| 20,7 → 20,7 |
|---|
| PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
| private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0) |
| private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24) |
| PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
| PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24) |
| public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
| if [[ "$public_ip_mask" == "dhcp" ]] |
| then |
| 42,7 → 42,7 |
|---|
| TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips |
| SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port |
| SSH_LAN=${SSH_LAN:=0} |
| SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` #ssh WAN port |
| SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` # SSH WAN port |
| SSH_WAN=${SSH_WAN:=0} |
| SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2` |
| SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"} |
| 51,8 → 51,8 |
|---|
| SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"} |
| SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" ) |
| IPTABLES="/sbin/iptables" |
| IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
| SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
| REHABILITED_IP="/etc/e2guardian/lists/exceptioniplist" |
| ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
| MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2` |
| PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2` |
| PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2` |
| 75,7 → 75,6 |
|---|
| done |
| fi |
| |
| |
| # Sauvegarde des SET des utilisateurs connectés si ils existent |
| # Saving SET of connected users if it exists |
| ipset list not_filtered 1>/dev/null 2>&1 |
| 132,11 → 131,9 |
|---|
| $IPTABLES -t nat -P POSTROUTING ACCEPT |
| $IPTABLES -t nat -P OUTPUT ACCEPT |
| |
| |
| ############################# |
| # IPSET # |
| ############################# |
| |
| # destruction de tous les SET |
| # destroy all SET |
| ipset flush |
| 154,7 → 151,7 |
|---|
| ipset -! restore < $TMP_set_save |
| rm -f $TMP_set_save |
| # Suppression des ip réhabilitées / Removing of rehabilitated ip |
| for ip in $(cat $IP_REHABILITEES) |
| for ip in $(cat $REHABILITED_IP) |
| do |
| ipset -q del bl_ip_blocked $ip |
| done |
| 161,7 → 158,7 |
|---|
| |
| # ipset for exception web sites (usefull for filtered users = av_bl) |
| ipset create site_direct hash:net hashsize 1024 |
| for site in $(cat $SITE_DIRECT) |
| for site in $(cat $ALLOWED_SITES) |
| do |
| ipset add site_direct $site |
| done |
| 225,13 → 222,9 |
|---|
| done |
| rm -f $TMP_ip_gw_save |
| |
| |
| |
| ############################# |
| # PREROUTING # |
| ############################# |
| |
| |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT |
| # Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules |
| # 8080 = ipset av_bl |
| 317,11 → 310,9 |
|---|
| done |
| fi |
| |
| |
| ############################# |
| # INPUT # |
| ############################# |
| |
| # Tout passe sur loopback |
| # accept all on loopback |
| $IPTABLES -A INPUT -i lo -j ACCEPT |
| 405,7 → 396,7 |
|---|
| if [ $SSH_WAN -gt 0 ] |
| then |
| $IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT" |
| $IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW -j ACCEPT |
| $IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT |
| fi |
| |
| # Insertion de règles locales |
| 432,7 → 423,6 |
|---|
| ############################# |
| # FORWARD # |
| ############################# |
| |
| # Blocage des IPs du SET bl_ip_blocked pour le SET av_bl |
| # Deny IPs of the SET bl_ip_blocked for the set av_bl |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited |