WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh



#!/bin/bash
# $Id: alcasar-iptables.sh 2668 2018-12-06 22:11:54Z rexy $
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script writes the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders

	ipset save proto_1 >> $TMP_users_set_save
	ipset save proto_2 >> $TMP_users_set_save
	ipset save proto_3 >> $TMP_users_set_save
fi
 
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)
# loading of NetFlow probe (ipt_NETFLOW kernel module)
modprobe ipt_NETFLOW destination=127.0.0.1:2055
 
# Effacement des règles existantes
# Flush all existing rules

else
	ipset create not_filtered hash:ip hashsize 1024
	ipset create havp hash:ip hashsize 1024
	ipset create havp_bl hash:ip hashsize 1024
	ipset create havp_wl hash:ip hashsize 1024
	# pour les filtrages de protocole par utilisateur / For network protocols filtering by user
	ipset create proto_0 hash:ip hashsize 1024
	ipset create proto_1 hash:ip hashsize 1024
	ipset create proto_2 hash:ip hashsize 1024
	ipset create proto_3 hash:ip hashsize 1024
fi
 
#############################
#       PREROUTING          #
#############################
 
 
 
 
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to TCP port 8090 (e2guardian) in order to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 

# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers E2Guardian
# Redirect outbound HTTP requests of "BL" users to E2Guardian (transparent proxy)
 
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP  -p tcp --dport http -j REDIRECT --to-port 8080
 
# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy
# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
 

$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT	# Pages d'authentification et MCC # authentication pages and MCC
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT	# Page d'avertissement filtrage # Filtering warning pages
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT	# Requêtes de deconnexion usagers # Users logout requests
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT	# Serveur local de temps # local time server
 
# Accès au serveur SSHD si activé
# SSHD server access if enabled
if [ $SSH = on ]
	then
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"

 
# Active le suivi de session
# Allow Conntrack
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# Compute uamallowed IP (ie : IP address of equipments connected between ALCASAR and router like DMZ, own servers, etc.)
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
if [ $nb_uamallowed != "0" ]
then
	while read ip_allowed_line
	do

	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ssh -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
 
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
# protocols filtering for users (profil 3 : customized with ACC)
 
custom_tcp_protocols_list='';custom_udp_protocols_list=''
while read svc_line
do
	svc_on=`echo $svc_line|cut -b1`
	if [ $svc_on != "#" ]

# On autorise les requêtes DNS vers les serveurs DNS identifiés
# Allow DNS requests to identified DNS servers
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT
 
# On autorise les requêtes HTTP avec log Netflow (en provenance de E2guardian)
# HTTP requests are allowed with netflow log (from E2guardian)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
 
# On autorise les requêtes HTTPS sortantes
# HTTPS requests are allowed

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh @ 2598 – Rev 2642 → 2668

Rev 2642		Rev 2668
Line 1...		Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-iptables.sh 2642 2018-09-24 17:39:20Z rexy $`	2	`# $Id: alcasar-iptables.sh 2668 2018-12-06 22:11:54Z rexy $`
3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`	3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`
4	`# This script writes the netfilter rules for ALCASAR`	4	`# This script writes the netfilter rules for ALCASAR`
5	`# Rexy - 3abtux - CPN`	5	`# Rexy - 3abtux - CPN`
6	`#`	6	`#`
7	`# Reminders`	7	`# Reminders`
Line 58...		Line 58...
58	`ipset save proto_1 >> $TMP_users_set_save`	58	`ipset save proto_1 >> $TMP_users_set_save`
59	`ipset save proto_2 >> $TMP_users_set_save`	59	`ipset save proto_2 >> $TMP_users_set_save`
60	`ipset save proto_3 >> $TMP_users_set_save`	60	`ipset save proto_3 >> $TMP_users_set_save`
61	`fi`	61	`fi`
62		62
-		63	`# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)`
63	`# loading of NetFlow probe (ipt_NETFLOW kernel module)`	64	`# loading of NetFlow probe (ipt_NETFLOW kernel module)`
64	`modprobe ipt_NETFLOW destination=127.0.0.1:2055`	65	`modprobe ipt_NETFLOW destination=127.0.0.1:2055`
65		66
66	`# Effacement des règles existantes`	67	`# Effacement des règles existantes`
67	`# Flush all existing rules`	68	`# Flush all existing rules`
Line 142...		Line 143...
142	`else`	143	`else`
143	`ipset create not_filtered hash:ip hashsize 1024`	144	`ipset create not_filtered hash:ip hashsize 1024`
144	`ipset create havp hash:ip hashsize 1024`	145	`ipset create havp hash:ip hashsize 1024`
145	`ipset create havp_bl hash:ip hashsize 1024`	146	`ipset create havp_bl hash:ip hashsize 1024`
146	`ipset create havp_wl hash:ip hashsize 1024`	147	`ipset create havp_wl hash:ip hashsize 1024`
147	`#pour les filtrages de protocole par utilisateur`	148	`# pour les filtrages de protocole par utilisateur / For network protocols filtering by user`
148	`ipset create proto_0 hash:ip hashsize 1024`	149	`ipset create proto_0 hash:ip hashsize 1024`
149	`ipset create proto_1 hash:ip hashsize 1024`	150	`ipset create proto_1 hash:ip hashsize 1024`
150	`ipset create proto_2 hash:ip hashsize 1024`	151	`ipset create proto_2 hash:ip hashsize 1024`
151	`ipset create proto_3 hash:ip hashsize 1024`	152	`ipset create proto_3 hash:ip hashsize 1024`
152	`fi`	153	`fi`
153		154
154	`#############################`	155	`#############################`
155	`# PREROUTING #`	156	`# PREROUTING #`
156	`#############################`	157	`#############################`
157		158
158	`# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT`	-
159	`# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules`	-
160	`#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10`	-
161		-
162	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (E2Guardian) pour pouvoir les rejeter en INPUT`	159	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (E2Guardian) pour pouvoir les rejeter en INPUT`
163	`# Mark (and log) the direct attempts to TCP port 8090 (e2guardian) in order to REJECT them in INPUT rules`	160	`# Mark (and log) the direct attempts to TCP port 8090 (e2guardian) in order to REJECT them in INPUT rules`
164	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "`	161	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "`
165	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1`	162	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1`
166		163
Line 211...		Line 208...
211	`# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)`	208	`# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)`
212	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80`	209	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80`
213		210
214	`# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers E2Guardian`	211	`# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers E2Guardian`
215	`# Redirect outbound HTTP requests of "BL" users to E2Guardian (transparent proxy)`	212	`# Redirect outbound HTTP requests of "BL" users to E2Guardian (transparent proxy)`
216	`# $IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080`	-
217	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080`	213	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080`
-		214
218	`# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy`	215	`# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy`
219	`# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy`	216	`# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy`
220	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090`	217	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090`
221	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090`	218	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090`
222		219
Line 312...		Line 309...
312	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC`	309	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC`
313	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages`	310	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages`
314	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests`	311	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests`
315	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server`	312	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server`
316		313
-		314	`# Accès au serveur SSHD si activé`
317	`# SSHD rules if activate`	315	`# SSHD server access if enabled`
318	`if [ $SSH = on ]`	316	`if [ $SSH = on ]`
319	`then`	317	`then`
320	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"`	318	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"`
321	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`	319	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`
322	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"`	320	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"`
Line 356...		Line 354...
356		354
357	`# Active le suivi de session`	355	`# Active le suivi de session`
358	`# Allow Conntrack`	356	`# Allow Conntrack`
359	`$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`	357	`$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`
360		358
361	`# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)`	359	`# Compute uamallowed IP (ie : IP address of equipments connected between ALCASAR and router like DMZ, own servers, etc.)`
362	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed \| cut -d" " -f1`	360	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed \| cut -d" " -f1`
363	`if [ $nb_uamallowed != "0" ]`	361	`if [ $nb_uamallowed != "0" ]`
364	`then`	362	`then`
365	`while read ip_allowed_line`	363	`while read ip_allowed_line`
366	`do`	364	`do`
Line 381...		Line 379...
381	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset`	379	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset`
382	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ssh -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable`	380	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ssh -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable`
383		381
384	`# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)`	382	`# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)`
385	`# protocols filtering for users (profil 3 : customized with ACC)`	383	`# protocols filtering for users (profil 3 : customized with ACC)`
386	`#profile 3 personalisables via l'ACC`	-
387	`custom_tcp_protocols_list='';custom_udp_protocols_list=''`	384	`custom_tcp_protocols_list='';custom_udp_protocols_list=''`
388	`while read svc_line`	385	`while read svc_line`
389	`do`	386	`do`
390	svc_on=`echo $svc_line\|cut -b1`	387	svc_on=`echo $svc_line\|cut -b1`
391	`if [ $svc_on != "#" ]`	388	`if [ $svc_on != "#" ]`
Line 451...		Line 448...
451	`# On autorise les requêtes DNS vers les serveurs DNS identifiés`	448	`# On autorise les requêtes DNS vers les serveurs DNS identifiés`
452	`# Allow DNS requests to identified DNS servers`	449	`# Allow DNS requests to identified DNS servers`
453	`$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT`	450	`$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT`
454		451
455	`# On autorise les requêtes HTTP avec log Netflow (en provenance de E2guardian)`	452	`# On autorise les requêtes HTTP avec log Netflow (en provenance de E2guardian)`
456	`# HTTPS requests are allowed with netflow log (from E2guardian)`	453	`# HTTP requests are allowed with netflow log (from E2guardian)`
457	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW`	454	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW`
458	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT`	455	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT`
459		456
460	`# On autorise les requêtes HTTPS sortantes`	457	`# On autorise les requêtes HTTPS sortantes`
461	`# HTTPS requests are allowed`	458	`# HTTPS requests are allowed`