
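--- a/alcasar-iptables.sh
+++ b/alcasar-iptables.sh
@@ -1,17 +1,17 @@
 #!/bin/bash
-# $Id: alcasar-iptables.sh 1161 2013-07-17 20:16:26Z richard $
+# $Id: alcasar-iptables.sh 1221 2013-09-22 20:39:20Z richard $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script write the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 #
 # Reminders
-# There are three channels for log :
-#	1 (default) for tracability;
-#	2 for secure admin (ssh);
-#	3 for exterior access attempts.
-# The French Security Agency (ANSSI) rules was applied by 'this script
+# There are four channels for log :
+#	1 tracability with The 'Netflow' kernel module (iptables target = NETFLOW);
+#	2 protection of ALCASAR with the Ulog group 1 (default group) 
+#	3 SSH with the ulog group 2;
+#	4 extern access attempts with the ulog group 3.
 # The bootps/dhcp (67) port is always open on tun0/eth1 by coova 
 conf_file="/usr/local/etc/alcasar.conf"
 private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
 private_ip_mask=${private_ip_mask:=192.168.182.1/24}
 PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
@@ -74,11 +74,11 @@
 #############################
 #       PREROUTING          #
 #############################
 # Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
 # mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
-# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 
 # Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT
 # Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules
 # Remarque : Ce port n'est ouvert que lorsque le filtrage est activé
@@ -100,12 +100,13 @@
 	fi
 		$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
 fi
 
 # Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD
-# Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
+## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD
+## $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
+
 # Redirection des requêtes HTTP vers DansGuardian (proxy transparent)
 # Redirect HTTP requests in DansGuardian (transparent proxy)
 $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
 
 # Redirection des requêtes NTP vers le serveur NTP local
@@ -135,12 +136,12 @@
 
 # On autorise les retours de connexions légitimes par INPUT
 # Conntrack on INPUT
 $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
-# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
-# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING)
+# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
+# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING)
 $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
 
 # Insertion des règles de blocage IP
 # Here, we add IP block rules 
 if [ -s /usr/local/etc/alcasar-ip-blocked ]; then 
@@ -148,11 +149,11 @@
 	do
 		ip_on=`echo $ip_line|cut -b1`
 		if [ $ip_on != "#" ]
 		then	
 			ip_blocked=`echo $ip_line|cut -d" " -f1`
-			$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
+#			$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
 			$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j REJECT 
 		fi
 	done < /usr/local/etc/alcasar-ip-blocked
 fi
 # Autorisation des connexions légitimes à DansGuardian 
@@ -224,11 +225,10 @@
 	do
 		ip_on=`echo $ip_line|cut -b1`
 		if [ $ip_on != "#" ]
 		then	
 			ip_blocked=`echo $ip_line|cut -d" " -f1`
-			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
 			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable
 			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
 			$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset
 		fi
 	done < /usr/local/etc/alcasar-ip-blocked
@@ -260,11 +260,11 @@
 	nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
 	if [ $nb_exceptions != "0" ]
 	then
 		while read ip_exception 
 		do
-			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
+#			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
 			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW
 			$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
 		done < /usr/local/etc/alcasar-filter-exceptions
 	fi
 	# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...) 
@@ -272,11 +272,11 @@
 	if [ $nb_uamallowed != "0" ]
 	then
 		while read ip_allowed_line 
 		do
 			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
-			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
+#			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
 			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
 			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
 		done < /usr/local/etc/alcasar-uamallowed
 	fi
 	# Autorisation des protocoles non commentés
@@ -292,22 +292,22 @@
 			then
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
 			else
 
-				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
+#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
-				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
+#				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
 				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
 			fi
 		fi
 	done < /usr/local/etc/alcasar-services
 	# Rejet explicite des autres protocoles
 	# reject the others protocols
-	$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
+#	$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
 	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
 	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT 
 fi
 
@@ -316,11 +316,11 @@
 	. /usr/local/etc/alcasar-iptables-qos.sh 	
 fi
 
 # Autorisation des connections sortant du LAN  
 # Allow forward connections with log
-$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
+#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 
 #############################
 #         OUTPUT            #
@@ -356,12 +356,10 @@
 # LDAP requests are allowed if an external server is declared
 if [ $LDAP = on ]
 	then
 	$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
 	$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
-#	$IPTABLES -A INPUT  -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
-#	$IPTABLES -A INPUT  -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
 fi
 
 
 #############################
 #       POSTROUTING         #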
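Review bot: The IP-blocked REJECT rules at new lines 154 (INPUT, now commented out) and 229 (FORWARD, ULOG line removed) no longer produce any log, and the same applies to the `RULE F_filter -- REJECT` rule at new line 308: in every hunk the NETFLOW target is placed only in front of the ACCEPT rules, so rejected connections from the LAN now leave no trace in either ULOG or Netflow. Attempts to reach a blacklisted address are exactly the events an operator wants to see, so consider keeping one log rule on the reject path, e.g. `$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -m state --state NEW -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "` before the three REJECT lines (the `--state NEW` match keeps it to one entry per connection, as the accept-side rules already do). If dropping these logs is intentional, the new header comment (lines 8-12) should state that rejected traffic is not logged, since it currently presents Netflow as the traceability channel. The `while read ip_line` loops enclosing lines 154 and 229 start outside the hunks.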