53,7 → 53,7 |
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"} |
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" ) |
IPTABLES="/sbin/iptables" |
REHABILITED_IP="/etc/e2guardian/lists/exceptioniplist" |
REHABILITED_IP="/etc/e2guardian/lists/group1/exceptioniplist" |
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2` |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2` |
231,9 → 231,9 |
# 8080 = ipset av_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
# 8090 = ipset av_wl + av |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2 |
# 8081 = ipset av_wl + av (to be redefine) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8081 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8081 -j MARK --set-mark 2 |
# 8443 = tranparent HTTPS for ipsets av_bl + av_wl + av (future version) |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6 |
281,9 → 281,9 |
# 8080 = ipset av_bl |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# 8090 = ipset av_wl & av |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
# 8081 = ipset av_wl & av |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081 |
|
# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian (in a future version - don't forget to set E2guardian as a tranparent HTTPS proxy) |
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian |
346,13 → 346,13 |
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8081 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av |
#$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av (future version) |
|
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian |
# Allow HTTP connections to E2Guardian |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m conntrack --ctstate NEW --syn -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8081 -m conntrack --ctstate NEW --syn -j ACCEPT |
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT # (future version) |
|
# On interdit les connexions directes aux ports d'écoupe DNS (UNBOUND). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |