| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables.sh 1386 2014-06-12 14:53:07Z richard $
|
2 |
# $Id: alcasar-iptables.sh 1390 2014-06-17 12:37:37Z richard $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| Line 28... |
Line 28... |
| 28 |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
28 |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
| 29 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
29 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
| 30 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
|
30 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
|
| 31 |
DNS_FILTERING=${DNS_FILTERING:=off}
|
31 |
DNS_FILTERING=${DNS_FILTERING:=off}
|
| 32 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
32 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
| 33 |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
|
- |
|
| 34 |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
|
33 |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
|
| 35 |
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist
|
34 |
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist
|
| 36 |
WL_IP_OSSI_DOMAIN="/usr/local/share/iptables-wl/ossi" # ip of the domain names whitelist
|
- |
|
| 37 |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
|
35 |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
|
| 38 |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
|
36 |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
|
| 39 |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
|
37 |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
|
| 40 |
QOS=${QOS:=off}
|
38 |
QOS=${QOS:=off}
|
| 41 |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
|
39 |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
|
| Line 115... |
Line 113... |
| 115 |
for ip in $(cat $IP_REHABILITEES)
|
113 |
for ip in $(cat $IP_REHABILITEES)
|
| 116 |
do
|
114 |
do
|
| 117 |
ipset del blacklist_ip_blocked $ip
|
115 |
ipset del blacklist_ip_blocked $ip
|
| 118 |
done
|
116 |
done
|
| 119 |
|
117 |
|
| 120 |
# Calcul de la taille du set de la whitelist
|
- |
|
| 121 |
# Compute the whitelist set length
|
- |
|
| 122 |
cd $WL_IP_CAT
|
- |
|
| 123 |
set_wl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $WL_IP_OSSI | awk '{print $1}')+$(wc -l $WL_IP_OSSI_DOMAIN | awk '{print $1}')))
|
- |
|
| 124 |
|
- |
|
| 125 |
# Création du fichier set temporaire, remplissage, chargement et suppression
|
118 |
# Création du fichier set temporaire, remplissage, chargement et suppression
|
| 126 |
# Creating the temporary set file, filling, loading and deleting
|
119 |
# Creating the temporary set file, filling, loading and deleting
|
| 127 |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save
|
120 |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024" > $TMP_set_save
|
| 128 |
for category in `ls -1 | cut -d '@' -f1`
|
- |
|
| 129 |
do
|
- |
|
| 130 |
cat $WL_IP_CAT/$category >> $TMP_set_save
|
- |
|
| 131 |
done
|
- |
|
| 132 |
cat $WL_IP_OSSI >> $TMP_set_save
|
121 |
cat $WL_IP_OSSI >> $TMP_set_save
|
| 133 |
cat $WL_IP_OSSI_DOMAIN >> $TMP_set_save
|
- |
|
| 134 |
ipset -! restore < $TMP_set_save
|
122 |
ipset -! restore < $TMP_set_save
|
| 135 |
rm -f $TMP_set_save
|
123 |
rm -f $TMP_set_save
|
| 136 |
|
124 |
|
| 137 |
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET
|
125 |
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET
|
| 138 |
# Restoring the connected users SETs if available, otherwise creating SETs
|
126 |
# Restoring the connected users SETs if available, otherwise creating SETs
|
| Line 182... |
Line 170... |
| 182 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
|
170 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
|
| 183 |
|
171 |
|
| 184 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
|
172 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
|
| 185 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
173 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
| 186 |
|
174 |
|
| 187 |
# Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set
|
- |
|
| 188 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
|
- |
|
| 189 |
|
- |
|
| 190 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
|
175 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
|
| 191 |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
|
176 |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
|
| 192 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
|
177 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
|
| 193 |
|
178 |
|
| 194 |
# Redirection des requêtes HTTP sortantes vers HAVP (8091) pour le set havp_set
|
179 |
# Redirection des requêtes HTTP sortantes vers HAVP (8091) pour le set havp_set
|