| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables.sh 1299 2014-01-13 22:26:55Z richard $
|
2 |
# $Id: alcasar-iptables.sh 1332 2014-04-23 12:40:53Z richard $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script write the netfilter rules for ALCASAR
|
4 |
# This script write the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| Line 27... |
Line 27... |
| 27 |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
|
27 |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
|
| 28 |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
28 |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
| 29 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
29 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
| 30 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
|
30 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
|
| 31 |
DNS_FILTERING=${DNS_FILTERING:=off}
|
31 |
DNS_FILTERING=${DNS_FILTERING:=off}
|
| 32 |
BL_IP_CAT="/usr/local/share/iptables-bl" # categories files of the BlackListed IP
|
32 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
| 33 |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
|
33 |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
|
| 34 |
QOS=${QOS:=off}
|
34 |
QOS=${QOS:=off}
|
| 35 |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
|
35 |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
|
| 36 |
SSH=${SSH:=off}
|
36 |
SSH=${SSH:=off}
|
| 37 |
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
|
37 |
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
|
| Line 71... |
Line 71... |
| 71 |
$IPTABLES -t nat -P PREROUTING ACCEPT
|
71 |
$IPTABLES -t nat -P PREROUTING ACCEPT
|
| 72 |
$IPTABLES -t nat -P POSTROUTING ACCEPT
|
72 |
$IPTABLES -t nat -P POSTROUTING ACCEPT
|
| 73 |
$IPTABLES -t nat -P OUTPUT ACCEPT
|
73 |
$IPTABLES -t nat -P OUTPUT ACCEPT
|
| 74 |
|
74 |
|
| 75 |
# destruction de tous les SET
|
75 |
# destruction de tous les SET
|
| 76 |
# destroy all the SET
|
76 |
# destroy all SET
|
| 77 |
ipset destroy
|
77 |
ipset destroy
|
| 78 |
|
78 |
|
| 79 |
# Création et peuplement du SET alcasar_ip_blocked
|
79 |
# Création et peuplement du SET alcasar_ip_blocked
|
| 80 |
# creation and first populating of alcasar_ip_blocked SET
|
80 |
# creation and first populating of alcasar_ip_blocked SET
|
| 81 |
ipset create alcasar_ip_blocked hash:net hashsize 1024
|
81 |
ipset create alcasar_ip_blocked hash:net hashsize 1024
|
| Line 105... |
Line 105... |
| 105 |
ipset add authenticated_ip $active_ip
|
105 |
ipset add authenticated_ip $active_ip
|
| 106 |
fi
|
106 |
fi
|
| 107 |
done
|
107 |
done
|
| 108 |
IFS=$OLDIFS
|
108 |
IFS=$OLDIFS
|
| 109 |
|
109 |
|
| 110 |
# Création et peuplement du SET blacklist_ip_blocked
|
110 |
# Calcul de la taille du SET blacklist_ip_blocked
|
| 111 |
# creation and first populating of blacklist_ip_blocked SET
|
111 |
# Computing the length of the blacklist_ip_blocked set
|
| - |
|
112 |
cd $BL_IP_CAT
|
| 112 |
# It take a lot of time (try to do this during the blacklist import process)
|
113 |
ipset_length=$(wc -l * | awk '{print $1}' | tail -n 1)
|
| - |
|
114 |
|
| 113 |
#ipset create blacklist_ip_blocked hash:net hashsize 1024
|
115 |
# Ajout du delta (ip entrées manuellement)
|
| - |
|
116 |
# Addition of the delta (ip entered manually)
|
| 114 |
#cd $BL_IP_CAT
|
117 |
((ipset_length=$ipset_length+10))
|
| - |
|
118 |
|
| - |
|
119 |
# Création du fichier ipset temporaire, remplissage, chargement et suppression
|
| - |
|
120 |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > ipset_save
|
| 115 |
#for category in `ls -1 | cut -d"@" -f1`
|
121 |
for category in `ls -1 | cut -d '@' -f1`
|
| 116 |
#do
|
122 |
do
|
| 117 |
# while read ip_blocked
|
123 |
cat $BL_IP_CAT/$category >> ipset_save
|
| 118 |
# do
|
124 |
done
|
| 119 |
# ipset add blacklist_ip_blocked $ip_blocked
|
125 |
ipset -! restore < ipset_save
|
| 120 |
# done < $BL_IP_CAT/$category
|
126 |
rm -f ipset_save
|
| 121 |
#done
|
127 |
|
| - |
|
128 |
# Sauvegarde de tous les ipset (pour restaurer après redémarrage)
|
| - |
|
129 |
ipset save > /etc/sysconfig/ipset_save
|
| 122 |
|
130 |
|
| 123 |
#############################
|
131 |
#############################
|
| 124 |
# PREROUTING #
|
132 |
# PREROUTING #
|
| 125 |
#############################
|
133 |
#############################
|
| 126 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
|
134 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
|
| Line 153... |
Line 161... |
| 153 |
# Redirect HTTP requests of admin banned ip to ALCASAR (access deny window)
|
161 |
# Redirect HTTP requests of admin banned ip to ALCASAR (access deny window)
|
| 154 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port http
|
162 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port http
|
| 155 |
|
163 |
|
| 156 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
|
164 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
|
| 157 |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
|
165 |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
|
| 158 |
#if [ $DNS_FILTERING = on ]; then
|
166 |
if [ $DNS_FILTERING = on ]; then
|
| 159 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
167 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
| 160 |
#fi
|
168 |
fi
|
| 161 |
|
169 |
|
| 162 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
|
170 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
|
| 163 |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
|
171 |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
|
| 164 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
|
172 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
|
| 165 |
|
173 |
|
| Line 268... |
Line 276... |
| 268 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
276 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
| 269 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
277 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
| 270 |
|
278 |
|
| 271 |
# Blocage des IPs du SET blacklist_ip_blocked
|
279 |
# Blocage des IPs du SET blacklist_ip_blocked
|
| 272 |
# Deny IPs of the SET blacklist_ip_blocked
|
280 |
# Deny IPs of the SET blacklist_ip_blocked
|
| 273 |
#if [ $DNS_FILTERING = on ]; then
|
281 |
if [ $DNS_FILTERING = on ]; then
|
| 274 |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
|
282 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
|
| 275 |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
283 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
| 276 |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
|
284 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
|
| 277 |
#fi
|
285 |
fi
|
| 278 |
|
286 |
|
| 279 |
# Autorisation des retours de connexions légitimes
|
287 |
# Autorisation des retours de connexions légitimes
|
| 280 |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
288 |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
| 281 |
|
289 |
|
| 282 |
# If protocols filter is activate
|
290 |
# If protocols filter is activate
|