33,6 → 33,8 |
dns1=${dns1:=208.67.220.220} |
dns2=${dns2:=208.67.222.222} |
DNSSERVERS="$dns1,$dns2" # first and second public DNS servers |
INT_DNS_IP=`grep INT_DNS_IP $CONF_FILE|cut -d"=" -f2` # Adresse du serveur DNS interne |
INT_DNS_ACTIVE=`grep INT_DNS_ACTIVE $CONF_FILE|cut -d"=" -f2` # Activation de la redirection DNS interne |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
45,6 → 47,12 |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # Site Direct (no havp and no filtrage) for user BL |
|
# Allow requests to internal DNS if activated |
if [ "$INT_DNS_ACTIVE" = "on" ] |
then |
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP" |
fi |
|
# Sauvegarde des SET des utilisateurs connectés si ils existent |
# Saving SET of connected users if it exists |
ipset list not_filtered 1>/dev/null 2>&1 |
111,7 → 119,7 |
# Suppression des ip réhabilitées / Removing of rehabilitated ip |
for ip in $(cat $IP_REHABILITEES) |
do |
ipset del bl_ip_blocked $ip |
ipset -q del bl_ip_blocked $ip |
done |
|
# rajout exception havp_bl --> Site en direct pour les Utilisateurs filtrés |
118,11 → 126,11 |
ipset create site_direct hash:net hashsize 1024 |
for site in $(cat $SITE_DIRECT) |
do |
ipset add site_direct $site |
ipset add site_direct $site |
done |
|
###### WL set ########### |
# taille fixe, car peupler par dnsmasq / fixe length due to dnsmasq dynamic loading |
# taille fixe, car peuplé par dnsmasq / fixe length due to dnsmasq dynamic loading |
wl_set_length=65536 |
# Chargement Loading |
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save |
285,18 → 293,18 |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset |
|
# autorisation des connexion légitime à DNSMASQ (avec blacklist) |
# Allow connections for DNSMASQ (with blacklist) |
# autorisation des connexion légitime à Unbound (avec blacklist) |
# Allow connections for Unbound (with blacklist) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT |
|
# autorisation des connexion légitime à DNSMASQ (avec whitelist) |
# Allow connections for DNSMASQ (with whitelist) |
# autorisation des connexion légitime à Unbound (avec whitelist) |
# Allow connections for Unbound (with whitelist) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT |
|
# autorisation des connexion légitime à DNSMASQ (mode blackhole) |
# Allow connections for DNSMASQ (blackhole mode) |
# autorisation des connexion légitime à Unbound (mode blackhole) |
# Allow connections for Unbound (blackhole mode) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT |
|
386,7 → 394,7 |
do |
svc_on=`echo $svc_line|cut -b1` |
if [ $svc_on != "#" ] |
then |
then |
svc_name=`echo $svc_line|cut -d" " -f1` |
svc_port=`echo $svc_line|cut -d" " -f2` |
if [ $svc_name = "icmp" ] |
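Review bot: The internal DNS address read in the first hunk (`INT_DNS_IP=\`grep INT_DNS_IP $CONF_FILE|cut -d"=" -f2\``) is appended to `DNSSERVERS` in the `INT_DNS_ACTIVE` branch without any validation, and the grep is unanchored, so a commented-out `#INT_DNS_IP=...` line or a second key containing that substring yields a multi-line or empty value, and an empty value leaves a trailing comma in `DNSSERVERS`. How `DNSSERVERS` is consumed is outside this diff, but given its use as the DNS-server list it presumably ends up in iptables match arguments, where a malformed value either aborts the rule load (leaving the firewall in a partial state) or admits a destination the operator did not intend. Anchor both lookups, `INT_DNS_IP=$(grep '^INT_DNS_IP=' "$CONF_FILE" | cut -d'=' -f2)` and likewise for `INT_DNS_ACTIVE`, and only append the value when it looks like an IPv4 address, logging and skipping otherwise; the rewritten branch is below. These statements are at script top level, so nothing encloses them.
```shell
# Allow requests to internal DNS if activated.
# Only append INT_DNS_IP when it is a well-formed IPv4 address: an empty or
# multi-line value would otherwise be spliced into DNSSERVERS unchecked.
if [ "$INT_DNS_ACTIVE" = "on" ]
then
	if printf '%s\n' "$INT_DNS_IP" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
	then
		DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
	else
		echo "INT_DNS_ACTIVE=on but INT_DNS_IP ('$INT_DNS_IP') is not a valid IPv4 address; internal DNS not added" >&2
	fi
fi
# … unchanged: users set backup …
```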