WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables-bypass.sh



#!/bin/bash
# $Id: alcasar-iptables-bypass.sh 1888 2016-05-12 21:53:44Z richard $
 
# alcasar-iptables-bypass.sh
# by Rexy - 3abtux
# This script is distributed under the Gnu General Public License (GPL)
 

$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
 
# Insertion de règles de blocage (Devel)
# Here, we add block rules (Devel)
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then 
	while read ip_line
	do
		ip_on=`echo $ip_line|cut -b1`
		if [ $ip_on != "#" ]
		then	
			ip_blocked=`echo $ip_line|cut -d" " -f1`
			$IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
			$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
		fi
	done < /usr/local/etc/alcasar-ip-blocked
fi
 
# SSHD rules if activate 
if [ $SSH = on ]
	then
	$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
	$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
        . /usr/local/etc/alcasar-iptables-local.sh
fi

# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN
# Allow ping (icmp N°0 & 8) from LAN
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
 
 
 
 
 
 
# On autorise les retours de connexions légitimes par FORWARD
# Conntrack on forward
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On autorise les demandes de connexions sortantes
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-prefix "RULE Transfert -- ACCEPT "
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
 
# On autorise les flux entrant ntp et dns via INTIF
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
 
# On autorise le retour des connexions entrante déjà acceptées
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On interdit et on log le reste sur les 2 interfaces d'accès
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $EXTIF -j NFLOG --nflog-prefix "RULE rej-ext -- REJECT "
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 
# On active le masquage d'adresse par translation (NAT)
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables-bypass.sh – Rev 1551 → 1888

Rev 1551		Rev 1888
Line 1...		Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-iptables-bypass.sh 1551 2015-01-10 16:00:48Z richard $`	2	`# $Id: alcasar-iptables-bypass.sh 1888 2016-05-12 21:53:44Z richard $`
3		3
4	`# alcasar-iptables-bypass.sh`	4	`# alcasar-iptables-bypass.sh`
5	`# by Rexy - 3abtux`	5	`# by Rexy - 3abtux`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7		7
Line 53...		Line 53...
53	`$IPTABLES -A OUTPUT -o lo -j ACCEPT`	53	`$IPTABLES -A OUTPUT -o lo -j ACCEPT`
54	`$IPTABLES -A INPUT -i lo -j ACCEPT`	54	`$IPTABLES -A INPUT -i lo -j ACCEPT`
55		55
56	`# Insertion de règles de blocage (Devel)`	56	`# Insertion de règles de blocage (Devel)`
57	`# Here, we add block rules (Devel)`	57	`# Here, we add block rules (Devel)`
58	`if [ -s /usr/local/etc/alcasar-iptables-block ]; then`	58	`if [ -s /usr/local/etc/alcasar-ip-blocked ]; then`
59	`while read ip_line`	59	`while read ip_line`
60	`do`	60	`do`
61	ip_on=`echo $ip_line\|cut -b1`	61	ip_on=`echo $ip_line\|cut -b1`
62	`if [ $ip_on != "#" ]`	62	`if [ $ip_on != "#" ]`
63	`then`	63	`then`
64	ip_blocked=`echo $ip_line\|cut -d" " -f1`	64	ip_blocked=`echo $ip_line\|cut -d" " -f1`
65	`$IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "`	65	`$IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "`
66	`$IPTABLES -A FORWARD -d $ip_blocked -j REJECT`	66	`$IPTABLES -A FORWARD -d $ip_blocked -j REJECT`
67	`fi`	67	`fi`
68	`done < /usr/local/etc/alcasar-iptables-block`	68	`done < /usr/local/etc/alcasar-ip-blocked`
69	`fi`	69	`fi`
70		70
71	`# SSHD rules if activate`	71	`# SSHD rules if activate`
72	`if [ $SSH = on ]`	72	`if [ $SSH = on ]`
73	`then`	73	`then`
74	`$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"`	74	`$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"`
75	`$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT`	75	`$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT`
76	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"`	76	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"`
77	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT`	77	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT`
78	`fi`	78	`fi`
79		-
80	`# Insertion de règles locales`	79	`# Insertion de règles locales`
81	`# Here, we add local rules (i.e. VPN from Internet)`	80	`# Here, we add local rules (i.e. VPN from Internet)`
82	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`	81	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`
83	`. /usr/local/etc/alcasar-iptables-local.sh`	82	`. /usr/local/etc/alcasar-iptables-local.sh`
84	`fi`	83	`fi`
Line 94...		Line 93...
94	`# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN`	93	`# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN`
95	`# Allow ping (icmp N°0 & 8) from LAN`	94	`# Allow ping (icmp N°0 & 8) from LAN`
96	`$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT`	95	`$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT`
97	`$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT`	96	`$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT`
98		97
99	`# On ajoute ici les règles spécifiques de filtrage réseau (accès exterieur ...)`	-
100	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`	-
101	`. /usr/local/etc/alcasar-iptables-local.sh`	-
102	`fi`	-
103		-
104	`# On autorise les retours de connexions légitimes par FORWARD`	98	`# On autorise les retours de connexions légitimes par FORWARD`
105	`# Conntrack on forward`	99	`# Conntrack on forward`
106	`$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT`	100	`$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT`
107		101
108	`# On autorise les demandes de connexions sortantes`	102	`# On autorise les demandes de connexions sortantes`
109	`$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT "`	103	`$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-prefix "RULE Transfert -- ACCEPT "`
110	`$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT`	104	`$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT`
111		105
112	`# On autorise les flux entrant ntp et dns via INTIF`	106	`# On autorise les flux entrant ntp et dns via INTIF`
113	`$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT`	107	`$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT`
114	`$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT`	108	`$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT`
115		109
116	`# On autorise le retour des connexions entrante déjà acceptées`	110	`# On autorise le retour des connexions entrante déjà acceptées`
117	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`	111	`$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
118		112
119	`# On interdit et on log le reste sur les 2 interfaces d'accès`	113	`# On interdit et on log le reste sur les 2 interfaces d'accès`
120	`$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE rej-int -- REJECT "`	114	`$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE rej-int -- REJECT "`
121	`$IPTABLES -A INPUT -i $EXTIF -j ULOG --ulog-prefix "RULE rej-ext -- REJECT "`	115	`$IPTABLES -A INPUT -i $EXTIF -j NFLOG --nflog-prefix "RULE rej-ext -- REJECT "`
122	`$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset`	116	`$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset`
123	`$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable`	117	`$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable`
124		118
125	`# On active le masquage d'adresse par translation (NAT)`	119	`# On active le masquage d'adresse par translation (NAT)`
126	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`	120	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`