WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh

 #!/bin/bash
-# $Id: alcasar-iptables.sh 1063 2013-04-01 21:36:46Z richard $
+# $Id: alcasar-iptables.sh 1072 2013-04-14 21:36:57Z richard $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script write the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
+#
 # Reminders
 DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
 PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2`	# Network protocols filter (on/off)
 PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
 DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2`		# DNS and URLs filter (on/off)
 DNS_FILTERING=${DNS_FILTERING:=off}
+BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
 QOS=`grep QOS= $conf_file|cut -d"=" -f2`				# QOS (on/off)
 QOS=${QOS:=off}
 SSH=`grep SSH= $conf_file|cut -d"=" -f2`				# sshd active (on/off)
 SSH=${SSH:=off}
 SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
 # Remarque : Ce port n'est ouvert que lorsque le filtrage est activé
 # Remark : this port is only open when filtering is on
 # $IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP -m udp --dport 54 -j ULOG --ulog-prefix "RULE DNS-proxy -- DENY "
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 2
-# Si le filtrage est activé, redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions
+# Si le filtrage DNS est activé, redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions
 # If DNS filter is on, redirect DNS request to udp 54 (dns+blackhole) except for exception IP addresses
 if [ $DNS_FILTERING = on ]; then
 	# Compute exception IP
 	nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
 	if [ $nb_exceptions != "0" ]
 # Deny forward DNS
 $IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
 $IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 # Insertion des règles de blocage IP
-# Here, we add IP block rules
+# Here, we add local IP block rules
 if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
 	while read ip_line
 	do
 		ip_on=`echo $ip_line|cut -b1`
 		if [ $ip_on != "#" ]
 			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset
 		fi
 	done < /usr/local/etc/alcasar-ip-blocked
 fi
+# Si le filtrage de domain est activé, blocage des IP de la BL
+# If DNS filter is on, reject IP of BL
+# Comment : loading time is too long and iptables should become oveloaded !!!
+#if [ $DNS_FILTERING = on ]; then
+#	cd $BL_IP_CAT
+#	for category in `ls -1 | cut -d"@" -f1`
+#	do
+#		while read ip_blocked
+#		do
+#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
+#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable
+#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
+#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset
+#		done < $BL_IP_CAT/$category
+#	done
+#fi
 # Autorisation des retours de connexions légitimes
 # Allow conntrack
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 #  If protocols filter is activate

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 1063 → 1072