1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 3258 2025-03-02 15:42:26Z rexy $
|
2 |
# $Id: alcasar-iptables.sh 3294 2025-07-20 22:26:38Z rexy $
|
3 |
# This script writes the netfilter rules for ALCASAR (see 'alcasar-iptables-bypass.sh' for iptables rules in Bypass mode)
|
3 |
# This script writes the netfilter rules for ALCASAR (see 'alcasar-iptables-bypass.sh' for iptables rules in Bypass mode)
|
4 |
# Rexy - 3abtux - CPN
|
4 |
# Rexy - 3abtux - CPN
|
5 |
#
|
5 |
#
|
6 |
# Reminders
|
6 |
# Reminders
|
7 |
# There are four channels for log :
|
7 |
# There are four channels for log :
|
55 |
REHABILITED_IP="/etc/e2guardian/lists/group1/exceptionsiteiplist"
|
55 |
REHABILITED_IP="/etc/e2guardian/lists/group1/exceptionsiteiplist"
|
56 |
ALLOWED_SITES="/usr/local/etc/alcasar-uamallowed" # @IP of external sites/networks allowed for all
|
56 |
ALLOWED_SITES="/usr/local/etc/alcasar-uamallowed" # @IP of external sites/networks allowed for all
|
57 |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
|
57 |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
|
58 |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
|
58 |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
|
59 |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
|
59 |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
|
- |
|
60 |
REPLICATION_TO=`grep ^REPLICATION_TO= $CONF_FILE | cut -d"=" -f2 | tr ',' '\n'`
|
60 |
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
|
61 |
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
|
61 |
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
|
62 |
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
|
62 |
interlan=${interlan:=off}
|
63 |
interlan=${interlan:=off}
|
63 |
|
64 |
|
64 |
# Allow requests to internal DNS if activated
|
65 |
# Allow requests to internal DNS if activated
|
527 |
|
528 |
|
528 |
# LDAP requests are allowed
|
529 |
# LDAP requests are allowed
|
529 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
530 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
530 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
531 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp -m multiport --dports ldap,ldaps -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
531 |
|
532 |
|
- |
|
533 |
# Allow outbound connections to primary servers SSH
|
- |
|
534 |
for conn in $REPLICATION_TO
|
- |
|
535 |
do
|
- |
|
536 |
addr="$(echo $conn | cut -d ':' -f 1)"
|
- |
|
537 |
port="$(echo $conn | cut -d ':' -f 2)"
|
- |
|
538 |
# Allow to connect to remote SSH
|
- |
|
539 |
$IPTABLES -A OUTPUT -o $EXTIF -d "$addr" -p tcp --dport "$port" -j ACCEPT
|
- |
|
540 |
done
|
- |
|
541 |
|
532 |
#############################
|
542 |
#############################
|
533 |
# POSTROUTING #
|
543 |
# POSTROUTING #
|
534 |
#############################
|
544 |
#############################
|
535 |
# Dynamic NAT on EXTIF
|
545 |
# Dynamic NAT on EXTIF
|
536 |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
|
546 |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
|