
Rev 1390 Rev 1392
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
# $Id: alcasar-iptables.sh 1390 2014-06-17 12:37:37Z richard $
2
# $Id: alcasar-iptables.sh 1392 2014-06-18 22:23:02Z richard $
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4
# This script writes the netfilter rules for ALCASAR
4
# This script writes the netfilter rules for ALCASAR
5
# Rexy - 3abtux - CPN
5
# Rexy - 3abtux - CPN
6
#
6
#
7
# Reminders
7
# Reminders
Line 10... Line 10...
10
#	2 protection of ALCASAR with the Ulog group 1 (default group) 
10
#	2 protection of ALCASAR with the Ulog group 1 (default group) 
11
#	3 SSH on ALCASAR with the Ulog group 2;
11
#	3 SSH on ALCASAR with the Ulog group 2;
12
#	4 extern access attempts on ALCASAR with the Ulog group 3.
12
#	4 extern access attempts on ALCASAR with the Ulog group 3.
13
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova 
13
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova 
14
conf_file="/usr/local/etc/alcasar.conf"
14
conf_file="/usr/local/etc/alcasar.conf"
15
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
15
private_ip_mask=`grep ^PRIVATE_IP= $conf_file|cut -d"=" -f2`
16
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
16
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
17
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
17
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
18
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2`		# LAN IP address (ie.: 192.168.182.0)
18
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2`		# LAN IP address (ie.: 192.168.182.0)
19
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2`		# LAN prefix (ie. 24)
19
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2`		# LAN prefix (ie. 24)
20
PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# Lan IP address + prefix (192.168.182.0/24)
20
PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# Lan IP address + prefix (192.168.182.0/24)
21
public_ip_mask=`grep PUBLIC_IP= $conf_file|cut -d"=" -f2`		# ALCASAR WAN IP address
21
public_ip_mask=`grep ^PUBLIC_IP= $conf_file|cut -d"=" -f2`		# ALCASAR WAN IP address
22
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
22
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
23
dns1=`grep DNS1= $conf_file|cut -d"=" -f2`				# first public DNS server
23
dns1=`grep ^DNS1= $conf_file|cut -d"=" -f2`				# first public DNS server
24
dns1=${dns1:=208.67.220.220}
24
dns1=${dns1:=208.67.220.220}
25
dns2=`grep DNS2= $conf_file|cut -d"=" -f2`				# second public DNS server
25
dns2=`grep ^DNS2= $conf_file|cut -d"=" -f2`				# second public DNS server
26
dns2=${dns2:=208.67.222.222}
26
dns2=${dns2:=208.67.222.222}
27
DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
27
DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
28
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2`	# Network protocols filter (on/off)
28
PROTOCOLS_FILTERING=`grep ^PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2`	# Network protocols filter (on/off)
29
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
29
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
30
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2`		# DNS and URLs filter (on/off)
-
 
31
DNS_FILTERING=${DNS_FILTERING:=off}
-
 
32
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
30
BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
33
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi"				# ossi categoty
31
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi"				# ossi categoty
34
WL_IP_OSSI="/usr/local/share/ossi-ip-wl"				# ip of the whitelist
32
WL_IP_OSSI="/usr/local/share/ossi-ip-wl"				# ip of the whitelist
35
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set 
33
TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set 
36
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
34
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
37
QOS=`grep QOS= $conf_file|cut -d"=" -f2`				# QOS (on/off)
35
QOS=`grep ^QOS= $conf_file|cut -d"=" -f2`				# QOS (on/off)
38
QOS=${QOS:=off}
36
QOS=${QOS:=off}
39
SSH=`grep SSH= $conf_file|cut -d"=" -f2`				# sshd active (on/off)
37
SSH=`grep ^SSH= $conf_file|cut -d"=" -f2`				# sshd active (on/off)
40
SSH=${SSH:=off}
38
SSH=${SSH:=off}
41
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
39
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
42
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
40
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
43
LDAP=`grep LDAP= $conf_file|cut -d"=" -f2`				# LDAP external server active (on/off)
41
LDAP=`grep ^LDAP= $conf_file|cut -d"=" -f2`				# LDAP external server active (on/off)
44
LDAP=${LDAP:=off}
42
LDAP=${LDAP:=off}
45
LDAP_IP=`grep LDAP_IP= $conf_file|cut -d"=" -f2`			# WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
43
LDAP_IP=`grep ^LDAP_IP= $conf_file|cut -d"=" -f2`			# WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
46
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
44
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
47
EXTIF="enp1s0"
45
EXTIF="enp1s0"
48
INTIF="enp2s0"
46
INTIF="enp2s0"
49
TUNIF="tun0"								# listen device for chilli daemon
47
TUNIF="tun0"								# listen device for chilli daemon
50
IPTABLES="/sbin/iptables"
48
IPTABLES="/sbin/iptables"
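Review bot: The anchored greps on the new side (`grep ^PRIVATE_IP=` through `grep ^LDAP_IP=`) still return every matching line, so a duplicated key in alcasar.conf yields a newline-joined value that is then expanded unquoted into `/bin/ipcalc` and, presumably, into the netfilter rules built further down the script. Pinning to the first match and quoting the path avoids that, e.g. `private_ip_mask=$(grep -m1 '^PRIVATE_IP=' -- "$conf_file" | cut -d'=' -f2-)`; `-f2-` additionally keeps a value that itself contains `=`, and `$(...)` replaces the backticks. The same shape applies to the other nine reworked assignments in this hunk (PUBLIC_IP, DNS1, DNS2, PROTOCOLS_FILTERING, QOS, SSH, SSH_ADMIN_FROM, LDAP, LDAP_IP). The consumers of these variables lie outside the shown lines, so whether any of them re-validate the parsed values cannot be confirmed here.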