12,6 → 12,9 |
# 4 extern access attempts on ALCASAR with the Ulog group 3. |
# The bootps/dhcp (67) port is always open on tun0/INTIF by coova |
CONF_FILE="/usr/local/etc/alcasar.conf" |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace |
TUNIF="tun0" # listen device for chilli daemon |
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2` |
private_ip_mask=${private_ip_mask:=192.168.182.1/24} |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
22,7 → 25,7 |
if [[ "$public_ip_mask" == "dhcp" ]] |
then |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b" |
$public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN` |
public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN` |
dns1=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|head -n 1` |
nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l` |
if [ $nb_dns == 2 ] |
55,9 → 58,6 |
LDAP=${LDAP:=off} |
LDAP_IP=`grep ^LDAP_IP= $CONF_FILE|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side) |
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"} |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace |
TUNIF="tun0" # listen device for chilli daemon |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP |
SAVE_DIR="/etc/sysconfig" # Saving path |
227,6 → 227,14 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP |
|
# Si configéré, on autorise les réponses DHCP |
# Allow DHCP answers if configured |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
if [[ "$public_ip_mask" == "dhcp" ]] |
then |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 68 -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 68 -j ACCEPT |
fi |
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation) |
# Drop broadcast & multicast on EXTIF to avoid log |
$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
400,6 → 408,15 |
# Everything is allowed but traffic through outside network interface |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT |
|
# Si configéré, on autorise les requêtes DHCP |
# Allow DHCP requests if configured |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
if [[ "$public_ip_mask" == "dhcp" ]] |
then |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT |
fi |
|
# On autorise les requêtes DNS vers les serveurs DNS identifiés |
# Allow DNS requests to identified DNS servers |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT |
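Review bot: The two rules added under "Allow DHCP answers if configured" in the 227 hunk are in the OUTPUT chain with `--dport 68`, but a DHCP answer to this host arrives on EXTIF through the INPUT chain (UDP, source port 67, destination port 68), so they never match the traffic the comment describes while opening an outbound path only a DHCP server would use; `$IPTABLES -A INPUT -i $EXTIF -p udp --sport 67 --dport 68 -j ACCEPT` is what the comment calls for, and it belongs among the INPUT rules the hunk already sits between. DHCP is UDP-only, so the `-p tcp` variants in both this hunk and the 400 hunk can be dropped, and the request rule there can be tightened to `$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 68 --dport 67 -j ACCEPT`. The pattern in the 22 hunk is passed unquoted (`egrep -o $PTN`) and contains glob characters (`?`, `[...]`), so `egrep -o "$PTN"` avoids accidental filename expansion against the current directory. `public_ip_mask` is now read from `$CONF_FILE` in three places; reading it once next to the EXTIF/INTIF assignments moved into the 12 hunk would keep a single source of truth. Whether the DHCP client in use on this host actually traverses the filter table (a packet-socket-based client bypasses it) cannot be told from the hunk, so the need for these rules is an assumption worth confirming.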