| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables.sh 3044 2022-07-24 21:55:18Z rexy $
|
2 |
# $Id: alcasar-iptables.sh 3046 2022-07-30 22:07:33Z rexy $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| Line 20... |
Line 20... |
| 20 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
20 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
| 21 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
21 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
| 22 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
22 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
| 23 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24)
|
23 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24)
|
| 24 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
24 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
| - |
|
25 |
dhcp_on_extif="off"
|
| 25 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
26 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
| 26 |
then
|
27 |
then
|
| - |
|
28 |
dhcp_on_extif="on"
|
| 27 |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
|
29 |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
|
| 28 |
public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`
|
30 |
public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`
|
| 29 |
fi
|
31 |
fi
|
| 30 |
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
|
32 |
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
|
| 31 |
dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
|
33 |
dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
|
| Line 55... |
Line 57... |
| 55 |
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
|
57 |
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
|
| 56 |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
|
58 |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
|
| 57 |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
|
59 |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
|
| 58 |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
|
60 |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
|
| 59 |
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
|
61 |
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
|
| - |
|
62 |
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
|
| - |
|
63 |
interlan=${interlan:=off}
|
| 60 |
|
64 |
|
| 61 |
# Allow requests to internal DNS if activated
|
65 |
# Allow requests to internal DNS if activated
|
| 62 |
if [ "$INT_DNS_ACTIVE" = "on" ]
|
66 |
if [ "$INT_DNS_ACTIVE" = "on" ]
|
| 63 |
then
|
67 |
then
|
| 64 |
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
|
68 |
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
|
| Line 321... |
Line 325... |
| 321 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
325 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
| 322 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
326 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
| 323 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
327 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
| 324 |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
328 |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
| 325 |
|
329 |
|
| 326 |
# Si configéré, on autorise les réponses DHCP
|
330 |
# Si configuré, on autorise les réponses DHCP sur EXTIF
|
| 327 |
# Allow DHCP answers if configured
|
331 |
# If configured, DHCP responses are allowed on EXTIF
|
| 328 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
- |
|
| 329 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
332 |
if [[ "$dhcp_on_extif" == "on" ]]
|
| 330 |
then
|
333 |
then
|
| 331 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 68 -j ACCEPT
|
334 |
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 68 -j ACCEPT
|
| 332 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 68 -j ACCEPT
|
335 |
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 68 -j ACCEPT
|
| 333 |
fi
|
336 |
fi
|
| - |
|
337 |
|
| 334 |
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
|
338 |
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
|
| 335 |
# Drop broadcast & multicast on EXTIF to avoid log
|
339 |
# Drop broadcast & multicast on EXTIF to avoid log
|
| 336 |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
|
340 |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
|
| 337 |
|
341 |
|
| 338 |
# On autorise les retours de connexions légitimes par INPUT
|
342 |
# On autorise les retours de connexions légitimes par INPUT
|
| Line 418... |
Line 422... |
| 418 |
$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
|
422 |
$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
|
| 419 |
|
423 |
|
| 420 |
#############################
|
424 |
#############################
|
| 421 |
# FORWARD #
|
425 |
# FORWARD #
|
| 422 |
#############################
|
426 |
#############################
|
| - |
|
427 |
# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet
|
| - |
|
428 |
# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router
|
| - |
|
429 |
if [ "$interlan" != "on" ]
|
| - |
|
430 |
then
|
| - |
|
431 |
$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP
|
| - |
|
432 |
fi
|
| - |
|
433 |
|
| 423 |
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
|
434 |
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
|
| 424 |
# Deny IPs of the SET bl_ip_blocked for the set av_bl
|
435 |
# Deny IPs of the SET bl_ip_blocked for the set av_bl
|
| 425 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
|
436 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
|
| 426 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
|
437 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
|
| 427 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
438 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
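Review bot: The new interlan rule at line 431, `$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP`, is fail-open: `$public_ip_mask` is unquoted and on the DHCP path (line 30 of the earlier hunk) is whatever `egrep -o $PTN` pulled out of `ip addr show $EXTIF`, so an EXTIF that has no IPv4 address yet, or carries several, expands to zero or several words, iptables rejects the malformed rule, and since no `set -e` is visible the script carries on with portal users able to reach the network between ALCASAR and the router — the very thing `interlan=off` is meant to forbid. The enclosing `if` (new lines 429–432) is entirely inside this hunk, so the fix is local: loop over each extracted address/prefix and report when none was found instead of installing nothing silently. A warning to stderr is the minimum; aborting the script here would be the stricter choice, matching how the other rules rely on every line applying.
```shell
if [ "$interlan" != "on" ]
then
  if [ -z "$public_ip_mask" ]
  then
    echo "WARNING: no IPv4 address found on $EXTIF; interlan restriction NOT applied" >&2
  fi
  # egrep -o may return one address/prefix per line when EXTIF has several IPv4 addresses
  for wan_net in $public_ip_mask
  do
    $IPTABLES -A FORWARD -i $TUNIF -d "$wan_net" -j DROP
  done
fi
```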
| Line 512... |
Line 523... |
| 512 |
#############################
|
523 |
#############################
|
| 513 |
# On laisse tout sortir sur la carte interne (voir les règles suivantes pour la carte externe)
|
524 |
# On laisse tout sortir sur la carte interne (voir les règles suivantes pour la carte externe)
|
| 514 |
# We let everything out on INTIF (see following rules for the EXTIF)
|
525 |
# We let everything out on INTIF (see following rules for the EXTIF)
|
| 515 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
526 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
| 516 |
|
527 |
|
| 517 |
# Si configuré, on autorise les requêtes DHCP
|
528 |
# Si configuré, on autorise les requêtes DHCP sur EXTIF
|
| 518 |
# Allow DHCP requests if configured
|
529 |
# Allow DHCP requests on EXTIF if configured
|
| 519 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
- |
|
| 520 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
530 |
if [[ "$dhcp_on_extif" == "on" ]]
|
| 521 |
then
|
531 |
then
|
| 522 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
|
532 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
|
| 523 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT
|
533 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT
|
| 524 |
fi
|
534 |
fi
|
| 525 |
|
535 |
|