Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 2484 → Rev 2485

/scripts/alcasar-iptables.sh
43,6 → 43,7
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
IPTABLES="/sbin/iptables"
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # Site Direct (no havp and no filtrage) for user BL
 
# Sauvegarde des SET des utilisateurs connectés si ils existent
# Saving SET of connected users if it exists
112,6 → 113,13
ipset del bl_ip_blocked $ip
done
 
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés
ipset create site_direct hash:net hashsize 1024
for site in $(cat $SITE_DIRECT)
do
ipset add site_direct $site
done
 
###### WL set ###########
# taille fixe, car peupler par dnsmasq / fixe length due to dnsmasq dynamic loading
wl_set_length=65536
198,8 → 206,8
 
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
 
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy
# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090