
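--- a/alcasar-iptables.sh
+++ b/alcasar-iptables.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# $Id: alcasar-iptables.sh 1486 2014-11-13 11:15:17Z richard $
+# $Id: alcasar-iptables.sh 1488 2014-11-16 23:10:57Z richard $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 #
 # Reminders
@@ -318,54 +318,57 @@
 
 # Autorisation des retours de connexions légitimes
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 #  If protocols filter is activate
-#if [ $PROTOCOLS_FILTERING = on ]; then
-#	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) 
-#	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
-#	if [ $nb_uamallowed != "0" ]
-#	then
-#		while read ip_allowed_line 
-#		do
-#			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
-#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
-#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
-#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
-#		done < /usr/local/etc/alcasar-uamallowed
-#	fi
-#	# Autorisation des protocoles non commentés
-#	# Allow non comment protocols
-#	while read svc_line
-#	do
-#		svc_on=`echo $svc_line|cut -b1`
-#		if [ $svc_on != "#" ]
-#		then	
-#			svc_name=`echo $svc_line|cut -d" " -f1`
-#			svc_port=`echo $svc_line|cut -d" " -f2`
-#			if [ $svc_name = "icmp" ]
-#			then
-#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
-#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
-#			else
-#
-#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
-#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
-#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
-#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
-#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
-#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
-#			fi
-#		fi
-#	done < /usr/local/etc/alcasar-services
-#	# Rejet explicite des autres protocoles
-#	# reject the others protocols
-#	$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
-#	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
-#	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
-#	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT 
-#fi
+if [ $PROTOCOLS_FILTERING = on ]; then
+	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) 
+	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
+	if [ $nb_uamallowed != "0" ]
+	then
+		while read ip_allowed_line 
+		do
+			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
+			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
+			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
+			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
+		done < /usr/local/etc/alcasar-uamallowed
+	fi
+	# Autorisation du HTTP et des protocoles non commentés
+	# Allow HTTP and non comment protocols
+	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
+	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW
+	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT
+	while read svc_line
+	do
+		svc_on=`echo $svc_line|cut -b1`
+		if [ $svc_on != "#" ]
+		then	
+			svc_name=`echo $svc_line|cut -d" " -f1`
+			svc_port=`echo $svc_line|cut -d" " -f2`
+			if [ $svc_name = "icmp" ]
+			then
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
+			else
+ 
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
+			fi
+		fi
+	done < /usr/local/etc/alcasar-services
+	# Rejet explicite des autres protocoles
+	# reject the others protocols
+	$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
+	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
+	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
+	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT 
+fi
 
 #  If QOS is activate  #
 if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
 	. /usr/local/etc/alcasar-iptables-qos.sh 	
 fi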
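Review bot: The ULOG prefix of the new HTTP rule at new line 338 interpolates `$svc_name`, but that variable is only assigned inside the `while read svc_line` loop that starts at line 341, so the rule is logged with an empty or stale service name (`RULE F_TCP- -- ACCEPT `) and the log line no longer identifies the rule; write it literally: `--ulog-prefix "RULE F_TCP-http -- ACCEPT "`. The loops this commit enables read both config files with `read` without `-r` and test unquoted values (`[ $nb_uamallowed != "0" ]`, `[ $svc_on != "#" ]`), so a blank line in alcasar-services appears to make the test fail with a shell error and that entry is skipped without any message; `read -r` and `[ "$svc_on" != "#" ]` keep rule loading deterministic. Neither `$ip_allowed` nor `$svc_port` is validated before reaching `$IPTABLES`, so a malformed entry fails that one rule while the script carries on; since the rest of the chain still ends in the explicit REJECT rules at lines 365-368 this fails closed, but the iptables error should at least be surfaced rather than left on stderr.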