31,6 → 31,9 |
DNS_FILTERING=${DNS_FILTERING:=off} |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty |
FILE_IP_WL="/usr/local/share/ossi_wl" # ip of the whitelist |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
QOS=${QOS:=off} |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
46,7 → 49,19 |
TUNIF="tun0" # listen device for chilli daemon |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP |
SAVE_DIR="/etc/sysconfig" # Saving path |
|
# Sauvegarde des SET des utilisateurs connectés si ils existent |
# Saving SET of connected users if it exists |
ipset list no_filtering_set 1>/dev/null 2>&1 |
if [ $? -eq 0 ]; |
then |
ipset save no_filtering_set > $TMP_users_set_save |
ipset save havp_set >> $TMP_users_set_save |
ipset save havp_bl_set >> $TMP_users_set_save |
ipset save havp_wl_set >> $TMP_users_set_save |
fi |
|
# loading of NetFlow probe (ipt_NETFLOW kernel module) |
modprobe ipt_NETFLOW destination=127.0.0.1:2055 |
|
77,35 → 92,19 |
# destroy all SET |
ipset destroy |
|
# Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown) |
# creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts) |
ipset create authenticated_ip hash:net hashsize 1024 |
OLDIFS=$IFS |
IFS=$'\n' |
for equipment in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"` |
do |
active_ip=`echo $equipment |cut -d" " -f2` |
active_session=`echo $equipment |cut -d" " -f5` |
if [[ $(expr $active_session) -eq 1 ]] |
then |
ipset add authenticated_ip $active_ip |
fi |
done |
IFS=$OLDIFS |
|
# Calcul de la taille de l'ipset |
# Calcul de la taille du set |
cd $BL_IP_CAT |
ipset_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
set_bl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
|
# Création du fichier set temporaire, remplissage, chargement et suppression |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > /tmp/ipset_save |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $set_bl_length" > $TMP_set_save |
for category in `ls -1 | cut -d '@' -f1` |
do |
cat $BL_IP_CAT/$category >> /tmp/ipset_save |
cat $BL_IP_CAT/$category >> $TMP_set_save |
done |
cat $BL_IP_OSSI >> /tmp/ipset_save |
ipset -! restore < /tmp/ipset_save |
rm -f /tmp/ipset_save |
cat $BL_IP_OSSI >> $TMP_set_save |
ipset -! restore < $TMP_set_save |
rm -f $TMP_set_save |
|
# Extraction des ip réhabilitées |
for ip in $(cat $IP_REHABILITEES) |
113,9 → 112,35 |
ipset del blacklist_ip_blocked $ip |
done |
|
# Sauvegarde de tous les set (pour restaurer après redémarrage) |
ipset save > /etc/sysconfig/ipset_save |
# Calcul de la taille du set de la whitelist |
set_wl_length=$(wc -l $FILE_IP_WL | awk '{print $1}') |
|
# Création du fichier set temporaire, remplissage, chargement et suppression |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save |
cat $FILE_IP_WL >> $TMP_set_save |
ipset -! restore < $TMP_set_save |
rm -f $TMP_set_save |
|
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET |
if [ -e $TMP_users_set_save ]; |
then |
ipset -! restore < $TMP_users_set_save |
rm -f $TMP_users_set_save |
else |
ipset create no_filtering_set hash:net hashsize 1024 |
ipset create havp_set hash:net hashsize 1024 |
ipset create havp_bl_set hash:net hashsize 1024 |
ipset create havp_wl_set hash:net hashsize 1024 |
fi |
|
# Sauvegarde de tous les set sauf ceux d'interception (pour restaurer après redémarrage) |
ipset save blacklist_ip_blocked > $SAVE_DIR/ipset_save |
ipset save whitelist_ip_allowed >> $SAVE_DIR/ipset_save |
echo "create no_filtering_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save |
echo "create havp_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save |
echo "create havp_bl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save |
echo "create havp_wl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save |
|
############################# |
# PREROUTING # |
############################# |
126,40 → 151,45 |
|
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT |
# Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules |
# Remarque : Ce port n'est ouvert que lorsque le filtrage est activé |
# Remark : this port is only open when filtering is on |
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP -m udp --dport 54 -j ULOG --ulog-prefix "RULE DNS-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 2 |
|
# Si le filtrage DNS est activé, redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions |
# If DNS filter is on, redirect DNS request to udp 54 (dns+blackhole) except for exception IP addresses |
if [ $DNS_FILTERING = on ]; then |
# Compute exception IP |
nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1` |
if [ $nb_exceptions != "0" ] |
then |
while read ip_exception |
do |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT |
done < /usr/local/etc/alcasar-filter-exceptions |
fi |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
fi |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 55 pour pouvoir les rejeter en INPUT |
# Mark (and log) the udp 55 direct attempts to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 3 |
|
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window) |
if [ $DNS_FILTERING = on ]; then |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
fi |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 pour pouvoir les rejeter en INPUT |
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 4 |
|
# Aiguillage des flux DNS |
# Switching DNS streams |
# havp_bl_set --> redirection vers le port 54 |
# havp_bl_set --> redirect to port 54 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
# havp_wl_set --> redirection vers le port 55 |
# havp_wl_set --> redirect to port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55 |
|
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
|
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
|
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent) |
# Redirect outbound HTTP requests to DansGuardian (transparent proxy) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_set |
# Redirect outbound HTTP requests to HAVP for the set havp_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
|
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent) pour le set havp_bl_set |
# Redirect outbound HTTP requests to DansGuardian (transparent proxy) for the set havp_bl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
|
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_wl_set |
# Redirect outbound HTTP requests to HAVP for the set havp_wl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
|
# Redirection des requêtes NTP vers le serveur NTP local |
# Redirect NTP request in local NTP server |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123 |
199,15 → 229,31 |
|
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable |
|
# autorisation des connexion légitime à DNSMASQ (avec blackhole) |
# Allow connections for DNSMASQ (with blackhole) |
# On interdit les connexions directes au port UDP 55. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on UDP 55. The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable |
|
# On interdit les connexions directes au port 8090. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on 8090. The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 4 -j REJECT --reject-with tcp-reset |
|
# Autorisation des connexions légitimes à HAVP |
# Allow connections for HAVP |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m state --state NEW --syn -j ACCEPT |
|
# autorisation des connexion légitime à DNSMASQ (avec blacklist) |
# Allow connections for DNSMASQ (with blacklist) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT |
|
# autorisation des connexion légitime à DNSMASQ (avec whitelist) |
# Allow connections for DNSMASQ (with whitelist) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT |
|
# Accès direct aux services internes |
# Internal services access |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blackhole |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blacklist |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC |
245,83 → 291,69 |
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service) |
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP" |
|
|
############################# |
# FORWARD # |
############################# |
|
# Blocage des IPs du SET blacklist_ip_blocked pour le SET havp_bl_set |
# Deny IPs of the SET blacklist_ip_blocked for the set havp_bl_set |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
|
# Rejet des requêtes DNS vers Internet |
# Deny forward DNS |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset |
|
if [ $DNS_FILTERING = on ]; then |
# Blocage des IPs du SET blacklist_ip_blocked |
# Deny IPs of the SET blacklist_ip_blocked |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
fi |
|
# Autorisation des retours de connexions légitimes |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
|
# If protocols filter is activate |
if [ $PROTOCOLS_FILTERING = on ]; then |
# Compute exception IP (IP addresses that shouldn't be filtered) |
nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1` |
if [ $nb_exceptions != "0" ] |
then |
while read ip_exception |
do |
# $IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-filter-exceptions |
fi |
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) |
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1` |
if [ $nb_uamallowed != "0" ] |
then |
while read ip_allowed_line |
do |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2` |
# If protocols filter is activate |
#if [ $PROTOCOLS_FILTERING = on ]; then |
# # Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) |
# nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1` |
# if [ $nb_uamallowed != "0" ] |
# then |
# while read ip_allowed_line |
# do |
# ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2` |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-uamallowed |
fi |
# Autorisation des protocoles non commentés |
# Allow non comment protocols |
while read svc_line |
do |
svc_on=`echo $svc_line|cut -b1` |
if [ $svc_on != "#" ] |
then |
svc_name=`echo $svc_line|cut -d" " -f1` |
svc_port=`echo $svc_line|cut -d" " -f2` |
if [ $svc_name = "icmp" ] |
then |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT |
else |
|
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT |
# done < /usr/local/etc/alcasar-uamallowed |
# fi |
# # Autorisation des protocoles non commentés |
# # Allow non comment protocols |
# while read svc_line |
# do |
# svc_on=`echo $svc_line|cut -b1` |
# if [ $svc_on != "#" ] |
# then |
# svc_name=`echo $svc_line|cut -d" " -f1` |
# svc_port=`echo $svc_line|cut -d" " -f2` |
# if [ $svc_name = "icmp" ] |
# then |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT |
# else |
# |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT |
fi |
fi |
done < /usr/local/etc/alcasar-services |
# Rejet explicite des autres protocoles |
# reject the others protocols |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT |
# fi |
# fi |
# done < /usr/local/etc/alcasar-services |
# # Rejet explicite des autres protocoles |
# # reject the others protocols |
# $IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT " |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT |
fi |
# $IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
# $IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
# $IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT |
#fi |
|
# If QOS is activate # |
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then |
372,7 → 404,6 |
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
fi |
|
|
############################# |
# POSTROUTING # |
############################# |