9,22 → 9,23 |
# 3 for exterior access attempts. |
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script |
|
private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2` |
conf_file="/usr/local/etc/alcasar.conf" |
private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2` |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0) |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24) |
dns1=`grep DNS1 /usr/local/etc/alcasar-network|cut -d"=" -f2` # first public DNS server |
dns2=`grep DNS2 /usr/local/etc/alcasar-network|cut -d"=" -f2` # second public DNS server |
|
IPTABLES="/sbin/iptables" |
PROTO_FILTERING="no" |
DNS_FILTERING="no" |
QOS="no" |
dns1=`grep DNS1 $conf_file|cut -d"=" -f2` # first public DNS server |
dns2=`grep DNS2 $conf_file|cut -d"=" -f2` # second public DNS server |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING $conf_file|cut -d"=" -f2` # Network protocols filter (yes/no) |
DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2` # DNS and URLs filter (yes/no) |
QOS=`grep QOS $conf_file|cut -d"=" -f2` # QOS (yse/no) |
SSH=`grep SSH $conf_file|cut -d"=" -f2` # sshd active (yes/no) |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
EXTIF="eth0" |
INTIF="eth1" |
TUNIF="tun0" # listen card for chilli daemon |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
IPTABLES="/sbin/iptables" |
|
# Effacement des règles existantes |
# Flush all existing rules |
96,7 → 97,7 |
# If DNS filter is activate # |
############################### |
# Redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions |
if [ $DNS_FILTERING = "yes" ]; then |
if [ $DNS_FILTERING = on ]; then |
# Compute exception IP |
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1` |
if [ $nb_exceptions != "0" ] |
112,7 → 113,7 |
# If protocols filter is activate # |
##################################### |
# filtrage de protocoles sauf pour les IP en exceptions |
if [ $PROTO_FILTERING = "yes" ]; then |
if [ $PROTOCOLS_FILTERING = on ]; then |
# Compute exception IP |
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1` |
if [ $nb_exceptions != "0" ] |
152,7 → 153,7 |
######################## |
# If QOS is activate # |
######################## |
if [ $QOS = "yes" ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then |
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then |
. /usr/local/etc/alcasar-iptables-qos.sh |
fi |
|
172,10 → 173,8 |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT |
|
# SSHD rules if activate |
ssh_active=`grep SSH /usr/local/etc/alcasar-network|cut -d"=" -f2` |
if [ $ssh_active = "on" ] |
if [ $SSH = on ] |
then |
Admin_from_IP="0.0.0.0/0.0.0.0" # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! ) |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT" |