WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables-bypass.sh

 #!/bin/bash
-# $Id: alcasar-iptables-bypass.sh 1523 2014-12-20 18:30:19Z franck $
+# $Id: alcasar-iptables-bypass.sh 1551 2015-01-10 16:00:48Z richard $
 # alcasar-iptables-bypass.sh
 # by Rexy - 3abtux
 # This script is distributed under the Gnu General Public License (GPL)
 PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
 SSH=`grep SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
 SSH=${SSH:=off}
 SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
 SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"}				# WAN IP address to reduce ssh access (all ip allowed on LAN side)
-PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2`        # Network protocols filter (on/off)
-PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
 # On vide (flush) toutes les règles existantes
 # Flush all existing rules
 $IPTABLES -F
 # SSHD rules if activate
 if [ $SSH = on ]
 	then
 	$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
 	$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
-	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
+	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
 	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
 fi
 # Insertion de règles locales
 # Here, we add local rules (i.e. VPN from Internet)
 if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
         . /usr/local/etc/alcasar-iptables-local.sh
 fi
-#  If protocols filter is activate
-if [ $PROTOCOLS_FILTERING = on ]; then
-        echo "PROTOCOL FILTERING = On"
-        # Compute exception IP (IP addresses that shouldn't be filtered)
-       nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
-       if [ $nb_exceptions != "0" ]
-       then
-               while read ip_exception
-               do
-                       $IPTABLES -A FORWARD -i $INTIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
-#                       $IPTABLES -A FORWARD -i $INTIF -s $ip_exception -m state --state NEW -j NETFLOW
-                       $IPTABLES -A FORWARD -i $INTIF -s $ip_exception -m state --state NEW -j ACCEPT
-               done < /usr/local/etc/alcasar-filter-exceptions
-       fi
-#       # Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
-#       nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
-#       if [ $nb_uamallowed != "0" ]
-#       then
-#               while read ip_allowed_line
-#               do
-#                       ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
-#                       $IPTABLES -A FORWARD -i $INTIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
-##                       $IPTABLES -A FORWARD -i $INTIF -d $ip_allowed -m state --state NEW -j NETFLOW
-#                       $IPTABLES -A FORWARD -i $INTIF -d $ip_allowed -m state --state NEW -j ACCEPT
-#               done < /usr/local/etc/alcasar-uamallowed
-#       fi
-        # Autorisation des protocoles non commentés
-        # Allow non comment protocols
-        while read svc_line
-        do
-                svc_on=`echo $svc_line|cut -b1`
-                if [ $svc_on != "#" ]
-                then
-                        svc_name=`echo $svc_line|cut -d" " -f1`
-                        svc_port=`echo $svc_line|cut -d" " -f2`
-                        if [ $svc_name = "icmp" ]
-                        then
-#                               $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
-                                $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
-                        else
-                                echo "Service = $svc_port  pour $svc_name"
-                                $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
-#                               $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
-                                $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
-#                               $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
-##                              $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
-#                               $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
-                        fi
-                fi
-        done < /usr/local/etc/alcasar-services
-        # Don't forget the HTTP port
-	$IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 80 -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-http -- ACCEPT "
-#       $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 80 -m state --state NEW -j NETFLOW
-        $IPTABLES -A FORWARD -i $INTIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 80 -m state --state NEW -j ACCEPT
-        # Rejet explicite des autres protocoles
-        # reject the others protocols
-        $IPTABLES -A FORWARD -i $INTIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
-        $IPTABLES -A FORWARD -i $INTIF -p tcp -j REJECT --reject-with tcp-reset
-        $IPTABLES -A FORWARD -i $INTIF -p udp -j REJECT --reject-with icmp-port-unreachable
-        $IPTABLES -A FORWARD -i $INTIF -p icmp -j REJECT
-else
-        ## On autorise les demandes de connexions sortantes
-        echo "PROTOCOL FILTERING = Off"
-        $IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT "
-        $IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
-fi
 # on autorise les requêtes dhcp
 # accept dhcp
 $IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
 # On drop le broadcast et le multicast sur les interfaces (sans Log)
 # On laisse passer les ICMP echo-request et echo-reply en provenance du LAN
 # Allow ping (icmp N°0 & 8) from LAN
 $IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
 $IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
+#  On ajoute ici les règles spécifiques de filtrage réseau (accès exterieur ...)
+if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
+        . /usr/local/etc/alcasar-iptables-local.sh
+fi
 # On autorise les retours de connexions légitimes par FORWARD
 # Conntrack on forward
-$IPTABLES -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
+$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+# On autorise les demandes de connexions sortantes
+$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT "
-$IPTABLES -A FORWARD -p udp -j DROP
+$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
 # On autorise les flux entrant ntp et dns via INTIF
 $IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
 $IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables-bypass.sh – Rev 1523 → 1551