| 39,6 → 39,7 |
|---|
| WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP |
| TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
| TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
| TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips |
| SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off) |
| SSH=${SSH:=off} |
| SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2` |
| 46,6 → 47,10 |
|---|
| IPTABLES="/sbin/iptables" |
| IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
| SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
| MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2` |
| PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2` |
| PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2` |
| nb_gw=`grep ^WAN $CONF_FILE|wc -l` |
| |
| # Allow requests to internal DNS if activated |
| if [ "$INT_DNS_ACTIVE" = "on" ] |
| 53,6 → 58,15 |
|---|
| DNSSERVERS="$DNSSERVERS,$INT_DNS_IP" |
| fi |
| |
| #ipset name list for load_balancing |
| gw_list="gw0" |
| if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then |
| for ((i=1 ; i<=$nb_gw ; i++)); do |
| gw_list="${gw_list} gw$i" |
| done |
| fi |
| |
| |
| # Sauvegarde des SET des utilisateurs connectés si ils existent |
| # Saving SET of connected users if it exists |
| ipset list not_filtered 1>/dev/null 2>&1 |
| 68,6 → 82,20 |
|---|
| ipset save proto_3 >> $TMP_users_set_save |
| fi |
| |
| # Sauvegarde de la liste de toutes les IP déjà connectées pour les réintégrer dans le load balancing |
| # Saving all of the already connected IP in order to put them back in the load balancing after |
| if [ ! -f $TMP_ip_gw_save ];then |
| # Save only if alcasar-network.sh --save has not been executed before |
| for i in $gw_list;do |
| ipset list $i 1>/dev/null 2>&1 |
| if [ $? -eq 0 ] |
| then |
| # the cut -d":" -f5 deletes all the lines with a :, i.e all the lines execpt the members |
| ipset list $i | cut -d":" -f5 | sed '/^[[:space:]]*$/d' >> $TMP_ip_gw_save |
| fi |
| done |
| fi |
| |
| # Chargement de la sonde NetFlow (module noyau ipt_NETFLOW) |
| # loading of NetFlow probe (ipt_NETFLOW kernel module) |
| modprobe ipt_NETFLOW destination=127.0.0.1:2055 |
| 160,10 → 188,41 |
|---|
| ipset create proto_3 hash:ip hashsize 1024 |
| fi |
| |
| #ipsets for load balancing |
| for i in $gw_list; do |
| ipset create $i hash:ip |
| done |
| cat $TMP_ip_gw_save | while read ip; do |
| gw_min="gw0" |
| weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2` |
| already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2` |
| #The *1000 is here to avoid working on floats in bash |
| gw_min_value=$((1000 * $already / $weight)) |
| i=1 |
| for gw in $gw_list;do |
| if [ "$gw" != "gw0" ]; then |
| weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'` |
| already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2` |
| value=$((1000 * $already / $weight)) |
| if [ $value -lt $gw_min_value ] |
| then |
| gw_min_value=$value |
| gw_min=$gw |
| fi |
| i=$(($i+1)) |
| fi |
| done |
| ipset add $gw_min $ip |
| done |
| rm -f $TMP_ip_gw_save |
| |
| |
| |
| ############################# |
| # PREROUTING # |
| ############################# |
| |
| |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT |
| # Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules |
| # 8080 = ipset av_bl |
| 196,7 → 255,7 |
|---|
| # 55 = ipset av_wl |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55 |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55 |
| # 53 = all other users |
| # 53 = all other users |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53 |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53 |
| |
| 217,6 → 276,7 |
|---|
| # Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian |
| # Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian |
| # 8080 = ipset av_bl |
| #$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200 |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
| # 8090 = ipset av_wl & av |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
| 232,6 → 292,23 |
|---|
| # Redirect NTP request in local NTP server |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123 |
| |
| #Récupération de la marque associée à une gw pour chaque connection |
| $IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark |
| |
| if [ "$PROXY" == "on" ] || [ "$PROXY" == "On" ];then |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp -m multiport --dports http,https -j DNAT --to-destination $PROXY_IP |
| fi |
| |
| #Marquage pour le load balancing |
| if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then |
| temp_index=200 |
| for i in $gw_list; do |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index |
| temp_index=$(($temp_index+1)) |
| done |
| fi |
| |
| |
| ############################# |
| # INPUT # |
| ############################# |
| 242,7 → 319,7 |
|---|
| $IPTABLES -A OUTPUT -o lo -j ACCEPT |
| |
| # Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN) |
| # Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN) |
| # Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST and NEW not SYN) |
| $IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP |
| $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP |
| $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP |
| 455,7 → 532,7 |
|---|
| # HTTP & HTTPS requests are allowed with netflow log (from E2guardian) |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT |
| #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy) |
| #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy) |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT |
| |
| # On autorise les requêtes RSYNC sortantes (maj BL de Toulouse) |
| 489,6 → 566,9 |
|---|
| # Dynamic NAT on EXTIF |
| $IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE |
| |
| #Sauvegarde de la marque associée à la connexion pour le load balancing |
| $IPTABLES -A POSTROUTING -t mangle -j CONNMARK --save-mark |
| |
| ############################# |
| # FAIL2BAN # |
| ############################# |