Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 1157 2013-07-16 10:48:11Z stephane $
|
2 |
# $Id: alcasar-iptables.sh 1159 2013-07-17 09:25:15Z crox53 $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script write the netfilter rules for ALCASAR
|
4 |
# This script write the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
Line 43... |
Line 43... |
43 |
EXTIF="eth0"
|
43 |
EXTIF="eth0"
|
44 |
INTIF="eth1"
|
44 |
INTIF="eth1"
|
45 |
TUNIF="tun0" # listen device for chilli daemon
|
45 |
TUNIF="tun0" # listen device for chilli daemon
|
46 |
IPTABLES="/sbin/iptables"
|
46 |
IPTABLES="/sbin/iptables"
|
47 |
|
47 |
|
- |
|
48 |
#lancement du module kernel ipt_NETFLOW (module iptables)
|
- |
|
49 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
- |
|
50 |
|
48 |
# Effacement des règles existantes
|
51 |
# Effacement des règles existantes
|
49 |
# Flush all existing rules
|
52 |
# Flush all existing rules
|
50 |
$IPTABLES -F
|
53 |
$IPTABLES -F
|
51 |
$IPTABLES -t nat -F
|
54 |
$IPTABLES -t nat -F
|
52 |
$IPTABLES -t mangle -F
|
55 |
$IPTABLES -t mangle -F
|
Line 247... |
Line 250... |
247 |
# done < $BL_IP_CAT/$category
|
250 |
# done < $BL_IP_CAT/$category
|
248 |
# done
|
251 |
# done
|
249 |
#fi
|
252 |
#fi
|
250 |
|
253 |
|
251 |
# Autorisation des retours de connexions légitimes
|
254 |
# Autorisation des retours de connexions légitimes
|
252 |
# Allow conntrack
|
- |
|
253 |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
255 |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
254 |
|
256 |
|
255 |
# If protocols filter is activate
|
257 |
# If protocols filter is activate
|
256 |
if [ $PROTOCOLS_FILTERING = on ]; then
|
258 |
if [ $PROTOCOLS_FILTERING = on ]; then
|
257 |
# Compute exception IP (IP addresses that shouldn't be filtered)
|
259 |
# Compute exception IP (IP addresses that shouldn't be filtered)
|
Line 259... |
Line 261... |
259 |
if [ $nb_exceptions != "0" ]
|
261 |
if [ $nb_exceptions != "0" ]
|
260 |
then
|
262 |
then
|
261 |
while read ip_exception
|
263 |
while read ip_exception
|
262 |
do
|
264 |
do
|
263 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
|
265 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
|
- |
|
266 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW
|
264 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
|
267 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
|
265 |
done < /usr/local/etc/alcasar-filter-exceptions
|
268 |
done < /usr/local/etc/alcasar-filter-exceptions
|
266 |
fi
|
269 |
fi
|
267 |
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
|
270 |
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
|
268 |
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
|
271 |
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
|
Line 270... |
Line 273... |
270 |
then
|
273 |
then
|
271 |
while read ip_allowed_line
|
274 |
while read ip_allowed_line
|
272 |
do
|
275 |
do
|
273 |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
|
276 |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
|
274 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
|
277 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
|
- |
|
278 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
|
275 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
|
279 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
|
276 |
done < /usr/local/etc/alcasar-uamallowed
|
280 |
done < /usr/local/etc/alcasar-uamallowed
|
277 |
fi
|
281 |
fi
|
278 |
# Autorisation des protocoles non commentés
|
282 |
# Autorisation des protocoles non commentés
|
279 |
# Allow non comment protocols
|
283 |
# Allow non comment protocols
|
Line 284... |
Line 288... |
284 |
then
|
288 |
then
|
285 |
svc_name=`echo $svc_line|cut -d" " -f1`
|
289 |
svc_name=`echo $svc_line|cut -d" " -f1`
|
286 |
svc_port=`echo $svc_line|cut -d" " -f2`
|
290 |
svc_port=`echo $svc_line|cut -d" " -f2`
|
287 |
if [ $svc_name = "icmp" ]
|
291 |
if [ $svc_name = "icmp" ]
|
288 |
then
|
292 |
then
|
- |
|
293 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
|
289 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
|
294 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
|
290 |
else
|
295 |
else
|
- |
|
296 |
|
291 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
|
297 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
|
- |
|
298 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
|
292 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
|
299 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
|
293 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
|
300 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
|
- |
|
301 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
|
294 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
|
302 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
|
295 |
fi
|
303 |
fi
|
296 |
fi
|
304 |
fi
|
297 |
done < /usr/local/etc/alcasar-services
|
305 |
done < /usr/local/etc/alcasar-services
|
298 |
# Rejet explicite des autres protocoles
|
306 |
# Rejet explicite des autres protocoles
|
Line 309... |
Line 317... |
309 |
fi
|
317 |
fi
|
310 |
|
318 |
|
311 |
# Autorisation des connections sortant du LAN
|
319 |
# Autorisation des connections sortant du LAN
|
312 |
# Allow forward connections with log
|
320 |
# Allow forward connections with log
|
313 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
|
321 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
|
- |
|
322 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
|
314 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
|
323 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
|
315 |
|
324 |
|
316 |
#############################
|
325 |
#############################
|
317 |
# OUTPUT #
|
326 |
# OUTPUT #
|
318 |
#############################
|
327 |
#############################
|
319 |
|
- |
|
320 |
# On autorise les retours de connexions légitimes par OUTPUT
|
328 |
# SSHD rules if activate
|
321 |
# Conntrack on OUTPUT
|
329 |
if [ $SSH = on ]
|
- |
|
330 |
then
|
322 |
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
331 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
|
323 |
|
332 |
fi
|
324 |
# On laisse tout sortir sur INTIF
|
333 |
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
|
325 |
# Everything is allowed only on INTIF
|
334 |
# Everything is allowed but traffic through outside network interface
|
326 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
335 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
327 |
|
336 |
|
328 |
# On autorise les requêtes DNS vers les serveurs DNS identifiés
|
337 |
# On autorise les requêtes DNS vers les serveurs DNS identifiés
|
329 |
# Allow DNS requests to identified DNS servers
|
338 |
# Allow DNS requests to identified DNS servers
|
330 |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
|
339 |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
|
331 |
|
340 |
|
332 |
# On autorise les requêtes HTTP sortantes
|
341 |
# On autorise les requêtes HTTP sortantes
|
333 |
# HTTP requests are allowed
|
342 |
# HTTP requests are allowed
|
- |
|
343 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
|
334 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
|
344 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
|
335 |
|
345 |
|
336 |
# On autorise les requêtes FTP
|
346 |
# On autorise les requêtes FTP
|
337 |
# FTP requests are allowed
|
347 |
# FTP requests are allowed
|
338 |
modprobe ip_conntrack_ftp
|
348 |
modprobe ip_conntrack_ftp
|
339 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
|
349 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ftp -j ACCEPT
|
- |
|
350 |
$IPTABLES -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
|
340 |
|
351 |
|
341 |
# On autorise les requêtes NTP
|
352 |
# On autorise les requêtes NTP
|
342 |
# NTP requests are allowed
|
353 |
# NTP requests are allowed
|
343 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
|
354 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
|
344 |
|
355 |
|
Line 354... |
Line 365... |
354 |
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
|
365 |
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
|
355 |
# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
|
366 |
# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
|
356 |
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
|
367 |
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
|
357 |
fi
|
368 |
fi
|
358 |
|
369 |
|
- |
|
370 |
|
359 |
#############################
|
371 |
#############################
|
360 |
# POSTROUTING #
|
372 |
# POSTROUTING #
|
361 |
#############################
|
373 |
#############################
|
362 |
# Traduction dynamique d'adresse en sortie
|
374 |
# Traduction dynamique d'adresse en sortie
|
363 |
# Dynamic NAT on EXTIF
|
375 |
# Dynamic NAT on EXTIF
|