Subversion Repositories ALCASAR

Rev

Rev 1339 | Rev 1370 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 1339 Rev 1364
1 
#!/bin/bash
 1 
#!/bin/bash
2 
# $Id: alcasar-iptables.sh 1339 2014-05-05 12:55:57Z richard $
 2 
# $Id: alcasar-iptables.sh 1364 2014-05-27 15:56:02Z richard $
3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4 
# This script writes the netfilter rules for ALCASAR
 4 
# This script writes the netfilter rules for ALCASAR
5 
# Rexy - 3abtux - CPN
 5 
# Rexy - 3abtux - CPN
6 
#
 6 
#
7 
# Reminders
 7 
# Reminders
8 
# There are four channels for log :
 8 
# There are four channels for log :
9 
#	1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);
 9 
#	1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);
10 
#	2 protection of ALCASAR with the Ulog group 1 (default group)
10 
#	2 protection of ALCASAR with the Ulog group 1 (default group)
11 
#	3 SSH on ALCASAR with the Ulog group 2;
 11 
#	3 SSH on ALCASAR with the Ulog group 2;
12 
#	4 extern access attempts on ALCASAR with the Ulog group 3.
 12 
#	4 extern access attempts on ALCASAR with the Ulog group 3.
13 
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
13 
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
14 
conf_file="/usr/local/etc/alcasar.conf"
 14 
conf_file="/usr/local/etc/alcasar.conf"
15 
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
 15 
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
16 
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
 16 
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
17 
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
 17 
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
18 
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2`		# LAN IP address (ie.: 192.168.182.0)
 18 
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2`		# LAN IP address (ie.: 192.168.182.0)
19 
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2`		# LAN prefix (ie. 24)
 19 
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2`		# LAN prefix (ie. 24)
20 
PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# Lan IP address + prefix (192.168.182.0/24)
 20 
PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# Lan IP address + prefix (192.168.182.0/24)
21 
public_ip_mask=`grep PUBLIC_IP= $conf_file|cut -d"=" -f2`		# ALCASAR WAN IP address
 21 
public_ip_mask=`grep PUBLIC_IP= $conf_file|cut -d"=" -f2`		# ALCASAR WAN IP address
22 
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
 22 
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
23 
dns1=`grep DNS1= $conf_file|cut -d"=" -f2`				# first public DNS server
 23 
dns1=`grep DNS1= $conf_file|cut -d"=" -f2`				# first public DNS server
24 
dns1=${dns1:=208.67.220.220}
 24 
dns1=${dns1:=208.67.220.220}
25 
dns2=`grep DNS2= $conf_file|cut -d"=" -f2`				# second public DNS server
 25 
dns2=`grep DNS2= $conf_file|cut -d"=" -f2`				# second public DNS server
26 
dns2=${dns2:=208.67.222.222}
 26 
dns2=${dns2:=208.67.222.222}
27 
DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
 27 
DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
28 
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2`	# Network protocols filter (on/off)
 28 
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2`	# Network protocols filter (on/off)
29 
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
 29 
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
30 
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2`		# DNS and URLs filter (on/off)
 30 
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2`		# DNS and URLs filter (on/off)
31 
DNS_FILTERING=${DNS_FILTERING:=off}
 31 
DNS_FILTERING=${DNS_FILTERING:=off}
32 
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
 32 
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
33 
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi"				# ossi categoty
 33 
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi"				# ossi categoty
- 
 
 34 
FILE_IP_WL="/usr/local/share/ossi_wl"					# ip of the whitelist
- 
 
 35 
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
- 
 
 36 
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
34 
QOS=`grep QOS= $conf_file|cut -d"=" -f2`				# QOS (on/off)
 37 
QOS=`grep QOS= $conf_file|cut -d"=" -f2`				# QOS (on/off)
35 
QOS=${QOS:=off}
 38 
QOS=${QOS:=off}
36 
SSH=`grep SSH= $conf_file|cut -d"=" -f2`				# sshd active (on/off)
 39 
SSH=`grep SSH= $conf_file|cut -d"=" -f2`				# sshd active (on/off)
37 
SSH=${SSH:=off}
 40 
SSH=${SSH:=off}
38 
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
 41 
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
39 
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
 42 
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
40 
LDAP=`grep LDAP= $conf_file|cut -d"=" -f2`				# LDAP external server active (on/off)
 43 
LDAP=`grep LDAP= $conf_file|cut -d"=" -f2`				# LDAP external server active (on/off)
41 
LDAP=${LDAP:=off}
 44 
LDAP=${LDAP:=off}
42 
LDAP_IP=`grep LDAP_IP= $conf_file|cut -d"=" -f2`			# WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
 45 
LDAP_IP=`grep LDAP_IP= $conf_file|cut -d"=" -f2`			# WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
43 
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
 46 
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
44 
EXTIF="eth0"
 47 
EXTIF="eth0"
45 
INTIF="eth1"
 48 
INTIF="eth1"
46 
TUNIF="tun0"								# listen device for chilli daemon
 49 
TUNIF="tun0"								# listen device for chilli daemon
47 
IPTABLES="/sbin/iptables"
 50 
IPTABLES="/sbin/iptables"
48 
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
 51 
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
- 
 
 52 
SAVE_DIR="/etc/sysconfig"						# Saving path
- 
 
 53 
 
- 
 
 54 
# Sauvegarde des SET des utilisateurs connectés si ils existent
- 
 
 55 
# Saving SET of connected users if it exists
- 
 
 56 
ipset list no_filtering_set 1>/dev/null 2>&1
- 
 
 57 
if [ $? -eq 0 ];
- 
 
 58 
then
- 
 
 59 
	ipset save no_filtering_set > $TMP_users_set_save
- 
 
 60 
	ipset save havp_set >> $TMP_users_set_save
- 
 
 61 
	ipset save havp_bl_set >> $TMP_users_set_save
- 
 
 62 
	ipset save havp_wl_set >> $TMP_users_set_save
- 
 
 63 
fi
49 
 
 64 
 
50 
# loading of NetFlow probe (ipt_NETFLOW kernel module)
 65 
# loading of NetFlow probe (ipt_NETFLOW kernel module)
51 
modprobe ipt_NETFLOW destination=127.0.0.1:2055
 66 
modprobe ipt_NETFLOW destination=127.0.0.1:2055
52 
 
 67 
 
53 
# Effacement des règles existantes
 68 
# Effacement des règles existantes
54 
# Flush all existing rules
 69 
# Flush all existing rules
55 
$IPTABLES -F
 70 
$IPTABLES -F
56 
$IPTABLES -t nat -F
 71 
$IPTABLES -t nat -F
57 
$IPTABLES -t mangle -F
 72 
$IPTABLES -t mangle -F
58 
$IPTABLES -F INPUT
 73 
$IPTABLES -F INPUT
59 
$IPTABLES -F FORWARD
 74 
$IPTABLES -F FORWARD
60 
$IPTABLES -F OUTPUT
 75 
$IPTABLES -F OUTPUT
61 
 
 76 
 
62 
# Suppression des chaines utilisateurs sur les tables filter et nat
 77 
# Suppression des chaines utilisateurs sur les tables filter et nat
63 
# Flush non default rules on filter and nat tables
 78 
# Flush non default rules on filter and nat tables
64 
$IPTABLES -X
 79 
$IPTABLES -X
65 
$IPTABLES -t nat -X
 80 
$IPTABLES -t nat -X
66 
 
 81 
 
67 
# Stratégies par défaut
 82 
# Stratégies par défaut
68 
# Default policies
 83 
# Default policies
69 
$IPTABLES -P INPUT DROP
 84 
$IPTABLES -P INPUT DROP
70 
$IPTABLES -P FORWARD DROP
 85 
$IPTABLES -P FORWARD DROP
71 
$IPTABLES -P OUTPUT DROP
 86 
$IPTABLES -P OUTPUT DROP
72 
$IPTABLES -t nat -P PREROUTING ACCEPT
 87 
$IPTABLES -t nat -P PREROUTING ACCEPT
73 
$IPTABLES -t nat -P POSTROUTING ACCEPT
 88 
$IPTABLES -t nat -P POSTROUTING ACCEPT
74 
$IPTABLES -t nat -P OUTPUT ACCEPT
 89 
$IPTABLES -t nat -P OUTPUT ACCEPT
75 
 
 90 
 
76 
# destruction de tous les SET
 91 
# destruction de tous les SET
77 
# destroy all SET
 92 
# destroy all SET
78 
ipset destroy
 93 
ipset destroy
79 
 
 94 
 
80 
# Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown)
 - 
 
81 
# creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts)
 - 
 
82 
ipset create authenticated_ip hash:net hashsize 1024
 - 
 
83 
OLDIFS=$IFS
 - 
 
84 
IFS=$'\n'
 - 
 
85 
for equipment in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
 - 
 
86 
do
 - 
 
87 
	active_ip=`echo $equipment |cut -d" " -f2`
 - 
 
88 
	active_session=`echo $equipment |cut -d" " -f5`
 - 
 
89 
	if [[ $(expr $active_session) -eq 1 ]]
 - 
 
90 
	then
 - 
 
91 
		ipset add authenticated_ip $active_ip
 - 
 
92 
	fi
 - 
 
93 
done
 - 
 
94 
IFS=$OLDIFS
 - 
 
95 
 
 - 
 
96 
# Calcul de la taille de l'ipset
 95 
# Calcul de la taille du set
97 
cd $BL_IP_CAT
 96 
cd $BL_IP_CAT
98 
ipset_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
 97 
set_bl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
99 
 
 98 
 
100 
# Création du fichier set temporaire, remplissage, chargement et suppression
 99 
# Création du fichier set temporaire, remplissage, chargement et suppression
101 
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > /tmp/ipset_save
 100 
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $set_bl_length" > $TMP_set_save
102 
for category in `ls -1 | cut -d '@' -f1`
 101 
for category in `ls -1 | cut -d '@' -f1`
103 
do
 102 
do
104 
	cat $BL_IP_CAT/$category >> /tmp/ipset_save
 103 
	cat $BL_IP_CAT/$category >> $TMP_set_save
105 
done
 104 
done
106 
cat $BL_IP_OSSI >> /tmp/ipset_save
 105 
cat $BL_IP_OSSI >> $TMP_set_save
107 
ipset -! restore < /tmp/ipset_save
 106 
ipset -! restore < $TMP_set_save
108 
rm -f /tmp/ipset_save
 107 
rm -f $TMP_set_save
109 
 
 108 
 
110 
# Extraction des ip réhabilitées
 109 
# Extraction des ip réhabilitées
111 
for ip in $(cat $IP_REHABILITEES)
 110 
for ip in $(cat $IP_REHABILITEES)
112 
do
 111 
do
113 
	ipset del blacklist_ip_blocked $ip
 112 
	ipset del blacklist_ip_blocked $ip
114 
done
 113 
done
115 
 
 114 
 
- 
 
 115 
# Calcul de la taille du set de la whitelist
- 
 
 116 
set_wl_length=$(wc -l $FILE_IP_WL | awk '{print $1}')
- 
 
 117 
 
- 
 
 118 
# Création du fichier set temporaire, remplissage, chargement et suppression
- 
 
 119 
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save
- 
 
 120 
cat $FILE_IP_WL >> $TMP_set_save
- 
 
 121 
ipset -! restore < $TMP_set_save
- 
 
 122 
rm -f $TMP_set_save
- 
 
 123 
 
- 
 
 124 
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET
- 
 
 125 
if [ -e $TMP_users_set_save ];
- 
 
 126 
then
- 
 
 127 
	ipset -! restore < $TMP_users_set_save
- 
 
 128 
	rm -f $TMP_users_set_save
- 
 
 129 
else
- 
 
 130 
	ipset create no_filtering_set hash:net hashsize 1024
- 
 
 131 
	ipset create havp_set hash:net hashsize 1024
- 
 
 132 
	ipset create havp_bl_set hash:net hashsize 1024
- 
 
 133 
	ipset create havp_wl_set hash:net hashsize 1024
- 
 
 134 
fi
- 
 
 135 
 
116 
# Sauvegarde de tous les set (pour restaurer après redémarrage)
 136 
# Sauvegarde de tous les set sauf ceux d'interception (pour restaurer après redémarrage)
- 
 
 137 
ipset save blacklist_ip_blocked > $SAVE_DIR/ipset_save
117 
ipset save > /etc/sysconfig/ipset_save
 138 
ipset save whitelist_ip_allowed >> $SAVE_DIR/ipset_save
- 
 
 139 
echo "create no_filtering_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
- 
 
 140 
echo "create havp_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
- 
 
 141 
echo "create havp_bl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
- 
 
 142 
echo "create havp_wl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
118 
 
 143 
 
119 
#############################
 144 
#############################
120 
#       PREROUTING          #
 145 
#       PREROUTING          #
121 
#############################
 146 
#############################
122 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
 147 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
123 
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
 148 
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
124 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
 149 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
125 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 150 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
126 
 
 151 
 
127 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT
 152 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT
128 
# Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules
 153 
# Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules
129 
# Remarque : Ce port n'est ouvert que lorsque le filtrage est activé
 - 
 
130 
# Remark : this port is only open when filtering is on
 - 
 
131 
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP -m udp --dport 54 -j ULOG --ulog-prefix "RULE DNS-proxy -- DENY "
 154 
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP -m udp --dport 54 -j ULOG --ulog-prefix "RULE DNS-proxy -- DENY "
132 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 2
 155 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 2
133 
 
 156 
 
134 
# Si le filtrage DNS est activé, redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions
157 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 55 pour pouvoir les rejeter en INPUT
135 
# If DNS filter is on, redirect DNS request to udp 54 (dns+blackhole) except for exception IP addresses
 158 
# Mark (and log) the udp 55 direct attempts to REJECT them in INPUT rules
136 
if [ $DNS_FILTERING = on ]; then
 159 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 3
- 
 
 160 
 
- 
 
 161 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 pour pouvoir les rejeter en INPUT
137 
	# Compute exception IP
 162 
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
138 
	nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
 163 
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 4
- 
 
 164 
 
139 
	if [ $nb_exceptions != "0" ]
 165 
# Aiguillage des flux DNS
140 
	then
 166 
# Switching DNS streams
- 
 
 167 
# havp_bl_set --> redirection vers le port 54
141 
		while read ip_exception
168 
# havp_bl_set --> redirect to port 54
142 
		do
 - 
 
143 
			$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT
 169 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
144 
		done < /usr/local/etc/alcasar-filter-exceptions
 170 
# havp_wl_set --> redirection vers le port 55
145 
	fi
 - 
 
- 
 
 171 
# havp_wl_set --> redirect to port 55
146 
		$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
 172 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
147 
fi
 - 
 
148 
 
 173 
 
149 
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
 174 
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
150 
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
 - 
 
151 
if [ $DNS_FILTERING = on ]; then
 - 
 
152 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 175 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
153 
fi
 - 
 
154 
 
 176 
 
155 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
 177 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
156 
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
 178 
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
157 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
 179 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
158 
 
 180 
 
- 
 
 181 
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_set
- 
 
 182 
# Redirect outbound HTTP requests to HAVP for the set havp_set
- 
 
 183 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
- 
 
 184 
 
159 
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent)
 185 
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent) pour le set havp_bl_set
160 
# Redirect outbound HTTP requests to DansGuardian (transparent proxy)
 186 
# Redirect outbound HTTP requests to DansGuardian (transparent proxy) for the set havp_bl_set
161 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
 187 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
- 
 
 188 
 
- 
 
 189 
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_wl_set
- 
 
 190 
# Redirect outbound HTTP requests to HAVP for the set havp_wl_set
- 
 
 191 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
162 
 
 192 
 
163 
# Redirection des requêtes NTP vers le serveur NTP local
 193 
# Redirection des requêtes NTP vers le serveur NTP local
164 
# Redirect NTP request in local NTP server
 194 
# Redirect NTP request in local NTP server
165 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
 195 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
166 
 
 196 
 
167 
#############################
 197 
#############################
168 
#         INPUT             #
 198 
#         INPUT             #
169 
#############################
 199 
#############################
170 
 
 200 
 
171 
# Tout passe sur loopback
 201 
# Tout passe sur loopback
172 
# accept all on loopback
 202 
# accept all on loopback
173 
$IPTABLES -A INPUT -i lo -j ACCEPT
 203 
$IPTABLES -A INPUT -i lo -j ACCEPT
174 
$IPTABLES -A OUTPUT -o lo -j ACCEPT
 204 
$IPTABLES -A OUTPUT -o lo -j ACCEPT
175 
 
 205 
 
176 
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
 206 
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
177 
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
 207 
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
178 
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
 208 
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
179 
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
 209 
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
180 
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 210 
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
181 
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 211 
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
182 
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
 212 
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
183 
 
 213 
 
184 
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
 214 
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
185 
# Drop broadcast & multicast on EXTIF to avoid log
215 
# Drop broadcast & multicast on EXTIF to avoid log
186 
$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 216 
$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
187 
 
 217 
 
188 
# On autorise les retours de connexions légitimes par INPUT
 218 
# On autorise les retours de connexions légitimes par INPUT
189 
# Conntrack on INPUT
 219 
# Conntrack on INPUT
190 
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 220 
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
191 
 
 221 
 
192 
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
 222 
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
193 
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING)
 223 
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING)
194 
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
 224 
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
195 
 
 225 
 
196 
# Autorisation des connexions légitimes à DansGuardian
226 
# Autorisation des connexions légitimes à DansGuardian
197 
# Allow connections for DansGuardian
 227 
# Allow connections for DansGuardian
198 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
 228 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
199 
 
 229 
 
200 
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
 230 
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
201 
# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING)
 231 
# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING)
202 
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable
 232 
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable
203 
 
 233 
 
- 
 
 234 
# On interdit les connexions directes au port UDP 55. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
- 
 
 235 
# Deny direct connections on UDP 55. The concerned paquets are marked in mangle table (PREROUTING)
- 
 
 236 
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable
- 
 
 237 
 
- 
 
 238 
# On interdit les connexions directes au port 8090. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
- 
 
 239 
# Deny direct connections on 8090. The concerned paquets are marked in mangle table (PREROUTING)
- 
 
 240 
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 4 -j REJECT --reject-with tcp-reset
- 
 
 241 
 
- 
 
 242 
# Autorisation des connexions légitimes à HAVP
- 
 
 243 
# Allow connections for HAVP
- 
 
 244 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m state --state NEW --syn -j ACCEPT
- 
 
 245 
 
204 
# autorisation des connexion légitime à DNSMASQ (avec blackhole)
 246 
# autorisation des connexion légitime à DNSMASQ (avec blacklist)
205 
# Allow connections for DNSMASQ (with blackhole)
 247 
# Allow connections for DNSMASQ (with blacklist)
206 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
 248 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
207 
 
 249 
 
- 
 
 250 
# autorisation des connexion légitime à DNSMASQ (avec whitelist)
- 
 
 251 
# Allow connections for DNSMASQ (with whitelist)
- 
 
 252 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT
- 
 
 253 
 
208 
# Accès direct aux services internes
 254 
# Accès direct aux services internes
209 
# Internal services access
 255 
# Internal services access
210 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT	# DNS non filtré # DNS without blackhole
 256 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT	# DNS non filtré # DNS without blacklist
211 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT	# Réponse ping # ping responce
 257 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT	# Réponse ping # ping responce
212 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT	# Requête  ping # ping request
 258 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT	# Requête  ping # ping request
213 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT	# Pages d'authentification et MCC # authentication pages and MCC
 259 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT	# Pages d'authentification et MCC # authentication pages and MCC
214 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT	# Page d'avertissement filtrage # Filtering warning pages
 260 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT	# Page d'avertissement filtrage # Filtering warning pages
215 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT	# Requêtes de deconnexion usagers # Users logout requests
 261 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT	# Requêtes de deconnexion usagers # Users logout requests
216 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT	# Serveur local de temps # local time server
 262 
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT	# Serveur local de temps # local time server
217 
 
 263 
 
218 
# SSHD rules if activate
264 
# SSHD rules if activate
219 
if [ $SSH = on ]
 265 
if [ $SSH = on ]
220 
	then
 266 
	then
221 
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
 267 
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
222 
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
 268 
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
223 
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
 269 
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
224 
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
 270 
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
225 
fi
 271 
fi
226 
 
 272 
 
227 
# Insertion de règles locales
 273 
# Insertion de règles locales
228 
# Here, we add local rules (i.e. VPN from Internet)
 274 
# Here, we add local rules (i.e. VPN from Internet)
229 
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
 275 
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
230 
        . /usr/local/etc/alcasar-iptables-local.sh
 276 
        . /usr/local/etc/alcasar-iptables-local.sh
231 
fi
 277 
fi
232 
 
 278 
 
233 
# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN
 279 
# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN
234 
# Deny and log on INPUT from the LAN
 280 
# Deny and log on INPUT from the LAN
235 
$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
 281 
$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
236 
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
 282 
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
237 
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 283 
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
238 
 
 284 
 
239 
# interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
 285 
# interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
240 
# Reject INTIF access (only when chilli is down)
 286 
# Reject INTIF access (only when chilli is down)
241 
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
 287 
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
242 
$IPTABLES -A INPUT -i $INTIF -j REJECT
 288 
$IPTABLES -A INPUT -i $INTIF -j REJECT
243 
 
 289 
 
244 
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
 290 
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
245 
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
 291 
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
246 
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
 292 
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
247 
 
 293 
 
248 
 
 - 
 
249 
#############################
 294 
#############################
250 
#        FORWARD            #
 295 
#        FORWARD            #
251 
#############################
 296 
#############################
252 
 
 297 
 
- 
 
 298 
# Blocage des IPs du SET blacklist_ip_blocked pour le SET havp_bl_set
- 
 
 299 
# Deny IPs of the SET blacklist_ip_blocked for the set havp_bl_set
- 
 
 300 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
- 
 
 301 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
- 
 
 302 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
- 
 
 303 
 
253 
# Rejet des requêtes DNS vers Internet
 304 
# Rejet des requêtes DNS vers Internet
254 
# Deny forward DNS
 305 
# Deny forward DNS
255 
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
 306 
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
256 
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 307 
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
257 
 
 308 
 
258 
if [ $DNS_FILTERING = on ]; then
 - 
 
259 
	# Blocage des IPs du SET blacklist_ip_blocked
 - 
 
260 
	# Deny IPs of the SET blacklist_ip_blocked
- 
 
261 
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
 - 
 
262 
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
 - 
 
263 
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
 - 
 
264 
fi
 - 
 
265 
 
 - 
 
266 
# Autorisation des retours de connexions légitimes
 309 
# Autorisation des retours de connexions légitimes
267 
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 310 
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
268 
 
 311 
 
269 
#  If protocols filter is activate
312 
#  If protocols filter is activate
270 
if [ $PROTOCOLS_FILTERING = on ]; then
 313 
#if [ $PROTOCOLS_FILTERING = on ]; then
271 
	# Compute exception IP (IP addresses that shouldn't be filtered)
 - 
 
272 
	nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
 - 
 
273 
	if [ $nb_exceptions != "0" ]
 - 
 
274 
	then
 - 
 
275 
		while read ip_exception
- 
 
276 
		do
 - 
 
277 
#			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
 - 
 
278 
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW
 - 
 
279 
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
 - 
 
280 
		done < /usr/local/etc/alcasar-filter-exceptions
 - 
 
281 
	fi
 - 
 
282 
	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
314 
#	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
283 
	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
 315 
#	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
284 
	if [ $nb_uamallowed != "0" ]
 316 
#	if [ $nb_uamallowed != "0" ]
285 
	then
 317 
#	then
286 
		while read ip_allowed_line
318 
#		while read ip_allowed_line
287 
		do
 319 
#		do
288 
			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
 320 
#			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
289 
#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
 321 
#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
290 
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
 322 
#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
291 
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
 323 
#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
292 
		done < /usr/local/etc/alcasar-uamallowed
 324 
#		done < /usr/local/etc/alcasar-uamallowed
293 
	fi
 325 
#	fi
294 
	# Autorisation des protocoles non commentés
 326 
#	# Autorisation des protocoles non commentés
295 
	# Allow non comment protocols
 327 
#	# Allow non comment protocols
296 
	while read svc_line
 328 
#	while read svc_line
297 
	do
 329 
#	do
298 
		svc_on=`echo $svc_line|cut -b1`
 330 
#		svc_on=`echo $svc_line|cut -b1`
299 
		if [ $svc_on != "#" ]
 331 
#		if [ $svc_on != "#" ]
300 
		then
332 
#		then
301 
			svc_name=`echo $svc_line|cut -d" " -f1`
 333 
#			svc_name=`echo $svc_line|cut -d" " -f1`
302 
			svc_port=`echo $svc_line|cut -d" " -f2`
 334 
#			svc_port=`echo $svc_line|cut -d" " -f2`
303 
			if [ $svc_name = "icmp" ]
 335 
#			if [ $svc_name = "icmp" ]
304 
			then
 336 
#			then
305 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
 337 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
306 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
338 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
307 
			else
 339 
#			else
308 
 
 340 
#
309 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
 341 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
310 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
 342 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
311 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
 343 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
312 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
 344 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
313 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
 345 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
314 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
 346 
#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
315 
			fi
 347 
#			fi
316 
		fi
 348 
#		fi
317 
	done < /usr/local/etc/alcasar-services
 349 
#	done < /usr/local/etc/alcasar-services
318 
	# Rejet explicite des autres protocoles
 350 
#	# Rejet explicite des autres protocoles
319 
	# reject the others protocols
 351 
#	# reject the others protocols
320 
#	$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
 352 
#	$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
321 
	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
 353 
#	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
322 
	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 354 
#	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
323 
	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
355 
#	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
324 
fi
 356 
#fi
325 
 
 357 
 
326 
#  If QOS is activate  #
 358 
#  If QOS is activate  #
327 
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
 359 
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
328 
	. /usr/local/etc/alcasar-iptables-qos.sh
360 
	. /usr/local/etc/alcasar-iptables-qos.sh
329 
fi
 361 
fi
330 
 
 362 
 
331 
# Autorisation des connections sortant du LAN
363 
# Autorisation des connections sortant du LAN
332 
# Allow forward connections with log
 364 
# Allow forward connections with log
333 
#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
 365 
#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
334 
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
 366 
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
335 
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 367 
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
336 
 
 368 
 
337 
#############################
 369 
#############################
338 
#         OUTPUT            #
 370 
#         OUTPUT            #
339 
#############################
 371 
#############################
340 
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
 372 
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
341 
# Everything is allowed but traffic through outside network interface
 373 
# Everything is allowed but traffic through outside network interface
342 
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 374 
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
343 
 
 375 
 
344 
# On autorise les requêtes DNS vers les serveurs DNS identifiés
376 
# On autorise les requêtes DNS vers les serveurs DNS identifiés
345 
# Allow DNS requests to identified DNS servers
 377 
# Allow DNS requests to identified DNS servers
346 
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
 378 
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
347 
 
 379 
 
348 
# On autorise les requêtes HTTP sortantes
 380 
# On autorise les requêtes HTTP sortantes
349 
# HTTP requests are allowed
 381 
# HTTP requests are allowed
350 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
 382 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
351 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
 383 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
352 
 
 384 
 
353 
# On autorise les requêtes FTP
385 
# On autorise les requêtes FTP
354 
# FTP requests are allowed
 386 
# FTP requests are allowed
355 
modprobe ip_conntrack_ftp
 387 
modprobe ip_conntrack_ftp
356 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
 388 
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
357 
$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
 389 
$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
358 
 
 390 
 
359 
# On autorise les requêtes NTP
391 
# On autorise les requêtes NTP
360 
# NTP requests are allowed
 392 
# NTP requests are allowed
361 
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
 393 
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
362 
 
 394 
 
363 
# On autorise les requêtes ICMP (ping)
395 
# On autorise les requêtes ICMP (ping)
364 
# ICMP (ping) requests are allowed
 396 
# ICMP (ping) requests are allowed
365 
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
 397 
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
366 
 
 398 
 
367 
# On autorise les requêtes LDAP si un serveur externe est configué
 399 
# On autorise les requêtes LDAP si un serveur externe est configué
368 
# LDAP requests are allowed if an external server is declared
 400 
# LDAP requests are allowed if an external server is declared
369 
if [ $LDAP = on ]
 401 
if [ $LDAP = on ]
370 
	then
 402 
	then
371 
	$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
 403 
	$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
372 
	$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
 404 
	$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
373 
fi
 405 
fi
374 
 
 406 
 
375 
 
 - 
 
376 
#############################
 407 
#############################
377 
#       POSTROUTING         #
 408 
#       POSTROUTING         #
378 
#############################
 409 
#############################
379 
# Traduction dynamique d'adresse en sortie
 410 
# Traduction dynamique d'adresse en sortie
380 
# Dynamic NAT on EXTIF
 411 
# Dynamic NAT on EXTIF
381 
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 412 
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
382 
 
 413 
 
383 
# Save all rules
 414 
# Save all rules
384 
/etc/init.d/iptables save
 415 
/etc/init.d/iptables save
385 
 
 416 
 
386 
# End of script
 417 
# End of script
387 
 
 418 
 
388 
 
 419