1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 1230 2013-10-01 07:52:22Z crox53 $
|
2 |
# $Id: alcasar-iptables.sh 1291 2014-01-10 17:49:15Z richard $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script write the netfilter rules for ALCASAR
|
4 |
# This script write the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
43 |
EXTIF="eth0"
|
43 |
EXTIF="eth0"
|
44 |
INTIF="eth1"
|
44 |
INTIF="eth1"
|
45 |
TUNIF="tun0" # listen device for chilli daemon
|
45 |
TUNIF="tun0" # listen device for chilli daemon
|
46 |
IPTABLES="/sbin/iptables"
|
46 |
IPTABLES="/sbin/iptables"
|
47 |
|
47 |
|
- |
|
48 |
|
48 |
#lancement du module kernel ipt_NETFLOW (module iptables)
|
49 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
49 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
50 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
50 |
|
51 |
|
51 |
# Effacement des règles existantes
|
52 |
# Effacement des règles existantes
|
52 |
# Flush all existing rules
|
53 |
# Flush all existing rules
|
53 |
$IPTABLES -F
|
54 |
$IPTABLES -F
|
69 |
$IPTABLES -P OUTPUT DROP
|
70 |
$IPTABLES -P OUTPUT DROP
|
70 |
$IPTABLES -t nat -P PREROUTING ACCEPT
|
71 |
$IPTABLES -t nat -P PREROUTING ACCEPT
|
71 |
$IPTABLES -t nat -P POSTROUTING ACCEPT
|
72 |
$IPTABLES -t nat -P POSTROUTING ACCEPT
|
72 |
$IPTABLES -t nat -P OUTPUT ACCEPT
|
73 |
$IPTABLES -t nat -P OUTPUT ACCEPT
|
73 |
|
74 |
|
- |
|
75 |
# destruction de tous les SET
|
- |
|
76 |
# destroy all the SET
|
- |
|
77 |
ipset destroy
|
- |
|
78 |
|
- |
|
79 |
# Création du SET alcasar_ip_blocked et premier peuplement
|
- |
|
80 |
# creation of alcasar_ip_blocked SET and first populating
|
- |
|
81 |
ipset create alcasar_ip_blocked hash:net hashsize 1024
|
- |
|
82 |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
|
- |
|
83 |
while read ip_line
|
- |
|
84 |
do
|
- |
|
85 |
ip_on=`echo $ip_line|cut -b1`
|
- |
|
86 |
if [ $ip_on != "#" ]
|
- |
|
87 |
then
|
- |
|
88 |
ip_blocked=`echo $ip_line|cut -d" " -f1`
|
- |
|
89 |
echo $ip_blocked
|
- |
|
90 |
ipset add alcasar_ip_blocked $ip_blocked
|
- |
|
91 |
fi
|
- |
|
92 |
done < /usr/local/etc/alcasar-ip-blocked
|
- |
|
93 |
fi
|
- |
|
94 |
|
74 |
#############################
|
95 |
#############################
|
75 |
# PREROUTING #
|
96 |
# PREROUTING #
|
76 |
#############################
|
97 |
#############################
|
77 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
|
98 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
|
78 |
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
|
99 |
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
|
98 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT
|
119 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT
|
99 |
done < /usr/local/etc/alcasar-filter-exceptions
|
120 |
done < /usr/local/etc/alcasar-filter-exceptions
|
100 |
fi
|
121 |
fi
|
101 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
|
122 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
|
102 |
fi
|
123 |
fi
|
- |
|
124 |
# Redirection des requêtes HTTP des IP bloquées vers ALCASAR (page 'accès interdit')
|
- |
|
125 |
# Redirect HTTP requests of banned ip to ALCASAR (access deny window)
|
- |
|
126 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
103 |
|
127 |
|
104 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD
|
128 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
|
105 |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD
|
129 |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
|
106 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
|
130 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
|
107 |
|
131 |
|
108 |
# Redirection des requêtes HTTP vers DansGuardian (proxy transparent)
|
132 |
# Redirection des requêtes HTTP sortantes vers DansGuardian (proxy transparent)
|
109 |
# Redirect HTTP requests in DansGuardian (transparent proxy)
|
133 |
# Redirect outbound HTTP requests to DansGuardian (transparent proxy)
|
110 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
|
134 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
|
111 |
|
135 |
|
112 |
# Redirection des requêtes NTP vers le serveur NTP local
|
136 |
# Redirection des requêtes NTP vers le serveur NTP local
|
113 |
# Redirect NTP request in local NTP server
|
137 |
# Redirect NTP request in local NTP server
|
114 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
138 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
140 |
|
164 |
|
141 |
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
|
165 |
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
|
142 |
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING)
|
166 |
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING)
|
143 |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
|
167 |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
|
144 |
|
168 |
|
145 |
# Insertion des règles de blocage IP
|
- |
|
146 |
# Here, we add IP block rules
|
- |
|
147 |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
|
- |
|
148 |
while read ip_line
|
- |
|
149 |
do
|
- |
|
150 |
ip_on=`echo $ip_line|cut -b1`
|
- |
|
151 |
if [ $ip_on != "#" ]
|
- |
|
152 |
then
|
- |
|
153 |
ip_blocked=`echo $ip_line|cut -d" " -f1`
|
- |
|
154 |
# $IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
|
- |
|
155 |
$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j REJECT
|
- |
|
156 |
fi
|
- |
|
157 |
done < /usr/local/etc/alcasar-ip-blocked
|
- |
|
158 |
fi
|
- |
|
159 |
# Autorisation des connexions légitimes à DansGuardian
|
169 |
# Autorisation des connexions légitimes à DansGuardian
|
160 |
# Allow connections for DansGuardian
|
170 |
# Allow connections for DansGuardian
|
161 |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
|
171 |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
|
162 |
|
172 |
|
163 |
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
|
173 |
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
|
216 |
# Rejet des requêtes DNS vers Internet
|
226 |
# Rejet des requêtes DNS vers Internet
|
217 |
# Deny forward DNS
|
227 |
# Deny forward DNS
|
218 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
|
228 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
|
219 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
|
229 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
|
220 |
|
230 |
|
221 |
# Insertion des règles de blocage IP
|
231 |
# Blocage des IPs du SET alcasar_ip_blocked
|
222 |
# Here, we add local IP block rules
|
232 |
# Deny IPs of the SET alcasar_ip_blocked
|
223 |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
|
233 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
224 |
while read ip_line
|
- |
|
225 |
do
|
- |
|
226 |
ip_on=`echo $ip_line|cut -b1`
|
- |
|
227 |
if [ $ip_on != "#" ]
|
- |
|
228 |
then
|
- |
|
229 |
ip_blocked=`echo $ip_line|cut -d" " -f1`
|
- |
|
230 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable
|
234 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
231 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
|
235 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
|
232 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset
|
236 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
233 |
fi
|
- |
|
234 |
done < /usr/local/etc/alcasar-ip-blocked
|
- |
|
235 |
fi
|
- |
|
236 |
|
237 |
|
237 |
# Si le filtrage de domain est activé, blocage des IP de la BL
|
238 |
# Si le filtrage de domain est activé, blocage des IP de la BL
|
238 |
# If DNS filter is on, reject IP of BL
|
239 |
# If DNS filter is on, reject IP of BL
|
239 |
# Comment : loading time is too long and iptables should become oveloaded !!! should use "ipset" instead
|
240 |
# Comment : loading time is too long and iptables should become oveloaded !!! should use "ipset" instead
|
240 |
#if [ $DNS_FILTERING = on ]; then
|
241 |
#if [ $DNS_FILTERING = on ]; then
|