| 22,8 → 22,10 |
|---|
| private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24) |
| PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24) |
| public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
| dhcp_on_extif="off" |
| if [[ "$public_ip_mask" == "dhcp" ]] |
| then |
| dhcp_on_extif="on" |
| PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b" |
| public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN` |
| fi |
| 57,6 → 59,8 |
|---|
| PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2` |
| PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2` |
| nb_gw=`grep ^WAN $CONF_FILE|wc -l` |
| interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2` |
| interlan=${interlan:=off} |
| |
| # Allow requests to internal DNS if activated |
| if [ "$INT_DNS_ACTIVE" = "on" ] |
| 323,14 → 327,14 |
|---|
| $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP |
| $IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP |
| |
| # Si configéré, on autorise les réponses DHCP |
| # Allow DHCP answers if configured |
| public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
| if [[ "$public_ip_mask" == "dhcp" ]] |
| # Si configuré, on autorise les réponses DHCP sur EXTIF |
| # If configured, DHCP responses are allowed on EXTIF |
| if [[ "$dhcp_on_extif" == "on" ]] |
| then |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 68 -j ACCEPT |
| $IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 68 -j ACCEPT |
| $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 68 -j ACCEPT |
| $IPTABLES -A INPUT -i $EXTIF -p udp --dport 68 -j ACCEPT |
| fi |
| |
| # On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation) |
| # Drop broadcast & multicast on EXTIF to avoid log |
| $IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
| 420,6 → 424,13 |
|---|
| ############################# |
| # FORWARD # |
| ############################# |
| # On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet |
| # Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router |
| if [ "$interlan" != "on" ] |
| then |
| $IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP |
| fi |
| |
| # Blocage des IPs du SET bl_ip_blocked pour le SET av_bl |
| # Deny IPs of the SET bl_ip_blocked for the set av_bl |
| $IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited |
| 514,10 → 525,9 |
|---|
| # We let everything out on INTIF (see following rules for the EXTIF) |
| $IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT |
| |
| # Si configuré, on autorise les requêtes DHCP |
| # Allow DHCP requests if configured |
| public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
| if [[ "$public_ip_mask" == "dhcp" ]] |
| # Si configuré, on autorise les requêtes DHCP sur EXTIF |
| # Allow DHCP requests on EXTIF if configured |
| if [[ "$dhcp_on_extif" == "on" ]] |
| then |
| $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT |
| $IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT |