
Rev 3195 Rev 3205
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
# $Id: alcasar-iptables.sh 3195 2024-04-23 22:39:48Z rexy $
2
# $Id: alcasar-iptables.sh 3205 2024-06-03 21:33:22Z rexy $
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4
# This script writes the netfilter rules for ALCASAR
4
# This script writes the netfilter rules for ALCASAR
5
# Rexy - 3abtux - CPN
5
# Rexy - 3abtux - CPN
6
#
6
#
7
# Reminders
7
# Reminders
Line 450... Line 450...
450
# filtrage protocole par utilisateur (profile 1 : http, https)
450
# filtrage protocole par utilisateur (profile 1 : http, https)
451
# protocols filtering for users (profil 1 : http, https)
451
# protocols filtering for users (profil 1 : http, https)
452
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
452
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
453
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
453
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
454
 
454
 
455
# filtrage protocole par utilisateur (profile 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh)
455
# filtrage protocole par utilisateur (profile 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh 465+587(smtps))
456
# protocols filtering for users (profil 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh)
456
# protocols filtering for users (profil 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh 465+587(smtps))
457
 
457
 
458
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
458
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh,465,587 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
459
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
459
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh,465,587 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
460
 
460
 
461
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
461
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
462
# protocols filtering for users (profil 3 : customized with ACC)
462
# protocols filtering for users (profil 3 : customized with ACC)
463
custom_tcp_protocols_list='';custom_udp_protocols_list=''
463
custom_tcp_protocols_list='';custom_udp_protocols_list=''
464
while read svc_line
464
while read svc_line
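Review bot: The `sftp` name kept in both profile‑2 allow-lists (new lines 458 and 459) is resolved by iptables through /etc/services, which on typical glibc systems maps `sftp` to port 115 (the legacy Simple File Transfer Protocol), not SSH's SFTP — that already travels over `ssh`/22 — so this profile opens an unintended port; I would drop it and pin the list numerically, e.g. `--dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,ssh,465,587` on both lines, since mixing names and numbers makes the REJECT only as tight as the host's services file. Adding 465 and 587 to the UDP rule (line 459) widens the UDP allow-list for ports that have no UDP mail use; the TCP rule alone is what submission/smtps clients need, so the UDP list could stay as it was. The header comment on lines 455/456 tags both ports `(smtps)`, but 587 is plain submission with STARTTLS; `# ... ssh smtps(465) submission(587))` would be more accurate. The `while read svc_line` loop that begins on the hunk's last line continues outside it.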