" |
PRIVATE_IP="192.168.182.1" |
DNSSERVERS="208.67.220.220,208.67.222.222" |
TUNIF="tun0" # listen card for chilli daemon |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
|
# Effacement des règles existantes |
# Flush all existing rules |
77,17 → 83,6 |
# Drop broadcast & multicast |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
|
# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN |
# Allow ping (icmp N°0 & 8) from LAN |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT |
|
# Insertion de règles locales |
# Here, we add local rules (i.e. ssh from Internet) |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then |
. /usr/local/etc/alcasar-iptables-local.sh |
fi |
|
# Rejet des tentatives de création de tunnels DNS (même pour les utilisateurs authentifiés) |
# Deny forward DNS (even for authenticated users ...) |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable |
166,18 → 161,36 |
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT |
|
########################################################################################### |
# Direct input from local network (dns, ntp, https, http, ssh and 3990 (user disconnect) # |
########################################################################################### |
################################################################################################# |
# Direct input from local network (icmp, dns, ntp, https, http, ssh and 3990 (user disconnect) # |
################################################################################################# |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT # ping reply |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT # ping request |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # dnsmasq without forward |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT # dnsmasq with blackhole |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT |
|
# SSHD rules if activate |
ssh_active=`grep SSH /usr/local/etc/alcasar-network|cut -d"=" -f2` |
if [ $ssh_active = "on" ] |
then |
Admin_from_IP="0.0.0.0/0.0.0.0" # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! ) |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW,ESTABLISHED -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT |
fi |
|
# Insertion de règles locales |
# Here, we add local rules (i.e. ssh from Internet) |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then |
. /usr/local/etc/alcasar-iptables-local.sh |
fi |
|
# On autorise les retours de connexions légitimes par INPUT |
# Conntrack on INPUT |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |