WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh

 #!/bin/sh
-# $Id: alcasar-iptables.sh 612 2011-05-22 21:19:27Z richard $
+# $Id: alcasar-iptables.sh 615 2011-05-24 21:47:25Z richard $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script write the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 # There are three channels for log :
 #	1 (default) for tracability;
 #	3 for exterior access attempts.
 # The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
 conf_file="/usr/local/etc/alcasar.conf"
 private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2`
+private_ip_mask=${private_ip_mask:=192.168.182.1/24}
 private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2`		# LAN IP address (ie.: 192.168.182.0)
 private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2`		# LAN prefix (ie. 24)
 dns1=`grep DNS1 $conf_file|cut -d"=" -f2`				# first public DNS server
+dns1=${dns1:=208.67.220.220}
 dns2=`grep DNS2 $conf_file|cut -d"=" -f2`				# second public DNS server
+dns2=${dns2:=208.67.222.222}
-PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING $conf_file|cut -d"=" -f2`	# Network protocols filter (yes/no)
+PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING $conf_file|cut -d"=" -f2`	# Network protocols filter (on/off)
+PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
-DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2`		# DNS and URLs filter (yes/no)
+DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2`		# DNS and URLs filter (on/off)
+DNS_FILTERING=${DNS_FILTERING:=off}
-QOS=`grep QOS $conf_file|cut -d"=" -f2`					# QOS (yse/no)
+QOS=`grep QOS $conf_file|cut -d"=" -f2`					# QOS (on/off)
+QOS=${QOS:=off}
-SSH=`grep SSH $conf_file|cut -d"=" -f2`					# sshd active (yes/no)
+SSH=`grep SSH $conf_file|cut -d"=" -f2`					# sshd active (on/off)
+SSH=${SSH:=off}
+LDAP=`grep LDAP $conf_file|cut -d"=" -f2`				# ldap external server active (on/off)
+LDAP=${LDAP:=off}
 PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# Lan IP address + prefix (192.168.182.0/24)
 PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
 DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
 EXTIF="eth0"
 INTIF="eth1"
 $IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 # On autorise les requêtes DNS vers les serveurs DNS identifiés
 # Allow DNS requests to identified DNS servers
 $IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
-# On autorise les requêtes http sortantes
+# On autorise les requêtes HTTP sortantes
 # HTTP requests are allowed
 $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
-# On autorise les requêtes ntp
+# On autorise les requêtes NTP
 # NTP requests are allowed
 $IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
 # On autorise les requêtes ICMP (ping)
 # ICMP (ping) requests are allowed
 $IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
+# On autorise les requêtes LDAP si un serveur externe est configué
+# LDAP requests are allowed if an external server is declared
+if [ $LDAP = on ]
+	then
+	$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ldap -j ACCEPT
+	$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ldap -j ACCEPT
+fi
 # Traduction dynamique d'adresse en sortie
 # Dynamic NAT on EXTIF
 $IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 # Save all rules

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh @ 2641 – Rev 612 → 615