Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 1486 2014-11-13 11:15:17Z richard $
|
2 |
# $Id: alcasar-iptables.sh 1488 2014-11-16 23:10:57Z richard $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
Line 318... |
Line 318... |
318 |
|
318 |
|
319 |
# Autorisation des retours de connexions légitimes
|
319 |
# Autorisation des retours de connexions légitimes
|
320 |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
320 |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
321 |
|
321 |
|
322 |
# If protocols filter is activate
|
322 |
# If protocols filter is activate
|
323 |
#if [ $PROTOCOLS_FILTERING = on ]; then
|
323 |
if [ $PROTOCOLS_FILTERING = on ]; then
|
324 |
# # Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
|
324 |
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
|
325 |
# nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
|
325 |
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
|
326 |
# if [ $nb_uamallowed != "0" ]
|
326 |
if [ $nb_uamallowed != "0" ]
|
327 |
# then
|
327 |
then
|
328 |
# while read ip_allowed_line
|
328 |
while read ip_allowed_line
|
329 |
# do
|
329 |
do
|
330 |
# ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
|
330 |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
|
331 |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
|
331 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
|
332 |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
|
332 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
|
333 |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
|
333 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
|
334 |
# done < /usr/local/etc/alcasar-uamallowed
|
334 |
done < /usr/local/etc/alcasar-uamallowed
|
335 |
# fi
|
335 |
fi
|
336 |
# # Autorisation des protocoles non commentés
|
336 |
# Autorisation du HTTP et des protocoles non commentés
|
337 |
# # Allow non comment protocols
|
337 |
# Allow HTTP and non comment protocols
|
- |
|
338 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
|
- |
|
339 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW
|
- |
|
340 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT
|
338 |
# while read svc_line
|
341 |
while read svc_line
|
339 |
# do
|
342 |
do
|
340 |
# svc_on=`echo $svc_line|cut -b1`
|
343 |
svc_on=`echo $svc_line|cut -b1`
|
341 |
# if [ $svc_on != "#" ]
|
344 |
if [ $svc_on != "#" ]
|
342 |
# then
|
345 |
then
|
343 |
# svc_name=`echo $svc_line|cut -d" " -f1`
|
346 |
svc_name=`echo $svc_line|cut -d" " -f1`
|
344 |
# svc_port=`echo $svc_line|cut -d" " -f2`
|
347 |
svc_port=`echo $svc_line|cut -d" " -f2`
|
345 |
# if [ $svc_name = "icmp" ]
|
348 |
if [ $svc_name = "icmp" ]
|
346 |
# then
|
349 |
then
|
347 |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
|
350 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
|
348 |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
|
351 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
|
349 |
# else
|
352 |
else
|
350 |
#
|
353 |
|
351 |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
|
354 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
|
352 |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
|
355 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
|
353 |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
|
356 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
|
354 |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
|
357 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
|
355 |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
|
358 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
|
356 |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
|
359 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
|
357 |
# fi
|
360 |
fi
|
358 |
# fi
|
361 |
fi
|
359 |
# done < /usr/local/etc/alcasar-services
|
362 |
done < /usr/local/etc/alcasar-services
|
360 |
# # Rejet explicite des autres protocoles
|
363 |
# Rejet explicite des autres protocoles
|
361 |
# # reject the others protocols
|
364 |
# reject the others protocols
|
362 |
# $IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
|
365 |
$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
|
363 |
# $IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
|
366 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
|
364 |
# $IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
|
367 |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
|
365 |
# $IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
|
368 |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
|
366 |
#fi
|
369 |
fi
|
367 |
|
370 |
|
368 |
# If QOS is activate #
|
371 |
# If QOS is activate #
|
369 |
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
|
372 |
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
|
370 |
. /usr/local/etc/alcasar-iptables-qos.sh
|
373 |
. /usr/local/etc/alcasar-iptables-qos.sh
|
371 |
fi
|
374 |
fi
|