Subversion Repositories ALCASAR

Rev

Rev 1863 | Rev 1872 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 1863 Rev 1867
Line 1... Line 1...
1 
#!/bin/bash
 1 
#!/bin/bash
2 
# $Id: alcasar-iptables.sh 1863 2016-05-03 12:18:07Z raphael.pion $
 2 
# $Id: alcasar-iptables.sh 1867 2016-05-04 12:22:08Z raphael.pion $
3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4 
# This script writes the netfilter rules for ALCASAR
 4 
# This script writes the netfilter rules for ALCASAR
5 
# Rexy - 3abtux - CPN
 5 
# Rexy - 3abtux - CPN
6 
#
 6 
#
7 
# Reminders
 7 
# Reminders
Line 52... Line 52...
52 
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
 52 
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
53 
SAVE_DIR="/etc/sysconfig"						# Saving path
 53 
SAVE_DIR="/etc/sysconfig"						# Saving path
54 
 
 54 
 
55 
# Sauvegarde des SET des utilisateurs connectés si ils existent
 55 
# Sauvegarde des SET des utilisateurs connectés si ils existent
56 
# Saving SET of connected users if it exists
 56 
# Saving SET of connected users if it exists
57 
ipset list no_filtering_set 1>/dev/null 2>&1
 57 
ipset list not_filtered 1>/dev/null 2>&1
58 
if [ $? -eq 0 ];
 58 
if [ $? -eq 0 ];
59 
then
 59 
then
60 
	ipset save no_filtering_set > $TMP_users_set_save
 60 
	ipset save not_filtered > $TMP_users_set_save
61 
	ipset save havp_set >> $TMP_users_set_save
 61 
	ipset save havp_set >> $TMP_users_set_save
62 
	ipset save havp_bl_set >> $TMP_users_set_save
 62 
	ipset save havp_bl_set >> $TMP_users_set_save
63 
	ipset save havp_wl_set >> $TMP_users_set_save
 63 
	ipset save havp_wl_set >> $TMP_users_set_save
64 
	ipset save user_not_connected_yet >> $TMP_users_set_save
 64 
	ipset save not_auth_yet >> $TMP_users_set_save
65 
	ipset save ipset_users_list >> $TMP_users_set_save
 65 
	ipset save users_list >> $TMP_users_set_save
66 
fi
 66 
fi
67 
 
 67 
 
68 
# loading of NetFlow probe (ipt_NETFLOW kernel module)
 68 
# loading of NetFlow probe (ipt_NETFLOW kernel module)
69 
modprobe ipt_NETFLOW destination=127.0.0.1:2055
 69 
modprobe ipt_NETFLOW destination=127.0.0.1:2055
70 
 
 70 
 
Line 98... Line 98...
98 
 
 98 
 
99 
# destruction de tous les SET
 99 
# destruction de tous les SET
100 
# destroy all SET
 100 
# destroy all SET
101 
ipset destroy
 101 
ipset destroy
102 
 
 102 
 
103 
ipset flush blacklist_ip_blocked
 103 
ipset flush bl_ip_blocked
104 
ipset destroy blacklist_ip_blocked
 104 
ipset destroy bl_ip_blocked
105 
ipset flush whitelist_ip_allowed
 105 
ipset flush wl_ip_allowed
106 
ipset destroy whitelist_ip_allowed
 106 
ipset destroy wl_ip_allowed
107 
###### BL set  ###########
 107 
###### BL set  ###########
108 
# Calcul de la taille / Compute the length
 108 
# Calcul de la taille / Compute the length
109 
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
 109 
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
110 
# Chargement / loading
 110 
# Chargement / loading
111 
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
 111 
echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
112 
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
 112 
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
113 
do
 113 
do
114 
	cat $BL_IP_CAT/$category >> $TMP_set_save
 114 
	cat $BL_IP_CAT/$category >> $TMP_set_save
115 
done
 115 
done
116 
cat $BL_IP_OSSI >> $TMP_set_save
 116 
cat $BL_IP_OSSI >> $TMP_set_save
117 
ipset -! restore < $TMP_set_save
 117 
ipset -! restore < $TMP_set_save
118 
rm -f $TMP_set_save
 118 
rm -f $TMP_set_save
119 
# Suppression des ip réhabilitées / Removing of rehabilitated ip
 119 
# Suppression des ip réhabilitées / Removing of rehabilitated ip
120 
for ip in $(cat $IP_REHABILITEES)
 120 
for ip in $(cat $IP_REHABILITEES)
121 
do
 121 
do
122 
	ipset del blacklist_ip_blocked $ip
 122 
	ipset del bl_ip_blocked $ip
123 
done
 123 
done
124 
 
 124 
 
125 
###### WL set  ###########
 125 
###### WL set  ###########
126 
# Calcul de la taille / Compute the length
 126 
# Calcul de la taille / Compute the length
127 
wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* | awk '{print $1}' | tail -n 1)*3))
 127 
wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* | awk '{print $1}' | tail -n 1)*3))
128 
# Chargement Loading
 128 
# Chargement Loading
129 
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
 129 
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
130 
#get ip-wl files from ACC
 130 
#get ip-wl files from ACC
131 
for ossi in `ls -1 $DIR_WL_IP_ENABLED`
 131 
for ossi in `ls -1 $DIR_WL_IP_ENABLED`
132 
do
 132 
do
133 
	cat $DIR_WL_IP_ENABLED/$ossi >> $TMP_set_save
 133 
	cat $DIR_WL_IP_ENABLED/$ossi >> $TMP_set_save
134 
done
 134 
done
Line 140... Line 140...
140 
if [ -e $TMP_users_set_save ];
 140 
if [ -e $TMP_users_set_save ];
141 
then
 141 
then
142 
	ipset -! restore < $TMP_users_set_save
 142 
	ipset -! restore < $TMP_users_set_save
143 
	rm -f $TMP_users_set_save
 143 
	rm -f $TMP_users_set_save
144 
else
 144 
else
145 
	ipset create no_filtering_set hash:net hashsize 1024
 145 
	ipset create not_filtered hash:net hashsize 1024
146 
	ipset create havp_set hash:net hashsize 1024
 146 
	ipset create havp_set hash:net hashsize 1024
147 
	ipset create havp_bl_set hash:net hashsize 1024
 147 
	ipset create havp_bl_set hash:net hashsize 1024
148 
	ipset create havp_wl_set hash:net hashsize 1024
 148 
	ipset create havp_wl_set hash:net hashsize 1024
149 
	#utilisé pour l'interception des utilisateurs non authentifiés au réseau
 149 
	#utilisé pour l'interception des utilisateurs non authentifiés au réseau
150 
	#used for intercepting users not connected to the network
 150 
	#used for intercepting users not connected to the network
151 
	ipset create user_not_connected_yet hash:net hashsize 1024
 151 
	ipset create not_auth_yet hash:net hashsize 1024
152 
	ipset create ipset_users_list list:set
 152 
	ipset create users_list list:set
153 
	ipset add ipset_users_list havp_set
 153 
	ipset add users_list havp_set
154 
	ipset add ipset_users_list havp_wl_set
 154 
	ipset add users_list havp_wl_set
155 
	ipset add ipset_users_list havp_bl_set
 155 
	ipset add users_list havp_bl_set
156 
	ipset add ipset_users_list no_filtering_set
 156 
	ipset add users_list not_filtered
157 
	ipset add ipset_users_list user_not_connected_yet
 157 
	ipset add users_list not_auth_yet
158 
fi
 158 
fi
159 
 
 159 
 
160 
#############################
 160 
#############################
161 
#       PREROUTING          #
 161 
#       PREROUTING          #
162 
#############################
 162 
#############################
163 
 
 163 
 
164 
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
 164 
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
165 
# Redirect users not connected DNS requests in DNS-Blackhole
 165 
# Redirect users not connected DNS requests in DNS-Blackhole
166 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
 166 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
167 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
 167 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
168 
 
 168 
 
169 
 
 169 
 
170 
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
 170 
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
171 
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
 171 
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
172 
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
 172 
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
Line 205... Line 205...
205 
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
 205 
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
206 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "
 206 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "
207 
 
 207 
 
208 
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
 208 
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
209 
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
 209 
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
210 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 210 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
211 
 
 211 
 
212 
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
 212 
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
213 
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
 213 
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
214 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 214 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
215 
 
 215 
 
216 
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian
 216 
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian
217 
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
 217 
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
218 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
 218 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
219 
 
 219 
 
Line 341... Line 341...
341 
 
 341 
 
342 
#############################
 342 
#############################
343 
#        FORWARD            #
 343 
#        FORWARD            #
344 
#############################
 344 
#############################
345 
 
 345 
 
346 
# Blocage des IPs du SET blacklist_ip_blocked pour le SET havp_bl_set
 346 
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl_set
347 
# Deny IPs of the SET blacklist_ip_blocked for the set havp_bl_set
 347 
# Deny IPs of the SET bl_ip_blocked for the set havp_bl_set
348 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
 348 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
349 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
 349 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
350 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 350 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
351 
 
 351 
 
352 
# Rejet des requêtes DNS vers Internet
 352 
# Rejet des requêtes DNS vers Internet
353 
# Deny forward DNS
 353 
# Deny forward DNS
354 
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
 354 
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
355 
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 355 
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset