WebSVN – ALCASAR – Path Comparison – / – /scripts/alcasar-iptables.sh Rev 577 and /scripts/alcasar-iptables.sh Rev 604

Ignore whitespace Rev 577 → Rev 604

 /scripts/alcasar-iptables.sh
 ,16 → 9,22
 #       3 for exterior access attempts.
 # The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
+private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2`
+private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2`         # LAN IP address (ie.: 192.168.182.0)
+private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2`          # LAN prefix (ie. 24)
+dns1=`grep DNS1 /usr/local/etc/alcasar-network|cut -d"=" -f2`           # first public DNS server
+dns2=`grep DNS2 /usr/local/etc/alcasar-network|cut -d"=" -f2`           # second public DNS server
 IPTABLES="/sbin/iptables"
 PROTO_FILTERING="no"
 DNS_FILTERING="no"
 QOS="no"
-EXTIF="eth0"
+EXTIF="eth0"
 INTIF="eth1"
-TUNIF="tun0"
-PRIVATE_NETWORK_MASK="192.168.182.0/24"
-PRIVATE_IP="192.168.182.1"
-DNSSERVERS="208.67.220.220,208.67.222.222"
+TUNIF="tun0"                                                            # listen card for chilli daemon
+PRIVATE_NETWORK_MASK=$private_network/$private_prefix                   # Lan IP address + prefix (192.168.182.0/24)
+PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`                      # ALCASAR LAN IP address
+DNSSERVERS="$dns1,$dns2"                                                # first and second DNS IP servers addresses
 # Effacement des règles existantes
 # Flush all existing rules
 ,17 → 83,6
 # Drop broadcast & multicast
 $IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
-# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN
-# Allow ping (icmp N°0 & 8) from LAN
-$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
-$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
-# Insertion de règles locales
-# Here, we add local rules (i.e. ssh from Internet)
-if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
-        . /usr/local/etc/alcasar-iptables-local.sh
-fi
 # Rejet des tentatives de création de tunnels DNS (même pour les utilisateurs authentifiés)
 # Deny forward DNS (even for authenticated users ...)
 $IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
 ,18 → 161,36
 $IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
 $IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT
-###########################################################################################
-#  Direct input from local network (dns, ntp, https, http, ssh and 3990 (user disconnect) #
-###########################################################################################
+#################################################################################################
+#  Direct input from local network (icmp, dns, ntp, https, http, ssh and 3990 (user disconnect) #
+#################################################################################################
+$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT # ping reply
+$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT # ping request
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # dnsmasq without forward
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT # dnsmasq with blackhole
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT
-$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
-$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT
+# SSHD rules if activate
+ssh_active=`grep SSH /usr/local/etc/alcasar-network|cut -d"=" -f2`
+if [ $ssh_active = "on" ]
+        then
+        Admin_from_IP="0.0.0.0/0.0.0.0"         # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0  = de n'importe où ! )
+        $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
+        $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
+        $IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
+        $IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW,ESTABLISHED -j ACCEPT
+        $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
+fi
+# Insertion de règles locales
+# Here, we add local rules (i.e. ssh from Internet)
+if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
+        . /usr/local/etc/alcasar-iptables-local.sh
+fi
 # On autorise les retours de connexions légitimes par INPUT
 # Conntrack on INPUT
 $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 577 → Rev 604