109,7 → 109,7 |
|
# Création et peuplement du SET blacklist_ip_blocked |
# creation and first populating of blacklist_ip_blocked SET |
# wait for a better blacklist adapt process |
# It take a lot of time (try to do this during the blacklist import process) |
#ipset create blacklist_ip_blocked hash:net hashsize 1024 |
#cd $BL_IP_CAT |
#for category in `ls -1 | cut -d"@" -f1` |
159,10 → 159,6 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
#fi |
|
# Redirection des requêtes HTTPS des IP sans utilisateurs authentifiés vers ALCASAR (page d'interception) |
# Redirect HTTPS requests of IP that don't have authenticate user to ALCASAR (intercept page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set ! --match-set authenticated_ip src ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port https |
|
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |