| 54,15 → 54,15 |
|---|
| |
| # Sauvegarde des SET des utilisateurs connectés si ils existent |
| # Saving SET of connected users if it exists |
| ipset list no_filtering_set 1>/dev/null 2>&1 |
| ipset list not_filtered 1>/dev/null 2>&1 |
| if [ $? -eq 0 ]; |
| then |
| ipset save no_filtering_set > $TMP_users_set_save |
| ipset save not_filtered > $TMP_users_set_save |
| ipset save havp_set >> $TMP_users_set_save |
| ipset save havp_bl_set >> $TMP_users_set_save |
| ipset save havp_wl_set >> $TMP_users_set_save |
| ipset save user_not_connected_yet >> $TMP_users_set_save |
| ipset save ipset_users_list >> $TMP_users_set_save |
| ipset save not_auth_yet >> $TMP_users_set_save |
| ipset save users_list >> $TMP_users_set_save |
| fi |
| |
| # loading of NetFlow probe (ipt_NETFLOW kernel module) |
| 100,15 → 100,15 |
|---|
| # destroy all SET |
| ipset destroy |
| |
| ipset flush blacklist_ip_blocked |
| ipset destroy blacklist_ip_blocked |
| ipset flush whitelist_ip_allowed |
| ipset destroy whitelist_ip_allowed |
| ipset flush bl_ip_blocked |
| ipset destroy bl_ip_blocked |
| ipset flush wl_ip_allowed |
| ipset destroy wl_ip_allowed |
| ###### BL set ########### |
| # Calcul de la taille / Compute the length |
| bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
| # Chargement / loading |
| echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save |
| echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save |
| for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1` |
| do |
| cat $BL_IP_CAT/$category >> $TMP_set_save |
| 119,7 → 119,7 |
|---|
| # Suppression des ip réhabilitées / Removing of rehabilitated ip |
| for ip in $(cat $IP_REHABILITEES) |
| do |
| ipset del blacklist_ip_blocked $ip |
| ipset del bl_ip_blocked $ip |
| done |
| |
| ###### WL set ########### |
| 126,7 → 126,7 |
|---|
| # Calcul de la taille / Compute the length |
| wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* | awk '{print $1}' | tail -n 1)*3)) |
| # Chargement Loading |
| echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save |
| echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save |
| #get ip-wl files from ACC |
| for ossi in `ls -1 $DIR_WL_IP_ENABLED` |
| do |
| 142,19 → 142,19 |
|---|
| ipset -! restore < $TMP_users_set_save |
| rm -f $TMP_users_set_save |
| else |
| ipset create no_filtering_set hash:net hashsize 1024 |
| ipset create not_filtered hash:net hashsize 1024 |
| ipset create havp_set hash:net hashsize 1024 |
| ipset create havp_bl_set hash:net hashsize 1024 |
| ipset create havp_wl_set hash:net hashsize 1024 |
| #utilisé pour l'interception des utilisateurs non authentifiés au réseau |
| #used for intercepting users not connected to the network |
| ipset create user_not_connected_yet hash:net hashsize 1024 |
| ipset create ipset_users_list list:set |
| ipset add ipset_users_list havp_set |
| ipset add ipset_users_list havp_wl_set |
| ipset add ipset_users_list havp_bl_set |
| ipset add ipset_users_list no_filtering_set |
| ipset add ipset_users_list user_not_connected_yet |
| ipset create not_auth_yet hash:net hashsize 1024 |
| ipset create users_list list:set |
| ipset add users_list havp_set |
| ipset add users_list havp_wl_set |
| ipset add users_list havp_bl_set |
| ipset add users_list not_filtered |
| ipset add users_list not_auth_yet |
| fi |
| |
| ############################# |
| 163,8 → 163,8 |
|---|
| |
| # Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole |
| # Redirect users not connected DNS requests in DNS-Blackhole |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56 |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56 |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56 |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56 |
| |
| |
| # Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT |
| 207,11 → 207,11 |
|---|
| |
| # Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit') |
| # Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page) |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
| |
| # Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit') |
| # Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page) |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
| |
| # Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian |
| # Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy) |
| 343,11 → 343,11 |
|---|
| # FORWARD # |
| ############################# |
| |
| # Blocage des IPs du SET blacklist_ip_blocked pour le SET havp_bl_set |
| # Deny IPs of the SET blacklist_ip_blocked for the set havp_bl_set |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
| # Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl_set |
| # Deny IPs of the SET bl_ip_blocked for the set havp_bl_set |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
| |
| # Rejet des requêtes DNS vers Internet |
| # Deny forward DNS |