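--- a/alcasar-iptables.sh
+++ b/alcasar-iptables.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# $Id: alcasar-iptables.sh 1827 2016-04-19 09:47:29Z raphael.pion $
+# $Id: alcasar-iptables.sh 1852 2016-05-01 18:46:46Z raphael.pion $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 #
 # Reminders
@@ -35,12 +35,11 @@
 DNSSERVERS="$dns1,$dns2"						# first and second public DNS servers
 PROTOCOLS_FILTERING=`grep ^PROTOCOLS_FILTERING= $CONF_FILE|cut -d"=" -f2`	# Network protocols filter (on/off)
 PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
 BL_IP_CAT="/usr/local/share/iptables-bl-enabled"			# categories files of the BlackListed IP
 BL_IP_OSSI="/usr/local/share/iptables-bl/ossi"				# ossi categoty
-WL_IP_OSSI="/usr/local/share/ossi-ip-wl"				# ip of the whitelist
-DNSMASQ_WL_ENABLED="/usr/local/share/dnsmasq-wl-enabled"		# enabled domain names for the Whitelist
+DIR_WL_IP_ENABLED="/usr/local/share/iptables-wl-enabled/"				# ip files repository of the WL (feature : imported wl file from ACC)
 TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set 
 TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
 SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`				# sshd active (on/off)
 SSH=${SSH:=off}
 SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
@@ -119,14 +118,19 @@
 	ipset del blacklist_ip_blocked $ip
 done
 
 ###### WL set  ###########
 # Calcul de la taille / Compute the length
-wl_set_length=$(($(wc -l $DNSMASQ_WL_ENABLED/* | awk '{print $1}' | tail -n 1)*3))
+wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* | awk '{print $1}' | tail -n 1)*3))
 # Chargement Loading
 echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
-cat $WL_IP_OSSI >> $TMP_set_save
+#get ip-wl files from ACC
+for ossi in `ls -1 $DIR_WL_IP_ENABLED`
+do
+	echo $ossi
+	cat $DIR_WL_IP_ENABLED/$ossi >> $TMP_set_save
+done
 ipset -! restore < $TMP_set_save
 rm -f $TMP_set_save
 
 # Restoration des SET des utilisateurs connectés si ils existent sinon création des SET 
 # Restoring the connected users SETs if available, otherwise creating SETs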
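Review bot: The new whitelist loop in the third hunk concatenates every file found under $DIR_WL_IP_ENABLED into the stream given to `ipset -! restore` without any check on its content, and `ipset restore` executes whatever command lines it reads (flush, destroy, del, create, …), so an imported file that is malformed or contains anything other than `add whitelist_ip_allowed <net>` lines can alter other sets or abort the load of the whole whitelist. The loop also iterates over `ls -1` output, which breaks on unusual names and would try to `cat` a subdirectory, and `echo $ossi` looks like leftover debugging output on the script's stdout. Assuming the imported files hold ipset-restore `add whitelist_ip_allowed` lines like the former ossi file did (the old code cat'd it straight into the same stream — please confirm the ACC export format), I would glob the directory, skip non-regular files, and only pass through matching lines, leaving the maxelem computation, the restore and the cleanup as they are. The trailing slash in DIR_WL_IP_ENABLED also turns `$DIR_WL_IP_ENABLED/*` into a double slash, harmless but worth trimming.
```shell
# … unchanged: maxelem computation and "create whitelist_ip_allowed" line …
# Load the IP whitelist files imported from the ACC. Only "add whitelist_ip_allowed <net>"
# lines are passed on: "ipset restore" runs any command it reads, so an unfiltered file
# could flush or destroy other sets.
for wl_file in "${DIR_WL_IP_ENABLED}"*
do
	[ -f "$wl_file" ] || continue
	grep -E '^add whitelist_ip_allowed [0-9]+(\.[0-9]+){3}(/[0-9]{1,2})?$' "$wl_file" >> $TMP_set_save
done
ipset -! restore < $TMP_set_save
# … unchanged: rm -f $TMP_set_save …
```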