Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 1863 2016-05-03 12:18:07Z raphael.pion $
|
2 |
# $Id: alcasar-iptables.sh 1867 2016-05-04 12:22:08Z raphael.pion $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
Line 52... |
Line 52... |
52 |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
|
52 |
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist" # Rehabilitated IP
|
53 |
SAVE_DIR="/etc/sysconfig" # Saving path
|
53 |
SAVE_DIR="/etc/sysconfig" # Saving path
|
54 |
|
54 |
|
55 |
# Sauvegarde des SET des utilisateurs connectés si ils existent
|
55 |
# Sauvegarde des SET des utilisateurs connectés si ils existent
|
56 |
# Saving SET of connected users if it exists
|
56 |
# Saving SET of connected users if it exists
|
57 |
ipset list no_filtering_set 1>/dev/null 2>&1
|
57 |
ipset list not_filtered 1>/dev/null 2>&1
|
58 |
if [ $? -eq 0 ];
|
58 |
if [ $? -eq 0 ];
|
59 |
then
|
59 |
then
|
60 |
ipset save no_filtering_set > $TMP_users_set_save
|
60 |
ipset save not_filtered > $TMP_users_set_save
|
61 |
ipset save havp_set >> $TMP_users_set_save
|
61 |
ipset save havp_set >> $TMP_users_set_save
|
62 |
ipset save havp_bl_set >> $TMP_users_set_save
|
62 |
ipset save havp_bl_set >> $TMP_users_set_save
|
63 |
ipset save havp_wl_set >> $TMP_users_set_save
|
63 |
ipset save havp_wl_set >> $TMP_users_set_save
|
64 |
ipset save user_not_connected_yet >> $TMP_users_set_save
|
64 |
ipset save not_auth_yet >> $TMP_users_set_save
|
65 |
ipset save ipset_users_list >> $TMP_users_set_save
|
65 |
ipset save users_list >> $TMP_users_set_save
|
66 |
fi
|
66 |
fi
|
67 |
|
67 |
|
68 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
68 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
69 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
69 |
modprobe ipt_NETFLOW destination=127.0.0.1:2055
|
70 |
|
70 |
|
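Review bot: The save block at lines 57–66 recognises only the new set names, so the first run of this script after the upgrade finds the kernel still holding `no_filtering_set`, `user_not_connected_yet` and `ipset_users_list`: `ipset list not_filtered` fails, nothing is saved, the unconditional `ipset destroy` at line 101 drops the old sets and the else branch at lines 145–157 recreates the new ones empty, so every authenticated user silently loses their filtering-group membership until they re-authenticate. Saving under either name and rewriting the old names in the save file before the restore at line 142 keeps sessions across the upgrade; a sketch follows. Anything outside this file that adds to or deletes from the old set names (presumably the login/logout hooks) has to be renamed in the same release, which cannot be checked from this page. While touching the check, `if ipset list not_filtered >/dev/null 2>&1; then` reads better than the separate `$?` test, and `"$TMP_users_set_save"` should be quoted.
```shell
# Saving SET of connected users if it exists (old or new set names, so an
# upgrade from the previous script keeps the authenticated users' membership)
if ipset list not_filtered >/dev/null 2>&1 || ipset list no_filtering_set >/dev/null 2>&1; then
  : > "$TMP_users_set_save"
  for user_set in no_filtering_set havp_set havp_bl_set havp_wl_set user_not_connected_yet ipset_users_list \
                  not_filtered not_auth_yet users_list; do
    ipset save "$user_set" >> "$TMP_users_set_save" 2>/dev/null   # missing sets are skipped
  done
  # rewrite the pre-rename names so the restore below creates the new ones (GNU sed)
  sed -i -e 's/\bno_filtering_set\b/not_filtered/g' \
         -e 's/\buser_not_connected_yet\b/not_auth_yet/g' \
         -e 's/\bipset_users_list\b/users_list/g' "$TMP_users_set_save"
fi
# … unchanged: NetFlow probe loading …
```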
Line 98... |
Line 98... |
98 |
|
98 |
|
99 |
# destruction de tous les SET
|
99 |
# destruction de tous les SET
|
100 |
# destroy all SET
|
100 |
# destroy all SET
|
101 |
ipset destroy
|
101 |
ipset destroy
|
102 |
|
102 |
|
103 |
ipset flush blacklist_ip_blocked
|
103 |
ipset flush bl_ip_blocked
|
104 |
ipset destroy blacklist_ip_blocked
|
104 |
ipset destroy bl_ip_blocked
|
105 |
ipset flush whitelist_ip_allowed
|
105 |
ipset flush wl_ip_allowed
|
106 |
ipset destroy whitelist_ip_allowed
|
106 |
ipset destroy wl_ip_allowed
|
107 |
###### BL set ###########
|
107 |
###### BL set ###########
|
108 |
# Calcul de la taille / Compute the length
|
108 |
# Calcul de la taille / Compute the length
|
109 |
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
|
109 |
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
|
110 |
# Chargement / loading
|
110 |
# Chargement / loading
|
111 |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
|
111 |
echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
|
112 |
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
|
112 |
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
|
113 |
do
|
113 |
do
|
114 |
cat $BL_IP_CAT/$category >> $TMP_set_save
|
114 |
cat $BL_IP_CAT/$category >> $TMP_set_save
|
115 |
done
|
115 |
done
|
116 |
cat $BL_IP_OSSI >> $TMP_set_save
|
116 |
cat $BL_IP_OSSI >> $TMP_set_save
|
117 |
ipset -! restore < $TMP_set_save
|
117 |
ipset -! restore < $TMP_set_save
|
118 |
rm -f $TMP_set_save
|
118 |
rm -f $TMP_set_save
|
119 |
# Suppression des ip réhabilitées / Removing of rehabilitated ip
|
119 |
# Suppression des ip réhabilitées / Removing of rehabilitated ip
|
120 |
for ip in $(cat $IP_REHABILITEES)
|
120 |
for ip in $(cat $IP_REHABILITEES)
|
121 |
do
|
121 |
do
|
122 |
ipset del blacklist_ip_blocked $ip
|
122 |
ipset del bl_ip_blocked $ip
|
123 |
done
|
123 |
done
|
124 |
|
124 |
|
125 |
###### WL set ###########
|
125 |
###### WL set ###########
|
126 |
# Calcul de la taille / Compute the length
|
126 |
# Calcul de la taille / Compute the length
|
127 |
wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* | awk '{print $1}' | tail -n 1)*3))
|
127 |
wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* | awk '{print $1}' | tail -n 1)*3))
|
128 |
# Chargement Loading
|
128 |
# Chargement Loading
|
129 |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
|
129 |
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
|
130 |
#get ip-wl files from ACC
|
130 |
#get ip-wl files from ACC
|
131 |
for ossi in `ls -1 $DIR_WL_IP_ENABLED`
|
131 |
for ossi in `ls -1 $DIR_WL_IP_ENABLED`
|
132 |
do
|
132 |
do
|
133 |
cat $DIR_WL_IP_ENABLED/$ossi >> $TMP_set_save
|
133 |
cat $DIR_WL_IP_ENABLED/$ossi >> $TMP_set_save
|
134 |
done
|
134 |
done
|
Line 140... |
Line 140... |
140 |
if [ -e $TMP_users_set_save ];
|
140 |
if [ -e $TMP_users_set_save ];
|
141 |
then
|
141 |
then
|
142 |
ipset -! restore < $TMP_users_set_save
|
142 |
ipset -! restore < $TMP_users_set_save
|
143 |
rm -f $TMP_users_set_save
|
143 |
rm -f $TMP_users_set_save
|
144 |
else
|
144 |
else
|
145 |
ipset create no_filtering_set hash:net hashsize 1024
|
145 |
ipset create not_filtered hash:net hashsize 1024
|
146 |
ipset create havp_set hash:net hashsize 1024
|
146 |
ipset create havp_set hash:net hashsize 1024
|
147 |
ipset create havp_bl_set hash:net hashsize 1024
|
147 |
ipset create havp_bl_set hash:net hashsize 1024
|
148 |
ipset create havp_wl_set hash:net hashsize 1024
|
148 |
ipset create havp_wl_set hash:net hashsize 1024
|
149 |
#utilisé pour l'interception des utilisateurs non authentifiés au réseau
|
149 |
#utilisé pour l'interception des utilisateurs non authentifiés au réseau
|
150 |
#used for intercepting users not connected to the network
|
150 |
#used for intercepting users not connected to the network
|
151 |
ipset create user_not_connected_yet hash:net hashsize 1024
|
151 |
ipset create not_auth_yet hash:net hashsize 1024
|
152 |
ipset create ipset_users_list list:set
|
152 |
ipset create users_list list:set
|
153 |
ipset add ipset_users_list havp_set
|
153 |
ipset add users_list havp_set
|
154 |
ipset add ipset_users_list havp_wl_set
|
154 |
ipset add users_list havp_wl_set
|
155 |
ipset add ipset_users_list havp_bl_set
|
155 |
ipset add users_list havp_bl_set
|
156 |
ipset add ipset_users_list no_filtering_set
|
156 |
ipset add users_list not_filtered
|
157 |
ipset add ipset_users_list user_not_connected_yet
|
157 |
ipset add users_list not_auth_yet
|
158 |
fi
|
158 |
fi
|
159 |
|
159 |
|
160 |
#############################
|
160 |
#############################
|
161 |
# PREROUTING #
|
161 |
# PREROUTING #
|
162 |
#############################
|
162 |
#############################
|
163 |
|
163 |
|
164 |
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
|
164 |
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
|
165 |
# Redirect users not connected DNS requests in DNS-Blackhole
|
165 |
# Redirect users not connected DNS requests in DNS-Blackhole
|
166 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
|
166 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
|
167 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
|
167 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
|
168 |
|
168 |
|
169 |
|
169 |
|
170 |
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
|
170 |
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
|
171 |
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
|
171 |
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
|
172 |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
|
172 |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
|
Line 205... |
Line 205... |
205 |
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
|
205 |
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
|
206 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "
|
206 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "
|
207 |
|
207 |
|
208 |
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
|
208 |
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
|
209 |
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
|
209 |
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
|
210 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
210 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
211 |
|
211 |
|
212 |
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
|
212 |
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
|
213 |
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
|
213 |
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
|
214 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
|
214 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
|
215 |
|
215 |
|
216 |
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian
|
216 |
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian
|
217 |
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
|
217 |
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
|
218 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
|
218 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
|
219 |
|
219 |
|
Line 341... |
Line 341... |
341 |
|
341 |
|
342 |
#############################
|
342 |
#############################
|
343 |
# FORWARD #
|
343 |
# FORWARD #
|
344 |
#############################
|
344 |
#############################
|
345 |
|
345 |
|
346 |
# Blocage des IPs du SET blacklist_ip_blocked pour le SET havp_bl_set
|
346 |
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl_set
|
347 |
# Deny IPs of the SET blacklist_ip_blocked for the set havp_bl_set
|
347 |
# Deny IPs of the SET bl_ip_blocked for the set havp_bl_set
|
348 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
|
348 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
|
349 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
349 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
350 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
350 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
351 |
|
351 |
|
352 |
# Rejet des requêtes DNS vers Internet
|
352 |
# Rejet des requêtes DNS vers Internet
|
353 |
# Deny forward DNS
|
353 |
# Deny forward DNS
|
354 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
|
354 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
|
355 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
|
355 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
|