| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables.sh 1332 2014-04-23 12:40:53Z richard $
|
2 |
# $Id: alcasar-iptables.sh 1339 2014-05-05 12:55:57Z richard $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script write the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| 8 |
# There are four channels for log :
|
8 |
# There are four channels for log :
|
| 9 |
# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);
|
9 |
# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);
|
| Line 28... |
Line 28... |
| 28 |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
28 |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
| 29 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
29 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
| 30 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
|
30 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
|
| 31 |
DNS_FILTERING=${DNS_FILTERING:=off}
|
31 |
DNS_FILTERING=${DNS_FILTERING:=off}
|
| 32 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
32 |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
|
| - |
|
33 |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
|
| 33 |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
|
34 |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
|
| 34 |
QOS=${QOS:=off}
|
35 |
QOS=${QOS:=off}
|
| 35 |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
|
36 |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
|
| 36 |
SSH=${SSH:=off}
|
37 |
SSH=${SSH:=off}
|
| 37 |
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
|
38 |
SSH_ADMIN_FROM=`grep SSH_ADMIN_FROM= $conf_file|cut -d"=" -f2`
|
| Line 42... |
Line 43... |
| 42 |
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
|
43 |
LDAP_IP=${LDAP_IP:="0.0.0.0/0.0.0.0"}
|
| 43 |
EXTIF="eth0"
|
44 |
EXTIF="eth0"
|
| 44 |
INTIF="eth1"
|
45 |
INTIF="eth1"
|
| 45 |
TUNIF="tun0" # listen device for chilli daemon
|
46 |
TUNIF="tun0" # listen device for chilli daemon
|
| 46 |
IPTABLES="/sbin/iptables"
|
47 |
IPTABLES="/sbin/iptables"
|
| 47 |
|
- |
|
| - |
|
48 |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
|
| 48 |
|
49 |
|
| 49 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
50 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
| 50 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
51 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
| 51 |
|
52 |
|
| 52 |
# Effacement des règles existantes
|
53 |
# Effacement des règles existantes
|
| Line 74... |
Line 75... |
| 74 |
|
75 |
|
| 75 |
# destruction de tous les SET
|
76 |
# destruction de tous les SET
|
| 76 |
# destroy all SET
|
77 |
# destroy all SET
|
| 77 |
ipset destroy
|
78 |
ipset destroy
|
| 78 |
|
79 |
|
| 79 |
# Création et peuplement du SET alcasar_ip_blocked
|
- |
|
| 80 |
# creation and first populating of alcasar_ip_blocked SET
|
- |
|
| 81 |
ipset create alcasar_ip_blocked hash:net hashsize 1024
|
- |
|
| 82 |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
|
- |
|
| 83 |
while read ip_line
|
- |
|
| 84 |
do
|
- |
|
| 85 |
ip_on=`echo $ip_line|cut -b1`
|
- |
|
| 86 |
if [ $ip_on != "#" ]
|
- |
|
| 87 |
then
|
- |
|
| 88 |
ip_blocked=`echo $ip_line|cut -d" " -f1`
|
- |
|
| 89 |
ipset add alcasar_ip_blocked $ip_blocked
|
- |
|
| 90 |
fi
|
- |
|
| 91 |
done < /usr/local/etc/alcasar-ip-blocked
|
- |
|
| 92 |
fi
|
- |
|
| 93 |
|
- |
|
| 94 |
# Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown)
|
80 |
# Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown)
|
| 95 |
# creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts)
|
81 |
# creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts)
|
| 96 |
ipset create authenticated_ip hash:net hashsize 1024
|
82 |
ipset create authenticated_ip hash:net hashsize 1024
|
| 97 |
OLDIFS=$IFS
|
83 |
OLDIFS=$IFS
|
| 98 |
IFS=$'\n'
|
84 |
IFS=$'\n'
|
| Line 105... |
Line 91... |
| 105 |
ipset add authenticated_ip $active_ip
|
91 |
ipset add authenticated_ip $active_ip
|
| 106 |
fi
|
92 |
fi
|
| 107 |
done
|
93 |
done
|
| 108 |
IFS=$OLDIFS
|
94 |
IFS=$OLDIFS
|
| 109 |
|
95 |
|
| 110 |
# Calcul de la taille du SET blacklist_ip_blocked
|
96 |
# Calcul de la taille de l'ipset
|
| 111 |
# Computing the length of the blacklist_ip_blocked set
|
- |
|
| 112 |
cd $BL_IP_CAT
|
97 |
cd $BL_IP_CAT
|
| 113 |
ipset_length=$(wc -l * | awk '{print $1}' | tail -n 1)
|
98 |
ipset_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
|
| 114 |
|
- |
|
| 115 |
# Ajout du delta (ip entrées manuellement)
|
- |
|
| 116 |
# Addition of the delta (ip entered manually)
|
- |
|
| 117 |
((ipset_length=$ipset_length+10))
|
- |
|
| 118 |
|
99 |
|
| 119 |
# Création du fichier ipset temporaire, remplissage, chargement et suppression
|
100 |
# Création du fichier set temporaire, remplissage, chargement et suppression
|
| 120 |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > ipset_save
|
101 |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > /tmp/ipset_save
|
| 121 |
for category in `ls -1 | cut -d '@' -f1`
|
102 |
for category in `ls -1 | cut -d '@' -f1`
|
| 122 |
do
|
103 |
do
|
| 123 |
cat $BL_IP_CAT/$category >> ipset_save
|
104 |
cat $BL_IP_CAT/$category >> /tmp/ipset_save
|
| 124 |
done
|
105 |
done
|
| - |
|
106 |
cat $BL_IP_OSSI >> /tmp/ipset_save
|
| 125 |
ipset -! restore < ipset_save
|
107 |
ipset -! restore < /tmp/ipset_save
|
| 126 |
rm -f ipset_save
|
108 |
rm -f /tmp/ipset_save
|
| 127 |
|
109 |
|
| - |
|
110 |
# Extraction des ip réhabilitées
|
| - |
|
111 |
for ip in $(cat $IP_REHABILITEES)
|
| - |
|
112 |
do
|
| - |
|
113 |
ipset del blacklist_ip_blocked $ip
|
| - |
|
114 |
done
|
| - |
|
115 |
|
| 128 |
# Sauvegarde de tous les ipset (pour restaurer après redémarrage)
|
116 |
# Sauvegarde de tous les set (pour restaurer après redémarrage)
|
| 129 |
ipset save > /etc/sysconfig/ipset_save
|
117 |
ipset save > /etc/sysconfig/ipset_save
|
| 130 |
|
118 |
|
| 131 |
#############################
|
119 |
#############################
|
| 132 |
# PREROUTING #
|
120 |
# PREROUTING #
|
| 133 |
#############################
|
121 |
#############################
|
| Line 155... |
Line 143... |
| 155 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT
|
143 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT
|
| 156 |
done < /usr/local/etc/alcasar-filter-exceptions
|
144 |
done < /usr/local/etc/alcasar-filter-exceptions
|
| 157 |
fi
|
145 |
fi
|
| 158 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
|
146 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
|
| 159 |
fi
|
147 |
fi
|
| 160 |
# Redirection des requêtes HTTP des IP admin bannies vers ALCASAR (page 'accès interdit')
|
- |
|
| 161 |
# Redirect HTTP requests of admin banned ip to ALCASAR (access deny window)
|
- |
|
| 162 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port http
|
- |
|
| 163 |
|
148 |
|
| 164 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
|
149 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
|
| 165 |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
|
150 |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
|
| 166 |
if [ $DNS_FILTERING = on ]; then
|
151 |
if [ $DNS_FILTERING = on ]; then
|
| 167 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
152 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
| Line 268... |
Line 253... |
| 268 |
# Rejet des requêtes DNS vers Internet
|
253 |
# Rejet des requêtes DNS vers Internet
|
| 269 |
# Deny forward DNS
|
254 |
# Deny forward DNS
|
| 270 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
|
255 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
|
| 271 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
|
256 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
|
| 272 |
|
257 |
|
| 273 |
# Blocage des IPs du SET alcasar_ip_blocked
|
- |
|
| 274 |
# Deny IPs of the SET alcasar_ip_blocked
|
- |
|
| 275 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
|
- |
|
| 276 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
- |
|
| 277 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
- |
|
| 278 |
|
- |
|
| 279 |
# Blocage des IPs du SET blacklist_ip_blocked
|
- |
|
| 280 |
# Deny IPs of the SET blacklist_ip_blocked
|
- |
|
| 281 |
if [ $DNS_FILTERING = on ]; then
|
258 |
if [ $DNS_FILTERING = on ]; then
|
| - |
|
259 |
# Blocage des IPs du SET blacklist_ip_blocked
|
| - |
|
260 |
# Deny IPs of the SET blacklist_ip_blocked
|
| 282 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
|
261 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
|
| 283 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
262 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
| 284 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
|
263 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
|
| 285 |
fi
|
264 |
fi
|
| 286 |
|
265 |
|