1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 1896 2016-05-18 15:38:04Z raphael.pion $
|
2 |
# $Id: alcasar-iptables.sh 1932 2016-06-09 21:36:47Z richard $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
34 |
dns2=${dns2:=208.67.222.222}
|
34 |
dns2=${dns2:=208.67.222.222}
|
35 |
DNSSERVERS="$dns1,$dns2" # first and second public DNS servers
|
35 |
DNSSERVERS="$dns1,$dns2" # first and second public DNS servers
|
36 |
PROTOCOLS_FILTERING=`grep ^PROTOCOLS_FILTERING= $CONF_FILE|cut -d"=" -f2` # Network protocols filter (on/off)
|
36 |
PROTOCOLS_FILTERING=`grep ^PROTOCOLS_FILTERING= $CONF_FILE|cut -d"=" -f2` # Network protocols filter (on/off)
|
37 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
37 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
38 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
38 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
39 |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
|
- |
|
40 |
DIR_WL_IP_ENABLED="/usr/local/share/iptables-wl-enabled/" # ip files repository of the WL (feature : imported wl file from ACC)
|
39 |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
|
41 |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
|
40 |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
|
42 |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
|
41 |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
|
43 |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
|
42 |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
|
44 |
SSH=${SSH:=off}
|
43 |
SSH=${SSH:=off}
|
45 |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
|
44 |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
|
Line 101... |
Line 100... |
101 |
ipset flush
|
100 |
ipset flush
|
102 |
ipset destroy
|
101 |
ipset destroy
|
103 |
|
102 |
|
104 |
###### BL set ###########
|
103 |
###### BL set ###########
|
105 |
# Calcul de la taille / Compute the length
|
104 |
# Calcul de la taille / Compute the length
|
106 |
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
|
105 |
bl_set_length=$(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)
|
107 |
# Chargement / loading
|
106 |
# Chargement / loading
|
108 |
echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
|
107 |
echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
|
109 |
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
|
108 |
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
|
110 |
do
|
109 |
do
|
111 |
cat $BL_IP_CAT/$category >> $TMP_set_save
|
110 |
cat $BL_IP_CAT/$category >> $TMP_set_save
|
112 |
done
|
111 |
done
|
113 |
cat $BL_IP_OSSI >> $TMP_set_save
|
- |
|
114 |
ipset -! restore < $TMP_set_save
|
112 |
ipset -! restore < $TMP_set_save
|
115 |
rm -f $TMP_set_save
|
113 |
rm -f $TMP_set_save
|
116 |
# Suppression des ip réhabilitées / Removing of rehabilitated ip
|
114 |
# Suppression des ip réhabilitées / Removing of rehabilitated ip
|
117 |
for ip in $(cat $IP_REHABILITEES)
|
115 |
for ip in $(cat $IP_REHABILITEES)
|
118 |
do
|
116 |
do
|
119 |
ipset del bl_ip_blocked $ip
|
117 |
ipset del bl_ip_blocked $ip
|
120 |
done
|
118 |
done
|
121 |
|
119 |
|
122 |
###### WL set ###########
|
120 |
###### WL set ###########
|
123 |
# Calcul de la taille / Compute the length
|
- |
|
124 |
#wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* | awk '{print $1}' | tail -n 1)*3))
|
121 |
# taille fixe, car peupler par dnsmasq / fixe length due to dnsmasq dynamic loading
|
125 |
wl_set_length=65536
|
122 |
wl_set_length=65536
|
126 |
# Chargement Loading
|
123 |
# Chargement Loading
|
127 |
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
|
124 |
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
|
128 |
#get ip-wl files from ACC
|
125 |
#get ip-wl files from ACC
|
129 |
for ossi in `ls -1 $DIR_WL_IP_ENABLED`
|
126 |
for category in `ls -1 $WL_IP_CAT |cut -d '@' -f1`
|
130 |
do
|
127 |
do
|
131 |
cat $DIR_WL_IP_ENABLED/$ossi >> $TMP_set_save
|
128 |
cat $WL_IP_CAT/$category >> $TMP_set_save
|
132 |
done
|
129 |
done
|
133 |
ipset -! restore < $TMP_set_save
|
130 |
ipset -! restore < $TMP_set_save
|
134 |
rm -f $TMP_set_save
|
131 |
rm -f $TMP_set_save
|
135 |
|
132 |
|
136 |
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET
|
133 |
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET
|