110,11 → 110,11 |
############################# |
# INPUT # |
############################# |
|
# Tout passe sur loopback |
# accept all on loopback |
$IPTABLES -A INPUT -i lo -j ACCEPT |
|
|
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN) |
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN) |
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP |
123,8 → 123,8 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP |
|
# On rejette les trame en broadcast et en multicast sur EXTIF (pour ne pas les journaliser) |
# Drop broadcast & multicast on EXTIF to not be logged |
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation) |
# Drop broadcast & multicast on EXTIF to avoid log |
$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
|
# On autorise les retours de connexions légitimes par INPUT |
201,6 → 201,7 |
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service) |
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP" |
|
|
############################# |
# FORWARD # |
############################# |
243,9 → 244,9 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-filter-exceptions |
fi |
# Compute uamallowed IP (IP address of equipments connect between ALCASAR and Internet (DMZ, own servers, ...) |
nb_exceptions=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1` |
if [ $nb_exceptions != "0" ] |
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) |
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1` |
if [ $nb_uamallowed != "0" ] |
then |
while read ip_allowed_line |
do |