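--- a/alcasar-iptables.sh
+++ b/alcasar-iptables.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# $Id: alcasar-iptables.sh 3041 2022-07-20 21:06:54Z rexy $
+# $Id: alcasar-iptables.sh 3042 2022-07-22 12:35:45Z rexy $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 #
 # Reminders
@@ -38,18 +38,20 @@
 BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
 WL_IP_CAT="/usr/local/share/iptables-wl-enabled"			# categories files of the WhiteListed IP
 TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
 TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
 TMP_ip_gw_save="/tmp/ipset_ip_gw_save"				# tmp file for already connected ips
-SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
-SSH=${SSH:=off}
-SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2`			# local SSH active
-SSH_LAN=${SSH_LAN:=off}
-SSH_PORT=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2`		#ssh WAN port
-SSH_PORT=${SSH_PORT:=0}
-SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
-SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}			# WAN IP address to reduce ssh access (all ip allowed on LAN side)
+SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2`			# SSH LAN port
+SSH_LAN=${SSH_LAN:=0}
+SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2`		#ssh WAN port
+SSH_WAN=${SSH_WAN:=0}
+SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2`
+SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}
+SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" || echo "$SSH_WAN_ADMIN_FROM" )
+SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
+SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
+SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
 IPTABLES="/sbin/iptables"
 IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist"		# Rehabilitated IP
 SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# WEB Sites allowed for all (no av and no filtering for av_bl users)
 MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
 PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
@@ -391,24 +393,21 @@
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT	# Pages d'authentification et MCC # authentication pages and MCC
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT	# Page d'avertissement filtrage # Filtering warning pages
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT	# Requêtes de deconnexion usagers # Users logout requests
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT	# Serveur local de temps # local time server
 
-# Accès au serveur SSHD si activé
-# SSHD server access if enabled
-if [ $SSH = on ]
+# Accès au serveur SSHD si activé en LAN et WAN
+# SSHD server access in LAN and WAN if enabled
+if [ $SSH_LAN -gt 0 ]
 	then
-	if [ $SSH_LAN = on ]
-		then
-		$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
-		$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
-	fi
-	if [ $SSH_PORT -gt 0 ]
-		then
-		$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
-		$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-	fi
+	$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
+	$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT
+fi
+if [ $SSH_WAN -gt 0 ]
+	then
+	$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
+	$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW -j ACCEPT
 fi
 
 # Insertion de règles locales
 # Here, we add local rules (i.e. VPN from Internet)
 if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then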
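Review bot: The new SSH_LAN_ADMIN_FROM / SSH_WAN_ADMIN_FROM derivation (new lines 47–52) splits SSH_ADMIN_FROM on `/` into a LAN half and a WAN half, but the only comment describing that variable was dropped with old line 50, so nothing states this `LAN/WAN` convention or that it collides with CIDR notation — a value such as `203.0.113.0/24` would presumably become LAN source `203.0.113.0` and WAN source `24`. Because `cut` without `-s` echoes a line that contains no delimiter, a single-address value like `203.0.113.5` is fed to both `-s` arguments, which restricts the LAN rule on new line 402 to a WAN address and means the `$PRIVATE_NETWORK_MASK` fallback on line 52 never applies in that case; if that is not intended it deserves either a check or an explicit note. Since the value is interpolated unquoted into the iptables command lines, I would document the accepted syntax next to line 47: `# SSH_ADMIN_FROM is "<LAN source>/<WAN source>"; a value without "/" is used for both sides; CIDR masks cannot be expressed here`. Separately, `if [ $SSH_LAN -gt 0 ]` on new line 400 raises an integer-expression error and evaluates false if an existing alcasar.conf still carries the old `SSH_LAN=on` form, silently disabling LAN SSH unless the config is migrated elsewhere in this commit.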