| Line 1... |
Line 1... |
| 1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
| 2 |
# $Id: alcasar-iptables.sh 810 2012-02-06 21:45:53Z franck $
|
2 |
# $Id: alcasar-iptables.sh 815 2012-02-08 20:49:07Z richard $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script write the netfilter rules for ALCASAR
|
4 |
# This script write the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| Line 214... |
Line 214... |
| 214 |
if [ $EXT_LAN_FILTERING = on ]; then
|
214 |
if [ $EXT_LAN_FILTERING = on ]; then
|
| 215 |
$IPTABLES -A FORWARD -i $TUNIF -p udp -d $public_ip_mask -j REJECT --reject-with icmp-port-unreachable
|
215 |
$IPTABLES -A FORWARD -i $TUNIF -p udp -d $public_ip_mask -j REJECT --reject-with icmp-port-unreachable
|
| 216 |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -d $public_ip_mask -j REJECT --reject-with icmp-port-unreachable
|
216 |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -d $public_ip_mask -j REJECT --reject-with icmp-port-unreachable
|
| 217 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -d $public_ip_mask -j REJECT --reject-with tcp-reset
|
217 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -d $public_ip_mask -j REJECT --reject-with tcp-reset
|
| 218 |
fi
|
218 |
fi
|
| - |
|
219 |
# Autorisation des retours de connexions légitimes
|
| - |
|
220 |
# Allow conntrack
|
| - |
|
221 |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
| 219 |
|
222 |
|
| 220 |
# If protocols filter is activate
|
223 |
# If protocols filter is activate
|
| 221 |
if [ $PROTOCOLS_FILTERING = on ]; then
|
224 |
if [ $PROTOCOLS_FILTERING = on ]; then
|
| 222 |
# Compute exception IP (IP addresses that shouldn't be filtered)
|
225 |
# Compute exception IP (IP addresses that shouldn't be filtered)
|
| 223 |
nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
|
226 |
nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
|
| Line 265... |
Line 268... |
| 265 |
$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
|
268 |
$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
|
| 266 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
|
269 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
|
| 267 |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
|
270 |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
|
| 268 |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
|
271 |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
|
| 269 |
fi
|
272 |
fi
|
| 270 |
# Autorisation des retours de connexions légitimes
|
- |
|
| 271 |
# Allow conntrack
|
- |
|
| 272 |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
- |
|
| 273 |
|
273 |
|
| 274 |
# If QOS is activate #
|
274 |
# If QOS is activate #
|
| 275 |
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
|
275 |
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
|
| 276 |
. /usr/local/etc/alcasar-iptables-qos.sh
|
276 |
. /usr/local/etc/alcasar-iptables-qos.sh
|
| 277 |
fi
|
277 |
fi
|