BlueGreycalmElegant

Català-Valencià – Catalan中文 – Chinese (Simplified)中文 – Chinese (Traditional)Česky – CzechDansk – DanishNederlands – DutchEnglish – EnglishSuomi – FinnishFrançais – FrenchDeutsch – Germanעברית – Hebrewहिंदी – HindiMagyar – HungarianBahasa Indonesia – IndonesianItaliano – Italian日本語 – Japanese한국어 – KoreanМакедонски – Macedonianमराठी – MarathiNorsk – NorwegianPolski – PolishPortuguês – PortuguesePortuguês – Portuguese (Brazil)Русский – RussianSlovenčina – SlovakSlovenščina – SlovenianEspañol – SpanishSvenska – SwedishTürkçe – TurkishУкраїнська – UkrainianOëzbekcha – Uzbek

Compare Revisions

• This comparison shows the changes necessary to convert path

  → /scripts/alcasar-iptables.sh @ 611

  → /scripts/alcasar-iptables.sh @ 612

  ↔ Reverse comparison

• Compare Path:	Rev

  With Path:	Rev

Ignore whitespace Rev 611 → Rev 612

/scripts/alcasar-iptables.sh
9,22 → 9,23
# 3 for exterior access attempts.
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2`
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2`
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
dns1=`grep DNS1 /usr/local/etc/alcasar-network|cut -d"=" -f2` # first public DNS server
dns2=`grep DNS2 /usr/local/etc/alcasar-network|cut -d"=" -f2` # second public DNS server
IPTABLES="/sbin/iptables"
PROTO_FILTERING="no"
DNS_FILTERING="no"
QOS="no"
dns1=`grep DNS1 $conf_file|cut -d"=" -f2` # first public DNS server
dns2=`grep DNS2 $conf_file|cut -d"=" -f2` # second public DNS server
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING $conf_file|cut -d"=" -f2` # Network protocols filter (yes/no)
DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2` # DNS and URLs filter (yes/no)
QOS=`grep QOS $conf_file|cut -d"=" -f2` # QOS (yse/no)
SSH=`grep SSH $conf_file|cut -d"=" -f2` # sshd active (yes/no)
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
EXTIF="eth0"
INTIF="eth1"
TUNIF="tun0" # listen card for chilli daemon
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
IPTABLES="/sbin/iptables"
# Effacement des règles existantes
# Flush all existing rules
96,7 → 97,7
# If DNS filter is activate #
###############################
# Redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions
if [ $DNS_FILTERING = "yes" ]; then
if [ $DNS_FILTERING = on ]; then
# Compute exception IP
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
if [ $nb_exceptions != "0" ]
112,7 → 113,7
# If protocols filter is activate #
#####################################
# filtrage de protocoles sauf pour les IP en exceptions
if [ $PROTO_FILTERING = "yes" ]; then
if [ $PROTOCOLS_FILTERING = on ]; then
# Compute exception IP
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
if [ $nb_exceptions != "0" ]
152,7 → 153,7
########################
# If QOS is activate #
########################
if [ $QOS = "yes" ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
. /usr/local/etc/alcasar-iptables-qos.sh
fi
172,10 → 173,8
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT
# SSHD rules if activate
ssh_active=`grep SSH /usr/local/etc/alcasar-network|cut -d"=" -f2`
if [ $ssh_active = "on" ]
if [ $SSH = on ]
then
Admin_from_IP="0.0.0.0/0.0.0.0" # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! )
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"