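--- a/alcasar-iptables.sh
+++ b/alcasar-iptables.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# $Id: alcasar-iptables.sh 3042 2022-07-22 12:35:45Z rexy $
+# $Id: alcasar-iptables.sh 3043 2022-07-22 17:10:23Z rexy $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 #
 # Reminders
@@ -18,11 +18,11 @@
 private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
 private_ip_mask=${private_ip_mask:=192.168.182.1/24}
 PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
 private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2`		# LAN IP address (ie.: 192.168.182.0)
 private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2`		# LAN prefix (ie. 24)
-PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# Lan IP address + prefix (192.168.182.0/24)
+PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# LAN IP address + prefix (192.168.182.0/24)
 public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`		# ALCASAR WAN IP address
 if [[ "$public_ip_mask" == "dhcp" ]]
 then
 	PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
 	public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`
@@ -40,21 +40,21 @@
 TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
 TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
 TMP_ip_gw_save="/tmp/ipset_ip_gw_save"				# tmp file for already connected ips
 SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2`			# SSH LAN port
 SSH_LAN=${SSH_LAN:=0}
-SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2`		#ssh WAN port
+SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2`		# SSH WAN port
 SSH_WAN=${SSH_WAN:=0}
 SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2`
 SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}
 SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" || echo "$SSH_WAN_ADMIN_FROM" )
 SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
 SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
 SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
 IPTABLES="/sbin/iptables"
-IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist"		# Rehabilitated IP
-SITE_DIRECT="/usr/local/etc/alcasar-site-direct"			# WEB Sites allowed for all (no av and no filtering for av_bl users)
+REHABILITED_IP="/etc/e2guardian/lists/exceptioniplist"
+ALLOWED_SITES="/usr/local/etc/alcasar-site-direct"			# WEB Sites allowed for all (no av and no filtering for av_bl users)
 MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
 PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
 PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
 nb_gw=`grep ^WAN $CONF_FILE|wc -l`
 HOST=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`
@@ -73,11 +73,10 @@
 	for ((i=1 ; i<=$nb_gw ; i++)); do
 		gw_list="${gw_list} gw$i"
 	done
 fi
 
-
 # Sauvegarde des SET des utilisateurs connectés si ils existent
 # Saving SET of connected users if it exists
 ipset list not_filtered 1>/dev/null 2>&1
 if [ $? -eq 0 ];
 then
@@ -130,15 +129,13 @@
 $IPTABLES -P OUTPUT DROP
 $IPTABLES -t nat -P PREROUTING ACCEPT
 $IPTABLES -t nat -P POSTROUTING ACCEPT
 $IPTABLES -t nat -P OUTPUT ACCEPT
 
-
 #############################
 #          IPSET            #
 #############################
-
 # destruction de tous les SET
 # destroy all SET
 ipset flush
 ipset destroy
 
@@ -152,18 +149,18 @@
 	cat $BL_IP_CAT/$category >> $TMP_set_save
 done
 ipset -! restore < $TMP_set_save
 rm -f $TMP_set_save
 # Suppression des ip réhabilitées / Removing of rehabilitated ip
-for ip in $(cat $IP_REHABILITEES)
+for ip in $(cat $REHABILITED_IP)
 do
 	ipset -q del bl_ip_blocked $ip
 done
 
 # ipset for exception web sites (usefull for filtered users = av_bl)
 ipset create site_direct hash:net hashsize 1024
-for site in $(cat $SITE_DIRECT)
+for site in $(cat $ALLOWED_SITES)
 do
     ipset add site_direct $site
 done
 
 ###### WL set  ###########
@@ -223,17 +220,13 @@
 	done
 	ipset add $gw_min $ip
 done
 rm -f $TMP_ip_gw_save
 
-
-
 #############################
 #       PREROUTING          #
 #############################
-
-
 # Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
 # Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
 # 8080 = ipset av_bl
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
@@ -315,15 +308,13 @@
 		$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index
 		temp_index=$(($temp_index+1))
 	done
 fi
 
-
 #############################
 #         INPUT             #
 #############################
-
 # Tout passe sur loopback
 # accept all on loopback
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
 
@@ -403,11 +394,11 @@
 	$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT
 fi
 if [ $SSH_WAN -gt 0 ]
 	then
 	$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
-	$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW -j ACCEPT
+	$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT
 fi
 
 # Insertion de règles locales
 # Here, we add local rules (i.e. VPN from Internet)
 if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
@@ -430,11 +421,10 @@
 $IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
 
 #############################
 #        FORWARD            #
 #############################
-
 # Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
 # Deny IPs of the SET bl_ip_blocked for the set av_bl
 $IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
 $IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
 $IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset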
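Review bot: The SSH-from-WAN ACCEPT at new line 399 drops `-m conntrack --ctstate NEW`, so it now matches any TCP segment to port $SSH_WAN from $SSH_WAN_ADMIN_FROM regardless of connection state, while the NFLOG rule on the line just above still matches only `--ctstate NEW --syn`; the logged traffic and the accepted traffic no longer coincide. If the goal was to stop relying on conntrack for this rule, `--syn` keeps the ACCEPT limited to connection-opening segments, e.g. `$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN --syn -j ACCEPT`, assuming an earlier rule outside this hunk already accepts ESTABLISHED traffic. If the removal is intentional, a one-line comment above the rule stating why would help, because with the default `SSH_WAN_ADMIN_FROM=0.0.0.0/0` computed at lines 48-49 this rule is reachable from any source address. The `if [ $SSH_WAN -gt 0 ]` block lies entirely within the hunk.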