WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh



#!/bin/bash
# $Id: alcasar-iptables.sh 1704 2015-10-19 12:50:17Z richard $
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script writes the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders

# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nfog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
 
# Marquage des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT
# Mark the udp 54 direct attempts (DNS-blacklist) to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3

# redirect DNS of 'havp_bl' users to port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
 
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. 
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "
 
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 

$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT	# Serveur local de temps # local time server
 
# SSHD rules if activate 
if [ $SSH = on ]
	then
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
	$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)

        . /usr/local/etc/alcasar-iptables-local.sh
fi
 
# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN
# Deny and log on INPUT from the LAN
$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j NFLOG --nflog-prefix "RULE rej-int -- REJECT "
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 
# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
# Reject INTIF access (only when chilli is down)
$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE Protect1 -- REJECT "
$IPTABLES -A INPUT -i $INTIF -j REJECT
 
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j NFLOG --nflog-nlgroup 3 --nflog-qthreshold 10 --nflog-prefix "RULE rej-ext -- DROP"
 
#############################
#        FORWARD            #
#############################
 

	if [ $nb_uamallowed != "0" ]
	then
		while read ip_allowed_line 
		do
			ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NFLOG --nflog-prefix "RULE IP-allowed -- ACCEPT "
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
			$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
		done < /usr/local/etc/alcasar-uamallowed
	fi
	# Autorisation du HTTP et des protocoles non commentés
	# Allow HTTP and non comment protocols
	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW
	$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT
	while read svc_line
	do
		svc_on=`echo $svc_line|cut -b1`

			then
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT 
			else
 
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
				$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
			fi
		fi
	done < /usr/local/etc/alcasar-services
	# Rejet explicite des autres protocoles
	# reject the others protocols
	$IPTABLES -A FORWARD -i $TUNIF -j NFLOG --nflog-prefix "RULE F_filter -- REJECT "
	$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
	$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
	$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT 
fi
 

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 1629 → 1704

Rev 1629		Rev 1704
Line 1...		Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-iptables.sh 1629 2015-05-22 22:34:19Z richard $`	2	`# $Id: alcasar-iptables.sh 1704 2015-10-19 12:50:17Z richard $`
3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`	3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`
4	`# This script writes the netfilter rules for ALCASAR`	4	`# This script writes the netfilter rules for ALCASAR`
5	`# Rexy - 3abtux - CPN`	5	`# Rexy - 3abtux - CPN`
6	`#`	6	`#`
7	`# Reminders`	7	`# Reminders`
Line 148...		Line 148...
148	`# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules`	148	`# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules`
149	`#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10`	149	`#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10`
150		150
151	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT`	151	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT`
152	`# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules`	152	`# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules`
153	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "`	153	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nfog-prefix "RULE direct-proxy -- DENY "`
154	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1`	154	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1`
155		155
156	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT`	156	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT`
157	`# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules`	157	`# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules`
158	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "`	158	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY "`
159	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2`	159	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2`
160		160
161	`# Marquage des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT`	161	`# Marquage des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT`
162	`# Mark the udp 54 direct attempts (DNS-blacklist) to REJECT them in INPUT rules`	162	`# Mark the udp 54 direct attempts (DNS-blacklist) to REJECT them in INPUT rules`
163	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3`	163	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3`
Line 178...		Line 178...
178	`# redirect DNS of 'havp_bl' users to port 55`	178	`# redirect DNS of 'havp_bl' users to port 55`
179	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55`	179	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55`
180		180
181	`# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.`	181	`# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.`
182	`# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow`	182	`# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow`
183	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "`	183	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "`
184		184
185	`# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')`	185	`# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')`
186	`# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)`	186	`# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)`
187	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80`	187	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80`
188		188
Line 287...		Line 287...
287	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server`	287	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server`
288		288
289	`# SSHD rules if activate`	289	`# SSHD rules if activate`
290	`if [ $SSH = on ]`	290	`if [ $SSH = on ]`
291	`then`	291	`then`
292	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"`	292	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"`
293	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`	293	`$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`
294	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"`	294	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"`
295	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT`	295	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT`
296	`fi`	296	`fi`
297		297
298	`# Insertion de règles locales`	298	`# Insertion de règles locales`
299	`# Here, we add local rules (i.e. VPN from Internet)`	299	`# Here, we add local rules (i.e. VPN from Internet)`
Line 301...		Line 301...
301	`. /usr/local/etc/alcasar-iptables-local.sh`	301	`. /usr/local/etc/alcasar-iptables-local.sh`
302	`fi`	302	`fi`
303		303
304	`# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN`	304	`# Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN`
305	`# Deny and log on INPUT from the LAN`	305	`# Deny and log on INPUT from the LAN`
306	`$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "`	306	`$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j NFLOG --nflog-prefix "RULE rej-int -- REJECT "`
307	`$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`	307	`$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`
308	`$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`	308	`$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`
309		309
310	`# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).`	310	`# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).`
311	`# Reject INTIF access (only when chilli is down)`	311	`# Reject INTIF access (only when chilli is down)`
312	`$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "`	312	`$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE Protect1 -- REJECT "`
313	`$IPTABLES -A INPUT -i $INTIF -j REJECT`	313	`$IPTABLES -A INPUT -i $INTIF -j REJECT`
314		314
315	`# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)`	315	`# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)`
316	`# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)`	316	`# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)`
317	`$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"`	317	`$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j NFLOG --nflog-nlgroup 3 --nflog-qthreshold 10 --nflog-prefix "RULE rej-ext -- DROP"`
318		318
319	`#############################`	319	`#############################`
320	`# FORWARD #`	320	`# FORWARD #`
321	`#############################`	321	`#############################`
322		322
Line 341...		Line 341...
341	`if [ $nb_uamallowed != "0" ]`	341	`if [ $nb_uamallowed != "0" ]`
342	`then`	342	`then`
343	`while read ip_allowed_line`	343	`while read ip_allowed_line`
344	`do`	344	`do`
345	ip_allowed=`echo $ip_allowed_line\|cut -d"\"" -f2`	345	ip_allowed=`echo $ip_allowed_line\|cut -d"\"" -f2`
346	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "`	346	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NFLOG --nflog-prefix "RULE IP-allowed -- ACCEPT "`
347	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW`	347	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW`
348	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT`	348	`$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT`
349	`done < /usr/local/etc/alcasar-uamallowed`	349	`done < /usr/local/etc/alcasar-uamallowed`
350	`fi`	350	`fi`
351	`# Autorisation du HTTP et des protocoles non commentés`	351	`# Autorisation du HTTP et des protocoles non commentés`
352	`# Allow HTTP and non comment protocols`	352	`# Allow HTTP and non comment protocols`
353	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "`	353	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "`
354	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW`	354	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW`
355	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT`	355	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT`
356	`while read svc_line`	356	`while read svc_line`
357	`do`	357	`do`
358	svc_on=`echo $svc_line\|cut -b1`	358	svc_on=`echo $svc_line\|cut -b1`
Line 364...		Line 364...
364	`then`	364	`then`
365	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW`	365	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW`
366	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT`	366	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT`
367	`else`	367	`else`
368		368
369	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "`	369	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "`
370	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW`	370	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW`
371	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT`	371	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT`
372	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "`	372	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-$svc_name -- ACCEPT "`
373	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW`	373	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW`
374	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT`	374	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT`
375	`fi`	375	`fi`
376	`fi`	376	`fi`
377	`done < /usr/local/etc/alcasar-services`	377	`done < /usr/local/etc/alcasar-services`
378	`# Rejet explicite des autres protocoles`	378	`# Rejet explicite des autres protocoles`
379	`# reject the others protocols`	379	`# reject the others protocols`
380	`$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "`	380	`$IPTABLES -A FORWARD -i $TUNIF -j NFLOG --nflog-prefix "RULE F_filter -- REJECT "`
381	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`	381	`$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset`
382	`$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`	382	`$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable`
383	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT`	383	`$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT`
384	`fi`	384	`fi`
385		385