

Ignore whitespace Rev 3242 → Rev 3243

/alcasar.sh
1449,7 → 1449,7
$SED "s?^\.Define LISTDIR.*?\.Define LISTDIR <$DIR_E2G/lists/group1>?g" $DIR_E2G/e2guardianf1.conf
DIR_E2G_GROUP1="$DIR_E2G/lists/group1"
cp -r $DIR_E2G/lists/example.group $DIR_E2G_GROUP1
chown -R e2guardian:root $DIR_E2G_GROUP1
 
# RAZ bannedphraselist
$SED "s?^[^#]?#&?g" $DIR_E2G_GROUP1/bannedphraselist # (comment what is not)
# Disable URL control with regex
1475,19 → 1475,20
# Creation of files for rehabilited domains
> $DIR_E2G_GROUP1/exceptionsitelist
# Creation of files for rehabilited IP
[ -e $DIR_E2G/lists/common/exceptioniplist.default ] || mv $DIR_E2G/lists/common/exceptioniplist $DIR_E2G/lists/common/exceptioniplist.default
touch $DIR_E2G/lists/common/exceptioniplist
[ -e $DIR_E2G_GROUP1/exceptionsiteiplist.default ] || mv $DIR_E2G_GROUP1/exceptionsiteiplist $DIR_E2G_GROUP1/exceptionsiteiplist.default
> $DIR_E2G_GROUP1/exceptionsiteiplist
# Add Bing to the safesearch url regext list (parental control)
cat <<EOF >> $DIR_E2G_GROUP1/urlregexplist
# Bing - add 'adlt=strict'
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
EOF
# 'Safesearch' regex actualisation
# 'Safesearch' regex actualisation
$SED "s?images?search?g" $DIR_E2G_GROUP1/urlregexplist
# change the google safesearch ("safe=strict" instead of "safe=vss")
$SED "s?safe=vss?safe=strict?g" $DIR_E2G_GROUP1/urlregexplist
 
###### ALCASAR filtering for group2 (previously av_users) ####
chown -R e2guardian:root $DIR_E2G_GROUP1
chmod -R 660 $DIR_E2G_GROUP1
###### ALCASAR filtering for group2 (previously av_users) ####
# Create & adapt group2 conf file (av + av_wl)
cp $DIR_E2G/e2guardianf1.conf.default $DIR_E2G/e2guardianf2.conf
$SED "s?^#reportinglevel =.*?reportinglevel = 3?g" $DIR_E2G/e2guardianf2.conf
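Review bot: `chmod -R 660 $DIR_E2G_GROUP1` strips the execute bit from the group1 directory itself, so after the `chown -R e2guardian:root` on the line before it not even the owning user can traverse the directory to open the lists inside; if this line is on the new side it should set directory and file modes separately, e.g. `find "$DIR_E2G_GROUP1" -type d -exec chmod 770 {} +` followed by `find "$DIR_E2G_GROUP1" -type f -exec chmod 660 {} +`. The group is root here, while alcasar-conf.sh in this same revision restores the tree as e2guardian:apache with g+rw and bl_filter.php writes group1/exceptionsiteiplist from the web server, so the two scripts leave different permissions behind — worth aligning, or stating in a comment which one is authoritative. The `.default` rename guard followed by `> $DIR_E2G_GROUP1/exceptionsiteiplist` empties the list on every run, which is fine at install time but would discard the administrator's entries if this block were ever re-executed; a short comment such as `# install-time only: existing entries are discarded` would make that explicit. Every path expansion in the hunk is unquoted, so a `$DIR_E2G` containing whitespace would break the `mv`/`cp` calls; the enclosing script continues on both sides of the hunk.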
/scripts/alcasar-conf.sh
77,11 → 77,10
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE
# backup E2D BL/WL custom files
mkdir $DIR_UPDATE/custom_bl
for i in urlregexplist exceptionsitelist bannedurllist
for i in urlregexplist exceptionsitelist bannedurllist exceptionsiteiplist
do
cp $DIR_E2G/group1/$i $DIR_UPDATE/custom_bl/
done
cp $DIR_E2G/common/exceptioniplist $DIR_UPDATE/custom_bl/
cp -rf $DIR_BLACKLIST/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null
# backup conf files (main conf file, filtering, digest, etc.)
mkdir $DIR_UPDATE/etc/
177,10 → 176,10
[ -e $DIR_UPDATE/gammurc ] && cp -f $DIR_UPDATE/gammurc /etc/ # Gammu conf file
[ -e $DIR_UPDATE/gammu_smsd_conf ] && cp -f $DIR_UPDATE/gammu_smsd_conf /etc/ # Gammu_smsd conf file
# Retrieve BL/WL custom files
cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/common/
cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/group1/
cp -f $DIR_UPDATE/custom_bl/urlregexplist $DIR_E2G/group1/
cp -f $DIR_UPDATE/custom_bl/bannedurllist $DIR_E2G/group1/
for i in urlregexplist exceptionsitelist bannedurllist exceptionsiteiplist
do
cp -f $DIR_UPDATE/custom_bl/$i $DIR_E2G/group1/
done
cp -rf $DIR_UPDATE/custom_bl/ossi-* $DIR_BLACKLIST/ 2>/dev/null
chown -R e2guardian:apache $DIR_E2G
chmod -R g+rw $DIR_E2G
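Review bot: The restore loop `cp -f $DIR_UPDATE/custom_bl/$i $DIR_E2G/group1/` assumes every list in the loop exists in the backup, but a backup produced by the previous version of the save loop (which did not include `exceptionsiteiplist`) will make `cp` print an error for that file on upgrade, and abort the script if it runs under `set -e` — the top of the script is outside this hunk, so I cannot tell. Guarding each copy with `[ -e "$DIR_UPDATE/custom_bl/$i" ] && cp -f "$DIR_UPDATE/custom_bl/$i" "$DIR_E2G/group1/"` keeps the remaining lists restored. The `cp -rf … ossi-* … 2>/dev/null` lines already silence this class of error, so the same intent should be applied consistently rather than by accident.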
/scripts/alcasar-iptables.sh
1,7 → 1,6
#!/bin/bash
# $Id$
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script writes the netfilter rules for ALCASAR
# This script writes the netfilter rules for ALCASAR (see 'alcasar-iptables-bypass.sh' for iptables rules in Bypass mode)
# Rexy - 3abtux - CPN
#
# Reminders
53,7 → 52,7
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
IPTABLES="/sbin/iptables"
REHABILITED_IP="/etc/e2guardian/lists/common/exceptioniplist"
REHABILITED_IP="/etc/e2guardian/lists/group1/exceptionsiteiplist"
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
76,7 → 75,6
done
fi
 
# Sauvegarde des SET des utilisateurs connectés si ils existent
# Saving SET of connected users if it exists
ipset list not_filtered 1>/dev/null 2>&1
if [ $? -eq 0 ];
91,7 → 89,6
ipset save proto_3 >> $TMP_users_set_save
fi
 
# Sauvegarde de la liste de toutes les IP déjà connectées pour les réintégrer dans le load balancing
# Saving all of the already connected IP in order to put them back in the load balancing after
if [ ! -f $TMP_ip_gw_save ];then
# Save only if alcasar-network.sh --save has not been executed before
99,17 → 96,15
ipset list $i 1>/dev/null 2>&1
if [ $? -eq 0 ]
then
# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines execpt the members
# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines except the members
ipset list $i | cut -d":" -f5 | sed '/^[[:space:]]*$/d' >> $TMP_ip_gw_save
fi
done
fi
 
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)
# loading of NetFlow probe (ipt_NETFLOW kernel module)
modprobe ipt_NETFLOW destination=127.0.0.1:2055
 
# Effacement des règles existantes
# Flush all existing rules
$IPTABLES -F
$IPTABLES -t nat -F
118,12 → 113,10
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
 
# Suppression des chaines utilisateurs sur les tables filter et nat
# Flush non default rules on filter and nat tables
$IPTABLES -X
$IPTABLES -t nat -X
 
# Stratégies par défaut
# Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
132,18 → 125,34
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
#############################
# IPSET #
#############################
# destruction de tous les SET
# destroy all SET
######################################################################################
# IPSET dynamically loaded/unloaded by coova #
# 'not_filtered' : @IP of users without DNS filtering #
# 'av' : @IP of user with AV (no more used) #
# 'av_bl' : @IP of blacklisted users #
# 'av_wl' : @IP of whitelisted users #
# 'proto_0' : @IP of users without protocol filtering #
# 'proto_1 : @IP of users with web ports #
# 'proto_2 : @IP of users with web/ftp/mail/ssh ports #
# 'proto_3 : @IP of users with custom ports #
# IPSET dynamically loaded/unloaded by unbound #
# 'wl_ip_allowed' : @IP of web sites allowed #
# IPSET statically loaded #
# 'bl_ip_blocked' : @IP of sites in selected blacklisted categories #
# 'site_direct' : @IP/@network of trusted system/network (without authentication) #
# 'gwX' : @IP of Gws (to manage load balancing) #
# 'profil1_ports' : list of profil1 allowed ports #
# 'profil2_ports' : list of profil2 allowed ports #
# 'custom_ports' : list of custom allowed ports #
######################################################################################
# destruction de tous les SET / destroy all SET
ipset flush
ipset destroy
 
###### BL set ###########
# Calcul de la taille / Compute the length
###### 'bl_ip_blocked' set ######
# Compute the length
bl_set_length=$(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)
# Chargement / loading
# Loading
echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
do
151,13 → 160,13
done
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
# Suppression des ip réhabilitées / Removing of rehabilitated ip
# Removing of rehabilitated ip
for ip in $(cat $REHABILITED_IP)
do
ipset -q del bl_ip_blocked $ip
done
 
# ipset for exception web sites (usefull for filtered users = av_bl)
###### 'site_direct' (usefull only for authenticated and filtered users) ######
ipset create site_direct hash:net hashsize 1024
for site in $(cat $ALLOWED_SITES)
do
164,12 → 173,12
ipset add site_direct $site
done
 
###### WL set ###########
# taille fixe, car peuplé par unbound / fixe length due to unbound dynamic loading
###### 'wl_ip_allowed' set ######
# Fixe size as it is dynamically populated by unbound
wl_set_length=65536
# Chargement Loading
# Loading
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
#get ip-wl files from ACC
# get ip-wl files from ACC
for category in `ls -1 $WL_IP_CAT |cut -d '@' -f1`
do
cat $WL_IP_CAT/$category >> $TMP_set_save
177,7 → 186,6
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
 
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET
# Restoring the connected users SETs if available, otherwise creating SETs
if [ -e $TMP_users_set_save ];
then
188,7 → 196,7
ipset create av hash:ip hashsize 1024
ipset create av_bl hash:ip hashsize 1024
ipset create av_wl hash:ip hashsize 1024
# pour les filtrages de protocole par utilisateur / For network protocols filtering by user
# set d'utilisateurs pour le filtrages de protocoles / user set for protocol filtering
ipset create proto_0 hash:ip hashsize 1024
ipset create proto_1 hash:ip hashsize 1024
ipset create proto_2 hash:ip hashsize 1024
195,7 → 203,7
ipset create proto_3 hash:ip hashsize 1024
fi
 
#ipsets for load balancing
##### gw0, gw1, gwX : for load balancing ######
for i in $gw_list; do
ipset create $i hash:ip
done
223,10 → 231,43
done
rm -f $TMP_ip_gw_save
 
###### profil1_ports set ######
# http https
ipset create profil1_ports bitmap:port range 0-65535
for svc_port in 80 443
do
ipset add profil1_ports $svc_port
done
 
###### profil2_ports set ######
# ftp ftp-data ssh smtp http pop3 ftps imap https smtps(implicit) smtps(explicit) pop3s imaps smtps(explicit bis)
ipset create profil2_ports bitmap:port range 0-65535
for svc_port in 20 21 22 25 80 110 115 143 443 465 587 993 995 2525
do
ipset add profil2_ports $svc_port
done
 
###### custom_ports set ######
ipset create custom_ports bitmap:port range 0-65535
while read svc_line
do
svc_on=`echo $svc_line|cut -b1`
if [ $svc_on != "#" ]
then
svc_name=`echo $svc_line|cut -d" " -f1`
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
then
svc_icmp="on"
else
ipset add custom_ports $svc_port
fi
fi
done < /usr/local/etc/alcasar-services
 
#############################
# PREROUTING #
#############################
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
# 8080 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
238,7 → 279,6
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6
 
# Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT
# Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules
# 54 = ipset av_bl
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3
250,7 → 290,6
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 56 -j MARK --set-mark 5
 
# redirection DNS des usagers
# users DNS redirection
# 54 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -p udp --dport domain -j REDIRECT --to-port 54
262,21 → 301,17
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
 
# Redirection HTTP des usagers 'av_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'av_bl' users who want blacklist IP to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection HTTP des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'av_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Journalisation des usagers "av_bl + av_wl + av" (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
# accounting of "av_bl + av_wl + av" users (only syn packets). Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
 
# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian
# 8080 = ipset av_bl
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200
285,17 → 320,15
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
 
# Redirection des requêtes HTTPS sortantes des usagers av_bl + av_wl + av vers E2Guardian (in a future version - don't forget to set E2guardian as a tranparent HTTPS proxy)
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
 
# Redirection des requêtes NTP vers le serveur NTP local
# Redirect NTP request in local NTP server
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
 
#Récupération de la marque associée à une gw pour chaque connection
# Retrieving the mark associated with a gw for each connection
$IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark
 
if [ "$PROXY" == "on" ] || [ "$PROXY" == "On" ];then
302,7 → 335,7
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp -m multiport --dports http,https -j DNAT --to-destination $PROXY_IP
fi
 
#Marquage pour le load balancing
# Marking for load balancing
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
temp_index=200
for i in $gw_list; do
314,13 → 347,11
#############################
# INPUT #
#############################
# Tout passe sur loopback
# accept all on loopback
# Accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
 
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST and NEW not SYN)
# Drop non-standard connections (FIN-URG-PUSH, XMAS, NullScan, SYN-RST and NEW not SYN)
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
327,7 → 358,6
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
 
# Si configuré, on autorise les réponses DHCP sur EXTIF
# If configured, DHCP responses are allowed on EXTIF
if [[ "$dhcp_on_extif" == "on" ]]
then
335,28 → 365,23
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 68 -j ACCEPT
fi
 
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
# Drop broadcast & multicast on EXTIF to avoid log
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
# On autorise les retours de connexions légitimes par INPUT
# Conntrack on INPUT
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # av_bl
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8081 -m mark --mark 2 -j REJECT --reject-with tcp-reset # av_wl + av
#$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # av_bl + av_wl + av (future version)
 
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian
# Allow HTTP connections to E2Guardian
# Allow HTTP/HTTPS connections to E2Guardian
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8081 -m conntrack --ctstate NEW --syn -j ACCEPT
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT # (future version)
 
# On interdit les connexions directes aux ports d'écoupe DNS (UNBOUND). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections to DNS ports (UNBOUND). The concerned paquets are marked in mangle table (PREROUTING)
# Deny direct connections to DNS ports (UNBOUND). The concerned paquets are marked in mangle table (see PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 3 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 55 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable
364,7 → 389,6
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 5 -j REJECT --reject-with tcp-reset
 
# On autorise les connexion DNS légitime
# Allow DNS connections
# ipset = av_bl
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT
376,7 → 400,6
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT
 
# On accepte l'accès aux services internes
# Internal services access
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS
387,8 → 410,7
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
 
# Accès au serveur SSHD si activé en LAN et WAN
# SSHD server access in LAN and WAN if enabled
# SSHD server access from LAN (and from WAN if enabled)
if [ $SSH_LAN -gt 0 ]
then
$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
400,24 → 422,20
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
. /usr/local/etc/alcasar-iptables-local.sh
fi
 
# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN
# Deny and log on INPUT from the LAN
$IPTABLES -A INPUT -i $TUNIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 
# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
# Reject INTIF access (only when chilli is down)
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-group 3 --nflog-prefix "RULE Protect1 -- REJECT "
$IPTABLES -A INPUT -i $INTIF -j REJECT
 
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
 
425,13 → 443,11
# FORWARD #
#############################
 
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
# Deny IPs of the SET bl_ip_blocked for the set av_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 
# Active le suivi de session
# Allow Conntrack
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
447,74 → 463,31
done < /usr/local/etc/alcasar-uamallowed
fi
 
# filtrage protocole par utilisateur (profile 1 : http, https)
# protocols filtering for users (profil 1 : http, https)
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
# protocols filtering for users (profil1 = http, https)
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m set ! --match-set profil1_ports dst -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m set ! --match-set profil1_ports dst -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 
# filtrage protocole par utilisateur (profile 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh 465+587(smtps))
# protocols filtering for users (profil 2 : http https smtp pop3 pop3s imap imaps ftp sftp ssh 465+587(smtps))
# protocols filtering for users (profil2 = ftp ftp-data ssh smtp http pop3 ftps imap https smtps(implicit) smtps(explicit) pop3s imaps smtps(explicit bis))
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m set ! --match-set profil2_ports dst -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m set ! --match-set profil2_ports dst -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh,465,587 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports smtp,http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh,465,587 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
# protocols filtering for users (profil 3 : customized with ACC)
custom_tcp_protocols_list='';custom_udp_protocols_list=''
while read svc_line
do
svc_on=`echo $svc_line|cut -b1`
if [ $svc_on != "#" ]
then
svc_name=`echo $svc_line|cut -d" " -f1`
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
then
svc_icmp="on"
else
if [ "$custom_tcp_protocols_list" == "" ]
then
custom_tcp_protocols_list=$svc_port
else
custom_tcp_protocols_list=`echo $custom_tcp_protocols_list","$svc_port`
fi
udp_svc=`grep -E "[[:space:]]$svc_port/udp" /etc/services|wc -l`
if [ $udp_svc = "1" ] # udp service exist
then
if [ "$custom_udp_protocols_list" == "" ]
then
custom_udp_protocols_list=$svc_port
else
custom_udp_protocols_list=`echo $custom_udp_protocols_list","$svc_port`
fi
fi
fi
fi
done < /usr/local/etc/alcasar-services
if [ "$custom_tcp_protocols_list" == "" ]
then
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -j REJECT
else
if [ "$svc_icmp" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j REJECT --reject-with icmp-proto-unreachable
fi
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports $custom_tcp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
fi
if [ "$svc_icmp" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j REJECT --reject-with icmp-proto-unreachable
fi
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp -m set ! --match-set custom_ports dst -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m set ! --match-set custom_ports dst -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 
# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet
# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router
# Users are allowed (or not) to access the network between ALCASAR and the Internet router
if [ "$interlan" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP
fi
 
# Blocage des usagers 'av_wl' cherchant à joindre les IP qui ne sont pas dans la WL
# Block 'av_wl' users who want IP not in the WL
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_wl src -m set ! --match-set wl_ip_allowed dst -j DROP
 
# journalisation et autorisation des connections sortant du LAN
# Allow forward connections with log
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j ACCEPT
522,11 → 495,9
#############################
# OUTPUT #
#############################
# On laisse tout sortir sur la carte interne (voir les règles suivantes pour la carte externe)
# We let everything out on INTIF (see following rules for the EXTIF)
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 
# Si configuré, on autorise les requêtes DHCP sur EXTIF
# Allow DHCP requests on EXTIF if configured
if [[ "$dhcp_on_extif" == "on" ]]
then
534,11 → 505,9
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT
fi
 
# On autorise les requêtes DNS vers les serveurs DNS identifiés
# Allow DNS requests to identified DNS servers
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT
 
# On autorise les requêtes HTTP et HTTPS avec log Netflow (en provenance de E2guardian)
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
545,11 → 514,9
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
 
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
# RSYNC requests are allowed (update of Toulouse BL)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
 
# On autorise les requêtes FTP
# FTP requests are allowed
# modprobe nf_conntrack_ftp # no more needed with kernel > 5.15.85
# $IPTABLES -t raw -A OUTPUT -p tcp --dport ftp -j CT --helper ftp # no more needed with kernel > 5.15.85
556,15 → 523,12
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# On autorise les requêtes NTP
# NTP requests are allowed
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
 
# On autorise les requêtes ICMP (ping)
# ICMP (ping) requests are allowed
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
 
# On autorise les requêtes LDAP
# LDAP requests are allowed
$IPTABLES -A OUTPUT -o $EXTIF -p tcp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
572,11 → 536,10
#############################
# POSTROUTING #
#############################
# Traduction dynamique d'adresse en sortie
# Dynamic NAT on EXTIF
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
#Sauvegarde de la marque associée à la connexion pour le load balancing
# Saving the load balancing mark
$IPTABLES -A POSTROUTING -t mangle -j CONNMARK --save-mark
 
#############################
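Review bot: In the added `custom_ports` block, `while read svc_line` together with `svc_on` taken as the first byte of the unquoted `$svc_line` and the unquoted test `[ $svc_on != "#" ]` breaks on a blank or whitespace-only line in /usr/local/etc/alcasar-services: the test fails with "unary operator expected" and `ipset add custom_ports` is then called with an empty port; the per-profile loop removed from the FORWARD hunk had the same weakness, so this is carried over rather than introduced, but the new block is the only place `svc_icmp` is set for the FORWARD rules further down, so it must stay ahead of them. Reading the two fields directly with `read -r` and skipping comment and blank lines with a `case` keeps the same behaviour for well-formed lines (below). Separately, the comment above `profil2_ports` does not match its port list positionally: in /etc/services 20 is ftp-data and 21 ftp, 115 is sftp (not ftps, which is 990), 993 is imaps and 995 is pop3s — worth correcting so nobody reads the list as allowing FTPS. The enclosing script continues on both sides of each hunk.
```shell
###### custom_ports set ######
ipset create custom_ports bitmap:port range 0-65535
# one service per line: "<name> <port>"; a leading '#' marks a comment
while read -r svc_name svc_port _
do
	case "$svc_name" in
		''|'#'*) continue ;;
	esac
	if [ "$svc_name" = "icmp" ]
	then
		svc_icmp="on"
	elif [ -n "$svc_port" ]
	then
		ipset add custom_ports "$svc_port"
	fi
done < /usr/local/etc/alcasar-services
```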
/scripts/alcasar-uninstall.sh
104,7 → 104,7
 
e2guardian ()
{
echo -en "(8) : "
echo -en "(7) : "
[ -d /var/e2guardian ] && rm -rf /var/e2guardian
[ -d /var/dansguardian ] && rm -rf /var/dansguardian
if [ -e /etc/systemd/system/e2guardian.service ]; then
116,8 → 116,7
[ -e /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html ] && rm /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html && echo -n "4, "
[ -e /etc/e2guardian/e2guardianf1.conf.default ] && mv /etc/e2guardian/e2guardianf1.conf.default /etc/e2guardian/e2guardianf1.conf && echo -n "5, "
[ -d /etc/e2guardian/lists/group1 ] && rm -rf /etc/e2guardian/lists/group1 && echo -n "6, "
[ -e /etc/e2guardian/lists/common/exceptioniplist.default ] && mv /etc/e2guardian/lists/common/exceptioniplist.default /etc/e2guardian/lists/common/exceptioniplist && echo -n "7, "
[ -e /etc/e2guardian/e2guardianf2.conf ] && rm -f /etc/e2guardian/e2guardianf2.conf && echo -n "8."
[ -e /etc/e2guardian/e2guardianf2.conf ] && rm -f /etc/e2guardian/e2guardianf2.conf && echo -n "7"
}
 
antivirus ()
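Review bot: The final step of `e2guardian ()` now prints `echo -n "7"` where the previous final step printed `"8."`, so the numbered progress list loses its terminating period and runs straight into whatever the caller prints next; `echo -n "7."` keeps the format of the preceding `"N, "` steps. If the `exceptioniplist.default` restore line is the one removed here while alcasar.sh in this revision still renames `common/exceptioniplist` to `.default` at install time, uninstalling would leave that file renamed — I cannot tell that line's side from this page, so please confirm. The function body runs past the end of the hunk.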
/web/acc/admin/bl_filter.php
294,7 → 294,7
fputs($fichier, form_filter($_POST['BL_rehabilited_domains']));
fclose($fichier);
unset($_POST['BL_rehabilited_domains']);
$fichier=fopen($dir_dg."group1/exceptioniplist","w+");
$fichier=fopen($dir_dg."group1/exceptionsiteiplist","w+");
fputs($fichier, form_filter($_POST['BL_rehabilited_ip']));
fclose($fichier);
unset($_POST['BL_rehabilited_ip']);
466,7 → 466,7
echo "<td width=50% colspan=5 align=center>";
echo "<H3>$l_rehabilitated_ip</H3>$l_rehabilitated_ip_explain<BR>$l_one_ip<BR>";
echo "<textarea name='BL_rehabilited_ip' rows=3 cols=40>";
echo_file ($dir_dg."group1/exceptioniplist");
echo_file ($dir_dg."group1/exceptionsiteiplist");
echo "</textarea></td></tr>";
echo "<tr><td valign='middle' align='left' colspan=10>";
echo "<center><b>$l_add_to_bl</b></center></td></tr>";
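Review bot: The result of `fopen($dir_dg."group1/exceptionsiteiplist","w+")` is not checked before `fputs`, so when the file is not writable by the web server user the administrator's rehabilitated-IP list is dropped with only a PHP warning; a guard such as `if ($fichier === false) { /* report and skip */ }` before the write would surface the failure. What `form_filter()` does to the posted text is outside this hunk; since alcasar-iptables.sh consumes this file through an unquoted `for ip in $(cat $REHABILITED_IP)` feeding `ipset -q del`, each line should be validated as an IPv4 address or CIDR before it is written, because `-q` means a malformed entry is never reported on the firewall side. The enclosing request handler starts outside the hunk.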
/web/acc/admin/protocols_filter.php
17,8 → 17,8
$Language = strtolower(substr(chop($Langue[0]),0,2)); }
if($Language == 'fr') {
$l_remove="Retirer de la liste";
$l_title_proto = "Filtrage prersonnalisée de protocoles réseau";
$l_comment="Définissez ici la liste personalisée de protocoles réseau filtrés. Vous pouvez ensuite l'attribuer à des utilisateurs (cf. creation/gestion des utilisateurs).";
$l_title_proto = "Filtrage personnalisée de protocoles réseau";
$l_comment="Définissez ici la liste personalisée de protocoles réseau autorisés. Vous pouvez ensuite l'attribuer à des utilisateurs (cf. creation/gestion des utilisateurs).";
$l_protocols="Protocoles autorisés";
$l_error_open_file="Erreur d'ouverture du fichier";
$l_port="Numéro de port";
28,8 → 28,8
$l_save="Enregistrer les modifications";
} else if($Language == 'es') {
$l_remove="Bloquear";
$l_title_proto = "Filtro de protocolos de red personalizados";
$l_comment="Puede definir aquí el filtrado de protocolos de red personalizados. Luego, puede asignarlo a un usuario (consulte crear / administrar usuarios)";
$l_title_proto = "Filtrado personalizado de protocolos de red";
$l_comment="Aquí puede definir su propia lista de protocolos de red autorizados. Luego, puede asignarlo a un usuario (consulte crear / administrar usuarios)";
$l_protocols="Autorizar protocolos";
$l_error_open_file="Error al abrir el archivo";
$l_port="Número de puerto";
39,8 → 39,8
$l_save="guardar cambios";
} else {
$l_remove="Remove from list";
$l_title_proto = "Custom network protocols filter";
$l_comment="You can define here the custom network protocols filtering. Then, You can assign it to a user (see create/manage users)";
$l_title_proto = "Custom network protocols filtering";
$l_comment="Here, you can define your own list of authorized network protocols. Then, You can assign it to a user (see create/manage users)";
$l_protocols="Authorize protocols";
$l_error_open_file="Error opening the file";
$l_port="Port number";
/web/acc/manager/auth_exceptions.php
32,14 → 32,14
if($Language == 'fr'){
$l_load="Chargement...";
$l_error_open_file = "Erreur d'ouverture du fichier";
$l_trusted_domain = "Noms de domaine Internet de confiance";
$l_trusted_domain = "Noms de domaine de confiance";
$l_domain = "Noms de domaine";
$l_comment_explain = "Lien affiché dans la page d'interception";
$l_comment_explain2 = "Laissez vide si non affiché";
$l_remove = "Retirer de la liste";
$l_trusted_ip = "adresses IP de confiance";
$l_trusted_dest_ip = "adresses IP destination de confiance";
$l_trusted_equipments = "Equipements de consultation de confiance";
$l_trusted_dest_ip = "Adresses IP destination de confiance";
$l_trusted_equipments = "Équipements de consultation de confiance";
$l_comment = "Commentaires";
$l_trusted_domain_explain = "Gérez ici les noms de domaine Internet pouvant être joints sans authentification";
$l_trusted_equipments_explain = "Pour qu'un équipement du réseau de consultation puisse accéder à Internet sans être interceptés : créer un utilisateur dont le nom de login est l'@MAC de l'équipement et le mot de passe est 'password'" ;