WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh


#!/bin/sh
# $Id: alcasar-iptables.sh 492 2011-02-14 06:40:53Z franck $
# script de mise en place des regles du parefeu d'Alcasar (mode normal)
# Rexy - 3abtux - CPN
# there are three channels for log : 1 (default) for tracability, 2 for secure admin (ssh), 3 for exterior access attempts,
 
IPTABLES="/sbin/iptables"
FILTERING="no"
QOS="no"
EXTIF="eth0"
INTIF="eth1"
TUNIF="tun0"
PRIVATE_NETWORK_MASK="192.168.182.0/24"
PRIVATE_IP="192.168.182.1"
 
# Flush all existing rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -N SYN-FLOOD
 
# Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
# Flush non default rules on filter and nat tables
$IPTABLES -X
$IPTABLES -t nat -X
 
# accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
 
# Block all attempts to spoof the loopback address
$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP
 
# Block all attempts to spoof the local IP address
$IPTABLES -A INPUT -s $PRIVATE_IP -j DROP
 
# Block Syn Flood attacks
$IPTABLES -A INPUT -p tcp -m tcp --syn -j SYN-FLOOD
 
# Syn flood filtering chain
$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SYN-FLOOD -j DROP
 
# Ensure that TCP connections start with syn packets
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
 
#############################
#       INTIF rules         #
#############################
# accept dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
# INTIF is closed (all by TUNIF)
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
$IPTABLES -A INPUT -i $INTIF -j REJECT
 
#############################
#  Local protection rules   #
#############################
# Drop XMAS & NULLscans 
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Drop broadcast & multicast
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
# Antispoofing rules with log
$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY "
$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j DROP
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY "
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP
# Allow ping (icmp N°0 & 8) from LAN
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
 
#  Here, we add local rules (i.e. ssh from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
        . /usr/local/etc/alcasar-iptables-local.sh
fi
 
# Deny forward DNS (even for authenticated users ...)
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 
# Conntrack on forward
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
#####################################
#  If protocols filter is activate  #
#####################################
if [ $FILTERING = "yes" ]; then
	# Compute exception IP
	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
	if [ $nb_exceptions != "0" ]
	then
		while read ip_exception 
		do
			echo $ip_exception 
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
		done < /usr/local/etc/alcasar-filter-exceptions
	fi
	# Allow non comment protocols
	while read svc_line
	do
		svc_on=`echo $svc_line|cut -b1`
		if [ $svc_on != "#" ]
		then	
			svc_name=`echo $svc_line|cut -d" " -f1`
			svc_port=`echo $svc_line|cut -d" " -f2`
			if [ $svc_name = "icmp" ]
			then
				$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT 
			else
				$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "
				$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
			fi
		fi
	done < /usr/local/etc/alcasar-services
	# reject the others
	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT 
fi
 
########################
#  If QOS is activate  #
########################
if [ $QOS = "yes" ]; then
	. /usr/local/etc/alcasar-iptables-qos.sh 	
fi
 
# Allow forward connections with log
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT
 
####################################################################################
#  Imput from local network (dns, ntp, https, http, ssh and 3990 (user disconnect) #
####################################################################################
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT
 
# Conntrack on INPUT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# Deny direct connections on DansGuardian port (8080)
# The concerned paquets are marked by a pre-routing rule (see further)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j DROP
# Allow connections for DansGuardian
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
 
# Log HTTP requests (only syn)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
# Redirect HTTP request in DansGuardian (transparent proxy)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -j REDIRECT --to-port 8080
# Mark the dansguardian bypass attempts
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j MARK --set-mark 1
 
# Deny and log on INPUT from the LAN
$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
# Drop on EXTIF
$IPTABLES -A INPUT -i $EXTIF -j DROP
 
# Dynamic NAT on EXTIF
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
# Save all rules
/etc/init.d/iptables save
 
# no martians log (for mdv2009 only)
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
 
# End of script
 
 

Rev 478	Rev 492
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`# $Id: alcasar-iptables.sh 478 2011-02-07 23:17:10Z richard $`	2	`# $Id: alcasar-iptables.sh 492 2011-02-14 06:40:53Z franck $`
3	`# script de mise en place des regles du parefeu d'Alcasar (mode normal)`	3	`# script de mise en place des regles du parefeu d'Alcasar (mode normal)`
4	`# Rexy - 3abtux - CPN`	4	`# Rexy - 3abtux - CPN`
5	`# there are three channels for log : 1 (default) for tracability, 2 for secure admin (ssh), 3 for exterior access attempts,`	5	`# there are three channels for log : 1 (default) for tracability, 2 for secure admin (ssh), 3 for exterior access attempts,`
6		6
7	`IPTABLES="/sbin/iptables"`	7	`IPTABLES="/sbin/iptables"`
8	`FILTERING="no"`	8	`FILTERING="no"`
-		9	`QOS="no"`
9	`EXTIF="eth0"`	10	`EXTIF="eth0"`
10	`INTIF="eth1"`	11	`INTIF="eth1"`
11	`TUNIF="tun0"`	12	`TUNIF="tun0"`
12	`PRIVATE_NETWORK_MASK="192.168.182.0/24"`	13	`PRIVATE_NETWORK_MASK="192.168.182.0/24"`
13	`PRIVATE_IP="192.168.182.1"`	14	`PRIVATE_IP="192.168.182.1"`
14		15
15	`# Flush all existing rules`	16	`# Flush all existing rules`
16	`$IPTABLES -F`	17	`$IPTABLES -F`
17	`$IPTABLES -t nat -F`	18	`$IPTABLES -t nat -F`
18	`$IPTABLES -t mangle -F`	19	`$IPTABLES -t mangle -F`
19	`$IPTABLES -F INPUT`	20	`$IPTABLES -F INPUT`
20	`$IPTABLES -F FORWARD`	21	`$IPTABLES -F FORWARD`
21	`$IPTABLES -F OUTPUT`	22	`$IPTABLES -F OUTPUT`
-		23	`$IPTABLES -N SYN-FLOOD`
22		24
23	`# Default policies`	25	`# Default policies`
24	`$IPTABLES -P INPUT DROP`	26	`$IPTABLES -P INPUT DROP`
25	`$IPTABLES -P FORWARD DROP`	27	`$IPTABLES -P FORWARD DROP`
26	`$IPTABLES -P OUTPUT ACCEPT`	28	`$IPTABLES -P OUTPUT ACCEPT`
27	`$IPTABLES -t nat -P PREROUTING ACCEPT`	29	`$IPTABLES -t nat -P PREROUTING ACCEPT`
28	`$IPTABLES -t nat -P POSTROUTING ACCEPT`	30	`$IPTABLES -t nat -P POSTROUTING ACCEPT`
29	`$IPTABLES -t nat -P OUTPUT ACCEPT`	31	`$IPTABLES -t nat -P OUTPUT ACCEPT`
30		32
31	`# Flush non default rules on filter and nat tables`	33	`# Flush non default rules on filter and nat tables`
32	`$IPTABLES -X`	34	`$IPTABLES -X`
33	`$IPTABLES -t nat -X`	35	`$IPTABLES -t nat -X`
34		36
35	`# accept all on loopback`	37	`# accept all on loopback`
36	`$IPTABLES -A INPUT -i lo -j ACCEPT`	38	`$IPTABLES -A INPUT -i lo -j ACCEPT`
37		39
-		40	`# Block all attempts to spoof the loopback address`
-		41	`$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP`
-		42	`$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP`
-		43
-		44	`# Block all attempts to spoof the local IP address`
-		45	`$IPTABLES -A INPUT -s $PRIVATE_IP -j DROP`
-		46
-		47	`# Block Syn Flood attacks`
-		48	`$IPTABLES -A INPUT -p tcp -m tcp --syn -j SYN-FLOOD`
-		49
-		50	`# Syn flood filtering chain`
-		51	`$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN`
-		52	`$IPTABLES -A SYN-FLOOD -j DROP`
-		53
-		54	`# Ensure that TCP connections start with syn packets`
-		55	`$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP`
-		56
38	`#############################`	57	`#############################`
39	`# INTIF rules #`	58	`# INTIF rules #`
40	`#############################`	59	`#############################`
41	`# accept dhcp`	60	`# accept dhcp`
42	`$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT`	61	`$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT`
43	`# INTIF is closed (all by TUNIF)`	62	`# INTIF is closed (all by TUNIF)`
44	`$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "`	63	`$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "`
45	`$IPTABLES -A INPUT -i $INTIF -j REJECT`	64	`$IPTABLES -A INPUT -i $INTIF -j REJECT`
46		65
47	`#############################`	66	`#############################`
48	`# Local protection rules #`	67	`# Local protection rules #`
49	`#############################`	68	`#############################`
50	`# Drop XMAS & NULLscans`	69	`# Drop XMAS & NULLscans`
51	`$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP`	70	`$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP`
52	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP`	71	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP`
53	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP`	72	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP`
54	`$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP`	73	`$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP`
55	`# Drop broadcast & multicast`	74	`# Drop broadcast & multicast`
56	`$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP`	75	`$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP`
57	`# Antispoofing rules with log`	76	`# Antispoofing rules with log`
58	`$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY "`	77	`$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY "`
59	`$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j DROP`	78	`$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j DROP`
60	`$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY "`	79	`$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY "`
61	`$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP`	80	`$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP`
62	`# Allow ping (icmp N°0 & 8) from LAN`	81	`# Allow ping (icmp N°0 & 8) from LAN`
63	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT`	82	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT`
64	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT`	83	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT`
65		84
66	`# Here, we add local rules (i.e. ssh from Internet)`	85	`# Here, we add local rules (i.e. ssh from Internet)`
67	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`	86	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`
68	`. /usr/local/etc/alcasar-iptables-local.sh`	87	`. /usr/local/etc/alcasar-iptables-local.sh`
69	`fi`	88	`fi`
70		89
71	`# Deny forward DNS (even for authenticated users ...)`	90	`# Deny forward DNS (even for authenticated users ...)`
72	`$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable`	91	`$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable`
73	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset`	92	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset`
74		93
75	`# Conntrack on forward`	94	`# Conntrack on forward`
76	`$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT`	95	`$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT`
77		96
78	`#####################################`	97	`#####################################`
79	`# If protocols filter is activate #`	98	`# If protocols filter is activate #`
80	`#####################################`	99	`#####################################`
81	`if [ $FILTERING = "yes" ]; then`	100	`if [ $FILTERING = "yes" ]; then`
82	`# Compute exception IP`	101	`# Compute exception IP`
83	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions \| cut -d" " -f1`	102	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions \| cut -d" " -f1`
84	`if [ $nb_exceptions != "0" ]`	103	`if [ $nb_exceptions != "0" ]`
85	`then`	104	`then`
86	`while read ip_exception`	105	`while read ip_exception`
87	`do`	106	`do`
88	`echo $ip_exception`	107	`echo $ip_exception`
89	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "`	108	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "`
90	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT`	109	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT`
91	`done < /usr/local/etc/alcasar-filter-exceptions`	110	`done < /usr/local/etc/alcasar-filter-exceptions`
92	`fi`	111	`fi`
93	`# Allow non comment protocols`	112	`# Allow non comment protocols`
94	`while read svc_line`	113	`while read svc_line`
95	`do`	114	`do`
96	svc_on=`echo $svc_line\|cut -b1`	115	svc_on=`echo $svc_line\|cut -b1`
97	`if [ $svc_on != "#" ]`	116	`if [ $svc_on != "#" ]`
98	`then`	117	`then`
99	svc_name=`echo $svc_line\|cut -d" " -f1`	118	svc_name=`echo $svc_line\|cut -d" " -f1`
100	svc_port=`echo $svc_line\|cut -d" " -f2`	119	svc_port=`echo $svc_line\|cut -d" " -f2`
101	`if [ $svc_name = "icmp" ]`	120	`if [ $svc_name = "icmp" ]`
102	`then`	121	`then`
103	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT`	122	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT`
104	`else`	123	`else`
105	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "`	124	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "`
106	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ACCEPT`	125	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ACCEPT`
107	`fi`	126	`fi`
108	`fi`	127	`fi`
109	`done < /usr/local/etc/alcasar-services`	128	`done < /usr/local/etc/alcasar-services`
110	`# reject the others`	129	`# reject the others`
111	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j ULOG --ulog-prefix "RULE F_filter -- REJECT "`	130	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j ULOG --ulog-prefix "RULE F_filter -- REJECT "`
112	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`	131	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`
113	`$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`	132	`$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`
114	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT`	133	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT`
115	`fi`	134	`fi`
-		135
-		136	`########################`
-		137	`# If QOS is activate #`
-		138	`########################`
-		139	`if [ $QOS = "yes" ]; then`
-		140	`. /usr/local/etc/alcasar-iptables-qos.sh`
-		141	`fi`
-		142
116	`# Allow forward connections with log`	143	`# Allow forward connections with log`
117	`$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "`	144	`$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "`
118	`$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT`	145	`$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT`
119		146
120	`####################################################################################`	147	`####################################################################################`
121	`# Imput from local network (dns, ntp, https, http, ssh and 3990 (user disconnect) #`	148	`# Imput from local network (dns, ntp, https, http, ssh and 3990 (user disconnect) #`
122	`####################################################################################`	149	`####################################################################################`
123	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT`	150	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT`
124	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT`	151	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT`
125	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT`	152	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT`
126	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT`	153	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT`
127	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"`	154	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"`
128	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`	155	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`
129	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT`	156	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT`
130		157
131	`# Conntrack on INPUT`	158	`# Conntrack on INPUT`
132	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`	159	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
133		160
134	`# Deny direct connections on DansGuardian port (8080)`	161	`# Deny direct connections on DansGuardian port (8080)`
135	`# The concerned paquets are marked by a pre-routing rule (see further)`	162	`# The concerned paquets are marked by a pre-routing rule (see further)`
136	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j DROP`	163	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j DROP`
137	`# Allow connections for DansGuardian`	164	`# Allow connections for DansGuardian`
138	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT`	165	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT`
139		166
140	`# Log HTTP requests (only syn)`	167	`# Log HTTP requests (only syn)`
141	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "`	168	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "`
142	`# Redirect HTTP request in DansGuardian (transparent proxy)`	169	`# Redirect HTTP request in DansGuardian (transparent proxy)`
143	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -j REDIRECT --to-port 8080`	170	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -j REDIRECT --to-port 8080`
144	`# Mark the dansguardian bypass attempts`	171	`# Mark the dansguardian bypass attempts`
145	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "`	172	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "`
146	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j MARK --set-mark 1`	173	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j MARK --set-mark 1`
147		174
148	`# Deny and log on INPUT from the LAN`	175	`# Deny and log on INPUT from the LAN`
149	`$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "`	176	`$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "`
150	`$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`	177	`$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`
151	`$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`	178	`$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`
-		179
152	`# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)`	180	`# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)`
153	`$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"`	181	`$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"`
154	`# Drop on EXTIF`	182	`# Drop on EXTIF`
155	`$IPTABLES -A INPUT -i $EXTIF -j DROP`	183	`$IPTABLES -A INPUT -i $EXTIF -j DROP`
156		184
157	`# Dynamic NAT on EXTIF`	185	`# Dynamic NAT on EXTIF`
158	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`	186	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`
159		187
160	`# Save all rules`	188	`# Save all rules`
161	`/etc/init.d/iptables save`	189	`/etc/init.d/iptables save`
162		190
163	`# no martians log (for mdv2009 only)`	191	`# no martians log (for mdv2009 only)`
164	`echo 0 > /proc/sys/net/ipv4/conf/all/log_martians`	192	`echo 0 > /proc/sys/net/ipv4/conf/all/log_martians`
165		193
166	`# End of script`	194	`# End of script`
167		195
168		196

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh @ 3041 – Rev 478 → 492