30,8 → 30,10 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off) |
DNS_FILTERING=${DNS_FILTERING:=off} |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty |
FILE_IP_WL="/usr/local/share/ossi_wl" # ip of the whitelist |
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist |
WL_IP_OSSI_DOMAIN="/usr/local/share/iptables-wl/ossi" # ip of the domain names whitelist |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
44,8 → 46,8 |
LDAP=${LDAP:=off} |
LDAP_IP=`grep LDAP_IP= $conf_file|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side) |
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"} |
EXTIF="eth0" |
INTIF="eth1" |
EXTIF="enp1s0" |
INTIF="enp2s0" |
TUNIF="tun0" # listen device for chilli daemon |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP |
92,11 → 94,13 |
# destroy all SET |
ipset destroy |
|
# Calcul de la taille du set |
# Calcul de la taille du set de la blacklist |
# Compute the blacklist set length |
cd $BL_IP_CAT |
set_bl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}'))) |
|
# Création du fichier set temporaire, remplissage, chargement et suppression |
# Creating the temporary set file, filling, loading and deleting |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $set_bl_length" > $TMP_set_save |
for category in `ls -1 | cut -d '@' -f1` |
do |
107,6 → 111,7 |
rm -f $TMP_set_save |
|
# Extraction des ip réhabilitées |
# Extracting rehabilitated ip |
for ip in $(cat $IP_REHABILITEES) |
do |
ipset del blacklist_ip_blocked $ip |
113,15 → 118,24 |
done |
|
# Calcul de la taille du set de la whitelist |
set_wl_length=$(wc -l $FILE_IP_WL | awk '{print $1}') |
# Compute the whitelist set length |
cd $WL_IP_CAT |
set_wl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $WL_IP_OSSI | awk '{print $1}')+$(wc -l $WL_IP_OSSI_DOMAIN | awk '{print $1}'))) |
|
# Création du fichier set temporaire, remplissage, chargement et suppression |
# Creating the temporary set file, filling, loading and deleting |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save |
cat $FILE_IP_WL >> $TMP_set_save |
for category in `ls -1 | cut -d '@' -f1` |
do |
cat $WL_IP_CAT/$category >> $TMP_set_save |
done |
cat $WL_IP_OSSI >> $TMP_set_save |
cat $WL_IP_OSSI_DOMAIN >> $TMP_set_save |
ipset -! restore < $TMP_set_save |
rm -f $TMP_set_save |
|
# Restoration des SET des utilisateurs connectés si ils existent sinon création des SET |
# Restoring the connected users SETs if available, otherwise creating SETs |
if [ -e $TMP_users_set_save ]; |
then |
ipset -! restore < $TMP_users_set_save |
134,6 → 148,7 |
fi |
|
# Sauvegarde de tous les set sauf ceux d'interception (pour restaurer après redémarrage) |
# Backup all sets except interception set |
ipset save blacklist_ip_blocked > $SAVE_DIR/ipset_save |
ipset save whitelist_ip_allowed >> $SAVE_DIR/ipset_save |
echo "create no_filtering_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save |
162,6 → 177,10 |
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 4 |
|
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8091 pour pouvoir les rejeter en INPUT |
# Mark (and log) the 8091 direct attempts to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8091 -j MARK --set-mark 5 |
|
# Aiguillage des flux DNS |
# Switching DNS streams |
# havp_bl_set --> redirection vers le port 54 |
174,13 → 193,16 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
|
# Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
|
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
|
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_set |
# Redirect outbound HTTP requests to HAVP for the set havp_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
# Redirection des requêtes HTTP sortantes vers HAVP (8091) pour le set havp_set |
# Redirect outbound HTTP requests to HAVP (8091) for the set havp_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8091 |
|
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent) pour le set havp_bl_set |
# Redirect outbound HTTP requests to DansGuardian (transparent proxy) for the set havp_bl_set |
188,7 → 210,7 |
|
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_wl_set |
# Redirect outbound HTTP requests to HAVP for the set havp_wl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8091 |
|
# Redirection des requêtes NTP vers le serveur NTP local |
# Redirect NTP request in local NTP server |
239,10 → 261,18 |
# Deny direct connections on 8090. The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 4 -j REJECT --reject-with tcp-reset |
|
# On interdit les connexions directes au port 8091. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on 8091. The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8091 -m mark --mark 5 -j REJECT --reject-with tcp-reset |
|
# Autorisation des connexions légitimes à HAVP |
# Allow connections for HAVP |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m state --state NEW --syn -j ACCEPT |
|
# Autorisation des connexions légitimes à HAVP |
# Allow connections for HAVP |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8091 -m state --state NEW --syn -j ACCEPT |
|
# autorisation des connexion légitime à DNSMASQ (avec blacklist) |
# Allow connections for DNSMASQ (with blacklist) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT |