
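--- a/alcasar-iptables.sh
+++ b/alcasar-iptables.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# $Id: alcasar-iptables.sh 1962 2016-06-24 17:21:40Z richard $
+# $Id: alcasar-iptables.sh 2006 2016-07-22 13:07:10Z raphael.pion $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 #
 # Reminders
@@ -31,12 +31,10 @@
 dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
 dns2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2`
 dns1=${dns1:=208.67.220.220}
 dns2=${dns2:=208.67.222.222}
 DNSSERVERS="$dns1,$dns2"						# first and second public DNS servers
-PROTOCOLS_FILTERING=`grep ^PROTOCOLS_FILTERING= $CONF_FILE|cut -d"=" -f2`	# Network protocols filter (on/off)
-PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
 BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
 WL_IP_CAT="/usr/local/share/iptables-wl-enabled"			# categories files of the WhiteListed IP
 TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set 
 TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
 SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
@@ -60,10 +58,14 @@
 	ipset save havp >> $TMP_users_set_save
 	ipset save havp_bl >> $TMP_users_set_save
 	ipset save havp_wl >> $TMP_users_set_save
 	ipset save not_auth_yet >> $TMP_users_set_save
 	ipset save users_list >> $TMP_users_set_save
+	ipset save proto_0 >> $TMP_users_set_save
+	ipset save proto_1 >> $TMP_users_set_save
+	ipset save proto_2 >> $TMP_users_set_save
+	ipset save proto_3 >> $TMP_users_set_save
 fi
 
 # loading of NetFlow probe (ipt_NETFLOW kernel module)
 modprobe ipt_NETFLOW destination=127.0.0.1:2055
 
@@ -148,10 +150,15 @@
 	ipset add users_list havp
 	ipset add users_list havp_wl
 	ipset add users_list havp_bl
 	ipset add users_list not_filtered
 	ipset add users_list not_auth_yet
+	#pour les filtrages de protocole par utilisateur
+	ipset create proto_0 hash:net hashsize 1024
+	ipset create proto_1 hash:net hashsize 1024
+	ipset create proto_2 hash:net hashsize 1024
+	ipset create proto_3 hash:net hashsize 1024
 fi
 
 #############################
 #       PREROUTING          #
 #############################
@@ -360,59 +367,84 @@
 $IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 
 # Autorisation des retours de connexions légitimes
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
-#  If protocols filter is activate
-if [ $PROTOCOLS_FILTERING = on ]; then
-	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) 
+# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) 
-	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
+nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
-	if [ $nb_uamallowed != "0" ]
+if [ $nb_uamallowed != "0" ]
-	then
+then
-		while read ip_allowed_line 
+	while read ip_allowed_line 
-		do
-			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
-			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NFLOG --nflog-prefix "RULE IP-allowed -- ACCEPT "
-			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
-			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
-		done < /usr/local/etc/alcasar-uamallowed
-	fi
-	# Autorisation du HTTP et des protocoles non commentés
-	# Allow HTTP and non comment protocols
-	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
-	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW
-	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT
-	while read svc_line
 	do
-		svc_on=`echo $svc_line|cut -b1`
-		if [ $svc_on != "#" ]
-		then	
-			svc_name=`echo $svc_line|cut -d" " -f1`
-			svc_port=`echo $svc_line|cut -d" " -f2`
+		ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
-			if [ $svc_name = "icmp" ]
-			then
-				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
-				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
-			else
-
-				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
-				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
-				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
-				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
+		$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NFLOG --nflog-prefix "RULE IP-allowed -- ACCEPT "
-				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
+		$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
-				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
+		$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
-			fi
-		fi
-	done < /usr/local/etc/alcasar-services
+	done < /usr/local/etc/alcasar-uamallowed
-	# Rejet explicite des autres protocoles
-	# reject the others protocols
-	$IPTABLES -A FORWARD -i $TUNIF -j NFLOG --nflog-prefix "RULE F_filter -- REJECT "
-	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
-	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
-	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT 
 fi
 
+
+
+#filtrage protocole par utilisateur (on autorise le HTTP pour tous)
+#profile 1 : HTTP/S only
+for proto in $(echo http https)
+do
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P1$proto -- ACCEPT "
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NETFLOW
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j ACCEPT
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P1$proto -- ACCEPT "
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NETFLOW
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j ACCEPT
+done
+
+#profile 2 : HTTP/S, POP3S, IMAP/S, FTP, SSH/SFTP
+for proto in $(echo http https pop3 pop3s imap imaps ftp sftp ssh)
+do
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P2$proto -- ACCEPT "
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NETFLOW
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j ACCEPT
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P2$proto -- ACCEPT "
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NETFLOW
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j ACCEPT
+done
+
+#profile 3 personalisables via l'ACC
+$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P3http -- ACCEPT "
+$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW
+$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT
+while read svc_line
+do
+	svc_on=`echo $svc_line|cut -b1`
+	if [ $svc_on != "#" ]
+	then	
+		svc_name=`echo $svc_line|cut -d" " -f1`
+		svc_port=`echo $svc_line|cut -d" " -f2`
+		if [ $svc_name = "icmp" ]
+		then
+			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
+			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
+		else
+
+			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P3$svc_name -- ACCEPT "
+			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
+			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
+			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P3$svc_name -- ACCEPT "
+			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
+			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
+		fi
+	fi
+done < /usr/local/etc/alcasar-services
+
+# Rejet explicite des autres protocoles pour P1, P2, P3 et les autres
+# reject the others protocols for P1,P2, P3 and other
+$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -j NFLOG --nflog-prefix "RULE F_filterP1 -- REJECT "
+$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p tcp -j REJECT --reject-with tcp-reset
+$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p udp -j REJECT --reject-with icmp-port-unreachable
+$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p icmp -j REJECT 
+
+
+
 # Autorisation des connections sortant du LAN  
 # Allow forward connections with log
 #$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT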
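Review bot: The profile-3 loop that now runs unconditionally at top level (new lines 414-435, `while read svc_line` over /usr/local/etc/alcasar-services) tests `svc_on` and `svc_name` unquoted, so an empty or whitespace-only line in that file turns `[ $svc_on != "#" ]` into a "unary operator expected" error and, with the old `PROTOCOLS_FILTERING` switch gone, there is no longer a way to keep a bad services file out of the rule set; `while read -r svc_line`, `if [ "$svc_on" != "#" ]` and `if [ "$svc_name" = "icmp" ]` close that. The profile-2 list at new line 400 feeds service names to `--dport` for both `-p tcp` and `-p udp`, and those are resolved through /etc/services, where `sftp` is conventionally 115 (the Simple File Transfer Protocol) rather than SSH's SFTP, which `ssh` already covers, and any name without a udp entry makes iptables reject the udp rule; worth confirming on the target system and, if so, dropping `sftp` from the list. Because the reject rules at new lines 439-442 match every source not in `proto_0` before the catch-all accept at 449-450, whatever populates `proto_0` (not visible in this hunk) now decides whether an authenticated user keeps non-HTTP/S traffic at all, which is the safer fail-closed direction but is a behaviour change relative to the old `PROTOCOLS_FILTERING=off` default and deserves a sentence in the commit description. Minor style: `for proto in $(echo http https)` is just `for proto in http https`.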