54,15 → 54,15 |
|
# Sauvegarde des SET des utilisateurs connectés si ils existent |
# Saving SET of connected users if it exists |
ipset list no_filtering_set 1>/dev/null 2>&1 |
ipset list not_filtered 1>/dev/null 2>&1 |
if [ $? -eq 0 ]; |
then |
ipset save no_filtering_set > $TMP_users_set_save |
ipset save not_filtered > $TMP_users_set_save |
ipset save havp_set >> $TMP_users_set_save |
ipset save havp_bl_set >> $TMP_users_set_save |
ipset save havp_wl_set >> $TMP_users_set_save |
ipset save user_not_connected_yet >> $TMP_users_set_save |
ipset save ipset_users_list >> $TMP_users_set_save |
ipset save not_auth_yet >> $TMP_users_set_save |
ipset save users_list >> $TMP_users_set_save |
fi |
|
# loading of NetFlow probe (ipt_NETFLOW kernel module) |
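Review bot: The saved-state path is chosen on the result of a single `ipset list not_filtered` probe, yet the branch then saves six sets and the restore hunk further down (`ipset -! restore < $TMP_users_set_save`) only recreates what was actually saved, so if one sibling set (`users_list`, `not_auth_yet`, one of the `havp_*` sets) is missing the `else` branch that would create it is never taken and every later `-m set --match-set users_list src` / `not_auth_yet` rule fails to load, silently dropping the DNS redirect for unauthenticated clients. Probe every set the script depends on before trusting the saved state, and do not let a failed `ipset save` go unnoticed behind the `$?` of the `list` call. Presumably `$TMP_users_set_save` is assigned earlier in the file; if it is a fixed path under a shared-writable directory, the later `ipset -! restore` will load whatever is found there, so it should come from `mktemp` or live under a root-only directory — confirm where it is set. After this rename the first run on an upgraded host will not find `not_filtered`, so all connected users are dropped into freshly created empty sets (forced re-authentication); that may be intended but deserves a comment at the check.
```shell
# Only trust the saved state when every user set exists; a partial set of sets
# would leave the later --match-set rules unloadable (redirects silently absent).
users_sets_present=0
for s in not_filtered havp_set havp_bl_set havp_wl_set not_auth_yet users_list; do
	ipset list "$s" 1>/dev/null 2>&1 || { users_sets_present=1; break; }
done
if [ "$users_sets_present" -eq 0 ]; then
	# … unchanged: ipset save of each set into $TMP_users_set_save …
fi
```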
100,15 → 100,15 |
# destroy all SET |
ipset destroy |
|
ipset flush blacklist_ip_blocked |
ipset destroy blacklist_ip_blocked |
ipset flush whitelist_ip_allowed |
ipset destroy whitelist_ip_allowed |
ipset flush bl_ip_blocked |
ipset destroy bl_ip_blocked |
ipset flush wl_ip_allowed |
ipset destroy wl_ip_allowed |
###### BL set ########### |
# Calcul de la taille / Compute the length |
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
# Chargement / loading |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save |
echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save |
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1` |
do |
cat $BL_IP_CAT/$category >> $TMP_set_save |
119,7 → 119,7 |
# Suppression des ip réhabilitées / Removing of rehabilitated ip |
for ip in $(cat $IP_REHABILITEES) |
do |
ipset del blacklist_ip_blocked $ip |
ipset del bl_ip_blocked $ip |
done |
|
###### WL set ########### |
126,7 → 126,7 |
# Calcul de la taille / Compute the length |
wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* | awk '{print $1}' | tail -n 1)*3)) |
# Chargement Loading |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save |
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save |
#get ip-wl files from ACC |
for ossi in `ls -1 $DIR_WL_IP_ENABLED` |
do |
142,19 → 142,19 |
ipset -! restore < $TMP_users_set_save |
rm -f $TMP_users_set_save |
else |
ipset create no_filtering_set hash:net hashsize 1024 |
ipset create not_filtered hash:net hashsize 1024 |
ipset create havp_set hash:net hashsize 1024 |
ipset create havp_bl_set hash:net hashsize 1024 |
ipset create havp_wl_set hash:net hashsize 1024 |
#utilisé pour l'interception des utilisateurs non authentifiés au réseau |
#used for intercepting users not connected to the network |
ipset create user_not_connected_yet hash:net hashsize 1024 |
ipset create ipset_users_list list:set |
ipset add ipset_users_list havp_set |
ipset add ipset_users_list havp_wl_set |
ipset add ipset_users_list havp_bl_set |
ipset add ipset_users_list no_filtering_set |
ipset add ipset_users_list user_not_connected_yet |
ipset create not_auth_yet hash:net hashsize 1024 |
ipset create users_list list:set |
ipset add users_list havp_set |
ipset add users_list havp_wl_set |
ipset add users_list havp_bl_set |
ipset add users_list not_filtered |
ipset add users_list not_auth_yet |
fi |
|
############################# |
163,8 → 163,8 |
|
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole |
# Redirect users not connected DNS requests in DNS-Blackhole |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56 |
|
|
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT |
207,11 → 207,11 |
|
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
|
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
|
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian |
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy) |
343,11 → 343,11 |
# FORWARD # |
############################# |
|
# Blocage des IPs du SET blacklist_ip_blocked pour le SET havp_bl_set |
# Deny IPs of the SET blacklist_ip_blocked for the set havp_bl_set |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl_set |
# Deny IPs of the SET bl_ip_blocked for the set havp_bl_set |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
|
# Rejet des requêtes DNS vers Internet |
# Deny forward DNS |