
Rev 2465 Rev 2468
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
# $Id: alcasar-iptables.sh 2465 2017-12-17 23:00:14Z richard $
2
# $Id: alcasar-iptables.sh 2468 2017-12-27 17:22:39Z richard $
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4
# This script writes the netfilter rules for ALCASAR
4
# This script writes the netfilter rules for ALCASAR
5
# Rexy - 3abtux - CPN
5
# Rexy - 3abtux - CPN
6
#
6
#
7
# Reminders
7
# Reminders
Line 39... Line 39...
39
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
39
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
40
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
40
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
41
SSH=${SSH:=off}
41
SSH=${SSH:=off}
42
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
42
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
43
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
43
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
44
LDAP=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2`				# LDAP external server active (on/off)
-
 
45
LDAP=${LDAP:=off}
-
 
46
LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2`			# WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
-
 
47
LDAP_SERVER=${LDAP_SERVER:="0.0.0.0/0.0.0.0"}
-
 
48
IPTABLES="/sbin/iptables"
44
IPTABLES="/sbin/iptables"
49
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
45
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
50
 
46
 
51
# Sauvegarde des SET des utilisateurs connectés si ils existent
47
# Sauvegarde des SET des utilisateurs connectés si ils existent
52
# Saving SET of connected users if it exists
48
# Saving SET of connected users if it exists
Line 427... Line 423...
427
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
423
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
428
 
424
 
429
#############################
425
#############################
430
#         OUTPUT            #
426
#         OUTPUT            #
431
#############################
427
#############################
432
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
428
# On laisse tout sortir à l'exception de la carte externe (cf ci-dessous)
433
# Everything is allowed but traffic through outside network interface
429
# Everything is allowed apart from outside network interface (see bellow)
434
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
430
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
435
 
431
 
436
# Si configéré, on autorise les requêtes DHCP
432
# Si configuré, on autorise les requêtes DHCP
437
# Allow DHCP requests if configured
433
# Allow DHCP requests if configured
438
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`		# ALCASAR WAN IP address
434
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`		# ALCASAR WAN IP address
439
if [[ "$public_ip_mask" == "dhcp" ]]
435
if [[ "$public_ip_mask" == "dhcp" ]]
440
then
436
then
441
	$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
437
	$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
Line 444... Line 440...
444
 
440
 
445
# On autorise les requêtes DNS vers les serveurs DNS identifiés
441
# On autorise les requêtes DNS vers les serveurs DNS identifiés
446
# Allow DNS requests to identified DNS servers
442
# Allow DNS requests to identified DNS servers
447
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
443
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
448
 
444
 
449
# On autorise les requêtes HTTP sortantes
445
# On autorise les requêtes HTTP avec log Netflow (en provenance de Dansguardian)
450
# HTTP requests are allowed
446
# HTTPS requests are allowed with netflow log (from Dansguardian)
451
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
447
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
452
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
448
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
453
 
449
 
454
# On autorise les requêtes HTTPS sortantes
450
# On autorise les requêtes HTTPS sortantes
455
# HTTPS requests are allowed
451
# HTTPS requests are allowed
456
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
452
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
457
 
453
 
458
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
454
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
459
# RSYNC requests are allowed (to update BL of Toulouse)
455
# RSYNC requests are allowed (update of Toulouse BL)
460
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
456
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
461
 
457
 
462
# On autorise les requêtes FTP
458
# On autorise les requêtes FTP
463
# FTP requests are allowed
459
# FTP requests are allowed
464
modprobe nf_conntrack_ftp
460
modprobe nf_conntrack_ftp
Line 471... Line 467...
471
 
467
 
472
# On autorise les requêtes ICMP (ping)
468
# On autorise les requêtes ICMP (ping)
473
# ICMP (ping) requests are allowed
469
# ICMP (ping) requests are allowed
474
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
470
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
475
 
471
 
476
# On autorise les requêtes LDAP si un serveur externe est configué
472
# On autorise les requêtes LDAP
477
# LDAP requests are allowed if an external server is declared
473
# LDAP requests are allowed
478
if [ $LDAP = on ]
-
 
479
	then
-
 
480
	$IPTABLES -A OUTPUT -p tcp -d $LDAP_SERVER -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
474
$IPTABLES -A OUTPUT -o $EXTIF -p tcp -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
481
	$IPTABLES -A OUTPUT -p udp -d $LDAP_SERVER -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
475
$IPTABLES -A OUTPUT -o $EXTIF -p udp -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
482
fi
-
 
483
 
476
 
484
#############################
477
#############################
485
#       POSTROUTING         #
478
#       POSTROUTING         #
486
#############################
479
#############################
487
# Traduction dynamique d'adresse en sortie
480
# Traduction dynamique d'adresse en sortie
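Review bot: The two rules that replace old lines 480-481 (new lines 474-475) now accept outbound ldap/ldaps, tcp and udp, on $EXTIF to any destination and unconditionally; the old side ran them only when LDAP=on and limited them with `-d $LDAP_SERVER`, so this hunk widens egress policy for every installation, including those with no external directory. If the goal was only to get rid of the unset-variable handling, the destination filter can be kept when a server address is present in $CONF_FILE, e.g. `ldap_server=$(grep ^LDAP_SERVER= "$CONF_FILE" | cut -d"=" -f2)` and then `-d "${ldap_server:-0.0.0.0/0}"` on both rules; otherwise the comment on new lines 472-473 should state that LDAP egress is deliberately open to any host, so the relaxation is visible to whoever audits the rule set. Separately, in the hunk at Line 444 the new English comment (new line 446) says "HTTPS requests are allowed with netflow log" while the rules on new lines 447-448 match `--dport http` and the French comment says HTTP; it should read `# HTTP requests are allowed with netflow log (from Dansguardian)`. The end of the Line 471 hunk may lie past the visible page.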