1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 3195 2024-04-23 22:39:48Z rexy $
|
2 |
# $Id: alcasar-iptables.sh 3205 2024-06-03 21:33:22Z rexy $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
450 |
# filtrage protocole par utilisateur (profile 1 : http, https)
|
450 |
# filtrage protocole par utilisateur (profile 1 : http, https)
|
451 |
# protocols filtering for users (profil 1 : http, https)
|
451 |
# protocols filtering for users (profil 1 : http, https)
|
452 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
452 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
453 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
453 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
454 |
|
454 |
|
455 |
# filtrage protocole par utilisateur (profile 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh)
|
455 |
# filtrage protocole par utilisateur (profile 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh 465+587(smtps))
|
456 |
# protocols filtering for users (profil 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh)
|
456 |
# protocols filtering for users (profil 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh 465+587(smtps))
|
457 |
|
457 |
|
458 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
458 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh,465,587 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
459 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
459 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh,465,587 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
460 |
|
460 |
|
461 |
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
|
461 |
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
|
462 |
# protocols filtering for users (profil 3 : customized with ACC)
|
462 |
# protocols filtering for users (profil 3 : customized with ACC)
|
463 |
custom_tcp_protocols_list='';custom_udp_protocols_list=''
|
463 |
custom_tcp_protocols_list='';custom_udp_protocols_list=''
|
464 |
while read svc_line
|
464 |
while read svc_line
|