1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 1731 2015-12-27 22:01:26Z richard $
|
2 |
# $Id: alcasar-iptables.sh 1769 2016-01-17 20:39:23Z richard $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
39 |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
|
39 |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
|
40 |
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist
|
40 |
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist
|
41 |
DNSMASQ_WL_ENABLED="/usr/local/share/dnsmasq-wl-enabled" # enabled domain names for the Whitelist
|
41 |
DNSMASQ_WL_ENABLED="/usr/local/share/dnsmasq-wl-enabled" # enabled domain names for the Whitelist
|
42 |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
|
42 |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
|
43 |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
|
43 |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
|
44 |
QOS=`grep ^QOS= $CONF_FILE|cut -d"=" -f2` # QOS (on/off)
|
- |
|
45 |
QOS=${QOS:=off}
|
- |
|
46 |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
|
44 |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
|
47 |
SSH=${SSH:=off}
|
45 |
SSH=${SSH:=off}
|
48 |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
|
46 |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
|
49 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
47 |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
|
50 |
LDAP=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2` # LDAP external server active (on/off)
|
48 |
LDAP=`grep ^LDAP= $CONF_FILE|cut -d"=" -f2` # LDAP external server active (on/off)
|
381 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
|
379 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
|
382 |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
|
380 |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
|
383 |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
|
381 |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
|
384 |
fi
|
382 |
fi
|
385 |
|
383 |
|
386 |
# If QOS is activate #
|
- |
|
387 |
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
|
- |
|
388 |
. /usr/local/etc/alcasar-iptables-qos.sh
|
- |
|
389 |
fi
|
- |
|
390 |
|
- |
|
391 |
# Autorisation des connections sortant du LAN
|
384 |
# Autorisation des connections sortant du LAN
|
392 |
# Allow forward connections with log
|
385 |
# Allow forward connections with log
|
393 |
#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
|
386 |
#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
|
394 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
|
387 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
|
395 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
|
388 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
|