| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables-bypass.sh 958 2012-07-19 09:01:30Z franck $
|
2 |
# $Id: alcasar-iptables-bypass.sh 990 2012-08-24 22:47:27Z franck $
|
| 3 |
|
3 |
|
| 4 |
# alcasar-iptables-bypass.sh
|
4 |
# alcasar-iptables-bypass.sh
|
| 5 |
# by Rexy - 3abtux
|
5 |
# by Rexy - 3abtux
|
| 6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
| 7 |
|
7 |
|
| Line 41... |
Line 41... |
| 41 |
$IPTABLES -X
|
41 |
$IPTABLES -X
|
| 42 |
$IPTABLES -t nat -X
|
42 |
$IPTABLES -t nat -X
|
| 43 |
|
43 |
|
| 44 |
# On autorise tout sur loopback
|
44 |
# On autorise tout sur loopback
|
| 45 |
# accept all on loopback
|
45 |
# accept all on loopback
|
| - |
|
46 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
| 46 |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
47 |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
| 47 |
|
48 |
|
| 48 |
# Insertion de règles de blocage (Devel)
|
49 |
# Insertion de règles de blocage (Devel)
|
| 49 |
# Here, we add block rules (Devel)
|
50 |
# Here, we add block rules (Devel)
|
| 50 |
if [ -s /usr/local/etc/alcasar-iptables-block ]; then
|
51 |
if [ -s /usr/local/etc/alcasar-iptables-block ]; then
|
| Line 56... |
Line 57... |
| 56 |
$IPTABLES -A FORWARD -s $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
|
57 |
$IPTABLES -A FORWARD -s $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
|
| 57 |
$IPTABLES -A FORWARD -s $ip_blocked -j REJECT
|
58 |
$IPTABLES -A FORWARD -s $ip_blocked -j REJECT
|
| 58 |
done < /usr/local/etc/alcasar-iptables-block
|
59 |
done < /usr/local/etc/alcasar-iptables-block
|
| 59 |
fi
|
60 |
fi
|
| 60 |
|
61 |
|
| - |
|
62 |
# SSHD rules if activate
|
| - |
|
63 |
if [ $SSH = on ]
|
| - |
|
64 |
then
|
| - |
|
65 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
|
| - |
|
66 |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
|
| - |
|
67 |
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
|
| - |
|
68 |
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
|
| - |
|
69 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
|
| - |
|
70 |
fi
|
| - |
|
71 |
|
| 61 |
# on autorise les requêtes dhcp
|
72 |
# on autorise les requêtes dhcp
|
| 62 |
# accept dhcp
|
73 |
# accept dhcp
|
| 63 |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
|
74 |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
|
| 64 |
|
75 |
|
| 65 |
# On drop le broadcast et le multicast sur les interfaces (sans Log)
|
76 |
# On drop le broadcast et le multicast sur les interfaces (sans Log)
|