
Rev 1863 Rev 1867
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
# $Id: alcasar-iptables.sh 1863 2016-05-03 12:18:07Z raphael.pion $
2
# $Id: alcasar-iptables.sh 1867 2016-05-04 12:22:08Z raphael.pion $
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4
# This script writes the netfilter rules for ALCASAR
4
# This script writes the netfilter rules for ALCASAR
5
# Rexy - 3abtux - CPN
5
# Rexy - 3abtux - CPN
6
#
6
#
7
# Reminders
7
# Reminders
Line 52... Line 52...
52
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
52
IP_REHABILITEES="/etc/dansguardian/lists/exceptioniplist"		# Rehabilitated IP
53
SAVE_DIR="/etc/sysconfig"						# Saving path
53
SAVE_DIR="/etc/sysconfig"						# Saving path
54
 
54
 
55
# Sauvegarde des SET des utilisateurs connectés si ils existent
55
# Sauvegarde des SET des utilisateurs connectés si ils existent
56
# Saving SET of connected users if it exists
56
# Saving SET of connected users if it exists
57
ipset list no_filtering_set 1>/dev/null 2>&1
57
ipset list not_filtered 1>/dev/null 2>&1
58
if [ $? -eq 0 ];
58
if [ $? -eq 0 ];
59
then
59
then
60
	ipset save no_filtering_set > $TMP_users_set_save
60
	ipset save not_filtered > $TMP_users_set_save
61
	ipset save havp_set >> $TMP_users_set_save
61
	ipset save havp_set >> $TMP_users_set_save
62
	ipset save havp_bl_set >> $TMP_users_set_save
62
	ipset save havp_bl_set >> $TMP_users_set_save
63
	ipset save havp_wl_set >> $TMP_users_set_save
63
	ipset save havp_wl_set >> $TMP_users_set_save
64
	ipset save user_not_connected_yet >> $TMP_users_set_save
64
	ipset save not_auth_yet >> $TMP_users_set_save
65
	ipset save ipset_users_list >> $TMP_users_set_save
65
	ipset save users_list >> $TMP_users_set_save
66
fi
66
fi
67
 
67
 
68
# loading of NetFlow probe (ipt_NETFLOW kernel module)
68
# loading of NetFlow probe (ipt_NETFLOW kernel module)
69
modprobe ipt_NETFLOW destination=127.0.0.1:2055
69
modprobe ipt_NETFLOW destination=127.0.0.1:2055
70
 
70
 
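Review bot: The save block at new lines 57–65 gates on a single set, `ipset list not_filtered`, but then saves six sets; if `not_filtered` exists while any other set is missing, the script has no `set -e`, so the failing `ipset save` calls are silently skipped, the file still exists, and the `else` branch at line 144 that would create the missing sets is never taken (the later `-m set --match-set users_list` rules at lines 166–167 would then presumably fail to load — worth confirming). Because this revision renames the sets, the first run after an upgrade is exactly that case when the previous revision's sets (`no_filtering_set`, `user_not_connected_yet`, `ipset_users_list`) are still loaded: the new name is absent, nothing is saved, and `ipset destroy` at line 101 drops the connected users' state; if that is intended, a comment saying so would help the next maintainer. Checking every set before saving, and quoting `"$TMP_users_set_save"`, keeps the save/create branches consistent; the rewritten block is below.
```shell
# Save the connected users' sets only when all of them exist; a partial save
# would skip the "create" branch further down and leave sets missing.
users_sets=(not_filtered havp_set havp_bl_set havp_wl_set not_auth_yet users_list)
all_sets_present=true
for s in "${users_sets[@]}"; do
	ipset list "$s" >/dev/null 2>&1 || all_sets_present=false
done
if [ "$all_sets_present" = true ]; then
	: > "$TMP_users_set_save"
	for s in "${users_sets[@]}"; do
		ipset save "$s" >> "$TMP_users_set_save"
	done
fi
# … unchanged: NetFlow probe modprobe …
```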
Line 98... Line 98...
98
 
98
 
99
# destruction de tous les SET
99
# destruction de tous les SET
100
# destroy all SET
100
# destroy all SET
101
ipset destroy
101
ipset destroy
102
 
102
 
103
ipset flush blacklist_ip_blocked
103
ipset flush bl_ip_blocked
104
ipset destroy blacklist_ip_blocked
104
ipset destroy bl_ip_blocked
105
ipset flush whitelist_ip_allowed
105
ipset flush wl_ip_allowed
106
ipset destroy whitelist_ip_allowed
106
ipset destroy wl_ip_allowed
107
###### BL set  ###########
107
###### BL set  ###########
108
# Calcul de la taille / Compute the length
108
# Calcul de la taille / Compute the length
109
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
109
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
110
# Chargement / loading
110
# Chargement / loading
111
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
111
echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
112
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
112
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
113
do
113
do
114
	cat $BL_IP_CAT/$category >> $TMP_set_save
114
	cat $BL_IP_CAT/$category >> $TMP_set_save
115
done
115
done
116
cat $BL_IP_OSSI >> $TMP_set_save
116
cat $BL_IP_OSSI >> $TMP_set_save
117
ipset -! restore < $TMP_set_save
117
ipset -! restore < $TMP_set_save
118
rm -f $TMP_set_save
118
rm -f $TMP_set_save
119
# Suppression des ip réhabilitées / Removing of rehabilitated ip
119
# Suppression des ip réhabilitées / Removing of rehabilitated ip
120
for ip in $(cat $IP_REHABILITEES)
120
for ip in $(cat $IP_REHABILITEES)
121
do
121
do
122
	ipset del blacklist_ip_blocked $ip
122
	ipset del bl_ip_blocked $ip
123
done
123
done
124
 
124
 
125
###### WL set  ###########
125
###### WL set  ###########
126
# Calcul de la taille / Compute the length
126
# Calcul de la taille / Compute the length
127
wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* | awk '{print $1}' | tail -n 1)*3))
127
wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* | awk '{print $1}' | tail -n 1)*3))
128
# Chargement Loading
128
# Chargement Loading
129
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
129
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
130
#get ip-wl files from ACC
130
#get ip-wl files from ACC
131
for ossi in `ls -1 $DIR_WL_IP_ENABLED`
131
for ossi in `ls -1 $DIR_WL_IP_ENABLED`
132
do
132
do
133
	cat $DIR_WL_IP_ENABLED/$ossi >> $TMP_set_save
133
	cat $DIR_WL_IP_ENABLED/$ossi >> $TMP_set_save
134
done
134
done
Line 140... Line 140...
140
if [ -e $TMP_users_set_save ];
140
if [ -e $TMP_users_set_save ];
141
then
141
then
142
	ipset -! restore < $TMP_users_set_save
142
	ipset -! restore < $TMP_users_set_save
143
	rm -f $TMP_users_set_save
143
	rm -f $TMP_users_set_save
144
else
144
else
145
	ipset create no_filtering_set hash:net hashsize 1024
145
	ipset create not_filtered hash:net hashsize 1024
146
	ipset create havp_set hash:net hashsize 1024
146
	ipset create havp_set hash:net hashsize 1024
147
	ipset create havp_bl_set hash:net hashsize 1024
147
	ipset create havp_bl_set hash:net hashsize 1024
148
	ipset create havp_wl_set hash:net hashsize 1024
148
	ipset create havp_wl_set hash:net hashsize 1024
149
	#utilisé pour l'interception des utilisateurs non authentifiés au réseau
149
	#utilisé pour l'interception des utilisateurs non authentifiés au réseau
150
	#used for intercepting users not connected to the network
150
	#used for intercepting users not connected to the network
151
	ipset create user_not_connected_yet hash:net hashsize 1024
151
	ipset create not_auth_yet hash:net hashsize 1024
152
	ipset create ipset_users_list list:set
152
	ipset create users_list list:set
153
	ipset add ipset_users_list havp_set
153
	ipset add users_list havp_set
154
	ipset add ipset_users_list havp_wl_set
154
	ipset add users_list havp_wl_set
155
	ipset add ipset_users_list havp_bl_set
155
	ipset add users_list havp_bl_set
156
	ipset add ipset_users_list no_filtering_set
156
	ipset add users_list not_filtered
157
	ipset add ipset_users_list user_not_connected_yet
157
	ipset add users_list not_auth_yet
158
fi
158
fi
159
 
159
 
160
#############################
160
#############################
161
#       PREROUTING          #
161
#       PREROUTING          #
162
#############################
162
#############################
163
 
163
 
164
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
164
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
165
# Redirect users not connected DNS requests in DNS-Blackhole
165
# Redirect users not connected DNS requests in DNS-Blackhole
166
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
166
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
167
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
167
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
168
 
168
 
169
 
169
 
170
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
170
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
171
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
171
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
172
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
172
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
Line 205... Line 205...
205
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
205
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
206
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "
206
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "
207
 
207
 
208
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
208
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
209
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
209
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
210
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
210
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
211
 
211
 
212
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
212
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
213
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
213
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
214
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
214
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
215
 
215
 
216
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian
216
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian
217
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
217
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
218
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
218
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
219
 
219
 
Line 341... Line 341...
341
 
341
 
342
#############################
342
#############################
343
#        FORWARD            #
343
#        FORWARD            #
344
#############################
344
#############################
345
 
345
 
346
# Blocage des IPs du SET blacklist_ip_blocked pour le SET havp_bl_set
346
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl_set
347
# Deny IPs of the SET blacklist_ip_blocked for the set havp_bl_set
347
# Deny IPs of the SET bl_ip_blocked for the set havp_bl_set
348
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
348
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
349
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
349
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
350
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
350
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
351
 
351
 
352
# Rejet des requêtes DNS vers Internet
352
# Rejet des requêtes DNS vers Internet
353
# Deny forward DNS
353
# Deny forward DNS
354
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
354
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
355
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
355
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset