WebSVN – ALCASAR – Diff – /conf/etc/alcasar-iptables-local.sh


#!/bin/sh
#
# $Id: alcasar-iptables-local.sh 2716 2019-03-11 21:21:45Z tom.houdayer $
#
# Custom rules for ALCASAR firewall
#
# Examples:
# 	- Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)
#	- allow ICMP from an Internet IP address (Admin_from) to EXTIF
#	- allow SMTP from aLCASAR to an Internet server (SMTP_IP)
#	- PAT rules from Internet
#	- Deny access to protected networks from internal LAN
#	- Allow managers to access ACC from the external network
# This script inherit of alcasar-iptables.sh variables : $INTIF, $EXTIF, $IPTABLES, etc
 
# Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)
if [ -s /usr/local/etc/alcasar-iptables-local-mac-filtered ]; then
	while read mac_line
	do
		ip_on=`echo $mac_line|cut -b1`
		if [ $ip_on != "#" ]
		then
			mac_filtered=`echo $mac_line|cut -d" " -f1`
			echo "MAC filtered = $mac_filtered"
			$IPTABLES -A FORWARD -i $INTIF        -m mac --mac-source $mac_filtered -j NFLOG --nflog-group 1 --nflog-prefix "$mac_filtered -- Filt_DROP"
			$IPTABLES -A FORWARD -i $INTIF -p tcp -m mac --mac-source $mac_filtered -j DROP
			$IPTABLES -A FORWARD -i $INTIF -p udp -m mac --mac-source $mac_filtered -j DROP
			$IPTABLES -A FORWARD -i $INTIF        -m mac --mac-source $mac_filtered -j DROP
		fi
	done < /usr/local/etc/alcasar-iptables-local-mac-filtered
fi
 
# On autorise le ping (echo & request) (ICMP N°0 & 8) en provenance de l'extérieur vers ALCASAR
# Allow ping (echo & request) (ICMP N°0 & 8) on EXTIF
#$IPTABLES -A INPUT  -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXTIF -d $Admin_from_IP -p icmp --icmp-type 0 -j ACCEPT
 
# On autorise l'accès à un serveur MAIL (SMTP) pour l'envoie de rapports, alertes (logwatch, etc.)
# Allow access to a mail server (SMTP)
#SMTP_IP='192.168.111.5'		# IP of mail server
#SMTP_PORT=587			# port of mail server (25 for SMTP ; 587 for STARTTLS ; 465 for SMTPS)
#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport $SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT  -p tcp -s $SMTP_IP --sport $SMTP_PORT -m conntrack --ctstate ESTABLISHED     -j ACCEPT
 
# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipements du LAN depuis Internet
# Allow PAT (Port Adresse Translation)
# example for the external UDP-TCP port 11222 which is redirected to the internal IP 192.168.182.10 on port 22
#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22
#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p udp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22
#$IPTABLES -A FORWARD -p tcp -d 192.168.182.10 --dport 22 -j ACCEPT
#$IPTABLES -A FORWARD -p udp -d 192.168.182.10 --dport 22 -j ACCEPT
 
# Deny access to protected networks from internal LAN
#protectedNetworks='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' # (RFC 1918)
#[ -n "$TUNIF" ] && consultationIF=$TUNIF || consultationIF=$INTIF
#$IPTABLES -A FORWARD -i $consultationIF -d $protectedNetworks -j DROP
#$IPTABLES -A FORWARD -o $consultationIF -s $protectedNetworks -j DROP
 
# Allow managers to access ACC from the external network
#managerIPs='192.168.111.10'
#externalPort='34443'
#$IPTABLES -t mangle -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j MARK --set-mark 100
#$IPTABLES -t nat    -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j DNAT --to $PRIVATE_IP:443
#$IPTABLES           -A INPUT      -i $EXTIF -s $managerIPs -p tcp --dport 443 -m mark --mark 100 -j ACCEPT
 
 
 
Generated by GNU Enscript 1.6.6.
 
 
 

Subversion Repositories ALCASAR

(root)/conf/etc/alcasar-iptables-local.sh – Rev 2652 → 2716

Rev 2652		Rev 2716
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`#`	2	`#`
3	`# $Id: alcasar-iptables-local.sh 2652 2018-11-04 02:02:34Z tom.houdayer $`	3	`# $Id: alcasar-iptables-local.sh 2716 2019-03-11 21:21:45Z tom.houdayer $`
4	`#`	4	`#`
5	`# Custom rules for ALCASAR firewall`	5	`# Custom rules for ALCASAR firewall`
6	`#`	6	`#`
7	`# Examples:`	7	`# Examples:`
8	`# - Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)`	8	`# - Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)`
9	`# - allow ICMP from an Internet IP address (Admin_from) to EXTIF`	9	`# - allow ICMP from an Internet IP address (Admin_from) to EXTIF`
10	`# - allow SMTP from aLCASAR to an Internet server (SMTP_IP)`	10	`# - allow SMTP from aLCASAR to an Internet server (SMTP_IP)`
11	`# - PAT rules from Internet`	11	`# - PAT rules from Internet`
12	`# - Deny access to protected networks from internal LAN`	12	`# - Deny access to protected networks from internal LAN`
13	`# - Allow managers to access ACC from the external network`	13	`# - Allow managers to access ACC from the external network`
14	`# This script inherit of alcasar-iptables.sh variables : $INTIF, $EXTIF, $IPTABLES, etc`	14	`# This script inherit of alcasar-iptables.sh variables : $INTIF, $EXTIF, $IPTABLES, etc`
15		15
16	`# Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)`	16	`# Local MAC addresses filtering (MAC are in '/usr/local/etc/alcasar-iptables-local-mac-filtered'. Format : aa:09:23:2f:4d:ee)`
17	`if [ -s /usr/local/etc/alcasar-iptables-local-mac-filtered ]; then`	17	`if [ -s /usr/local/etc/alcasar-iptables-local-mac-filtered ]; then`
18	`while read mac_line`	18	`while read mac_line`
19	`do`	19	`do`
20	ip_on=`echo $mac_line\|cut -b1`	20	ip_on=`echo $mac_line\|cut -b1`
21	`if [ $ip_on != "#" ]`	21	`if [ $ip_on != "#" ]`
22	`then`	22	`then`
23	mac_filtered=`echo $mac_line\|cut -d" " -f1`	23	mac_filtered=`echo $mac_line\|cut -d" " -f1`
24	`echo "MAC filtered = $mac_filtered"`	24	`echo "MAC filtered = $mac_filtered"`
25	`$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j NFLOG --nflog-group 1 --nflog-prefix "$mac_filtered -- Filt_DROP"`	25	`$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j NFLOG --nflog-group 1 --nflog-prefix "$mac_filtered -- Filt_DROP"`
26	`$IPTABLES -A FORWARD -i $INTIF -p tcp -m mac --mac-source $mac_filtered -j DROP`	26	`$IPTABLES -A FORWARD -i $INTIF -p tcp -m mac --mac-source $mac_filtered -j DROP`
27	`$IPTABLES -A FORWARD -i $INTIF -p udp -m mac --mac-source $mac_filtered -j DROP`	27	`$IPTABLES -A FORWARD -i $INTIF -p udp -m mac --mac-source $mac_filtered -j DROP`
28	`$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j DROP`	28	`$IPTABLES -A FORWARD -i $INTIF -m mac --mac-source $mac_filtered -j DROP`
29	`fi`	29	`fi`
30	`done < /usr/local/etc/alcasar-iptables-local-mac-filtered`	30	`done < /usr/local/etc/alcasar-iptables-local-mac-filtered`
31	`fi`	31	`fi`
32		32
33	`# On autorise le ping (echo & request) (ICMP N°0 & 8) en provenance de l'extérieur vers ALCASAR`	33	`# On autorise le ping (echo & request) (ICMP N°0 & 8) en provenance de l'extérieur vers ALCASAR`
34	`# Allow ping (echo & request) (ICMP N°0 & 8) on EXTIF`	34	`# Allow ping (echo & request) (ICMP N°0 & 8) on EXTIF`
35	`#$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT`	35	`#$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT`
36	`#$IPTABLES -A OUTPUT -o $EXTIF -d $Admin_from_IP -p icmp --icmp-type 0 -j ACCEPT`	36	`#$IPTABLES -A OUTPUT -o $EXTIF -d $Admin_from_IP -p icmp --icmp-type 0 -j ACCEPT`
37		37
38	`# On autorise l'accès à un serveur MAIL (SMTP) pour l'envoie de rapports, alertes (logwatch, etc.)`	38	`# On autorise l'accès à un serveur MAIL (SMTP) pour l'envoie de rapports, alertes (logwatch, etc.)`
39	`# Allow access to a mail server (SMTP)`	39	`# Allow access to a mail server (SMTP)`
40	`#SMTP_IP='192.168.111.5' # IP of mail server`	40	`#SMTP_IP='192.168.111.5' # IP of mail server`
41	`#SMTP_PORT=587 # port of mail server (25 for SMTP ; 587 for STARTTLS ; 465 for SMTPS)`	41	`#SMTP_PORT=587 # port of mail server (25 for SMTP ; 587 for STARTTLS ; 465 for SMTPS)`
42	`#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport $SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT`	42	`#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport $SMTP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT`
43	`#$IPTABLES -A INPUT -p tcp -s $SMTP_IP --sport $SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT`	43	`#$IPTABLES -A INPUT -p tcp -s $SMTP_IP --sport $SMTP_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT`
44		44
45	`# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipements du LAN depuis Internet`	45	`# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipements du LAN depuis Internet`
46	`# Allow PAT (Port Adresse Translation)`	46	`# Allow PAT (Port Adresse Translation)`
47	`# example for the external UDP-TCP port 11222 which is redirected to the internal IP 192.168.182.10 on port 22`	47	`# example for the external UDP-TCP port 11222 which is redirected to the internal IP 192.168.182.10 on port 22`
48	`#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22`	48	`#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22`
49	`#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p udp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22`	49	`#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p udp -d $PUBLIC_IP --dport 11222 -j DNAT --to 192.168.182.10:22`
50	`#$IPTABLES -A FORWARD -p tcp -d 192.168.182.10 --dport 22 -j ACCEPT`	50	`#$IPTABLES -A FORWARD -p tcp -d 192.168.182.10 --dport 22 -j ACCEPT`
51	`#$IPTABLES -A FORWARD -p udp -d 192.168.182.10 --dport 22 -j ACCEPT`	51	`#$IPTABLES -A FORWARD -p udp -d 192.168.182.10 --dport 22 -j ACCEPT`
52		52
53	`# Deny access to protected networks from internal LAN`	53	`# Deny access to protected networks from internal LAN`
54	`#protectedNetworks='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' # (RFC 1918)`	54	`#protectedNetworks='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' # (RFC 1918)`
55	`#[ -n "$TUNIF" ] && consultationIF=$TUNIF \|\| consultationIF=$INTIF`	55	`#[ -n "$TUNIF" ] && consultationIF=$TUNIF \|\| consultationIF=$INTIF`
56	`#$IPTABLES -A FORWARD -i $consultationIF -d $protectedNetworks -j DROP`	56	`#$IPTABLES -A FORWARD -i $consultationIF -d $protectedNetworks -j DROP`
57	`#$IPTABLES -A FORWARD -o $consultationIF -s $protectedNetworks -j DROP`	57	`#$IPTABLES -A FORWARD -o $consultationIF -s $protectedNetworks -j DROP`
58		58
59	`# Allow managers to access ACC from the external network`	59	`# Allow managers to access ACC from the external network`
60	`#managerIPs='192.168.111.10'`	60	`#managerIPs='192.168.111.10'`
61	`#externalPort='34443'`	61	`#externalPort='34443'`
62	`#$IPTABLES -t mangle -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport 443 -j MARK --set-mark 1`	62	`#$IPTABLES -t mangle -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j MARK --set-mark 100`
63	`#$IPTABLES -t nat -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j DNAT --to $PRIVATE_IP:443`	63	`#$IPTABLES -t nat -A PREROUTING -i $EXTIF -s $managerIPs -p tcp -d $PUBLIC_IP --dport $externalPort -j DNAT --to $PRIVATE_IP:443`
64	`#$IPTABLES -A INPUT -i $EXTIF -s $managerIPs -p tcp --dport 443 -m mark --mark 1 -j DROP`	64	`#$IPTABLES -A INPUT -i $EXTIF -s $managerIPs -p tcp --dport 443 -m mark --mark 100 -j ACCEPT`
65	`#$IPTABLES -A INPUT -i $EXTIF -s $managerIPs -p tcp --dport 443 -j ACCEPT`	-
66		65
67		66
68	`Generated by GNU Enscript 1.6.6.`	67	`Generated by GNU Enscript 1.6.6.`
69		68
70		69
71		70