20,7 → 20,7 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0) |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24) |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24) |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
if [[ "$public_ip_mask" == "dhcp" ]] |
then |
42,7 → 42,7 |
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips |
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port |
SSH_LAN=${SSH_LAN:=0} |
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` #ssh WAN port |
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` # SSH WAN port |
SSH_WAN=${SSH_WAN:=0} |
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2` |
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"} |
51,8 → 51,8 |
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"} |
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" ) |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
REHABILITED_IP="/etc/e2guardian/lists/exceptioniplist" |
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2` |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2` |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2` |
75,7 → 75,6 |
done |
fi |
|
|
# Sauvegarde des SET des utilisateurs connectés si ils existent |
# Saving SET of connected users if it exists |
ipset list not_filtered 1>/dev/null 2>&1 |
132,11 → 131,9 |
$IPTABLES -t nat -P POSTROUTING ACCEPT |
$IPTABLES -t nat -P OUTPUT ACCEPT |
|
|
############################# |
# IPSET # |
############################# |
|
# destruction de tous les SET |
# destroy all SET |
ipset flush |
154,7 → 151,7 |
ipset -! restore < $TMP_set_save |
rm -f $TMP_set_save |
# Suppression des ip réhabilitées / Removing of rehabilitated ip |
for ip in $(cat $IP_REHABILITEES) |
for ip in $(cat $REHABILITED_IP) |
do |
ipset -q del bl_ip_blocked $ip |
done |
161,7 → 158,7 |
|
# ipset for exception web sites (usefull for filtered users = av_bl) |
ipset create site_direct hash:net hashsize 1024 |
for site in $(cat $SITE_DIRECT) |
for site in $(cat $ALLOWED_SITES) |
do |
ipset add site_direct $site |
done |
225,13 → 222,9 |
done |
rm -f $TMP_ip_gw_save |
|
|
|
############################# |
# PREROUTING # |
############################# |
|
|
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules |
# 8080 = ipset av_bl |
317,11 → 310,9 |
done |
fi |
|
|
############################# |
# INPUT # |
############################# |
|
# Tout passe sur loopback |
# accept all on loopback |
$IPTABLES -A INPUT -i lo -j ACCEPT |
405,7 → 396,7 |
if [ $SSH_WAN -gt 0 ] |
then |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT |
fi |
|
# Insertion de règles locales |
432,7 → 423,6 |
############################# |
# FORWARD # |
############################# |
|
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl |
# Deny IPs of the SET bl_ip_blocked for the set av_bl |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited |