1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 1072 2013-04-14 21:36:57Z richard $
|
2 |
# $Id: alcasar-iptables.sh 1147 2013-07-02 22:00:21Z richard $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script write the netfilter rules for ALCASAR
|
4 |
# This script write the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
314 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
|
314 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
|
315 |
|
315 |
|
316 |
#############################
|
316 |
#############################
|
317 |
# OUTPUT #
|
317 |
# OUTPUT #
|
318 |
#############################
|
318 |
#############################
|
- |
|
319 |
|
319 |
# SSHD rules if activate
|
320 |
# On autorise les retours de connexions légitimes par OUTPUT
|
320 |
if [ $SSH = on ]
|
321 |
# Conntrack on OUTPUT
|
321 |
then
|
- |
|
322 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
|
322 |
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
323 |
fi
|
323 |
|
324 |
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
|
324 |
# On laisse tout sortir sur INTIF
|
325 |
# Everything is allowed but traffic through outside network interface
|
325 |
# Everything is allowed only on INTIF
|
326 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
326 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
327 |
|
327 |
|
328 |
# On autorise les requêtes DNS vers les serveurs DNS identifiés
|
328 |
# On autorise les requêtes DNS vers les serveurs DNS identifiés
|
329 |
# Allow DNS requests to identified DNS servers
|
329 |
# Allow DNS requests to identified DNS servers
|
330 |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
|
330 |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
|
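Review bot: The comment introduced at new line 325, `# Everything is allowed only on INTIF`, does not describe the rule it sits above at line 326, `$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT`, which accepts output on every interface except EXTIF (the loopback and the TUNIF interface used in the FORWARD rule at line 314 included), not only the internal one. The old wording at old line 325 was accurate; I would restore it in spirit, e.g. `# Everything is allowed except through the outside network interface (EXTIF)`, unless the intent is really to tighten the rule to the internal interface, in which case the rule itself needs changing and not just the comment. The new interface-agnostic conntrack rule at new line 322 does subsume the EXTIF-scoped one dropped in the next hunk, so that removal looks correct. `$IPTABLES` and the other expansions are still unquoted, as they were before this change.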
335 |
|
335 |
|
336 |
# On autorise les requêtes FTP
|
336 |
# On autorise les requêtes FTP
|
337 |
# FTP requests are allowed
|
337 |
# FTP requests are allowed
|
338 |
modprobe ip_conntrack_ftp
|
338 |
modprobe ip_conntrack_ftp
|
339 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
|
339 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
|
340 |
$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
|
- |
|
341 |
|
340 |
|
342 |
# On autorise les requêtes NTP
|
341 |
# On autorise les requêtes NTP
|
343 |
# NTP requests are allowed
|
342 |
# NTP requests are allowed
|
344 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
|
343 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
|
345 |
|
344 |
|
355 |
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
|
354 |
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
|
356 |
# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
|
355 |
# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
|
357 |
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
|
356 |
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
|
358 |
fi
|
357 |
fi
|
359 |
|
358 |
|
360 |
|
- |
|
361 |
#############################
|
359 |
#############################
|
362 |
# POSTROUTING #
|
360 |
# POSTROUTING #
|
363 |
#############################
|
361 |
#############################
|
364 |
# Traduction dynamique d'adresse en sortie
|
362 |
# Traduction dynamique d'adresse en sortie
|
365 |
# Dynamic NAT on EXTIF
|
363 |
# Dynamic NAT on EXTIF
|