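--- a/alcasar-iptables.sh
+++ b/alcasar-iptables.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# $Id: alcasar-iptables.sh 1377 2014-06-10 22:16:50Z richard $
+# $Id: alcasar-iptables.sh 1386 2014-06-12 14:53:07Z richard $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 #
 # Reminders
@@ -145,19 +145,10 @@
 ipset create havp_set hash:net hashsize 1024
 ipset create havp_bl_set hash:net hashsize 1024
 ipset create havp_wl_set hash:net hashsize 1024
 fi
 
-# Sauvegarde de tous les set sauf ceux d'interception (pour restaurer après redémarrage)
-# Backup all sets except interception set
-ipset save blacklist_ip_blocked > $SAVE_DIR/ipset_save
-ipset save whitelist_ip_allowed >> $SAVE_DIR/ipset_save
-echo "create no_filtering_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
-echo "create havp_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
-echo "create havp_bl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
-echo "create havp_wl_set hash:net family inet hashsize 1024 maxelem 65536" >> $SAVE_DIR/ipset_save
-
 #############################
 # PREROUTING #
 #############################
 # Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
 # mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
@@ -439,10 +430,7 @@
 #############################
 # Traduction dynamique d'adresse en sortie
 # Dynamic NAT on EXTIF
 $IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
-# Save all rules
-/usr/libexec/iptables.init save
-
 # End of script
 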