Subversion Repositories ALCASAR

Compare Revisions

Regard whitespace Rev 1586 → Rev 1587

/scripts/alcasar-iptables.sh
12,6 → 12,9
# 4 extern access attempts on ALCASAR with the Ulog group 3.
# The bootps/dhcp (67) port is always open on tun0/INTIF by coova
CONF_FILE="/usr/local/etc/alcasar.conf"
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
TUNIF="tun0" # listen device for chilli daemon
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
22,7 → 25,7
if [[ "$public_ip_mask" == "dhcp" ]]
then
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
$public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`
public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`
dns1=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|head -n 1`
nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
if [ $nb_dns == 2 ]
55,9 → 58,6
LDAP=${LDAP:=off}
LDAP_IP=`grep ^LDAP_IP= $CONF_FILE|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
TUNIF="tun0" # listen device for chilli daemon
IPTABLES="/sbin/iptables"
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
SAVE_DIR="/etc/sysconfig" # Saving path
227,6 → 227,14
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
 
# Si configéré, on autorise les réponses DHCP
# Allow DHCP answers if configured
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
if [[ "$public_ip_mask" == "dhcp" ]]
then
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 68 -j ACCEPT
fi
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
# Drop broadcast & multicast on EXTIF to avoid log
$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
400,6 → 408,15
# Everything is allowed but traffic through outside network interface
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 
# Si configéré, on autorise les requêtes DHCP
# Allow DHCP requests if configured
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
if [[ "$public_ip_mask" == "dhcp" ]]
then
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT
fi
 
# On autorise les requêtes DNS vers les serveurs DNS identifiés
# Allow DNS requests to identified DNS servers
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT