58,9 → 58,9 |
if [ $? -eq 0 ]; |
then |
ipset save not_filtered > $TMP_users_set_save |
ipset save havp_set >> $TMP_users_set_save |
ipset save havp_bl_set >> $TMP_users_set_save |
ipset save havp_wl_set >> $TMP_users_set_save |
ipset save havp >> $TMP_users_set_save |
ipset save havp_bl >> $TMP_users_set_save |
ipset save havp_wl >> $TMP_users_set_save |
ipset save not_auth_yet >> $TMP_users_set_save |
ipset save users_list >> $TMP_users_set_save |
fi |
143,16 → 143,16 |
rm -f $TMP_users_set_save |
else |
ipset create not_filtered hash:net hashsize 1024 |
ipset create havp_set hash:net hashsize 1024 |
ipset create havp_bl_set hash:net hashsize 1024 |
ipset create havp_wl_set hash:net hashsize 1024 |
ipset create havp hash:net hashsize 1024 |
ipset create havp_bl hash:net hashsize 1024 |
ipset create havp_wl hash:net hashsize 1024 |
#utilisé pour l'interception des utilisateurs non authentifiés au réseau |
#used for intercepting users not connected to the network |
ipset create not_auth_yet hash:net hashsize 1024 |
ipset create users_list list:set |
ipset add users_list havp_set |
ipset add users_list havp_wl_set |
ipset add users_list havp_bl_set |
ipset add users_list havp |
ipset add users_list havp_wl |
ipset add users_list havp_bl |
ipset add users_list not_filtered |
ipset add users_list not_auth_yet |
fi |
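Review bot: The restore path just above the `rm -f $TMP_users_set_save` at line 15 (the `ipset restore` it follows is outside the hunk) reloads whatever set names a previous run saved, so a save file written before this rename would recreate `havp_set`/`havp_bl_set`/`havp_wl_set` while the rules in the later hunks now match on `havp`, `havp_bl` and `havp_wl`, and `-m set --match-set` on a missing set makes iptables abort, leaving the nat and FORWARD chains partially populated. The same renamed names are written by the save block of the first hunk (lines 4-12), so the mismatch only bites on the first run after upgrading, which is exactly when it is hardest to notice. Guard the restore by checking the saved file for the new names, e.g. `grep -q '^create havp ' "$TMP_users_set_save" || rm -f -- "$TMP_users_set_save"` before branching, so a stale file falls through to the `else` branch that creates the sets. Quoting `"$TMP_users_set_save"` in the save and rm lines would also be in keeping with the rest of the fix.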
195,32 → 195,32 |
|
# redirection DNS des usagers 'havp_bl' vers le port 54 |
# redirect DNS of 'havp_bl' users to port 54 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
|
# redirection DNS des usagers 'havp_wl' vers le port 55 |
# redirect DNS of 'havp_bl' users to port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55 |
# redirect DNS of 'havp_wl' users to port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55 |
|
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT " |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT " |
|
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
|
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit') |
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
|
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian |
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
|
# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy |
# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
|
# Redirection des requêtes NTP vers le serveur NTP local |
# Redirect NTP request in local NTP server |
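Review bot: The renamed DNS redirections at lines 42 and 48 still match only `-p udp --dport domain`, so a client in `havp_bl` or `havp_wl` that resolves over TCP to `$PRIVATE_IP` port 53 is not sent to the resolvers on ports 54/55; if those resolvers are what enforce the blacklist/whitelist (this hunk does not show what listens there), the filtering can be sidestepped without leaving the captive network. Adding the TCP counterpart next to each rule, `$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 54` (and the port 55 equivalent for `havp_wl`), closes that path; the "Deny forward DNS" section in the last hunk presumably already covers external resolvers. Note also that the French comment at line 70 names both 'havp_wl' and 'havp' users while the English line 71 names only "WL-antivirus" users, although lines 74-75 redirect both sets; aligning the English comment avoids a misleading rule description.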
343,11 → 343,11 |
# FORWARD # |
############################# |
|
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl_set |
# Deny IPs of the SET bl_ip_blocked for the set havp_bl_set |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl |
# Deny IPs of the SET bl_ip_blocked for the set havp_bl |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
|
# Rejet des requêtes DNS vers Internet |
# Deny forward DNS |