Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1220 → Rev 1221

/scripts/alcasar-iptables.sh
5,11 → 5,11
# Rexy - 3abtux - CPN
#
# Reminders
# There are three channels for log :
# 1 (default) for tracability;
# 2 for secure admin (ssh);
# 3 for exterior access attempts.
# The French Security Agency (ANSSI) rules was applied by 'this script
# There are four channels for log :
# 1 tracability with The 'Netflow' kernel module (iptables target = NETFLOW);
# 2 protection of ALCASAR with the Ulog group 1 (default group)
# 3 SSH with the ulog group 2;
# 4 extern access attempts with the ulog group 3.
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
76,7 → 76,7
#############################
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT
102,8 → 102,9
fi
 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD
# Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD
## $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
 
# Redirection des requêtes HTTP vers DansGuardian (proxy transparent)
# Redirect HTTP requests in DansGuardian (transparent proxy)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
137,8 → 138,8
# Conntrack on INPUT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING)
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
 
# Insertion des règles de blocage IP
150,7 → 151,7
if [ $ip_on != "#" ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
# $IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j REJECT
fi
done < /usr/local/etc/alcasar-ip-blocked
226,7 → 227,6
if [ $ip_on != "#" ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset
262,7 → 262,7
then
while read ip_exception
do
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
done < /usr/local/etc/alcasar-filter-exceptions
274,7 → 274,7
while read ip_allowed_line
do
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
done < /usr/local/etc/alcasar-uamallowed
294,10 → 294,10
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
else
 
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
fi
305,7 → 305,7
done < /usr/local/etc/alcasar-services
# Rejet explicite des autres protocoles
# reject the others protocols
$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
# $IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
318,7 → 318,7
 
# Autorisation des connections sortant du LAN
# Allow forward connections with log
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 
358,8 → 358,6
then
$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
fi