WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh


#!/bin/sh
# $Id: alcasar-iptables.sh 493 2011-02-14 06:46:55Z franck $
# script de mise en place des regles du parefeu d'Alcasar (mode normal)
# Rexy - 3abtux - CPN
# there are three channels for log : 1 (default) for tracability, 2 for secure admin (ssh), 3 for exterior access attempts,
 
IPTABLES="/sbin/iptables"
FILTERING="no"
QOS="no"
EXTIF="eth0"
INTIF="eth1"
TUNIF="tun0"
PRIVATE_NETWORK_MASK="192.168.182.0/24"
PRIVATE_IP="192.168.182.1"
 
# Flush all existing rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -N SYN-FLOOD
 
# Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
# Flush non default rules on filter and nat tables
$IPTABLES -X
$IPTABLES -t nat -X
 
# accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
 
# Block all attempts to spoof the loopback address
$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP
 
# Block all attempts to spoof the local IP address
$IPTABLES -A INPUT -s $PRIVATE_IP -j DROP
 
# Block Syn Flood attacks
$IPTABLES -A INPUT -p tcp -m tcp --syn -j SYN-FLOOD
 
# Syn flood filtering chain
$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A SYN-FLOOD -j DROP
 
# Ensure that TCP connections start with syn packets
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
 
#############################
#       INTIF rules         #
#############################
# accept dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
# INTIF is closed (all by TUNIF)
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
$IPTABLES -A INPUT -i $INTIF -j REJECT
 
#############################
#  Local protection rules   #
#############################
# Drop XMAS & NULLscans 
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Drop broadcast & multicast
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
# Antispoofing rules with log
$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY "
$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j DROP
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY "
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP
# Allow ping (icmp N°0 & 8) from LAN
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
 
#  Here, we add local rules (i.e. ssh from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
        . /usr/local/etc/alcasar-iptables-local.sh
fi
 
# Deny forward DNS (even for authenticated users ...)
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 
# Conntrack on forward
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
#####################################
#  If protocols filter is activate  #
#####################################
if [ $FILTERING = "yes" ]; then
	# Compute exception IP
	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
	if [ $nb_exceptions != "0" ]
	then
		while read ip_exception 
		do
			echo $ip_exception 
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
		done < /usr/local/etc/alcasar-filter-exceptions
	fi
	# Allow non comment protocols
	while read svc_line
	do
		svc_on=`echo $svc_line|cut -b1`
		if [ $svc_on != "#" ]
		then	
			svc_name=`echo $svc_line|cut -d" " -f1`
			svc_port=`echo $svc_line|cut -d" " -f2`
			if [ $svc_name = "icmp" ]
			then
				$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT 
			else
				$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "
				$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
			fi
		fi
	done < /usr/local/etc/alcasar-services
	# reject the others
	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT 
fi
 
########################
#  If QOS is activate  #
########################
if [ $QOS = "yes" ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
	. /usr/local/etc/alcasar-iptables-qos.sh 	
fi
 
# Allow forward connections with log
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT
 
####################################################################################
#  Imput from local network (dns, ntp, https, http, ssh and 3990 (user disconnect) #
####################################################################################
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT
 
# Conntrack on INPUT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# Deny direct connections on DansGuardian port (8080)
# The concerned paquets are marked by a pre-routing rule (see further)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j DROP
# Allow connections for DansGuardian
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
 
# Log HTTP requests (only syn)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
# Redirect HTTP request in DansGuardian (transparent proxy)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -j REDIRECT --to-port 8080
# Mark the dansguardian bypass attempts
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j MARK --set-mark 1
 
# Deny and log on INPUT from the LAN
$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
# Drop on EXTIF
$IPTABLES -A INPUT -i $EXTIF -j DROP
 
# Dynamic NAT on EXTIF
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
# Save all rules
/etc/init.d/iptables save
 
# no martians log (for mdv2009 only)
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
 
# End of script
 
 

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh @ 2318 – Rev 492 → 493

Rev 492		Rev 493
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`# $Id: alcasar-iptables.sh 492 2011-02-14 06:40:53Z franck $`	2	`# $Id: alcasar-iptables.sh 493 2011-02-14 06:46:55Z franck $`
3	`# script de mise en place des regles du parefeu d'Alcasar (mode normal)`	3	`# script de mise en place des regles du parefeu d'Alcasar (mode normal)`
4	`# Rexy - 3abtux - CPN`	4	`# Rexy - 3abtux - CPN`
5	`# there are three channels for log : 1 (default) for tracability, 2 for secure admin (ssh), 3 for exterior access attempts,`	5	`# there are three channels for log : 1 (default) for tracability, 2 for secure admin (ssh), 3 for exterior access attempts,`
6		6
7	`IPTABLES="/sbin/iptables"`	7	`IPTABLES="/sbin/iptables"`
8	`FILTERING="no"`	8	`FILTERING="no"`
9	`QOS="no"`	9	`QOS="no"`
10	`EXTIF="eth0"`	10	`EXTIF="eth0"`
11	`INTIF="eth1"`	11	`INTIF="eth1"`
12	`TUNIF="tun0"`	12	`TUNIF="tun0"`
13	`PRIVATE_NETWORK_MASK="192.168.182.0/24"`	13	`PRIVATE_NETWORK_MASK="192.168.182.0/24"`
14	`PRIVATE_IP="192.168.182.1"`	14	`PRIVATE_IP="192.168.182.1"`
15		15
16	`# Flush all existing rules`	16	`# Flush all existing rules`
17	`$IPTABLES -F`	17	`$IPTABLES -F`
18	`$IPTABLES -t nat -F`	18	`$IPTABLES -t nat -F`
19	`$IPTABLES -t mangle -F`	19	`$IPTABLES -t mangle -F`
20	`$IPTABLES -F INPUT`	20	`$IPTABLES -F INPUT`
21	`$IPTABLES -F FORWARD`	21	`$IPTABLES -F FORWARD`
22	`$IPTABLES -F OUTPUT`	22	`$IPTABLES -F OUTPUT`
23	`$IPTABLES -N SYN-FLOOD`	23	`$IPTABLES -N SYN-FLOOD`
24		24
25	`# Default policies`	25	`# Default policies`
26	`$IPTABLES -P INPUT DROP`	26	`$IPTABLES -P INPUT DROP`
27	`$IPTABLES -P FORWARD DROP`	27	`$IPTABLES -P FORWARD DROP`
28	`$IPTABLES -P OUTPUT ACCEPT`	28	`$IPTABLES -P OUTPUT ACCEPT`
29	`$IPTABLES -t nat -P PREROUTING ACCEPT`	29	`$IPTABLES -t nat -P PREROUTING ACCEPT`
30	`$IPTABLES -t nat -P POSTROUTING ACCEPT`	30	`$IPTABLES -t nat -P POSTROUTING ACCEPT`
31	`$IPTABLES -t nat -P OUTPUT ACCEPT`	31	`$IPTABLES -t nat -P OUTPUT ACCEPT`
32		32
33	`# Flush non default rules on filter and nat tables`	33	`# Flush non default rules on filter and nat tables`
34	`$IPTABLES -X`	34	`$IPTABLES -X`
35	`$IPTABLES -t nat -X`	35	`$IPTABLES -t nat -X`
36		36
37	`# accept all on loopback`	37	`# accept all on loopback`
38	`$IPTABLES -A INPUT -i lo -j ACCEPT`	38	`$IPTABLES -A INPUT -i lo -j ACCEPT`
39		39
40	`# Block all attempts to spoof the loopback address`	40	`# Block all attempts to spoof the loopback address`
41	`$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP`	41	`$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP`
42	`$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP`	42	`$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP`
43		43
44	`# Block all attempts to spoof the local IP address`	44	`# Block all attempts to spoof the local IP address`
45	`$IPTABLES -A INPUT -s $PRIVATE_IP -j DROP`	45	`$IPTABLES -A INPUT -s $PRIVATE_IP -j DROP`
46		46
47	`# Block Syn Flood attacks`	47	`# Block Syn Flood attacks`
48	`$IPTABLES -A INPUT -p tcp -m tcp --syn -j SYN-FLOOD`	48	`$IPTABLES -A INPUT -p tcp -m tcp --syn -j SYN-FLOOD`
49		49
50	`# Syn flood filtering chain`	50	`# Syn flood filtering chain`
51	`$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN`	51	`$IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN`
52	`$IPTABLES -A SYN-FLOOD -j DROP`	52	`$IPTABLES -A SYN-FLOOD -j DROP`
53		53
54	`# Ensure that TCP connections start with syn packets`	54	`# Ensure that TCP connections start with syn packets`
55	`$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP`	55	`$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP`
56		56
57	`#############################`	57	`#############################`
58	`# INTIF rules #`	58	`# INTIF rules #`
59	`#############################`	59	`#############################`
60	`# accept dhcp`	60	`# accept dhcp`
61	`$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT`	61	`$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT`
62	`# INTIF is closed (all by TUNIF)`	62	`# INTIF is closed (all by TUNIF)`
63	`$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "`	63	`$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "`
64	`$IPTABLES -A INPUT -i $INTIF -j REJECT`	64	`$IPTABLES -A INPUT -i $INTIF -j REJECT`
65		65
66	`#############################`	66	`#############################`
67	`# Local protection rules #`	67	`# Local protection rules #`
68	`#############################`	68	`#############################`
69	`# Drop XMAS & NULLscans`	69	`# Drop XMAS & NULLscans`
70	`$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP`	70	`$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP`
71	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP`	71	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP`
72	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP`	72	`$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP`
73	`$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP`	73	`$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP`
74	`# Drop broadcast & multicast`	74	`# Drop broadcast & multicast`
75	`$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP`	75	`$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP`
76	`# Antispoofing rules with log`	76	`# Antispoofing rules with log`
77	`$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY "`	77	`$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY "`
78	`$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j DROP`	78	`$IPTABLES -A INPUT -i $TUNIF ! -s $PRIVATE_NETWORK_MASK -j DROP`
79	`$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY "`	79	`$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY "`
80	`$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP`	80	`$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP`
81	`# Allow ping (icmp N°0 & 8) from LAN`	81	`# Allow ping (icmp N°0 & 8) from LAN`
82	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT`	82	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT`
83	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT`	83	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT`
84		84
85	`# Here, we add local rules (i.e. ssh from Internet)`	85	`# Here, we add local rules (i.e. ssh from Internet)`
86	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`	86	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`
87	`. /usr/local/etc/alcasar-iptables-local.sh`	87	`. /usr/local/etc/alcasar-iptables-local.sh`
88	`fi`	88	`fi`
89		89
90	`# Deny forward DNS (even for authenticated users ...)`	90	`# Deny forward DNS (even for authenticated users ...)`
91	`$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable`	91	`$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable`
92	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset`	92	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset`
93		93
94	`# Conntrack on forward`	94	`# Conntrack on forward`
95	`$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT`	95	`$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT`
96		96
97	`#####################################`	97	`#####################################`
98	`# If protocols filter is activate #`	98	`# If protocols filter is activate #`
99	`#####################################`	99	`#####################################`
100	`if [ $FILTERING = "yes" ]; then`	100	`if [ $FILTERING = "yes" ]; then`
101	`# Compute exception IP`	101	`# Compute exception IP`
102	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions \| cut -d" " -f1`	102	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions \| cut -d" " -f1`
103	`if [ $nb_exceptions != "0" ]`	103	`if [ $nb_exceptions != "0" ]`
104	`then`	104	`then`
105	`while read ip_exception`	105	`while read ip_exception`
106	`do`	106	`do`
107	`echo $ip_exception`	107	`echo $ip_exception`
108	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "`	108	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "`
109	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT`	109	`$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT`
110	`done < /usr/local/etc/alcasar-filter-exceptions`	110	`done < /usr/local/etc/alcasar-filter-exceptions`
111	`fi`	111	`fi`
112	`# Allow non comment protocols`	112	`# Allow non comment protocols`
113	`while read svc_line`	113	`while read svc_line`
114	`do`	114	`do`
115	svc_on=`echo $svc_line\|cut -b1`	115	svc_on=`echo $svc_line\|cut -b1`
116	`if [ $svc_on != "#" ]`	116	`if [ $svc_on != "#" ]`
117	`then`	117	`then`
118	svc_name=`echo $svc_line\|cut -d" " -f1`	118	svc_name=`echo $svc_line\|cut -d" " -f1`
119	svc_port=`echo $svc_line\|cut -d" " -f2`	119	svc_port=`echo $svc_line\|cut -d" " -f2`
120	`if [ $svc_name = "icmp" ]`	120	`if [ $svc_name = "icmp" ]`
121	`then`	121	`then`
122	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT`	122	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j ACCEPT`
123	`else`	123	`else`
124	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "`	124	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_$svc_name -- ACCEPT "`
125	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ACCEPT`	125	`$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport $svc_port -m state --state NEW -j ACCEPT`
126	`fi`	126	`fi`
127	`fi`	127	`fi`
128	`done < /usr/local/etc/alcasar-services`	128	`done < /usr/local/etc/alcasar-services`
129	`# reject the others`	129	`# reject the others`
130	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j ULOG --ulog-prefix "RULE F_filter -- REJECT "`	130	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j ULOG --ulog-prefix "RULE F_filter -- REJECT "`
131	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`	131	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`
132	`$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`	132	`$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`
133	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT`	133	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT`
134	`fi`	134	`fi`
135		135
136	`########################`	136	`########################`
137	`# If QOS is activate #`	137	`# If QOS is activate #`
138	`########################`	138	`########################`
139	`if [ $QOS = "yes" ]; then`	139	`if [ $QOS = "yes" ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then`
140	`. /usr/local/etc/alcasar-iptables-qos.sh`	140	`. /usr/local/etc/alcasar-iptables-qos.sh`
141	`fi`	141	`fi`
142		142
143	`# Allow forward connections with log`	143	`# Allow forward connections with log`
144	`$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "`	144	`$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "`
145	`$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT`	145	`$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT`
146		146
147	`####################################################################################`	147	`####################################################################################`
148	`# Imput from local network (dns, ntp, https, http, ssh and 3990 (user disconnect) #`	148	`# Imput from local network (dns, ntp, https, http, ssh and 3990 (user disconnect) #`
149	`####################################################################################`	149	`####################################################################################`
150	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT`	150	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT`
151	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT`	151	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT`
152	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT`	152	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT`
153	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT`	153	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT`
154	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"`	154	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"`
155	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`	155	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`
156	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT`	156	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT`
157		157
158	`# Conntrack on INPUT`	158	`# Conntrack on INPUT`
159	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`	159	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
160		160
161	`# Deny direct connections on DansGuardian port (8080)`	161	`# Deny direct connections on DansGuardian port (8080)`
162	`# The concerned paquets are marked by a pre-routing rule (see further)`	162	`# The concerned paquets are marked by a pre-routing rule (see further)`
163	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j DROP`	163	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j DROP`
164	`# Allow connections for DansGuardian`	164	`# Allow connections for DansGuardian`
165	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT`	165	`$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT`
166		166
167	`# Log HTTP requests (only syn)`	167	`# Log HTTP requests (only syn)`
168	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "`	168	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "`
169	`# Redirect HTTP request in DansGuardian (transparent proxy)`	169	`# Redirect HTTP request in DansGuardian (transparent proxy)`
170	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -j REDIRECT --to-port 8080`	170	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp ! -d $PRIVATE_IP --dport http -j REDIRECT --to-port 8080`
171	`# Mark the dansguardian bypass attempts`	171	`# Mark the dansguardian bypass attempts`
172	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "`	172	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "`
173	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j MARK --set-mark 1`	173	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j MARK --set-mark 1`
174		174
175	`# Deny and log on INPUT from the LAN`	175	`# Deny and log on INPUT from the LAN`
176	`$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "`	176	`$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "`
177	`$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`	177	`$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`
178	`$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`	178	`$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`
179		179
180	`# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)`	180	`# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)`
181	`$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"`	181	`$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"`
182	`# Drop on EXTIF`	182	`# Drop on EXTIF`
183	`$IPTABLES -A INPUT -i $EXTIF -j DROP`	183	`$IPTABLES -A INPUT -i $EXTIF -j DROP`
184		184
185	`# Dynamic NAT on EXTIF`	185	`# Dynamic NAT on EXTIF`
186	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`	186	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`
187		187
188	`# Save all rules`	188	`# Save all rules`
189	`/etc/init.d/iptables save`	189	`/etc/init.d/iptables save`
190		190
191	`# no martians log (for mdv2009 only)`	191	`# no martians log (for mdv2009 only)`
192	`echo 0 > /proc/sys/net/ipv4/conf/all/log_martians`	192	`echo 0 > /proc/sys/net/ipv4/conf/all/log_martians`
193		193
194	`# End of script`	194	`# End of script`
195		195
196		196