
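--- a/alcasar-iptables.sh
+++ b/alcasar-iptables.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# $Id: alcasar-iptables.sh 2642 2018-09-24 17:39:20Z rexy $
+# $Id: alcasar-iptables.sh 2668 2018-12-06 22:11:54Z rexy $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 #
 # Reminders
@@ -58,10 +58,11 @@
 	ipset save proto_1 >> $TMP_users_set_save
 	ipset save proto_2 >> $TMP_users_set_save
 	ipset save proto_3 >> $TMP_users_set_save
 fi
 
+# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)
 # loading of NetFlow probe (ipt_NETFLOW kernel module)
 modprobe ipt_NETFLOW destination=127.0.0.1:2055
 
 # Effacement des règles existantes
 # Flush all existing rules
@@ -142,25 +143,21 @@
 else
 	ipset create not_filtered hash:ip hashsize 1024
 	ipset create havp hash:ip hashsize 1024
 	ipset create havp_bl hash:ip hashsize 1024
 	ipset create havp_wl hash:ip hashsize 1024
-	#pour les filtrages de protocole par utilisateur
+	# pour les filtrages de protocole par utilisateur / For network protocols filtering by user
 	ipset create proto_0 hash:ip hashsize 1024
 	ipset create proto_1 hash:ip hashsize 1024
 	ipset create proto_2 hash:ip hashsize 1024
 	ipset create proto_3 hash:ip hashsize 1024
 fi
 
 #############################
 #       PREROUTING          #
 #############################
 
-# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
-# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
-#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
-
 # Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (E2Guardian) pour pouvoir les rejeter en INPUT
 # Mark (and log) the direct attempts to TCP port 8090 (e2guardian) in order to REJECT them in INPUT rules
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 
@@ -211,12 +208,12 @@
 # Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
 # Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers E2Guardian
 # Redirect outbound HTTP requests of "BL" users to E2Guardian (transparent proxy)
-# $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport http -j REDIRECT --to-port 8080
+
 # Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy
 # Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
 
@@ -312,11 +309,12 @@
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT	# Pages d'authentification et MCC # authentication pages and MCC
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT	# Page d'avertissement filtrage # Filtering warning pages
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT	# Requêtes de deconnexion usagers # Users logout requests
 $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT	# Serveur local de temps # local time server
 
+# Accès au serveur SSHD si activé
-# SSHD rules if activate
+# SSHD server access if enabled
 if [ $SSH = on ]
 	then
 	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
 	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
 	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
@@ -356,11 +354,11 @@
 
 # Active le suivi de session
 # Allow Conntrack
 $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
-# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
+# Compute uamallowed IP (ie : IP address of equipments connected between ALCASAR and router like DMZ, own servers, etc.)
 nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
 if [ $nb_uamallowed != "0" ]
 then
 	while read ip_allowed_line
 	do
@@ -381,11 +379,10 @@
 	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
 	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ssh -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 
 # filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
 # protocols filtering for users (profil 3 : customized with ACC)
-#profile 3 personalisables via l'ACC
 custom_tcp_protocols_list='';custom_udp_protocols_list=''
 while read svc_line
 do
 	svc_on=`echo $svc_line|cut -b1`
 	if [ $svc_on != "#" ]
@@ -451,11 +448,11 @@
 # On autorise les requêtes DNS vers les serveurs DNS identifiés
 # Allow DNS requests to identified DNS servers
 $IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT
 
 # On autorise les requêtes HTTP avec log Netflow (en provenance de E2guardian)
-# HTTPS requests are allowed with netflow log (from E2guardian)
+# HTTP requests are allowed with netflow log (from E2guardian)
 $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
 $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
 
 # On autorise les requêtes HTTPS sortantes
 # HTTPS requests are allowed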
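Review bot: The comment kept at new line 160 of the PREROUTING hunk still says the rules below catch direct attempts to "TCP port 8090 (e2guardian)", but both rules match `--dport 8080` and the NFLOG prefix says direct-proxy, while the redirect hunk a few lines later sends havp_bl users to 8080 (E2Guardian) and havp/havp_wl users to 8090 (Tinyproxy), so the port in that comment looks wrong; since this commit is already reworking the comments directly above it, I would correct it here to `# Mark (and log) the direct attempts to TCP port 8080 (e2guardian) in order to REJECT them in INPUT rules`. A related wording issue is in the last hunk: the new comment at line 453 describes the HTTP OUTPUT rules as "(from E2guardian)", yet the two rules match only `-o $EXTIF -p tcp --dport http` with no owner or source condition, so unless an earlier OUTPUT rule narrows this (not visible here) any local process may open outbound HTTP, and the comment should state that the rule is host-wide rather than imply a per-service restriction. Both are documentation-only changes; the rules themselves are unchanged by this commit.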