| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables.sh 3294 2025-07-20 22:26:38Z rexy $
|
2 |
# $Id: alcasar-iptables.sh 3310 2026-01-06 12:48:09Z rexy $
|
| 3 |
# This script writes the netfilter rules for ALCASAR (see 'alcasar-iptables-bypass.sh' for iptables rules in Bypass mode)
|
3 |
# This script writes the netfilter rules for ALCASAR (see 'alcasar-iptables-bypass.sh' for iptables rules in Bypass mode)
|
| 4 |
# Rexy - 3abtux - CPN
|
4 |
# Rexy - 3abtux - CPN
|
| 5 |
#
|
5 |
#
|
| 6 |
# Reminders
|
6 |
# Reminders
|
| 7 |
# There are four channels for log :
|
7 |
# There are four channels for log :
|
| Line 104... |
Line 104... |
| 104 |
fi
|
104 |
fi
|
| 105 |
|
105 |
|
| 106 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
106 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
| 107 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
107 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
| 108 |
|
108 |
|
| - |
|
109 |
# set conntrack timer to 1h (3600s) instead of 5 weeks
|
| - |
|
110 |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
|
| - |
|
111 |
sysctl -p /etc/sysctl.d/alcasar.conf
|
| - |
|
112 |
|
| 109 |
# Flush all existing rules
|
113 |
# Flush all existing rules
|
| 110 |
$IPTABLES -F
|
114 |
$IPTABLES -F
|
| 111 |
$IPTABLES -t nat -F
|
115 |
$IPTABLES -t nat -F
|
| 112 |
$IPTABLES -t mangle -F
|
116 |
$IPTABLES -t mangle -F
|
| 113 |
$IPTABLES -F INPUT
|
117 |
$IPTABLES -F INPUT
|
| Line 506... |
Line 510... |
| 506 |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT
|
510 |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT
|
| 507 |
|
511 |
|
| 508 |
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)
|
512 |
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)
|
| 509 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
|
513 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
|
| 510 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
|
514 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
|
| 511 |
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)
|
515 |
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be configure in transparent HTTPS proxy
|
| 512 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
|
516 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
|
| 513 |
|
517 |
|
| 514 |
# RSYNC requests are allowed (update of Toulouse BL)
|
518 |
# RSYNC requests are allowed (update of Toulouse BL)
|
| 515 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
|
519 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport rsync -j ACCEPT
|
| 516 |
|
520 |
|
| 517 |
# FTP requests are allowed
|
521 |
# FTP requests are allowed
|
| 518 |
# modprobe nf_conntrack_ftp # no more needed with kernel > 5.15.85
|
522 |
# modprobe nf_conntrack_ftp # no more needed with kernel > 5.15.85
|
| 519 |
# $IPTABLES -t raw -A OUTPUT -p tcp --dport ftp -j CT --helper ftp # no more needed with kernel > 5.15.85
|
- |
|
| 520 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
|
523 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
|
| 521 |
$IPTABLES -A OUTPUT -o $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
524 |
$IPTABLES -A OUTPUT -o $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
| 522 |
|
525 |
|
| 523 |
# NTP requests are allowed
|
526 |
# NTP requests are allowed
|
| 524 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
|
527 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
|