
Rev 1370 Rev 1377
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
# $Id: alcasar-iptables.sh 1370 2014-06-03 21:16:25Z richard $
2
# $Id: alcasar-iptables.sh 1377 2014-06-10 22:16:50Z richard $
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4
# This script writes the netfilter rules for ALCASAR
4
# This script writes the netfilter rules for ALCASAR
5
# Rexy - 3abtux - CPN
5
# Rexy - 3abtux - CPN
6
#
6
#
7
# Reminders
7
# Reminders
Line 28... Line 28...
28
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2`	# Network protocols filter (on/off)
28
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2`	# Network protocols filter (on/off)
29
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
29
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
30
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2`		# DNS and URLs filter (on/off)
30
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2`		# DNS and URLs filter (on/off)
31
DNS_FILTERING=${DNS_FILTERING:=off}
31
DNS_FILTERING=${DNS_FILTERING:=off}
32
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
32
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
-
 
33
WL_IP_CAT="/usr/local/share/iptables-wl-enabled"			# categories files of the WhiteListed IP
33
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi"				# ossi categoty
34
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi"				# ossi categoty
34
FILE_IP_WL="/usr/local/share/ossi_wl"					# ip of the whitelist
35
WL_IP_OSSI="/usr/local/share/ossi-ip-wl"				# ip of the whitelist
-
 
36
WL_IP_OSSI_DOMAIN="/usr/local/share/iptables-wl/ossi"			# ip of the domain names whitelist
35
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set 
37
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set 
36
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
38
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
37
QOS=`grep QOS= $conf_file|cut -d"=" -f2`				# QOS (on/off)
39
QOS=`grep QOS= $conf_file|cut -d"=" -f2`				# QOS (on/off)
38
QOS=${QOS:=off}
40
QOS=${QOS:=off}
39
SSH=`grep SSH= $conf_file|cut -d"=" -f2`				# sshd active (on/off)
41
SSH=`grep SSH= $conf_file|cut -d"=" -f2`				# sshd active (on/off)
Line 42... Line 44...
42
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
44
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
43
LDAP=`grep LDAP= $conf_file|cut -d"=" -f2`				# LDAP external server active (on/off)
45
LDAP=`grep LDAP= $conf_file|cut -d"=" -f2`				# LDAP external server active (on/off)
44
LDAP=${LDAP:=off}
46
LDAP=${LDAP:=off}
45
LDAP_IP=`grep LDAP_IP= $conf_file|cut -d"=" -f2`			# WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
47
LDAP_IP=`grep LDAP_IP= $conf_file|cut -d"=" -f2`			# WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
46
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
48
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
47
EXTIF="eth0"
49
EXTIF="enp1s0"
48
INTIF="eth1"
50
INTIF="enp2s0"
49
TUNIF="tun0"								# listen device for chilli daemon
51
TUNIF="tun0"								# listen device for chilli daemon
50
IPTABLES="/sbin/iptables"
52
IPTABLES="/sbin/iptables"
51
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
53
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
52
SAVE_DIR="/etc/sysconfig"						# Saving path
54
SAVE_DIR="/etc/sysconfig"						# Saving path
53
 
55
 
Line 90... Line 92...
90
 
92
 
91
# destruction de tous les SET
93
# destruction de tous les SET
92
# destroy all SET
94
# destroy all SET
93
ipset destroy
95
ipset destroy
94
 
96
 
95
# Calcul de la taille du set
97
# Calcul de la taille du set de la blacklist
-
 
98
# Compute the blacklist set length
96
cd $BL_IP_CAT
99
cd $BL_IP_CAT
97
set_bl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
100
set_bl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
98
 
101
 
99
# Création du fichier set temporaire, remplissage, chargement et suppression
102
# Création du fichier set temporaire, remplissage, chargement et suppression
-
 
103
# Creating the temporary set file, filling, loading and deleting
100
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $set_bl_length" > $TMP_set_save
104
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $set_bl_length" > $TMP_set_save
101
for category in `ls -1 | cut -d '@' -f1`
105
for category in `ls -1 | cut -d '@' -f1`
102
do
106
do
103
	cat $BL_IP_CAT/$category >> $TMP_set_save
107
	cat $BL_IP_CAT/$category >> $TMP_set_save
104
done
108
done
105
cat $BL_IP_OSSI >> $TMP_set_save
109
cat $BL_IP_OSSI >> $TMP_set_save
106
ipset -! restore < $TMP_set_save
110
ipset -! restore < $TMP_set_save
107
rm -f $TMP_set_save
111
rm -f $TMP_set_save
108
 
112
 
109
# Extraction des ip réhabilitées
113
# Extraction des ip réhabilitées
-
 
114
# Extracting rehabilitated ip
110
for ip in $(cat $IP_REHABILITEES)
115
for ip in $(cat $IP_REHABILITEES)
111
do
116
do
112
	ipset del blacklist_ip_blocked $ip
117
	ipset del blacklist_ip_blocked $ip
113
done
118
done
114
 
119
 
115
# Calcul de la taille du set de la whitelist
120
# Calcul de la taille du set de la whitelist
-
 
121
# Compute the whitelist set length
-
 
122
cd $WL_IP_CAT
116
set_wl_length=$(wc -l $FILE_IP_WL | awk '{print $1}')
123
set_wl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $WL_IP_OSSI | awk '{print $1}')+$(wc -l $WL_IP_OSSI_DOMAIN | awk '{print $1}')))
117
 
124
 
118
# Création du fichier set temporaire, remplissage, chargement et suppression
125
# Création du fichier set temporaire, remplissage, chargement et suppression
-
 
126
# Creating the temporary set file, filling, loading and deleting
119
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save
127
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save
-
 
128
for category in `ls -1 | cut -d '@' -f1`
-
 
129
do
-
 
130
	cat $WL_IP_CAT/$category >> $TMP_set_save
-
 
131
done
120
cat $FILE_IP_WL >> $TMP_set_save
132
cat $WL_IP_OSSI >> $TMP_set_save
-
 
133
cat $WL_IP_OSSI_DOMAIN >> $TMP_set_save
121
ipset -! restore < $TMP_set_save
134
ipset -! restore < $TMP_set_save
122
rm -f $TMP_set_save
135
rm -f $TMP_set_save
123
 
136
 
124
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET 
137
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET 
-
 
138
# Restoring the connected users SETs if available, otherwise creating SETs
125
if [ -e $TMP_users_set_save ];
139
if [ -e $TMP_users_set_save ];
126
then
140
then
127
	ipset -! restore < $TMP_users_set_save
141
	ipset -! restore < $TMP_users_set_save
128
	rm -f $TMP_users_set_save
142
	rm -f $TMP_users_set_save
129
else
143
else
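Review bot: The new whitelist load (new lines 122-135) sizes `whitelist_ip_allowed` with `maxelem` equal to the exact `wc -l` sum, and `wc -l` counts newline characters, so any category file whose last line lacks a trailing newline is undercounted and the set can be full before its last entries are added. `ipset -! restore` only suppresses duplicate-entry errors as far as I know, and its exit status is never checked, so a full set would leave the whitelist silently incomplete and every client in `havp_wl_set` would be sent to the 'accès interdit' page for destinations that should be allowed (the `! --match-set whitelist_ip_allowed dst` redirect added later in this revision). The `cd $WL_IP_CAT` on new line 122 is likewise unchecked; if that directory is absent, the `ls` and `wc -l *` pipelines run in the blacklist directory left behind by the earlier `cd $BL_IP_CAT`. I would guard both and give the set some headroom: `cd $WL_IP_CAT || exit 1`, create it with `maxelem $((set_wl_length+64))` or similar, and `ipset -! restore < $TMP_set_save || echo "whitelist_ip_allowed: ipset restore failed" >&2`. The blacklist load just above follows the same unchecked pattern, which this hunk does not touch.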
Line 132... Line 146...
132
	ipset create havp_bl_set hash:net hashsize 1024
146
	ipset create havp_bl_set hash:net hashsize 1024
133
	ipset create havp_wl_set hash:net hashsize 1024
147
	ipset create havp_wl_set hash:net hashsize 1024
134
fi
148
fi
135
 
149
 
136
# Sauvegarde de tous les set sauf ceux d'interception (pour restaurer après redémarrage)
150
# Sauvegarde de tous les set sauf ceux d'interception (pour restaurer après redémarrage)
-
 
151
# Backup all sets except interception set
137
ipset save blacklist_ip_blocked > $SAVE_DIR/ipset_save
152
ipset save blacklist_ip_blocked > $SAVE_DIR/ipset_save
138
ipset save whitelist_ip_allowed >> $SAVE_DIR/ipset_save
153
ipset save whitelist_ip_allowed >> $SAVE_DIR/ipset_save
139
echo "create no_filtering_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
154
echo "create no_filtering_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
140
echo "create havp_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
155
echo "create havp_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
141
echo "create havp_bl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
156
echo "create havp_bl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
Line 160... Line 175...
160
 
175
 
161
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 pour pouvoir les rejeter en INPUT
176
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 pour pouvoir les rejeter en INPUT
162
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
177
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
163
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 4
178
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 4
164
 
179
 
-
 
180
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8091 pour pouvoir les rejeter en INPUT
-
 
181
# Mark (and log) the 8091 direct attempts to REJECT them in INPUT rules
-
 
182
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8091 -j MARK --set-mark 5
-
 
183
 
165
# Aiguillage des flux DNS
184
# Aiguillage des flux DNS
166
# Switching DNS streams
185
# Switching DNS streams
167
# havp_bl_set --> redirection vers le port 54
186
# havp_bl_set --> redirection vers le port 54
168
# havp_bl_set --> redirect to port 54
187
# havp_bl_set --> redirect to port 54
169
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
188
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
Line 172... Line 191...
172
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
191
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
173
 
192
 
174
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
193
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
175
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
194
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
176
 
195
 
-
 
196
# Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set
-
 
197
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
-
 
198
 
177
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
199
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
178
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
200
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
179
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
201
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
180
 
202
 
181
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_set
203
# Redirection des requêtes HTTP sortantes vers HAVP (8091) pour le set havp_set
182
# Redirect outbound HTTP requests to HAVP for the set havp_set
204
# Redirect outbound HTTP requests to HAVP (8091) for the set havp_set
183
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
205
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8091
184
 
206
 
185
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent) pour le set havp_bl_set
207
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent) pour le set havp_bl_set
186
# Redirect outbound HTTP requests to DansGuardian (transparent proxy) for the set havp_bl_set
208
# Redirect outbound HTTP requests to DansGuardian (transparent proxy) for the set havp_bl_set
187
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
209
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
188
 
210
 
189
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_wl_set
211
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_wl_set
190
# Redirect outbound HTTP requests to HAVP for the set havp_wl_set
212
# Redirect outbound HTTP requests to HAVP for the set havp_wl_set
191
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
213
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8091
192
 
214
 
193
# Redirection des requêtes NTP vers le serveur NTP local
215
# Redirection des requêtes NTP vers le serveur NTP local
194
# Redirect NTP request in local NTP server
216
# Redirect NTP request in local NTP server
195
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
217
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
196
 
218
 
Line 237... Line 259...
237
 
259
 
238
# On interdit les connexions directes au port 8090. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
260
# On interdit les connexions directes au port 8090. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
239
# Deny direct connections on 8090. The concerned paquets are marked in mangle table (PREROUTING)
261
# Deny direct connections on 8090. The concerned paquets are marked in mangle table (PREROUTING)
240
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 4 -j REJECT --reject-with tcp-reset
262
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 4 -j REJECT --reject-with tcp-reset
241
 
263
 
-
 
264
# On interdit les connexions directes au port 8091. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
-
 
265
# Deny direct connections on 8091. The concerned paquets are marked in mangle table (PREROUTING)
-
 
266
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8091 -m mark --mark 5 -j REJECT --reject-with tcp-reset
-
 
267
 
242
# Autorisation des connexions légitimes à HAVP 
268
# Autorisation des connexions légitimes à HAVP 
243
# Allow connections for HAVP
269
# Allow connections for HAVP
244
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m state --state NEW --syn -j ACCEPT
270
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m state --state NEW --syn -j ACCEPT
245
 
271
 
-
 
272
# Autorisation des connexions légitimes à HAVP 
-
 
273
# Allow connections for HAVP
-
 
274
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8091 -m state --state NEW --syn -j ACCEPT
-
 
275
 
246
# autorisation des connexion légitime à DNSMASQ (avec blacklist)
276
# autorisation des connexion légitime à DNSMASQ (avec blacklist)
247
# Allow connections for DNSMASQ (with blacklist)
277
# Allow connections for DNSMASQ (with blacklist)
248
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
278
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
249
 
279
 
250
# autorisation des connexion légitime à DNSMASQ (avec whitelist)
280
# autorisation des connexion légitime à DNSMASQ (avec whitelist)