1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 1705 2015-10-20 16:52:33Z richard $
|
2 |
# $Id: alcasar-iptables.sh 1731 2015-12-27 22:01:26Z richard $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
148 |
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
|
148 |
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
|
149 |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
|
149 |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
|
150 |
|
150 |
|
151 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT
|
151 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT
|
152 |
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
|
152 |
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
|
153 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nfog-prefix "RULE direct-proxy -- DENY "
|
153 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY "
|
154 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
|
154 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
|
155 |
|
155 |
|
156 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT
|
156 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT
|
157 |
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
|
157 |
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
|
158 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY "
|
158 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY "
|
287 |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
|
287 |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
|
288 |
|
288 |
|
289 |
# SSHD rules if activate
|
289 |
# SSHD rules if activate
|
290 |
if [ $SSH = on ]
|
290 |
if [ $SSH = on ]
|
291 |
then
|
291 |
then
|
292 |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
|
292 |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
|
293 |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
|
293 |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
|
294 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
|
294 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
|
295 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
|
295 |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
|
296 |
fi
|
296 |
fi
|
297 |
|
297 |
|
298 |
# Insertion de règles locales
|
298 |
# Insertion de règles locales
|
299 |
# Here, we add local rules (i.e. VPN from Internet)
|
299 |
# Here, we add local rules (i.e. VPN from Internet)
|
312 |
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE Protect1 -- REJECT "
|
312 |
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE Protect1 -- REJECT "
|
313 |
$IPTABLES -A INPUT -i $INTIF -j REJECT
|
313 |
$IPTABLES -A INPUT -i $INTIF -j REJECT
|
314 |
|
314 |
|
315 |
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
|
315 |
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
|
316 |
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
|
316 |
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
|
317 |
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j NFLOG --nflog-nlgroup 3 --nflog-qthreshold 10 --nflog-prefix "RULE rej-ext -- DROP"
|
317 |
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
|
318 |
|
318 |
|
319 |
#############################
|
319 |
#############################
|
320 |
# FORWARD #
|
320 |
# FORWARD #
|
321 |
#############################
|
321 |
#############################
|
322 |
|
322 |
|