39,6 → 39,7 |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2` |
46,6 → 47,10 |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2` |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2` |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2` |
nb_gw=`grep ^WAN $CONF_FILE|wc -l` |
|
# Allow requests to internal DNS if activated |
if [ "$INT_DNS_ACTIVE" = "on" ] |
53,6 → 58,15 |
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP" |
fi |
|
#ipset name list for load_balancing |
gw_list="gw0" |
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then |
for ((i=1 ; i<=$nb_gw ; i++)); do |
gw_list="${gw_list} gw$i" |
done |
fi |
|
|
# Sauvegarde des SET des utilisateurs connectés si ils existent |
# Saving SET of connected users if it exists |
ipset list not_filtered 1>/dev/null 2>&1 |
68,6 → 82,20 |
ipset save proto_3 >> $TMP_users_set_save |
fi |
|
# Sauvegarde de la liste de toutes les IP déjà connectées pour les réintégrer dans le load balancing |
# Saving all of the already connected IP in order to put them back in the load balancing after |
if [ ! -f $TMP_ip_gw_save ];then |
# Save only if alcasar-network.sh --save has not been executed before |
for i in $gw_list;do |
ipset list $i 1>/dev/null 2>&1 |
if [ $? -eq 0 ] |
then |
# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines execpt the members |
ipset list $i | cut -d":" -f5 | sed '/^[[:space:]]*$/d' >> $TMP_ip_gw_save |
fi |
done |
fi |
|
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW) |
# loading of NetFlow probe (ipt_NETFLOW kernel module) |
modprobe ipt_NETFLOW destination=127.0.0.1:2055 |
160,10 → 188,41 |
ipset create proto_3 hash:ip hashsize 1024 |
fi |
|
#ipsets for load balancing |
for i in $gw_list; do |
ipset create $i hash:ip |
done |
cat $TMP_ip_gw_save | while read ip; do |
gw_min="gw0" |
weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2` |
already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2` |
#The *1000 is here to avoid working on floats in bash |
gw_min_value=$((1000 * $already / $weight)) |
i=1 |
for gw in $gw_list;do |
if [ "$gw" != "gw0" ]; then |
weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'` |
already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2` |
value=$((1000 * $already / $weight)) |
if [ $value -lt $gw_min_value ] |
then |
gw_min_value=$value |
gw_min=$gw |
fi |
i=$(($i+1)) |
fi |
done |
ipset add $gw_min $ip |
done |
rm -f $TMP_ip_gw_save |
|
|
|
############################# |
# PREROUTING # |
############################# |
|
|
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules |
# 8080 = ipset av_bl |
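Review bot: The `cat $TMP_ip_gw_save | while read ip` loop hands every line of the fixed-name file `/tmp/ipset_ip_gw_save` to `ipset add $gw_min $ip` unvalidated, while the earlier hunk only writes that file when it does not already exist, so a file planted under that name in world-writable /tmp by any local user (or left behind by an interrupted run) decides which addresses are inserted into the load-balancing sets by a script that runs with root privileges (it calls modprobe, ipset and iptables), and the `>>` in the save hunk would follow a planted symlink. I would keep this state file out of /tmp (under /run or /var/lib, which are root-owned) or at least refuse a pre-existing file not owned by root, and accept only dotted-quad lines before calling ipset, since that is all `ipset list` of a `hash:ip` set can have produced. The same loop divides by `$weight` taken from $CONF_FILE (`PUBLIC_WEIGHT=` and the second comma field of `WAN$i=`); an empty or zero value makes the `$(( ))` expansion abort the loop subshell with "division by 0", leaving the remaining addresses unassigned, so it should be defaulted before use. Whether those config keys are guaranteed to exist is not visible from this page.
```shell
# … unchanged: ipset create loop over $gw_list …
while IFS= read -r ip; do
	# Only accept what "ipset list <hash:ip>" can have written; anything else is a planted or corrupt line
	if ! [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
		echo "alcasar-iptables: ignoring invalid entry '$ip' in $TMP_ip_gw_save" >&2
		continue
	fi
	gw_min="gw0"
	weight=$(grep ^PUBLIC_WEIGHT= "$CONF_FILE" | cut -d"=" -f2)
	[[ "$weight" =~ ^[1-9][0-9]*$ ]] || weight=1   # empty/zero weight would abort the loop with "division by 0"
	# … unchanged: gw_min selection over $gw_list, with the same weight guard applied to WAN$i …
	ipset add "$gw_min" "$ip"
done < "$TMP_ip_gw_save"
```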
196,7 → 255,7 |
# 55 = ipset av_wl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55 |
# 53 = all other users |
# 53 = all other users |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53 |
|
217,6 → 276,7 |
# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian |
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian |
# 8080 = ipset av_bl |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# 8090 = ipset av_wl & av |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
232,6 → 292,23 |
# Redirect NTP request in local NTP server |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123 |
|
#Récupération de la marque associée à une gw pour chaque connection |
$IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark |
|
if [ "$PROXY" == "on" ] || [ "$PROXY" == "On" ];then |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp -m multiport --dports http,https -j DNAT --to-destination $PROXY_IP |
fi |
|
#Marquage pour le load balancing |
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then |
temp_index=200 |
for i in $gw_list; do |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index |
temp_index=$(($temp_index+1)) |
done |
fi |
|
|
############################# |
# INPUT # |
############################# |
242,7 → 319,7 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT |
|
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN) |
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN) |
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST and NEW not SYN) |
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP |
455,7 → 532,7 |
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian) |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT |
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy) |
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy) |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT |
|
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse) |
489,6 → 566,9 |
# Dynamic NAT on EXTIF |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE |
|
#Sauvegarde de la marque associée à la connexion pour le load balancing |
$IPTABLES -A POSTROUTING -t mangle -j CONNMARK --save-mark |
|
############################# |
# FAIL2BAN # |
############################# |