29,6 → 29,7 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off} |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off) |
DNS_FILTERING=${DNS_FILTERING:=off} |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
QOS=${QOS:=off} |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
82,7 → 83,7 |
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP -m udp --dport 54 -j ULOG --ulog-prefix "RULE DNS-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 2 |
|
# Si le filtrage est activé, redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions |
# Si le filtrage DNS est activé, redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions |
# If DNS filter is on, redirect DNS request to udp 54 (dns+blackhole) except for exception IP addresses |
if [ $DNS_FILTERING = on ]; then |
# Compute exception IP |
214,7 → 215,7 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset |
|
# Insertion des règles de blocage IP |
# Here, we add IP block rules |
# Here, we add local IP block rules |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
while read ip_line |
do |
230,6 → 231,23 |
done < /usr/local/etc/alcasar-ip-blocked |
fi |
|
# Si le filtrage de domain est activé, blocage des IP de la BL |
# If DNS filter is on, reject IP of BL |
# Comment : loading time is too long and iptables should become oveloaded !!! |
#if [ $DNS_FILTERING = on ]; then |
# cd $BL_IP_CAT |
# for category in `ls -1 | cut -d"@" -f1` |
# do |
# while read ip_blocked |
# do |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
# done < $BL_IP_CAT/$category |
# done |
#fi |
|
# Autorisation des retours de connexions légitimes |
# Allow conntrack |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
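Review bot: The IP-blocklist block added at lines 34–46 is committed entirely commented out, so BL_IP_CAT (added in the first hunk) is defined but never used and the blocklist is silently not enforced; the comment records the cause (one iptables rule per listed address) but not a remedy. The usual remedy is to load the addresses into an ipset and match the whole set with a single rule, which keeps the FORWARD chain length constant however large the category files become, at the cost of requiring the ipset tool on the host. If the block is instead re-enabled as written, `while read ip_blocked` should be `while IFS= read -r ip_blocked` and `$ip_blocked` quoted, since a malformed line would otherwise be word-split into extra iptables arguments. I am assuming the files under BL_IP_CAT hold one address or CIDR per line, as the per-line `-d $ip_blocked` in the disabled loop suggests, and I kept the `ls -1 | cut -d"@" -f1` category derivation as in the hunk because this page does not show what the `@` suffix denotes.
```shell
if [ $DNS_FILTERING = on ]; then
  # One set, one rule: chain length no longer grows with the size of the lists.
  ipset create bl_ip hash:net -exist
  ipset flush bl_ip
  cd $BL_IP_CAT
  for category in `ls -1 | cut -d"@" -f1`
  do
    while IFS= read -r ip_blocked
    do
      [ -n "$ip_blocked" ] && printf 'add bl_ip %s -exist\n' "$ip_blocked"
    done < "$BL_IP_CAT/$category"
  done | ipset restore
  $IPTABLES -A FORWARD -i $TUNIF -m set --match-set bl_ip dst -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
  $IPTABLES -A FORWARD -i $TUNIF -m set --match-set bl_ip dst -p udp -j REJECT --reject-with icmp-port-unreachable
  $IPTABLES -A FORWARD -i $TUNIF -m set --match-set bl_ip dst -p icmp -j REJECT --reject-with icmp-port-unreachable
  $IPTABLES -A FORWARD -i $TUNIF -m set --match-set bl_ip dst -p tcp -j REJECT --reject-with tcp-reset
fi
```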