Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 1291 2014-01-10 17:49:15Z richard $
|
2 |
# $Id: alcasar-iptables.sh 1294 2014-01-12 23:03:00Z richard $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script write the netfilter rules for ALCASAR
|
4 |
# This script write the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
8 |
# There are four channels for log :
|
8 |
# There are four channels for log :
|
9 |
# 1 tracability with The 'Netflow' kernel module (iptables target = NETFLOW);
|
9 |
# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);
|
10 |
# 2 protection of ALCASAR with the Ulog group 1 (default group)
|
10 |
# 2 protection of ALCASAR with the Ulog group 1 (default group)
|
11 |
# 3 SSH with the ulog group 2;
|
11 |
# 3 SSH on ALCASAR with the Ulog group 2;
|
12 |
# 4 extern access attempts with the ulog group 3.
|
12 |
# 4 extern access attempts on ALCASAR with the Ulog group 3.
|
13 |
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
|
13 |
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
|
14 |
conf_file="/usr/local/etc/alcasar.conf"
|
14 |
conf_file="/usr/local/etc/alcasar.conf"
|
15 |
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
|
15 |
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
|
16 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
16 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
17 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
17 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
Line 27... |
Line 27... |
27 |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
|
27 |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
|
28 |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
28 |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
29 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
29 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
30 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
|
30 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
|
31 |
DNS_FILTERING=${DNS_FILTERING:=off}
|
31 |
DNS_FILTERING=${DNS_FILTERING:=off}
|
32 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
32 |
BL_IP_CAT="/usr/local/share/iptables-bl" # categories files of the BlackListed IP
|
33 |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
|
33 |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
|
34 |
QOS=${QOS:=off}
|
34 |
QOS=${QOS:=off}
|
35 |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
|
35 |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
|
36 |
SSH=${SSH:=off}
|
36 |
SSH=${SSH:=off}
|
37 |
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
|
37 |
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
|
Line 74... |
Line 74... |
74 |
|
74 |
|
75 |
# destruction de tous les SET
|
75 |
# destruction de tous les SET
|
76 |
# destroy all the SET
|
76 |
# destroy all the SET
|
77 |
ipset destroy
|
77 |
ipset destroy
|
78 |
|
78 |
|
79 |
# Création du SET alcasar_ip_blocked et premier peuplement
|
79 |
# Création et peuplement du SET alcasar_ip_blocked
|
80 |
# creation of alcasar_ip_blocked SET and first populating
|
80 |
# creation and first populating of alcasar_ip_blocked SET
|
81 |
ipset create alcasar_ip_blocked hash:net hashsize 1024
|
81 |
ipset create alcasar_ip_blocked hash:net hashsize 1024
|
82 |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
|
82 |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
|
83 |
while read ip_line
|
83 |
while read ip_line
|
84 |
do
|
84 |
do
|
85 |
ip_on=`echo $ip_line|cut -b1`
|
85 |
ip_on=`echo $ip_line|cut -b1`
|
86 |
if [ $ip_on != "#" ]
|
86 |
if [ $ip_on != "#" ]
|
87 |
then
|
87 |
then
|
88 |
ip_blocked=`echo $ip_line|cut -d" " -f1`
|
88 |
ip_blocked=`echo $ip_line|cut -d" " -f1`
|
89 |
echo $ip_blocked
|
- |
|
90 |
ipset add alcasar_ip_blocked $ip_blocked
|
89 |
ipset add alcasar_ip_blocked $ip_blocked
|
91 |
fi
|
90 |
fi
|
92 |
done < /usr/local/etc/alcasar-ip-blocked
|
91 |
done < /usr/local/etc/alcasar-ip-blocked
|
93 |
fi
|
92 |
fi
|
94 |
|
93 |
|
- |
|
94 |
# Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown)
|
- |
|
95 |
# creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts)
|
- |
|
96 |
ipset create authenticated_ip hash:net hashsize 1024
|
- |
|
97 |
OLDIFS=$IFS
|
- |
|
98 |
IFS=$'\n'
|
- |
|
99 |
for equipment in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
|
- |
|
100 |
do
|
- |
|
101 |
active_ip=`echo $equipment |cut -d" " -f2`
|
- |
|
102 |
active_session=`echo $equipment |cut -d" " -f5`
|
- |
|
103 |
if [[ $(expr $active_session) -eq 1 ]]
|
- |
|
104 |
then
|
- |
|
105 |
ipset add authenticated_ip $active_ip
|
- |
|
106 |
fi
|
- |
|
107 |
done
|
- |
|
108 |
IFS=$OLDIFS
|
- |
|
109 |
|
- |
|
110 |
# Création et peuplement du SET blacklist_ip_blocked
|
- |
|
111 |
# creation and first populating of blacklist_ip_blocked SET
|
- |
|
112 |
# wait for a better blacklist adapt process
|
- |
|
113 |
#ipset create blacklist_ip_blocked hash:net hashsize 1024
|
- |
|
114 |
#cd $BL_IP_CAT
|
- |
|
115 |
#for category in `ls -1 | cut -d"@" -f1`
|
- |
|
116 |
#do
|
- |
|
117 |
# while read ip_blocked
|
- |
|
118 |
# do
|
- |
|
119 |
# ipset add blacklist_ip_blocked $ip_blocked
|
- |
|
120 |
# done < $BL_IP_CAT/$category
|
- |
|
121 |
#done
|
- |
|
122 |
|
95 |
#############################
|
123 |
#############################
|
96 |
# PREROUTING #
|
124 |
# PREROUTING #
|
97 |
#############################
|
125 |
#############################
|
98 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
|
126 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
|
99 |
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
|
127 |
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
|
Line 119... |
Line 147... |
119 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT
|
147 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT
|
120 |
done < /usr/local/etc/alcasar-filter-exceptions
|
148 |
done < /usr/local/etc/alcasar-filter-exceptions
|
121 |
fi
|
149 |
fi
|
122 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
|
150 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
|
123 |
fi
|
151 |
fi
|
124 |
# Redirection des requêtes HTTP des IP bloquées vers ALCASAR (page 'accès interdit')
|
152 |
# Redirection des requêtes HTTP des IP admin bannies vers ALCASAR (page 'accès interdit')
|
125 |
# Redirect HTTP requests of banned ip to ALCASAR (access deny window)
|
153 |
# Redirect HTTP requests of admin banned ip to ALCASAR (access deny window)
|
126 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
154 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port http
|
- |
|
155 |
|
- |
|
156 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
|
- |
|
157 |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
|
- |
|
158 |
#if [ $DNS_FILTERING = on ]; then
|
- |
|
159 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
- |
|
160 |
#fi
|
- |
|
161 |
|
- |
|
162 |
# Redirection des requêtes HTTPS des IP sans utilisateurs authentifiés vers ALCASAR (page d'interception)
|
- |
|
163 |
# Redirect HTTPS requests of IP that don't have authenticate user to ALCASAR (intercept page)
|
- |
|
164 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set ! --match-set authenticated_ip src ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port https
|
127 |
|
165 |
|
128 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
|
166 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
|
129 |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
|
167 |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
|
130 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
|
168 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
|
131 |
|
169 |
|
Line 228... |
Line 266... |
228 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
|
266 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
|
229 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
|
267 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
|
230 |
|
268 |
|
231 |
# Blocage des IPs du SET alcasar_ip_blocked
|
269 |
# Blocage des IPs du SET alcasar_ip_blocked
|
232 |
# Deny IPs of the SET alcasar_ip_blocked
|
270 |
# Deny IPs of the SET alcasar_ip_blocked
|
233 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
- |
|
234 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
- |
|
235 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
|
271 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
|
- |
|
272 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
236 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
273 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
237 |
|
274 |
|
238 |
# Si le filtrage de domain est activé, blocage des IP de la BL
|
275 |
# Blocage des IPs du SET blacklist_ip_blocked
|
239 |
# If DNS filter is on, reject IP of BL
|
276 |
# Deny IPs of the SET blacklist_ip_blocked
|
240 |
# Comment : loading time is too long and iptables should become oveloaded !!! should use "ipset" instead
|
- |
|
241 |
#if [ $DNS_FILTERING = on ]; then
|
277 |
#if [ $DNS_FILTERING = on ]; then
|
242 |
# cd $BL_IP_CAT
|
- |
|
243 |
# for category in `ls -1 | cut -d"@" -f1`
|
- |
|
244 |
# do
|
- |
|
245 |
# while read ip_blocked
|
- |
|
246 |
# do
|
- |
|
247 |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
|
- |
|
248 |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable
|
278 |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
|
249 |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
|
279 |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
250 |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset
|
280 |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
|
251 |
# done < $BL_IP_CAT/$category
|
- |
|
252 |
# done
|
- |
|
253 |
#fi
|
281 |
#fi
|
254 |
|
282 |
|
255 |
# Autorisation des retours de connexions légitimes
|
283 |
# Autorisation des retours de connexions légitimes
|
256 |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
284 |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
257 |
|
285 |
|