| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables.sh 1769 2016-01-17 20:39:23Z richard $
|
2 |
# $Id: alcasar-iptables.sh 1818 2016-04-07 13:38:05Z raphael.pion $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| Line 60... |
Line 60... |
| 60 |
then
|
60 |
then
|
| 61 |
ipset save no_filtering_set > $TMP_users_set_save
|
61 |
ipset save no_filtering_set > $TMP_users_set_save
|
| 62 |
ipset save havp_set >> $TMP_users_set_save
|
62 |
ipset save havp_set >> $TMP_users_set_save
|
| 63 |
ipset save havp_bl_set >> $TMP_users_set_save
|
63 |
ipset save havp_bl_set >> $TMP_users_set_save
|
| 64 |
ipset save havp_wl_set >> $TMP_users_set_save
|
64 |
ipset save havp_wl_set >> $TMP_users_set_save
|
| - |
|
65 |
ipset save user_not_connected_yet >> $TMP_users_set_save
|
| - |
|
66 |
ipset save ipset_users >> $TMP_users_set_save
|
| 65 |
fi
|
67 |
fi
|
| 66 |
|
68 |
|
| 67 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
69 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
| 68 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
70 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
| 69 |
|
71 |
|
| Line 135... |
Line 137... |
| 135 |
else
|
137 |
else
|
| 136 |
ipset create no_filtering_set hash:net hashsize 1024
|
138 |
ipset create no_filtering_set hash:net hashsize 1024
|
| 137 |
ipset create havp_set hash:net hashsize 1024
|
139 |
ipset create havp_set hash:net hashsize 1024
|
| 138 |
ipset create havp_bl_set hash:net hashsize 1024
|
140 |
ipset create havp_bl_set hash:net hashsize 1024
|
| 139 |
ipset create havp_wl_set hash:net hashsize 1024
|
141 |
ipset create havp_wl_set hash:net hashsize 1024
|
| - |
|
142 |
#utilisé pour l'interception des utilisateurs non authentifiés au réseau
|
| - |
|
143 |
#used for intercepting users not connected to the network
|
| - |
|
144 |
ipset create user_not_connected_yet hash:net hashsize 1024
|
| - |
|
145 |
ipset create ipset_users_list list:set
|
| - |
|
146 |
ipset add ipset_users_list havp_set
|
| - |
|
147 |
ipset add ipset_users_list havp_wl_set
|
| - |
|
148 |
ipset add ipset_users_list havp_bl_set
|
| - |
|
149 |
ipset add ipset_users_list no_filtering_set
|
| - |
|
150 |
ipset add ipset_users_list user_not_connected_yet
|
| 140 |
fi
|
151 |
fi
|
| 141 |
|
152 |
|
| 142 |
#############################
|
153 |
#############################
|
| 143 |
# PREROUTING #
|
154 |
# PREROUTING #
|
| 144 |
#############################
|
155 |
#############################
|
| Line 199... |
Line 210... |
| 199 |
|
210 |
|
| 200 |
# Redirection des requêtes NTP vers le serveur NTP local
|
211 |
# Redirection des requêtes NTP vers le serveur NTP local
|
| 201 |
# Redirect NTP request in local NTP server
|
212 |
# Redirect NTP request in local NTP server
|
| 202 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
213 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
| 203 |
|
214 |
|
| - |
|
215 |
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
|
| - |
|
216 |
# Redirect users not connected DNS requests in DNS-Blackhole
|
| - |
|
217 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
|
| - |
|
218 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
|
| - |
|
219 |
|
| 204 |
#############################
|
220 |
#############################
|
| 205 |
# INPUT #
|
221 |
# INPUT #
|
| 206 |
#############################
|
222 |
#############################
|
| 207 |
|
223 |
|
| 208 |
# Tout passe sur loopback
|
224 |
# Tout passe sur loopback
|