Subversion Repositories ALCASAR

#!/bin/bash

#!/bin/bash

# Script de mise en place des regles du parefeu d'Alcasar (mode normal)

# Script de mise en place des regles du parefeu d'Alcasar (mode normal)

# This script writes the netfilter rules for ALCASAR

# This script writes the netfilter rules for ALCASAR

# Rexy - 3abtux - CPN

# Rexy - 3abtux - CPN

#

#

# Reminders

# Reminders

SSH=${SSH:=off}

SSH=${SSH:=off}

SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`

SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`

SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)

SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)

IPTABLES="/sbin/iptables"

IPTABLES="/sbin/iptables"

IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP

IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP

# Sauvegarde des SET des utilisateurs connectés si ils existent

# Sauvegarde des SET des utilisateurs connectés si ils existent

# Saving SET of connected users if it exists

# Saving SET of connected users if it exists

ipset list not_filtered 1>/dev/null 2>&1

ipset list not_filtered 1>/dev/null 2>&1

if [ $? -eq 0 ];

if [ $? -eq 0 ];

for ip in $(cat $IP_REHABILITEES)

for ip in $(cat $IP_REHABILITEES)

do

do

	ipset del bl_ip_blocked $ip

	ipset del bl_ip_blocked $ip

done

done

###### WL set  ###########

###### WL set  ###########

# taille fixe, car peupler par dnsmasq / fixe length due to dnsmasq dynamic loading

# taille fixe, car peupler par dnsmasq / fixe length due to dnsmasq dynamic loading

wl_set_length=65536

wl_set_length=65536

# Chargement Loading

# Chargement Loading

echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save

echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save

# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)

# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)

$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80

$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80

# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian

# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian

# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)

# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)

# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy

# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy

# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy

# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy

$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090

$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090

$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090

$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090