

Ignore whitespace Rev 790 → Rev 791

/scripts/alcasar-iptables.sh
135,13 → 135,21
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
 
# Filtrage de l'accès au LAN connecté sur EXTIF (eth0)
# EXTIF (eth0) connected LAN filtering
if [ $EXT_LAN_FILTERING = on ]; then
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $public_ip_mask -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
else
# Autorisation des connexions légitimes à DansGuardian
# Allow connections for DansGuardian
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
fi
 
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable
 
# autorisation des connexion légitime à DNSMASQ (avec blackhole)
# Allow connections for DNSMASQ (with blackhole)
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
189,9 → 197,6
#############################
# FORWARD #
#############################
# Autorisation des retours de connexions légitimes
# Allow conntrack
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Rejet des requêtes DNS vers Internet
# Deny forward DNS
256,10 → 261,11
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
fi
# Autorisation des retours de connexions légitimes
# Allow conntrack
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
########################
# If QOS is activate #
########################
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
. /usr/local/etc/alcasar-iptables-qos.sh
fi
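Review bot: In the new EXT_LAN_FILTERING branch of the first hunk, `! -d $public_ip_mask` on the INPUT chain is evaluated against the destination after any nat-table REDIRECT to port 8080, not against the address the client originally asked for; since the comment above the hunk says direct connections to 8080 are rejected and the rest is redirected proxy traffic, the negation presumably never excludes the external LAN, and the original destination would have to be matched with `-m conntrack ! --ctorigdst $public_ip_mask` — worth confirming against the PREROUTING rules, which are outside this hunk. The added tests are unquoted: `if [ $EXT_LAN_FILTERING = on ]; then` becomes `[ = on ]` when the variable is absent from alcasar.conf (a configuration written before this revision), which is a test syntax error rather than the intended comparison; write `if [ "$EXT_LAN_FILTERING" = "on" ]; then`, and likewise `if [ "$QOS" = "on" ] && ...` in the last hunk. `$public_ip_mask` is also the only lowercase configuration variable among the UPPER_CASE ones used here, and its definition is not visible in the hunk. In the last hunk the ESTABLISHED,RELATED accept now sits after the `REJECT` rules whose `if` condition starts outside the hunk, so client-side packets of already-tracked UDP flows on $TUNIF are rejected whenever that condition holds; if that is intended, a one-line comment saying so would save the next reader from "fixing" the order back.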
/scripts/sbin/alcasar-nf.sh
13,7 → 13,7
FIC_EXCEPTIONS="/usr/local/etc/alcasar-filter-exceptions"
FIC_CONF="/usr/local/etc/alcasar.conf"
 
usage="Usage: alcasar-nf.sh {--on | -on} | {--off | -off}"
usage="Usage: alcasar-nf.sh {--on | -on} | {--off | -off} | {--lan_ext_filter_on | -lan_ext_filter_on} | {--lan_ext_filter_off | -lan_ext_filter_off}"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
44,6 → 44,14
$SED "s?^PROTOCOLS_FILTERING.*?PROTOCOLS_FILTERING=off?g" $FIC_CONF
/usr/local/bin/alcasar-iptables.sh
;;
--lan_ext_filter_on|-lan_ext_filter_on) # allow external LAN access (LAN located between ALCASAR and the Internet gateway)
$SED "s?^EXT_LAN_FILTERING.*?EXT_LAN_FILTERING=on?g" $FIC_CONF
/usr/local/bin/alcasar-iptables.sh
;;
--lan_ext_filter_off|-lan_ext_filter_off) # allow external LAN access (LAN located between ALCASAR and the Internet gateway)
$SED "s?^EXT_LAN_FILTERING.*?EXT_LAN_FILTERING=off?g" $FIC_CONF
/usr/local/bin/alcasar-iptables.sh
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
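Review bot: The comment on the `--lan_ext_filter_off|-lan_ext_filter_off)` arm is a verbatim copy of the one on the on arm (`# allow external LAN access ...`) although that arm writes `EXT_LAN_FILTERING=off`, so one of the two is wrong; the arms should carry opposite descriptions, e.g. `# enable filtering of the external LAN (LAN located between ALCASAR and the Internet gateway)` and `# disable filtering of the external LAN (LAN located between ALCASAR and the Internet gateway)`, with the on/off wording checked against what EXT_LAN_FILTERING=on does in alcasar-iptables.sh. The `$SED "s?^EXT_LAN_FILTERING.*?EXT_LAN_FILTERING=on?g" $FIC_CONF` substitution is a silent no-op when alcasar.conf has no EXT_LAN_FILTERING line, after which alcasar-iptables.sh runs with the variable unset; presumably the install/upgrade path adds the key, but that is not visible here. The enclosing `case` statement starts and ends outside the hunk.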