
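--- a/alcasar-iptables.sh
+++ b/alcasar-iptables.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# $Id: alcasar-iptables.sh 1157 2013-07-16 10:48:11Z stephane $
+# $Id: alcasar-iptables.sh 1159 2013-07-17 09:25:15Z crox53 $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script write the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 #
 # Reminders
@@ -43,10 +43,13 @@
 EXTIF="eth0"
 INTIF="eth1"
 TUNIF="tun0"								# listen device for chilli daemon
 IPTABLES="/sbin/iptables"
 
+#lancement du module kernel ipt_NETFLOW (module iptables)
+modprobe ipt_NETFLOW destination=127.0.0.1:2055
+
 # Effacement des règles existantes
 # Flush all existing rules
 $IPTABLES -F
 $IPTABLES -t nat -F
 $IPTABLES -t mangle -F
@@ -247,11 +250,10 @@
 #		done < $BL_IP_CAT/$category
 #	done
 #fi
 
 # Autorisation des retours de connexions légitimes
-# Allow conntrack
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 #  If protocols filter is activate 
 if [ $PROTOCOLS_FILTERING = on ]; then
 	# Compute exception IP (IP addresses that shouldn't be filtered)
@@ -259,10 +261,11 @@
 	if [ $nb_exceptions != "0" ]
 	then
 		while read ip_exception 
 		do
 			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
+			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW
 			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
 		done < /usr/local/etc/alcasar-filter-exceptions
 	fi
 	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) 
 	nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
@@ -270,10 +273,11 @@
 	then
 		while read ip_allowed_line 
 		do
 			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
 			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
+			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
 			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
 		done < /usr/local/etc/alcasar-uamallowed
 	fi
 	# Autorisation des protocoles non commentés
 	# Allow non comment protocols
@@ -284,15 +288,19 @@
 		then	
 			svc_name=`echo $svc_line|cut -d" " -f1`
 			svc_port=`echo $svc_line|cut -d" " -f2`
 			if [ $svc_name = "icmp" ]
 			then
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
 			else
+
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
+				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
 			fi
 		fi
 	done < /usr/local/etc/alcasar-services
 	# Rejet explicite des autres protocoles
@@ -309,36 +317,39 @@
 fi
 
 # Autorisation des connections sortant du LAN  
 # Allow forward connections with log
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
+$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 
 #############################
 #         OUTPUT            #
 #############################
-
-# On autorise les retours de connexions légitimes par OUTPUT
-# Conntrack on OUTPUT
-$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-# On laisse tout sortir sur INTIF
-# Everything is allowed only on INTIF
+# SSHD rules if activate 
+if [ $SSH = on ]
+	then
+	$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
+fi
+# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
+# Everything is allowed but traffic through outside network interface
 $IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 
 # On autorise les requêtes DNS vers les serveurs DNS identifiés 
 # Allow DNS requests to identified DNS servers
 $IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
 
 # On autorise les requêtes HTTP sortantes
 # HTTP requests are allowed
+$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
 $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
 
 # On autorise les requêtes FTP 
 # FTP requests are allowed
 modprobe ip_conntrack_ftp
 $IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
+$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # On autorise les requêtes NTP 
 # NTP requests are allowed
 $IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
 
@@ -354,10 +365,11 @@
 	$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
 #	$IPTABLES -A INPUT  -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
 #	$IPTABLES -A INPUT  -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
 fi
 
+
 #############################
 #       POSTROUTING         #
 #############################
 # Traduction dynamique d'adresse en sortie
 # Dynamic NAT on EXTIF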
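Review bot: Every `-j NETFLOW` rule added in FORWARD (new side lines 266, 278, 298, 301 and 322) matches `-m state --state NEW` and sits after the unconditional `-m state --state ESTABLISHED,RELATED -j ACCEPT` at line 255, so the NETFLOW target presumably sees only the first packet of each forwarded flow, whereas the ICMP rule at 293 and the OUTPUT HTTP rule at 343 carry no state match and see every packet. If per-flow byte and packet counts are the goal, one non-terminating `$IPTABLES -A FORWARD -j NETFLOW` placed just before line 255 covers all forwarded traffic and makes the per-rule copies redundant; if only flow-start records are wanted, a comment next to the modprobe on line 49 saying so would keep the next reader from changing it. `modprobe ipt_NETFLOW destination=127.0.0.1:2055` on line 49 is unchecked and nothing visible sets `-e`, so a missing module makes every later `-j NETFLOW` rule fail while the script keeps loading the ACCEPT rules around them; `modprobe ipt_NETFLOW destination=127.0.0.1:2055 || echo "ipt_NETFLOW unavailable: no flow export" >&2` would at least make that visible. The SSH-specific rule at 331 is also matched by the new `-o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT` at 350, so `$SSH` does not actually gate anything in OUTPUT and the real gate has to be in INPUT, which is outside these hunks.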