| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables.sh 1585 2015-03-06 16:15:41Z richard $
|
2 |
# $Id: alcasar-iptables.sh 1587 2015-03-08 22:34:21Z richard $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| Line 10... |
Line 10... |
| 10 |
# 2 protection of ALCASAR with the Ulog group 1 (default group)
|
10 |
# 2 protection of ALCASAR with the Ulog group 1 (default group)
|
| 11 |
# 3 SSH on ALCASAR with the Ulog group 2;
|
11 |
# 3 SSH on ALCASAR with the Ulog group 2;
|
| 12 |
# 4 extern access attempts on ALCASAR with the Ulog group 3.
|
12 |
# 4 extern access attempts on ALCASAR with the Ulog group 3.
|
| 13 |
# The bootps/dhcp (67) port is always open on tun0/INTIF by coova
|
13 |
# The bootps/dhcp (67) port is always open on tun0/INTIF by coova
|
| 14 |
CONF_FILE="/usr/local/etc/alcasar.conf"
|
14 |
CONF_FILE="/usr/local/etc/alcasar.conf"
|
| - |
|
15 |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
|
| - |
|
16 |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
|
| - |
|
17 |
TUNIF="tun0" # listen device for chilli daemon
|
| 15 |
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
|
18 |
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
|
| 16 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
19 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
| 17 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
20 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
| 18 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
21 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
| 19 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
22 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
| 20 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
|
23 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
|
| 21 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
24 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
| 22 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
25 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
| 23 |
then
|
26 |
then
|
| 24 |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
|
27 |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
|
| 25 |
$public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`
|
28 |
public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`
|
| 26 |
dns1=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|head -n 1`
|
29 |
dns1=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|head -n 1`
|
| 27 |
nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
|
30 |
nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
|
| 28 |
if [ $nb_dns == 2 ]
|
31 |
if [ $nb_dns == 2 ]
|
| 29 |
then
|
32 |
then
|
| 30 |
dns2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`
|
33 |
dns2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`
|
| Line 53... |
Line 56... |
| 53 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
56 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
| 54 |
LDAP=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2` # LDAP external server active (on/off)
|
57 |
LDAP=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2` # LDAP external server active (on/off)
|
| 55 |
LDAP=${LDAP:=off}
|
58 |
LDAP=${LDAP:=off}
|
| 56 |
LDAP_IP=`grep ^LDAP_IP= $CONF_FILE|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
|
59 |
LDAP_IP=`grep ^LDAP_IP= $CONF_FILE|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
|
| 57 |
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
|
60 |
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
|
| 58 |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
|
- |
|
| 59 |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
|
- |
|
| 60 |
TUNIF="tun0" # listen device for chilli daemon
|
- |
|
| 61 |
IPTABLES="/sbin/iptables"
|
61 |
IPTABLES="/sbin/iptables"
|
| 62 |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
|
62 |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
|
| 63 |
SAVE_DIR="/etc/sysconfig" # Saving path
|
63 |
SAVE_DIR="/etc/sysconfig" # Saving path
|
| 64 |
|
64 |
|
| 65 |
# Sauvegarde des SET des utilisateurs connectés si ils existent
|
65 |
# Sauvegarde des SET des utilisateurs connectés si ils existent
|
| Line 225... |
Line 225... |
| 225 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
225 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
| 226 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
226 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
| 227 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
227 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
| 228 |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
|
228 |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
|
| 229 |
|
229 |
|
| - |
|
230 |
# Si configéré, on autorise les réponses DHCP
|
| - |
|
231 |
# Allow DHCP answers if configured
|
| - |
|
232 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
| - |
|
233 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
| - |
|
234 |
then
|
| - |
|
235 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 68 -j ACCEPT
|
| - |
|
236 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 68 -j ACCEPT
|
| - |
|
237 |
fi
|
| 230 |
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
|
238 |
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
|
| 231 |
# Drop broadcast & multicast on EXTIF to avoid log
|
239 |
# Drop broadcast & multicast on EXTIF to avoid log
|
| 232 |
$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
|
240 |
$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
|
| 233 |
|
241 |
|
| 234 |
# On autorise les retours de connexions légitimes par INPUT
|
242 |
# On autorise les retours de connexions légitimes par INPUT
|
| Line 398... |
Line 406... |
| 398 |
#############################
|
406 |
#############################
|
| 399 |
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
|
407 |
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
|
| 400 |
# Everything is allowed but traffic through outside network interface
|
408 |
# Everything is allowed but traffic through outside network interface
|
| 401 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
409 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
| 402 |
|
410 |
|
| - |
|
411 |
# Si configéré, on autorise les requêtes DHCP
|
| - |
|
412 |
# Allow DHCP requests if configured
|
| - |
|
413 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
| - |
|
414 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
| - |
|
415 |
then
|
| - |
|
416 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
|
| - |
|
417 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT
|
| - |
|
418 |
fi
|
| - |
|
419 |
|
| 403 |
# On autorise les requêtes DNS vers les serveurs DNS identifiés
|
420 |
# On autorise les requêtes DNS vers les serveurs DNS identifiés
|
| 404 |
# Allow DNS requests to identified DNS servers
|
421 |
# Allow DNS requests to identified DNS servers
|
| 405 |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
|
422 |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
|
| 406 |
|
423 |
|
| 407 |
# On autorise les requêtes HTTP sortantes
|
424 |
# On autorise les requêtes HTTP sortantes
|