356,7 → 356,7 |
|
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl |
# Deny IPs of the SET bl_ip_blocked for the set havp_bl |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-proto-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
|
365,7 → 365,8 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset |
|
# Autorisation des retours de connexions légitimes |
# Active le suivi de session |
# Allow Conntrack |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) |
375,41 → 376,26 |
while read ip_allowed_line |
do |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2` |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NFLOG --nflog-prefix "RULE IP-allowed -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-uamallowed |
fi |
|
# filtrage protocole par utilisateur (profile 1 : http, https) |
# protocols filtering for users (profil 1 : http, https) |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m state --state NEW -j REJECT --reject-with tcp-reset |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m state --state NEW -j REJECT --reject-with icmp-port-unreachable |
|
# filtrage protocole par utilisateur (profile 2 : http https pop3 pop3s imap imaps ftp sftp ssh) |
# protocols filtering for users (profil 2 : http https pop3 pop3s imap imaps ftp sftp ssh) |
|
#filtrage protocole par utilisateur (on autorise le HTTP pour tous) |
#profile 1 : HTTP/S only |
for proto in $(echo http https) |
do |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P1$proto -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P1$proto -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j ACCEPT |
done |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m state --state NEW -j REJECT --reject-with tcp-reset |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ssh -m state --state NEW -j REJECT --reject-with icmp-port-unreachable |
|
#profile 2 : HTTP/S, POP3S, IMAP/S, FTP, SSH/SFTP |
for proto in $(echo http https pop3 pop3s imap imaps ftp sftp ssh) |
do |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P2$proto -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P2$proto -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j ACCEPT |
done |
|
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC) |
# protocols filtering for users (profil 3 : customized with ACC) |
#profile 3 personalisables via l'ACC |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P3http -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT |
custom_tcp_protocols_list='';custom_udp_protocols_list='' |
while read svc_line |
do |
svc_on=`echo $svc_line|cut -b1` |
419,32 → 405,41 |
svc_port=`echo $svc_line|cut -d" " -f2` |
if [ $svc_name = "icmp" ] |
then |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT |
svc_icmp="on" |
else |
|
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P3$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P3$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT |
if [ "$custom_tcp_protocols_list" == "" ] |
then |
custom_tcp_protocols_list=$svc_port |
else |
custom_tcp_protocols_list=`echo $custom_tcp_protocols_list","$svc_port` |
fi |
udp_svc=`egrep "[[:space:]]$svc_port/udp" /etc/services|wc -l` |
if [ $udp_svc = "1" ] # udp service exist |
then |
if [ "$custom_udp_protocols_list" == "" ] |
then |
custom_udp_protocols_list=$svc_port |
else |
custom_udp_protocols_list=`echo $custom_udp_protocols_list","$svc_port` |
fi |
fi |
fi |
fi |
done < /usr/local/etc/alcasar-services |
if [ "$custom_tcp_protocols_list" == "" ] |
then |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -j REJECT |
else |
if [ "$svc_icmp" != "on" ] |
then |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j REJECT --reject-with icmp-proto-unreachable |
fi |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports $custom_tcp_protocols_list -m state --state NEW -j REJECT --reject-with tcp-reset |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m state --state NEW -j REJECT --reject-with icmp-port-unreachable |
fi |
|
# Rejet explicite des autres protocoles pour P1, P2, P3 et les autres |
# reject the others protocols for P1,P2, P3 and other |
$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -j NFLOG --nflog-prefix "RULE F_filterP1 -- REJECT " |
$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p icmp -j REJECT |
|
|
|
# Autorisation des connections sortant du LAN |
# journalisation et autorisation des connections sortant du LAN |
# Allow forward connections with log |
#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT |
|
453,7 → 448,8 |
############################# |
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur |
# Everything is allowed but traffic through outside network interface |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT |
#$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT |
$IPTABLES -A OUTPUT -j ACCEPT |
|
# Si configéré, on autorise les requêtes DHCP |
# Allow DHCP requests if configured |