29,8 → 29,10 |
QOS=${QOS:=off} |
SSH=`grep SSH $conf_file|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
Admin_from_IP=${Admin_from_IP:="0.0.0.0/0.0.0.0"} # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! ) |
LDAP=`grep LDAP $conf_file|cut -d"=" -f2` # ldap external server active (on/off) |
LDAP=${LDAP:=off} |
LDAP_IP=${LDAP_IP:="0.0.0.0"} |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
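Review bot: `Admin_from_IP` and `LDAP_IP` get `:=` defaults here but, unlike `SSH` and `LDAP` just above them, nothing in this hunk reads them from `$conf_file`, so unless they are extracted elsewhere in the file the only way to set them is the caller's environment and the defaults always win. The `Admin_from_IP` default is also the open case: `0.0.0.0/0.0.0.0` matches any source, and the value is later spliced unquoted into an iptables `-s`, so a mistyped or space-containing value becomes extra iptables arguments rather than an error. I would read it the same way as the other settings and validate it before use, e.g. `Admin_from_IP=$(grep '^Admin_from_IP=' "$conf_file" | cut -d= -f2)` followed by `case "$Admin_from_IP" in *[!0-9./]*) echo "bad Admin_from_IP" >&2; exit 1;; esac`. Note too that the `grep SSH` / `grep LDAP` extraction is a substring match, so any other line containing those letters (a commented-out one, for instance) would be picked up; anchoring with `'^SSH='` avoids that.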
191,7 → 193,6 |
# SSHD rules if activate |
if [ $SSH = on ] |
then |
Admin_from_IP="0.0.0.0/0.0.0.0" # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! ) |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT" |
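Review bot: With the hard-coded `Admin_from_IP="0.0.0.0/0.0.0.0"` apparently no longer set inside this block, the `-s $Admin_from_IP` on the EXTIF rule is the only thing limiting ssh from the WAN, and the default declared earlier in this diff still means "any source", so `SSH=on` without an explicit admin address exposes sshd to the whole Internet. If that is intended, it should at least be visible at run time: `[ "$Admin_from_IP" = "0.0.0.0/0.0.0.0" ] && echo "WARNING: ssh on $EXTIF accepted from any source" >&2` before the rule, or skip the WAN rules entirely when no restriction is configured. The test `[ $SSH = on ]` is unquoted and only works because `SSH` is defaulted to `off` above; `[ "$SSH" = on ]` would not depend on that. The matching ACCEPT rule for the WAN log rule and the closing `fi` are outside this hunk.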
200,7 → 201,7 |
fi |
|
# Insertion de règles locales |
# Here, we add local rules (i.e. ssh from Internet) |
# Here, we add local rules (i.e. VPN from Internet) |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then |
. /usr/local/etc/alcasar-iptables-local.sh |
fi |
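Review bot: The updated comment says "i.e. VPN from Internet", but the VPN rule is an example of what the local file may hold, not its definition, so `e.g.` is the right word. Since the next line sources `/usr/local/etc/alcasar-iptables-local.sh` into a root shell with only an `-f` existence check, the comment is also the natural place to state the trust assumption: `# Here, we add local rules (e.g. VPN from Internet). This file is sourced as root: keep it root-owned and not group/world-writable.` Whether the file's ownership and mode are enforced elsewhere, for instance at install time, is not visible from this hunk.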
264,8 → 265,10 |
# LDAP requests are allowed if an external server is declared |
if [ $LDAP = on ] |
then |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ldap -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ldap -j ACCEPT |
$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT |
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT |
fi |
# Traduction dynamique d'adresse en sortie |
# Dynamic NAT on EXTIF |
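Review bot: The two commented-out INPUT rules use `-m multiports`, but the iptables match is `multiport` (spelled correctly in the active OUTPUT rules), so they will fail to load the moment someone uncomments them. The OUTPUT rules also pair `-p udp` with `ldaps` and `--state NEW,ESTABLISHED`: LDAPS is TLS over TCP, so UDP/636 is extra surface nothing should use, and narrowing that rule to `--dports ldap` (or dropping the UDP rule if CLDAP is not needed) tightens this without touching the TCP path. Finally, `$LDAP_IP` is inserted unquoted with the `0.0.0.0` default from the first hunk; iptables treats a bare address as /32, so with `LDAP=on` and no server configured these rules match nothing and external authentication silently never reaches the server — a check such as `[ "$LDAP_IP" = "0.0.0.0" ] && { echo "LDAP=on but LDAP_IP is not set" >&2; exit 1; }` before the rules would fail loudly instead. Whether the old `-o $EXTIF` qualifier was dropped on purpose (the new rules apply to every outgoing interface, including the LAN side) is not clear from the hunk.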