| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables.sh 1294 2014-01-12 23:03:00Z richard $
|
2 |
# $Id: alcasar-iptables.sh 1299 2014-01-13 22:26:55Z richard $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script write the netfilter rules for ALCASAR
|
4 |
# This script write the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| Line 107... |
Line 107... |
| 107 |
done
|
107 |
done
|
| 108 |
IFS=$OLDIFS
|
108 |
IFS=$OLDIFS
|
| 109 |
|
109 |
|
| 110 |
# Création et peuplement du SET blacklist_ip_blocked
|
110 |
# Création et peuplement du SET blacklist_ip_blocked
|
| 111 |
# creation and first populating of blacklist_ip_blocked SET
|
111 |
# creation and first populating of blacklist_ip_blocked SET
|
| 112 |
# wait for a better blacklist adapt process
|
112 |
# It take a lot of time (try to do this during the blacklist import process)
|
| 113 |
#ipset create blacklist_ip_blocked hash:net hashsize 1024
|
113 |
#ipset create blacklist_ip_blocked hash:net hashsize 1024
|
| 114 |
#cd $BL_IP_CAT
|
114 |
#cd $BL_IP_CAT
|
| 115 |
#for category in `ls -1 | cut -d"@" -f1`
|
115 |
#for category in `ls -1 | cut -d"@" -f1`
|
| 116 |
#do
|
116 |
#do
|
| 117 |
# while read ip_blocked
|
117 |
# while read ip_blocked
|
| Line 157... |
Line 157... |
| 157 |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
|
157 |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
|
| 158 |
#if [ $DNS_FILTERING = on ]; then
|
158 |
#if [ $DNS_FILTERING = on ]; then
|
| 159 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
159 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
| 160 |
#fi
|
160 |
#fi
|
| 161 |
|
161 |
|
| 162 |
# Redirection des requêtes HTTPS des IP sans utilisateurs authentifiés vers ALCASAR (page d'interception)
|
- |
|
| 163 |
# Redirect HTTPS requests of IP that don't have authenticate user to ALCASAR (intercept page)
|
- |
|
| 164 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set ! --match-set authenticated_ip src ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port https
|
- |
|
| 165 |
|
- |
|
| 166 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
|
162 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
|
| 167 |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
|
163 |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
|
| 168 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
|
164 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
|
| 169 |
|
165 |
|
| 170 |
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent)
|
166 |
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent)
|