Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1389 → Rev 1390

/scripts/alcasar-iptables.sh
30,10 → 30,8
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
DNS_FILTERING=${DNS_FILTERING:=off}
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist
WL_IP_OSSI_DOMAIN="/usr/local/share/iptables-wl/ossi" # ip of the domain names whitelist
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
117,20 → 115,10
ipset del blacklist_ip_blocked $ip
done
 
# Calcul de la taille du set de la whitelist
# Compute the whitelist set length
cd $WL_IP_CAT
set_wl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $WL_IP_OSSI | awk '{print $1}')+$(wc -l $WL_IP_OSSI_DOMAIN | awk '{print $1}')))
 
# Création du fichier set temporaire, remplissage, chargement et suppression
# Creating the temporary set file, filling, loading and deleting
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save
for category in `ls -1 | cut -d '@' -f1`
do
cat $WL_IP_CAT/$category >> $TMP_set_save
done
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024" > $TMP_set_save
cat $WL_IP_OSSI >> $TMP_set_save
cat $WL_IP_OSSI_DOMAIN >> $TMP_set_save
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
 
184,9 → 172,6
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "