
Ignore whitespace Rev 2667 → Rev 2668

/scripts/alcasar-iptables.sh
60,6 → 60,7
ipset save proto_3 >> $TMP_users_set_save
fi
 
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)
# loading of NetFlow probe (ipt_NETFLOW kernel module)
modprobe ipt_NETFLOW destination=127.0.0.1:2055
 
144,7 → 145,7
ipset create havp hash:ip hashsize 1024
ipset create havp_bl hash:ip hashsize 1024
ipset create havp_wl hash:ip hashsize 1024
#pour les filtrages de protocole par utilisateur
# pour les filtrages de protocole par utilisateur / For network protocols filtering by user
ipset create proto_0 hash:ip hashsize 1024
ipset create proto_1 hash:ip hashsize 1024
ipset create proto_2 hash:ip hashsize 1024
155,10 → 156,6
# PREROUTING #
#############################
 
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to TCP port 8090 (e2guardian) in order to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
213,8 → 210,8
 
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers E2Guardian
# Redirect outbound HTTP requests of "BL" users to E2Guardian (transparent proxy)
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
 
# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy
# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
314,7 → 311,8
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
 
# SSHD rules if activate
# Accès au serveur SSHD si activé
# SSHD server access if enabled
if [ $SSH = on ]
then
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
358,7 → 356,7
# Allow Conntrack
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
# Compute uamallowed IP (ie : IP address of equipments connected between ALCASAR and router like DMZ, own servers, etc.)
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
if [ $nb_uamallowed != "0" ]
then
383,7 → 381,6
 
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
# protocols filtering for users (profil 3 : customized with ACC)
#profile 3 personalisables via l'ACC
custom_tcp_protocols_list='';custom_udp_protocols_list=''
while read svc_line
do
453,7 → 450,7
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT
 
# On autorise les requêtes HTTP avec log Netflow (en provenance de E2guardian)
# HTTPS requests are allowed with netflow log (from E2guardian)
# HTTP requests are allowed with netflow log (from E2guardian)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT